Bell Security Solutions - Memorial University of Newfoundland

Enterprise Privacy Strategy
Memorial University
May 2007
Strictly Confidential
Topics for Today
• What is an Enterprise Strategy?
• ATIPP Legislation
• Compliance requirements overview
• Privacy policy
• Organizing for privacy
• Privacy checklist
• Getting your comments
• Privacy impact assessment
• Overview
• Questions
Memorial Enterprise Privacy Strategy
• Data Gathering: Completing the Privacy Checklist
• Review of Current Documentation
• Gap Analysis, Enterprise Capacity Check
• Ensuring Best Practices
• Roles, responsibilities, accountabilities, policies, procedures, training, audit
• Setting Priorities and Plan for addressing Gaps, privacy vulnerabilities
• Implementation and Resourcing schedule for moving towards compliance
Glossary
• Privacy analyst means a person in a department who has been designated the role of coordinating privacy compliance activities and privacy impact assessment within that department.
• Project means 'scheme', 'program', 'initiative', 'application', 'system' and
any other defined course of endeavour.
• PIA means Privacy Impact Assessment
• Privacy Officer refers to Rosemary Smith and her team and advisory
group
Legislation
• Part IV of the Access to Information and Protection of Privacy (ATIPP) Act
• Not yet proclaimed – proclamation expected spring 2007
• Planning currently underway
• Primary privacy legislation for all government departments and agencies
• This is the focus of current planning activities
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Federal private-sector privacy legislation
• Does not apply to provincial government departments or agencies
• May apply to certain MASH sector organizations in some circumstances
• Applies to provincial private sector for commercial transactions
• Privacy Act of Newfoundland and Labrador
• Establishes right to sue for privacy breaches ("tort")
• Requires no specific action by government departments or agencies, but does bind the Crown
ATIPP Act Definitions
• “Personal Information” (PI)
• (o) "personal information" means recorded information about an identifiable
individual, including
• (i) the individual's name, address or telephone number,
• (ii) the individual's race, national or ethnic origin, colour, or religious or political
beliefs or associations,
• (iii) the individual's age, sex, sexual orientation, marital status or family status,
• (iv) an identifying number, symbol or other particular assigned to the individual,
• (v) the individual's fingerprints, blood type or inheritable characteristics,
• (vi) information about the individual's health care status or history, including a
physical or mental disability,
• (vii) information about the individual's educational, financial, criminal or employment
status or history,
• (viii) the opinions of a person about the individual, and
• (ix) the individual's personal views or opinions;
ATIPP Act Definitions
• ATIPP Act imposes compliance requirements for the collection, use and
disclosure of PI
• “Collection”
• The addition of new PI to the records of a public body, or the revision of
existing PI based on other information originating outside the public body
• Encompasses all flows of PI into a public body from outside, provided the PI is
recorded
• “Use”
• Reference to, or application of, PI for any purpose within the public body
• Uses involving decisions about the individual are particularly important
• “Disclosure”
• Transfer of PI from the records of the public body to any entity that is not part of the public body, subject to the definition of “employee” in the ATIPP Act
• Encompasses all flows of PI out of a public body from inside
ATIPP Act Definitions
• “Employee”
• (e) "employee", in relation to a public body, includes a person retained under
a contract to perform services for the public body;
• “Head”
• (f) "head", in relation to a public body, means
• (i) in the case of a department, the minister who presides over it,
• (ii) in the case of a corporation, its chief executive officer,
• (iii) in the case of an unincorporated body, the minister appointed under the
Executive Council Act to administer the Act under which the body is established, or
the minister who is otherwise responsible for the body, or
• (iv) in another case, the person or group of persons designated under section 66 or
in the regulations as the head of the public body;
ATIPP Act Definitions
• “Public body”
• (p) "public body" means
• (i) a department created under the Executive Council Act, or a branch of the
executive government of the province,
• (ii) a corporation, the ownership of which, or a majority of the shares of which is vested in the Crown,
• (iii) a corporation, commission or body, the majority of the members of which, or the
majority of members of the board of directors of which are appointed by an Act, the
Lieutenant-Governor in Council or a minister,
• (iv) a local public body,
