wayne richard - pia risk management - atlseccon2011
TRANSCRIPT
Agenda
• By Definition…
• Legal & Regulatory Context
• Anatomy of a PIA
• PIA in the Project Life Cycle
• Consequences
• Questions?
PIA Defined…
• Privacy Impact Assessment (PIA) - an analysis of how information is handled:
  • to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy,
  • to determine the risks and effects of collecting, maintaining and disseminating information in an electronic information system, and
  • to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
Personal Information is Defined As…
• Recorded information about an identifiable individual including:
  • name, address or telephone number,
  • race, national or ethnic origin, colour, religious or political beliefs or associations,
  • age, sex, sexual orientation, marital or family status,
  • an identifying number, symbol, or other particular assigned to an individual,
  • fingerprints, blood type or inheritable characteristics,
  • health-care history, including physical or mental disability,
  • educational, financial, criminal or employment history,
  • anyone else’s opinion about the individual, and
  • the individual’s personal views or opinions, except if they are about someone else.
Confidential Information Is…
• information that would reveal
  • trade secrets of a third party,
  • commercial, financial, labour relations, scientific or technical information of a third party,
  • that is supplied, implicitly or explicitly, in confidence,
  • the disclosure of which could reasonably be expected to
    • significantly harm the competitive position or negotiating position of a third party,
    • result in undue financial loss or gain to any person or organization,
    • reveal information supplied to or the report of an arbitrator, mediator or labour relations officer,
• information obtained on a tax return or gathered for the purpose of determining tax liability
Not a Product but a Process
• The final PIA document is of course an important product as evidence of assessing privacy risk, but…
• The PIA should be considered as a process that provides guidance on privacy issues throughout the project life cycle.
• Avoids risk of expensive rework and delays near the end of a project.
A TRA by Comparison…
• Is broader in scope - examines not only the risk of disclosure but also the integrity and availability of assets.
• Considers a wider asset base – information, infrastructure, and people.
• Determines level of risk based on known threats, impact of threat execution on assets, and vulnerabilities.
• Recommends safeguards required to reduce risk to an acceptable level.
Legal & Regulatory Context
• Privacy legislation in Canada is based on the CSA Model Code principles:
  • accountability
  • identifying purpose
  • consent
  • limiting collection
  • limiting use, disclosure, and retention
  • accuracy
  • safeguards
  • openness
  • individual access
  • challenging compliance
Context con’t.
• Public Sector Organizations:
  • Privacy Act applies to all federal departments, ministries of state, and specified organizations.
  • FOIPOP Act for each province or territory applies to provincial public bodies; departments, agencies, boards, commissions, crown corporations, municipalities, school boards, universities.
• Private Sector Organizations:
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Quebec, BC, Alberta, and Nova Scotia have privacy legislation related to private sector organizations.
Context con’t.
• Health Information:
  • Alberta, Manitoba, Ontario, and Saskatchewan have separate Health Information Acts.
  • A Pan-Canadian Health Information Privacy and Confidentiality Framework has been endorsed.
Is a PIA Mandatory?
• Public Sector:
  • Government of Canada – yes for new or substantially changed services.
  • Not consistent across provincial jurisdictions: some require a PIA be completed for new or significantly changed services, some only under HIPA if the legislation has been enacted, and some jurisdictions only recommend completion of a PIA.
• Private Sector:
  • Some jurisdictions – yes for health care providers under HIPA.
  • Not mandatory under PIPEDA.
Anatomy of a PIA
• Introduction
• Description
• Collection, Use and Disclosure of Personal Information
• Access Rights for Individuals to their Personal Information
• Privacy Standards: Concerns and Security Measures
• Compliance with PIIDPA
• Conclusions
• Sign-Off
Anatomy…Introduction
• Project Information
  • Project Name
  • Department
  • Key Project Personnel
  • Key Project Dates
Anatomy…Description
• Summary of the New or Changed Service
  • Description of the service – What does the business want to do?
  • Purposes, Goals, Objectives – What does the business hope to achieve, and how will success be measured?
  • The Need – What problem is the business trying to address?
• Intended Scope
  • Who are the service targets?
  • Is this the first phase of a multi-phase project?
• Conceptual Technical Architecture
  • Diagram & Text to illustrate infrastructure of service endpoints, integration points, information storage, etc.
• Information Flow
  • Diagram & Text to illustrate where and how information is collected, used, stored, shared.
