Approach to Data Privacy
Led by our Chief Privacy Officer (CPO), the Global Privacy Office (GPO) promotes a culture that values privacy by focusing on five main pillars:
- Operational Compliance
- Education and Training
- Data Protection Compliance Automation
We know that improperly handling personal information can have serious consequences for our employees, our company, our investors and our customers. Thus, data privacy is integral to our Code of Conduct and employee training programs.
General data security and data privacy training is required of all employees, including all part-time and consulting employees, annually. Additionally, we have created tailored training programs related to specific subject matters such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Annual HIPAA training, for example, is required for all employees who handle Protected Health Information related to U.S. residents. Likewise, data privacy awareness and related obligations are included in our Code of Conduct.
The GPO has also designed a robust Intranet site for Leidos employees, which includes a Data Privacy Best Practices Toolkit, a link to its customized privacy management system and numerous other data privacy-related resources.
We also have integrated Privacy by Design into our business operations, since protecting personal information is a commitment we make to our customers. It is an essential part of doing business. Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices. As an example of Privacy by Design, the GPO has implemented processes for identifying customer programs which involve the handling of personal information. The GPO works closely with designated Points of Contact (POCs) to integrate data privacy protection into program execution. This is just one of several ways in which the GPO has implemented, and continues to implement, Privacy by Design.
The Leidos Board of Directors’ Technology & Information Security Committee provides oversight of matters involving the Company’s overall strategic direction and associated exposure to, as well as management of, significant business risks in the areas of technology, information, and operational security.
Leidos has also formed a Data Governance Steering Council (DGSC). The mission of the DGSC is to align Leidos data management goals, standards, practices and processes with its business goals and strategies, all while reducing the risk of misuse, misappropriation, loss, theft or unauthorized access to various types of data.
The DGSC is co-chaired by the Chief Privacy Officer (CPO) and Chief Information Officer (CIO) and includes members from several corporate functions, such as Corporate Security, Information Technology, Legal, International Regulatory Compliance, Program Execution, Human Resources, Finance, Contracts, and Corporate Communications, as well as from business teams and non-U.S. entities. It meets monthly to evaluate various aspects of data governance, including data ownership, classification, risk, quality, security, privacy, mapping, retention, unification, access and measurement. Its co-chairs and members serve as proponents of data governance at Leidos.
In addition, the DGSC has spun off several Working Groups, including a Records Retention Working Group, Data Classification Working Group, Data Protection Working Group and Cyber Regulatory Working Group.
Audit and Risk Assessments
As outlined in our approach to cybersecurity, and to supplement the external validation of our standards, Leidos Internal Audit has developed an Information Technology Risk Assessment Framework (IT-RAF) and a Cybersecurity Risk Assessment Framework (CS-RAF). Both of these frameworks are based on industry standard frameworks (e.g., NIST 800-171) and identify various domains under broader categories; further details can be found on the Cybersecurity page of our Trust Center.
In addition, the GPO has configured and implemented a software system to administer various types of data mapping questionnaires and Privacy Impact Assessments, as well as to process Subject Access Requests from individuals.
Preparedness and Incident Response
Leidos has an enterprise-wide Incident Response Plan and associated procedures which address how cybersecurity incidents and data spills are to be handled. These documents designate incident response teams, describe how to investigate and remediate cybersecurity incidents and data spills, and define escalation paths for key stakeholder communications.