• and includes a body designated for this purpose in the regulations made
under section 73, but does not include,
• (v) the office of a member or an officer of the House of Assembly,
• (vi) the Trial Division, the Court of Appeal or the Provincial Court, or
• (vii) a body listed in the Schedule;
ATIPP Act Definitions
• “Local public body”
• (k) "local public body" means
• (i) an educational body,
• (ii) a health care body, and
• (iii) a local government body;
• “Health care body”
• (g) "health care body" means
• (i) a hospital board or authority as defined in the Hospitals Act,
• (ii) a health and community services board established under the Health and
Community Services Act,
• (iii) the Cancer Treatment and Research Foundation,
• (iv) the Mental Health Review Board,
• (v) the Newfoundland and Labrador Centre for Health Information, and
• (vi) a body designated as a health care body in the regulations made under section
73;
Compliance Requirements: Collection
• PI may be collected only if
• Authorized by legislation
• Required for law enforcement purposes
• Necessary for an operating program or activity of a public body
• Collection must normally be directly from the subject, with specific
exceptions
• Subject must be informed of (with specific exceptions)
• Legal authority for collection
• Purpose of collection
• Contact information for someone to whom questions may be directed
• PI to be kept accurate and up-to-date if used for decisions about subject
• Retain for one year
• Subject has right to request correction of PI
• Reasonable security measures required
Compliance Requirements: Use
• PI may be used only
• For original purpose or a consistent purpose
• With the consent of the subject
• For a purpose related to specified disclosure purposes in Section 38, 39
• Requires reasonable and direct connection to disclosure purpose
• Must be necessary for legally authorized purposes of the public body that uses the
information
• Use of PI limited to the minimum amount required for the specific purpose
• Cannot collect or retain PI “just in case”
Compliance Requirements: Disclosure
• PI may be disclosed only
• As specified in Section 39
• For a purpose consistent with purpose of collection
• Under court order
• To an employee or the minister, if necessary for his or her duties
• To the Auditor General or Provincial Archives
• To an MHA when PI subject has requested assistance
• For a law enforcement investigation
• To protect the health and safety of any individual
• When authorized or required by other provincial or federal legislation
• others
• With the consent of the subject
• For research or statistical purposes, subject to specified conditions
• From the Provincial Archives, subject to specified conditions
Introduction to PIAs
• PIA: “An evaluation process which allows those involved in the collection,
use or disclosure of Personal Information to assess and evaluate privacy,
confidentiality or security risks associated with these activities, and to
develop measures intended to mitigate the identified risks.”
• Identifies potential areas of noncompliance with the applicable privacy
legislation and policy.
• Identifies risks
• Identifies measures to mitigate those risks.
• Due diligence exercise
• Best focused on risk assessment, not pure compliance
• Report should be a public document
• Certain appendices may be withheld, e.g., sensitive security details
• Need clear ATIPP authority to withhold
PIA Purposes
• Provide information for informed policy, system design or procurement
decisions.
• Ensure that privacy protection is a key consideration in the initial framing
of a project’s objectives and activities.
• Provide a consistent format and structured process for analyzing
compliance to legislation.
• Ensure that the protection of privacy is included in core criteria for
projects.
• Identify a clear accountability and demonstrate due diligence
• Document the flow of personal information.
• Identify means to reduce or eliminate privacy risks.
• Build public trust and confidence
Draft PIA Policy
• “Public Bodies within the Government of Newfoundland and Labrador will
conduct PIAs for all new and significantly redesigned collections, uses or
disclosures of Personal Information that may raise potential privacy risks.”
• (Whether a given project involves potential privacy risks is to be determined in
part by the Privacy Checklist, which we will discuss later)
• “A privacy impact assessment shall consist of:
• “a specific assessment against the privacy provisions of the Access to
Information and Protection of Privacy Act;
• “a data flow description for the collection, use or disclosure of Personal
Information;
• “a threat and risk assessment of the collection, use or disclosure of Personal
Information.”
• PIAs to be conducted using tools and procedures that conform with GNL
Privacy Legislation
Draft PIA Policy - Roles
• Public body
• Head is responsible for compliance with the privacy provisions of ATIPP Act.