Anatomy…Collection, Use and Disclosure
• Authority for the Collection, Use and Disclosure of Personal Information
  • Documents the authority under which the service is being created/changed, i.e. legislation or policy, and the specific FOIPOP legislation that supports/prohibits the collection, use and disclosure of information as detailed in the Description.
• List of Personal Information to be Collected, Used or Disclosed and the Rationale.
  • “Personal Information” and/or “confidential information” as defined by FOIPOP.
• Sources and Accuracy of Personal Information
  • Is the information collected directly from the individual or from a third party? Is it verifiable?
Anatomy…Collection, Use and Disclosure
• Location of the Personal Information
  • Where is the information stored? Source information, databases, electronic documents, portable storage devices?
• Retention Schedule and Method of Destruction/De-identification
  • Records management practices that are followed, including those of third parties.
  • Electronic records retention may be problematic.
• Identification of Consent Issues
  • Is collection and disclosure permitted under FOIPOP without the individual’s consent? If not, how is consent obtained?
  • Is there a published copy of the organization’s privacy policy?
• Users of Personal Information
  • Who will have access to the information collected and why?
Anatomy…Access Rights of Individuals
• As per the CSA Model Code, individuals have the right to know what personal information of theirs an organization has collected and stored.
• The individual also has a right to correct any information.
• What provisions have been made for this purpose?
Anatomy…Privacy Standards
• Administrative Safeguards
  • What user access controls are in place to limit access to only those who require it?
  • Are the users aware of their privacy obligations, and privacy breach protocols?
  • Is there an Information Sharing Agreement (ISA) in place that obligates third-party organizations to protect shared personal information as per FOIPOP?
• Basic Technical Safeguards
  • Document network and server security practices, data exchange architecture.
  • Document application coding standards used, particularly for web-based applications.
  • If personal information is to be stored on mobile devices, what precautions are taken?
Anatomy…Privacy Standards
• Auditing
  • Document what auditing practices will be employed to demonstrate that personal information has not been accidentally or fraudulently disclosed.
  • What audit reports are required from third-party organizations who have been given access to the information?
• Methods of Avoidance of Unintentional Disclosure
  • One need only read the news to understand that this is a big issue; stolen laptops, paper records tossed in dumpsters, etc.
Anatomy…Compliance with PIIDPA
• The Personal Information International Disclosure Protection Act prohibits trans-border (out of Canada) transmission or storage of personal information, and sets out the exceptions that permit it.
• PIIDPA also applies to third-party organizations performing a service on behalf of government.
• PIIDPA and the US Patriot Act are mutually exclusive.
  • Document any issues, and steps taken to mediate them.
  • In some cases, for example third-party support contracts with US-based companies, the risk must be accepted, but controls put in place to monitor compliance.
Anatomy…Conclusions
• The impacts on the privacy, confidentiality and security of personal information as a result of the new or changed service.
• Identify areas that pose a risk to compliance.
• Recommend a mitigation strategy to reduce risk, e.g. request consent from a client to collect, use and/or disclose their personal information.
• One might also recommend that a further assessment, such as a vulnerability assessment, be conducted prior to the service being operationalized.
Anatomy…Sign-Off
• Signifies acceptance of the Privacy Impact Assessment findings and recommendations.
• The Government of Nova Scotia requires sign-off by the Project Manager, Privacy Lead, Senior IT Executive, Program Owner, and Deputy Minister.
PIA in the Project Life Cycle
• Engage early in the process.
• Involve throughout the project life cycle.
• The Privacy Lead monitors the project throughout its life cycle to ensure that design changes don’t negatively impact privacy compliance, and that any identified privacy issues are addressed early in the design phase.
PIA in the Project Life Cycle
• Project phases, in order:
  • Project Initiation
  • Functional Design
  • Technical Design
  • System Development
  • System Test
  • Project Completion
• PIA activities, in the order they are carried out across those phases:
  • PIA Introduction, General Description, Scope, Authority
  • Technical Architecture, Information Flow, List of Personal Information, Retention Schedule, Sources & Accuracy, Location of PI, Consent Issues, Users of PI
  • Policy Standards, Methods of Avoidance, Compliance with PIIDPA, Conclusions
  • Monitor and Recommend
  • Sign-Off, Follow-Up
Privacy Breach Consequences
• Canadian Case Law cites many privacy complaints but very rarely are damages awarded.
• Most are investigated by the appropriate provincial or federal Privacy Commissioner and findings typically result in an apology, change in corporate policy and practice, etc.
• Privacy breaches may result in loss of trust, reputation, and/or embarrassment.
• That may change…