
Strictly Confidential

Enterprise Privacy Strategy

Memorial University

May 2007

Topics for Today

• What is an Enterprise Strategy?

• ATIPP Legislation

• Compliance requirements overview

• Privacy policy

• Organizing for privacy

• Privacy checklist
    • Getting your comments

• Privacy impact assessment
    • Overview

• Questions


Memorial Enterprise Privacy Strategy

• Data Gathering: Completing the Privacy Checklist

• Review of Current Documentation

• Gap Analysis, Enterprise Capacity Check

• Ensuring Best Practices
    • Roles, responsibilities, accountabilities, policies, procedures, training, audit

• Setting Priorities and Plan for addressing Gaps, privacy vulnerabilities

• Implementation and Resourcing schedule for moving towards compliance


Glossary

• Privacy analyst means a person in a department who has been designated the role of coordinating privacy compliance activities and privacy impact assessment within that department.

• Project means 'scheme', 'program', 'initiative', 'application', 'system' and any other defined course of endeavour.

• PIA means Privacy Impact Assessment

• Privacy Officer refers to Rosemary Smith and her team and advisory group

Legislation

• Part IV of the Access to Information and Protection of Privacy (ATIPP) Act
    • Not yet proclaimed – proclamation expected spring 2007
    • Planning currently underway
    • Primary privacy legislation for all government departments and agencies
    • This is the focus of current planning activities

• Personal Information Protection and Electronic Documents Act (PIPEDA)
    • Federal private-sector privacy legislation
    • Does not apply to provincial government departments or agencies
    • May apply to certain MASH sector organizations in some circumstances
    • Applies to provincial private sector for commercial transactions

• Privacy Act of Newfoundland and Labrador
    • Establishes right to sue for privacy breaches ("tort")
    • Requires no specific action by government departments or agencies, but does bind the Crown

ATIPP Act Definitions

• “Personal Information” (PI)
    • (o) "personal information" means recorded information about an identifiable individual, including
        • (i) the individual's name, address or telephone number,
        • (ii) the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations,
        • (iii) the individual's age, sex, sexual orientation, marital status or family status,
        • (iv) an identifying number, symbol or other particular assigned to the individual,
        • (v) the individual's fingerprints, blood type or inheritable characteristics,
        • (vi) information about the individual's health care status or history, including a physical or mental disability,
        • (vii) information about the individual's educational, financial, criminal or employment status or history,
        • (viii) the opinions of a person about the individual, and
        • (ix) the individual's personal views or opinions;

ATIPP Act Definitions

• ATIPP Act imposes compliance requirements for the collection, use and disclosure of PI

• “Collection”
    • The addition of new PI to the records of a public body, or the revision of existing PI based on other information originating outside the public body
    • Encompasses all flows of PI into a public body from outside, provided the PI is recorded

• “Use”
    • Reference to, or application of, PI for any purpose within the public body
    • Uses involving decisions about the individual are particularly important

• “Disclosure”
    • Transfer of PI from the records of the public body to any entity that is not part of the public body, subject to the definition of “employee” in the ATIPP Act
    • Encompasses all flows of PI out of a public body from inside

ATIPP Act Definitions

• “Employee”
    • (e) "employee", in relation to a public body, includes a person retained under a contract to perform services for the public body;

• “Head”
    • (f) "head", in relation to a public body, means
        • (i) in the case of a department, the minister who presides over it,
        • (ii) in the case of a corporation, its chief executive officer,
        • (iii) in the case of an unincorporated body, the minister appointed under the Executive Council Act to administer the Act under which the body is established, or the minister who is otherwise responsible for the body, or
        • (iv) in another case, the person or group of persons designated under section 66 or in the regulations as the head of the public body;

ATIPP Act Definitions

• “Public body”
    • (p) "public body" means
        • (i) a department created under the Executive Council Act, or a branch of the executive government of the province,
        • (ii) a corporation, the ownership of which, or a majority of the shares of which is vested in the Crown,
        • (iii) a corporation, commission or body, the majority of the members of which, or the majority of members of the board of directors of which are appointed by an Act, the Lieutenant-Governor in Council or a minister,
        • (iv) a local public body,
    • and includes a body designated for this purpose in the regulations made under section 73, but does not include,
        • (v) the office of a member or an officer of the House of Assembly,
        • (vi) the Trial Division, the Court of Appeal or the Provincial Court, or
        • (vii) a body listed in the Schedule;

ATIPP Act Definitions

• “Local public body”
    • (k) "local public body" means
        • (i) an educational body,
        • (ii) a health care body, and
        • (iii) a local government body;

• “Health care body”
    • (g) "health care body" means
        • (i) a hospital board or authority as defined in the Hospitals Act,
        • (ii) a health and community services board established under the Health and Community Services Act,
        • (iii) the Cancer Treatment and Research Foundation,
        • (iv) the Mental Health Review Board,
        • (v) the Newfoundland and Labrador Centre for Health Information, and
        • (vi) a body designated as a health care body in the regulations made under section 73;

Compliance Requirements: Collection

• PI may be collected only if
    • Authorized by legislation
    • Required for law enforcement purposes
    • Necessary for an operating program or activity of a public body

• Collection must normally be directly from the subject, with specific exceptions

• Subject must be informed of (with specific exceptions)
    • Legal authority for collection
    • Purpose of collection
    • Contact information for someone to whom questions may be directed

• PI to be kept accurate and up-to-date if used for decisions about subject
    • Retain for one year

• Subject has right to request correction of PI

• Reasonable security measures required

Compliance Requirements: Use

• PI may be used only
    • For original purpose or a consistent purpose
    • With the consent of the subject
    • For a purpose related to specified disclosure purposes in Section 38, 39
        • Requires reasonable and direct connection to disclosure purpose
        • Must be necessary for legally authorized purposes of the public body that uses the information

• Use of PI limited to the minimum amount required for the specific purpose

• Cannot collect or retain PI “just in case”

Compliance Requirements: Disclosure

• PI may be disclosed only
    • As specified in Section 39
        • For a purpose consistent with purpose of collection
        • Under court order
        • To an employee or the minister, if necessary for his or her duties
        • To the Auditor General or Provincial Archives
        • To an MHA when PI subject has requested assistance
        • For a law enforcement investigation
        • To protect the health and safety of any individual
        • When authorized or required by other provincial or federal legislation
        • Others
    • With the consent of the subject
    • For research or statistical purposes, subject to specified conditions
    • From the Provincial Archives, subject to specified conditions


Introduction to PIAs

• PIA: “An evaluation process which allows those involved in the collection, use or disclosure of Personal Information to assess and evaluate privacy, confidentiality or security risks associated with these activities, and to develop measures intended to mitigate the identified risks.”

• Identifies potential areas of noncompliance with the applicable privacy legislation and policy.

• Identifies risks

• Identifies measures to mitigate those risks.

• Due diligence exercise

• Best focused on risk assessment, not pure compliance

• Report should be a public document
    • Certain appendices may be withheld, e.g., sensitive security details
    • Need clear ATIPP authority to withhold


PIA Purposes

• Provide information for informed policy, system design or procurement decisions.

• Ensure that privacy protection is a key consideration in the initial framing of a project’s objectives and activities.

• Provide a consistent format and structured process for analyzing compliance to legislation.

• Ensure that the protection of privacy is included in core criteria for projects.

• Identify a clear accountability and demonstrate due diligence

• Document the flow of personal information.

• Identify means to reduce or eliminate privacy risks.

• Build public trust and confidence


Draft PIA Policy

• “Public Bodies within the Government of Newfoundland and Labrador will conduct PIAs for all new and significantly redesigned collections, uses or disclosures of Personal Information that may raise potential privacy risks.”

• (Whether a given project involves potential privacy risks is to be determined in part by the Privacy Checklist, which we will discuss later)

• “A privacy impact assessment shall consist of:
    • “a specific assessment against the privacy provisions of the Access to Information and Protection of Privacy Act;
    • “a data flow description for the collection, use or disclosure of Personal Information;
    • “a threat and risk assessment of the collection, use or disclosure of Personal Information.”

• PIAs to be conducted using tools and procedures that conform with GNL Privacy Legislation

Draft PIA Policy - Roles

• Public body
    • Head is responsible for compliance with the privacy provisions of ATIPP Act.
    • Departments have ultimate responsibility for compliance with the privacy provisions of the ATIPP Act.
    • The Sr. Exec. is responsible for ensuring that a PIA is completed in accordance with this policy if necessary.
    • PIAs to be approved by the Head, or by a person designated in writing by him or her to review and approve PIAs.
    • PIAs involving information technology Projects or initiatives should also be approved by Memorial’s Privacy Officer, or by a person designated in writing by her to review and approve PIAs.

Draft PIA Policy - Roles

• Office of the ATIPP Coordinator GNL
    • Developing and maintaining the privacy impact assessment process and procedures.
    • Ensuring that the process and procedures are understood throughout the Government of Newfoundland and Labrador and the broader public sector.
    • Changes to PIA Policy and related processes and procedures subject to the approval of the minister responsible for the ATIPP Office.

• Memorial University Privacy Officer
    • Approval of privacy impact assessments, in cooperation with responsible Department(s)
    • Incorporate PIAs into Memorial’s project management standards
    • Continued leadership and key resource for developing privacy capacities at Memorial University

Draft PIA Policy - Roles

• Project Manager
    • Conducting the PIA, or ensuring that it is conducted
    • Overseeing the PIA process
    • If the Project does not have a Project Manager assigned, the manager who otherwise carries day-to-day responsibility for the Project is responsible
    • The Project Manager to undertake PIAs in accordance with the relevant PIA procedures and best practices approved by Memorial University Privacy Officer.

Analytical Phases of a PIA

• Phase 1: Project Initiation
    • Overall scope of the PIA determined
    • Appropriate tools are selected or developed
    • Collection and organization of information about the project
    • Selection of the people and skill sets.
    • Establishment of the PIA team and a PIA work plan
    • Retention of external expertise if required.

• Phase 2: Data Flow Analysis
    • Flow of personal information into, within, and out of data repositories and systems that are part of the project is examined.

• Phase 3: Privacy Risk Analysis
    • Data flow analysis is assessed in the context of compliance requirements, privacy principles, the sensitivity and volume of the personal information involved, and other factors.
    • Risk factors and mitigation measures.

• Phase 4: Report Preparation

Operational Stages of a PIA

1. Complete Privacy Checklist (all projects)

2. Determine need for PIA
    • Privacy checklist guides decision
    • Decision rendered by project steering committee, OR
    • Any department involved in Project can force a PIA

3. Project manager assembles PIA team
    • PIA team assembles documentation and information

4. PIA team determines need for outside expertise
    • Should not be required for most PIAs, but…
    • … Consider for very complex or sensitive PIAs

5. Conduct PIA using PIA Template

6. Prepare a report of findings and PIA implementation plan

7. Report and implementation plan approved by participating departments and Privacy Officer

8. Put implementation plan into effect and proceed with project

Timing Considerations

• Total elapsed time in working days

• ‘Easy’ PIA
    • the project is of limited scope
    • low volumes of personal information involved
    • personal information is not particularly sensitive.
    • 21-91 working days

• ‘Hard’ PIA
    • the project is of wide scope
    • large volumes of personal information
    • at least some personal information is very sensitive
    • 34-140 working days

• Completion times will decrease with PIA experience


PIAs and Project Management

• PIA process should be integrated as much as possible with project management processes

• Important to understand where privacy risks might arise as soon as possible in project planning

• Complete privacy checklist before the project charter is approved if possible

• For IT projects, PIA is usually best done between the completion of the business analysis and the completion of application data models

• For non-IT projects, PIA should be completed after PI requirements are reasonably well known but before any part of the project involving PI is rendered operational.


PIA Team

• One or more representatives with specific privacy and security expertise (these will often be different people), including client department Privacy Coordinator

• Project manager(s) (from the larger project team)

• IT staff, including staff from Memorial’s CIO or equivalent and external vendors, as appropriate

• Reps from business areas within the client department(s) that will supply, collect, use, or disclose personal information involved in the project

• Legal counsel if necessary, but the lawyer’s involvement can often be limited to specific legal questions

• Communications staff, if the project is likely to have a high public profile or if privacy risks are likely to become public

PIAs and Security

• PIAs and TRAs
    • A privacy impact assessment is not the same thing as a security threat and risk assessment (TRA), but …

• Privacy and security must be considered in the same breath.
    • Privacy considerations will sometimes constrain security options

• Security is an essential prerequisite for privacy protection.

• Privacy and security measures influence each other in ways that may not be fully appreciated at the beginning of a project.

• Planned for eventual integration of PIA and TRA processes
    • Not right away; requires development of privacy and security policy and procedures first

• Ensure security personnel involved in every PIA

• Ensure privacy personnel involved in every TRA

• Pursue security standards compliance


Contracts

• When project involves external vendors or contractors, an important part of the PIA is the assessment of the relevant contractual provisions.

• When a public body outsources any aspect of the management of personal information, it must ensure that the contractor provides a degree of privacy protection that is at least equivalent to the protection provided by the public body itself.

• In general, the responsibility for privacy protection under the ATIPP Act cannot be delegated by a public body to a contractor.

• The public body must therefore ensure that the contractor meets the obligations to which the public body is bound.


Essential Privacy Terms

• Privacy: not defined in legislation or regulations

• What is privacy?

[general discussion and consensus]

Essential Security Terms

• Personal identification (identity verification)
    • Done once during user registration

• Enrolment
    • Done once for each online service or programme a registered user is authorised to access

• Authentication
    • Done each time a user logs into a system

• Authorisation
    • Checked each time a user accesses an online service or programme

• Accounting (auditing)
    • Done via audit logs or audit trails that record who does what when

Privacy & Security Contrasted

Security

• Confidentiality (e.g.: User authentication & authorization)

• Data Integrity (e.g.: non-repudiation, audit trails)

• System Availability

Privacy

• Accountability

• Consent

• Limiting Collection

• Limiting Use, Disclosure, Retention

• Accuracy

• Security Safeguards

• Openness

• Individual Access

• Challenging Compliance

Privacy & Security Contrasted

Privacy: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Access, Accountability

Shared Practices: Data Quality & Integrity, Accuracy, Security Safeguards, Individual Access (availability), Use Limitation (Authorization)

Security: Access Controls (Confidentiality, Data Integrity, Availability), Authentication, Authorization, Non-repudiation

Why Perform a Privacy Impact Analysis?

Consider a hypothetical Memorial project:

Project 1: Unified Database of Addresses for all Memorial staff, students, academics, researchers, alumni
    • (shared by all departments)
    • benefits: eliminate duplication, effort, reduce cost, etc.

• Ask yourself these questions:
    • Does each project have a privacy impact?
    • Can the impact be lessened?
    • Is the residual impact too high?

[general discussion and consensus]


Why Perform a Privacy Impact Analysis?

• Privacy analysis has many factors

• It is difficult to know when the analysis is complete without some pre-existing framework or checklist to refer to

• Need a framework for the analysis

A Framework for Privacy Impact Analysis …cont.

ATIPP creates a privacy protection scheme that the government must follow to protect an individual’s right to privacy. The scheme includes rules regarding personal information in its custody or control:
    • collection,
    • retention,
    • use,
    • disclosure and
    • disposal

• If an individual feels his/her privacy has been compromised by a government institution, he/she may complain to the Information and Privacy Commissioner who may investigate the complaint.

• Individuals who are given access to their personal information have the right to request correction of that information where they believe there may be an error or omission.

• Where this request is refused, individuals may require that a statement of disagreement be attached to the information.

• Individuals may also require that all parties to whom the information has been disclosed in the preceding year be notified of the correction or statement of disagreement.

A Framework for Privacy Impact Analysis

• Privacy Principles:
    • Canadian Standards Association’s Model Code for the Protection of Personal Information
    • Code was published in March 1996 as a national standard for Canada. It upholds ten basic privacy principles, which constitute a widely recognised and principled approach to data protection in Canada.
    • Ten privacy principles:
        1. Accountability for personal information
        2. Identifying the purposes for collection, use and disclosure of personal info
        3. Consent
        4. Limiting collection of personal information
        5. Limiting use, disclosure and retention of personal information.
        6. Accuracy of personal information
        7. Safeguards for the protection of personal information
        8. Openness about personal information management practices
        9. Individual access to personal information
        10. Challenging compliance

• Government privacy and security directives

A Framework for Privacy Impact Analysis

• Canadian Standards Association’s Model Code for the Protection of Personal Information
    • Code was published in March 1996 as a national standard for Canada.
    • Code upholds ten basic privacy principles. These core principles constitute a widely recognised and principled approach to data protection in Canada.
    • Ten privacy principles:
        1. Accountability for personal information
        2. Identifying the purposes for collection, use and disclosure of personal info
        3. Consent
        4. Limiting collection of personal information
        5. Limiting use, disclosure and retention of personal information.
        6. Accuracy of personal information
        7. Safeguards for the protection of personal information
        8. Openness about practices concerning the management of personal information
        9. Individual access to personal information
        10. Challenging compliance


Privacy Tool Set

• PIAs are not always needed

• Some projects only need simple PIAs

• Some projects need Extended PIAs

• Extended PIAs can be a lengthy and challenging undertaking

• How to determine whether a PIA is needed?

• If needed, how to determine whether a simple one will suffice or whether an extended PIA is needed?

Privacy Tool Set

Tool set consists of two tools:

• A privacy compliance checklist contains a series of about 40 multiple-choice questions in a workbook that automatically computes a score and advises whether a PIA should be performed

• If a PIA is indicated, a PIA template helps the user through the process with a predefined template and a set of yes/no questions for the user to answer
    • an attached workbook automatically scores responses and advises on whether potential problems remain

• If the Messages and Warnings indicate an Extended PIA is suggested the user can use the Supplementary Considerations component of the PIA Template.

Process

[Flowchart: Start → Complete Mandatory Privacy Compliance Checklist → decision "Project Exceeds privacy risk thresholds?" → (Yes) Complete PIA template → decision "Potential privacy compliance issues or privacy risk factors?" → (Yes) Extended PIA. The No branches and the end of the flow lead to "Implement privacy measures" and "Privacy Assessment Concluded".]

Timing

• PIA may result in changes and adjustments needing to be made to the project design, and possibly to the project plan as well.

• PIA may identify issues that represent significant project risk (such as the possibility of non-compliance by data sources).

• Therefore advisable to undertake the privacy analysis as early as practicable in the project life-cycle.
    • This means that the process should be performed preferably as part of the Concept Phase, and no later than the Definition Phase.


Who Performs the Analysis?

• As is the case with PIAs themselves, the analysis needs to be performed by the project team, i.e., the operational segment of Memorial University that is responsible for the project as a whole.


Information Gathering

• The process should preferably be performed as part of Concept Phase, and no later than Definition Phase.

• Caveat: only limited documentation will be available during early stages of a project, and there will be uncertainty about the project's scope and the features of the intended system

Economy of Effort

Toolset determines whether a project’s potential privacy impact is high, moderate, low, or none:

Projects that have No Privacy-Impact:
• Project team begins the Privacy Checklist
• Privacy Checklist indicates that no further action is required.
• Request for approval of the project can be accompanied by a declaration that the proposal is compliant with I&IT Directive para. 21, in that an appropriate form of assessment has concluded that no PIA is required.

Projects that have a Low to Moderate Privacy Impact:
• Project team completes the Privacy Checklist
• Privacy Checklist will suggest need for a PIA
• Project team completes the PIA Template

Projects that have a High Privacy Impact:
• Project team completes the Privacy Checklist
• Privacy Checklist will suggest need for a PIA
• Project team completes the PIA Template
• PIA Template will suggest need for an extended PIA

Toolset Minimises Effort

[Flowchart: the same flow as on the Process slide (Start, Complete Mandatory Privacy Compliance Checklist, "Project Exceeds privacy risk thresholds?", Complete PIA template, "Potential privacy compliance issues or privacy risk factors?", Extended PIA, Implement privacy measures, Privacy Assessment Concluded), annotated with four project types: No-Privacy-Impact Project (only part of the checklist needs to be completed), Low-Privacy-Impact Project, Moderate-Privacy-Impact Project, High-Privacy-Impact Project.]

Provisional Nature of the Analysis

• Determination of No, Low or High Privacy Impact is provisional, not final:
    • as the project is articulated from conception, through definition and planning to implementation, its profile may evolve from Low-PII to High-PII, or from High-PII to Low-PII, particularly if key aspects that caused it to be ranked so highly are later withdrawn; and
    • PIA process may uncover information that is inconsistent with the provisional conclusions reached during the Privacy Compliance Checklist, resulting in revisions and change in the PIA process.

• Therefore, it is essential that project manager remains sensitive throughout the project life-cycle to the possibility that the Privacy Compliance may need to be re-visited, or that the PIA Process Specification (step 3 above) may need to be revised at some later point in the project life-cycle.


Privacy Checklist

• Rapid, easily completed exercise to determine whether a full PIA is required

• Focused on legislative compliance

• Checklist approach; requires little or no privacy expertise

• Can be automated for basic expert system functions

• Proposed version based on automated Alberta Privacy Planning Tool, to be demonstrated

• Recommend adaptation of Alberta tool for Newfoundland, but need to consider:
    • IT infrastructure
    • Adaptation cost
    • Time required

• Benefits of automated checklist:
    • Fast recommendations
    • Thorough responses
    • Consistency in evaluation of risk factors
    • Reduced labour overhead for preliminary privacy reviews

Privacy Checklist

• Institutions have compliance obligations in relation to privacy law; the Privacy Checklist provides institutions with a convenient means to check and document compliance with ATIPP.

• Checklist is [currently] an Excel workbook that includes three main spreadsheets.
    • a checklist spreadsheet containing about 40 multiple choice questions.
    • a short approvals form
    • a scoring spreadsheet that calculates a score based on answers provided on the checklist spreadsheet.
    • a warnings and suggestions spreadsheet

Privacy Checklist …cont.

• Questions are all multiple choice
    • Questions are designed to be straightforward and readily understood
    • Multiple-choice answers are designed to be objective (i.e., evidence-based rather than based on opinion)
    • Privacy-protective answers receive a positive score
    • Answers that may pose privacy problems receive a negative score
    • “Don’t know” is usually scored as negatively as the most negative available choice

Scoring in the Checklist

Scoring is calculated automatically

Scoring has several steps:
• Answer to each multi-choice question is assigned a positive or negative score (questions, answers, and scores on subsequent slides)
• Weighting factors may increase the positive or negative score under certain circumstances (e.g.: the project collects a certain type of data but does not use it or disclose it)
• All the scores (both positive and negative) are summed to calculate a raw score
• Raw score is normalized to a score of zero to 100:
    • Worst possible score is mapped to zero
    • Best possible raw score is mapped to 100

Results of Checklist

Recommendations are automatically made as to whether the PIA template needs to be completed.

PIA template will need to be completed:
• if the normalized score is less than the established threshold or
• if there are more positively scored answers than negatively scored answers, or
• If project, as indicated by answers given, involves the outsourcing of personal information management functions or
• If project, as indicated by answers given, involves disclosure of identifiers (i.e., identifying numbers or symbols) or fingerprints

PIA template may need to be completed:
• If project, as indicated by answers to specific questions, is a large one
• If project, as indicated by answers given, involves collection of identifiers (i.e., identifying numbers or symbols) or fingerprints

Checklist Scoring

• The Scorings embedded in the checklist to assess compliance vulnerabilities are provided as examples of default settings.

• The Scorings in the checklist can be modified by Memorial’s Privacy Officer based on use and experience and might not reflect the numbers provided in the version currently being commented on by Enterprise Privacy Strategy participants: you.

Questions in the Checklist (sample)

• Will the project collect, store, use or disclose personal information about identifiable individuals?
    • Yes [-3]
    • No [+3]
    • Unknown [-3]
    • Other (please elaborate) [-3]

If user is certain that no personal information about any identifiable individual will be collected, used, or disclosed, they are advised that the checklist is complete.
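
The scoring steps and result rules from the checklist slides above, as an added example that is not part of the original presentation or the actual workbook. Only the first question and its -3/+3 scores come from the slides; the other questions, the multiplier form of the weighting factor, and the threshold of 50 are assumptions, and only the threshold rule and the two mandatory triggers (outsourcing, disclosure of identifiers) are modelled.

```python
# Added example: checklist scoring as described on the slides.
# Not the actual Excel workbook; questions, weights and threshold are constructed.
from dataclasses import dataclass


@dataclass
class Question:
    key: str
    choices: dict    # answer label -> score (negative = possible privacy problem)
    weight: int = 1  # assumption: a weighting factor is modelled as a multiplier

    def worst(self):
        return self.weight * min(self.choices.values())

    def best(self):
        return self.weight * max(self.choices.values())

    def score(self, answer):
        if answer is None:
            # Assumption: an unanswered question is scored like the most
            # negative choice, the way "Don't know" usually is.
            return self.worst()
        if answer not in self.choices:
            raise ValueError(f"{self.key}: unknown answer {answer!r}")
        return self.weight * self.choices[answer]


# Only the first question and its -3/+3 scores come from the slides.
QUESTIONS = [
    Question("involves_pi", {"Yes": -3, "No": 3, "Unknown": -3, "Other": -3}),
    Question("outsourced", {"Yes": -2, "No": 2, "Unknown": -2}),
    Question("discloses_identifiers", {"Yes": -3, "No": 1, "Unknown": -3}, weight=2),
    Question("notice_given", {"Yes": 2, "No": -2, "Unknown": -2}),
]
THRESHOLD = 50  # assumed value; the slides only say "established threshold"


def raw_score(answers):
    """Sum of the weighted scores of all answers (positive and negative)."""
    return sum(q.score(answers.get(q.key)) for q in QUESTIONS)


def normalize(raw):
    """Map the worst possible raw score to 0 and the best possible to 100."""
    worst = sum(q.worst() for q in QUESTIONS)
    best = sum(q.best() for q in QUESTIONS)
    return 100.0 * (raw - worst) / (best - worst)


def assess(answers):
    """Return (decision, normalized score, reasons) for one set of answers."""
    if answers.get("involves_pi") == "No":
        # No personal information at all: the checklist is complete.
        return ("checklist complete", None, [])
    score = normalize(raw_score(answers))
    reasons = []
    if score < THRESHOLD:
        reasons.append("score below threshold")
    if answers.get("outsourced") == "Yes":
        reasons.append("outsourcing of PI management")
    if answers.get("discloses_identifiers") == "Yes":
        reasons.append("disclosure of identifiers")
    decision = "PIA template required" if reasons else "no PIA indicated"
    return (decision, score, reasons)


if __name__ == "__main__":
    samples = {
        "in-house, notice given": {"involves_pi": "Yes", "outsourced": "No",
                                   "discloses_identifiers": "No", "notice_given": "Yes"},
        "outsourced": {"involves_pi": "Yes", "outsourced": "Yes",
                       "discloses_identifiers": "No", "notice_given": "Yes"},
        "mostly unanswered": {"involves_pi": "Yes"},
    }
    for name, answers in samples.items():
        print(name, assess(answers))
```

The outsourced sample scores above the assumed threshold yet still requires the PIA template, which shows why the trigger rules are checked independently of the normalized score.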


PIA Template

• Use of template helps to ensure consideration of all major factors

• Focused on risk assessment, not just legislative compliance

• Even with the template, PIA requires judgment and expertise

• No universally recognized format or template for PIAs

• Most jurisdictions that are active in privacy impact assessment use templates; may or may not be mandatory

• Content of template should be a responsibility of the ATIPP office, with input from departments and staff from the CIO

• Proposed template based on British Columbia template
    • Similar legislation
    • Includes some elements from Alberta template, to address corporate issues
    • Revised to ensure compatibility with Newfoundland legislation


Questions