• Departments have ultimate responsibility for compliance with the privacy
provisions of the ATIPP Act.
• The Senior Executive is responsible for ensuring that a PIA is completed in accordance with this policy if necessary.
• PIAs to be approved by the Head, or by a person designated in writing by him
or her to review and approve PIAs.
• PIAs involving information technology Projects or initiatives should also be
approved by Memorial’s Privacy Officer, or by a person designated in writing
by her to review and approve PIAs.
Draft PIA Policy - Roles
• Office of the ATIPP Coordinator GNL
• Developing and maintaining the privacy impact assessment process and
procedures.
• Ensuring that the process and procedures are understood throughout the
Government of Newfoundland and Labrador and the broader public sector.
• Changes to PIA Policy and related processes and procedures subject to the
approval of the minister responsible for the ATIPP Office.
• Memorial University Privacy Officer
• Approval of privacy impact assessments, in cooperation with responsible
Department(s)
• Incorporate PIAs into Memorial’s project management standards,
• Continued leadership and key resource for developing privacy capacities at
Memorial University
Draft PIA Policy - Roles
• Project Manager
• Conducting the PIA, or ensuring that it is conducted
• Overseeing the PIA process
• If the Project does not have a Project Manager assigned, the manager who
otherwise carries day-to-day responsibility for the Project is responsible
• The Project Manager to undertake PIAs in accordance with the relevant PIA
procedures and best practices approved by Memorial University Privacy
Officer.
Analytical Phases of a PIA
• Phase 1: Project Initiation
• Overall scope of the PIA determined
• Appropriate tools are selected or developed
• Collection and organization of information about the project
• Selection of the people and skill sets.
• Establishment of the PIA team and a PIA work plan
• Retention of external expertise if required.
• Phase 2: Data Flow Analysis
• Flow of personal information into, within, and out of data repositories and systems that are part of the project is examined.
• Phase 3: Privacy Risk Analysis
• Data flow analysis is assessed in the context of compliance requirements, privacy principles, the sensitivity and volume of the personal information involved, and other factors.
• Risk factors and mitigation measures.
• Phase 4: Report Preparation
Operational Stages of a PIA
1. Complete Privacy Checklist (all projects)
2. Determine need for PIA
• Privacy checklist guides decision
• Decision rendered by project steering committee, OR
• Any department involved in Project can force a PIA
3. Project manager assembles PIA team
• PIA team assembles documentation and information
4. PIA team determines need for outside expertise
• Should not be required for most PIAs, but…
• … Consider for very complex or sensitive PIAs
5. Conduct PIA using PIA Template
6. Prepare a report of findings and PIA implementation plan
7. Report and implementation plan approved by participating departments and Privacy Officer
8. Put implementation plan into effect and proceed with project
Timing Considerations
• Total elapsed time in working days
• ‘Easy’ PIA
• the project is of limited scope
• low volumes of personal information involved
• personal information is not particularly sensitive.
• 21-91 working days
• ‘Hard’ PIA
• the project is of wide scope
• large volumes of personal information
• at least some personal information is very sensitive
• 34-140 working days
• Completion times will decrease with PIA experience
PIAs and Project Management
• PIA process should be integrated as much as possible with project
management processes
• important to understand where privacy risks might arise as soon as
possible in project planning
• Complete privacy checklist before the project charter is approved if
possible
• For IT projects, PIA is usually best done between the completion of the
business analysis and the completion of application data models
• For non-IT projects, PIA should be completed after PI requirements
reasonably well-known but before any part of the project involving PI is
rendered operational.
PIA Team
• One or more representatives with specific privacy and security expertise
(these will often be different people), including client department Privacy
Coordinator
• Project manager(s) (from the larger project team)
• IT staff, including staff from Memorial’s CIO or equivalent and external vendors, as appropriate
• Reps from business areas within the client department(s) that will supply,
collect, use, or disclose personal information involved in the project
• Legal counsel if necessary, but the lawyer’s involvement can often be
limited to specific legal questions
• Communications staff, if the project is likely to have a high public profile
or if privacy risks are likely to become public
PIAs and Security
• PIAs and TRA's
• A privacy impact assessment is not the same thing as a security threat and
risk assessment (TRA), but …
• Privacy and security must be considered in the same breath.
• Privacy considerations will sometimes constrain security options
• Security is an essential prerequisite for privacy protection.
• Privacy and security measures influence each other in ways that may not be
fully appreciated at the beginning of a project.
• Planned for eventual integration of PIA and TRA processes
• Not right away; requires development of privacy and security policy and
procedures first
• Ensure security personnel involved in every PIA
• Ensure privacy personnel involved in every TRA
• Pursue security standards compliance
Contracts
• When project involves external vendors or contractors, an important part
of the PIA is the assessment of the relevant contractual provisions.
• When a public body outsources any aspect of the management of
personal information, it must ensure that the contractor provides a degree
of privacy protection that is at least equivalent to the protection provided
by the public body itself.
• In general, the responsibility for privacy protection under the ATIPP Act
cannot be delegated by a public body to a contractor.
• The public body must therefore ensure that the contractor meets the
obligations to which the public body is bound.
Essential Privacy Terms
• Privacy: not defined in legislation or regulations
• What is privacy?
[general discussion and consensus]
Essential Security Terms
• Personal identification (identity verification)
• Done once during user registration
• Enrolment
• Done once for each online service or programme a registered user is
authorised to access
• Authentication
• Done each time a user logs into a system
• Authorisation
• Checked each time a user accesses an online service or programme
• Accounting (auditing)
• Done via audit logs or audit trails that record who does what when
Privacy & Security Contrasted
Privacy
• Accountability
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Security Safeguards
• Openness
• Individual Access
• Challenging Compliance
Security
• Confidentiality (e.g.: user authentication & authorization)
• Data Integrity (e.g.: non-repudiation, audit trails)
• System Availability
Privacy & Security Contrasted
Privacy
• Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Access, Accountability
Security
• Access Controls (Confidentiality, Data Integrity, Availability), Authentication, Authorization, Non-repudiation
Shared Practices
• Data Quality & Integrity (Accuracy)
• Security Safeguards
• Individual Access (availability)
• Use Limitation (Authorization)
Why Perform a Privacy Impact Analysis?
Consider a hypothetical Memorial project:
Project 1: Unified Database of Addresses for all Memorial staff, students, academics, researchers, alumni
• shared by all departments
• benefits: eliminate duplication of effort, reduce cost, etc.
• Ask yourself these questions:
• Does each project have a privacy impact?
• Can the impact be lessened?
• Is the residual impact too high?
[general discussion and consensus]
Why Perform a Privacy Impact Analysis?
• Privacy analysis has many factors
• It is difficult to know when the analysis is complete without some pre-existing framework or checklist to refer to
• Need a framework for the analysis
A Framework for Privacy Impact Analysis …cont.
ATIPP creates a privacy protection scheme that the government must follow to protect an individual’s right to privacy. The scheme includes rules regarding personal information in its custody or control:
• collection,
• retention,
• use,
• disclosure and
• disposal
If an individual feels his/her privacy has been compromised by a government institution, he/she may complain to the Information and Privacy Commissioner who may investigate the complaint.
Individuals who are given access to their personal information have the right to request correction of that information where they believe there may be an error or omission.
Where this request is refused, individuals may require that a statement of disagreement be attached to the information.
Individuals may also require that all parties to whom the information has been disclosed in the preceding year be notified of the correction or statement of disagreement.
A Framework for Privacy Impact Analysis
• Privacy Principles:
• Canadian Standards Association’s Model Code for the Protection of Personal Information
• Code was published in March 1996 as a national standard for Canada. It upholds ten basic privacy principles, which constitute a widely recognised and principled approach to data protection in Canada.
• Ten privacy principles:
1. Accountability for personal information
2. Identifying the purposes for collection, use and disclosure of personal info
3. Consent
4. Limiting collection of personal information
5. Limiting use, disclosure and retention of personal information.
6. Accuracy of personal information
7. Safeguards for the protection of personal information
8. Openness about personal information management practices
9. Individual access to personal information
10. Challenging compliance
• Government privacy and security directives
Privacy Tool Set
• PIAs are not always needed
• Some projects only need simple PIAs
• Some projects need Extended PIAs
• Extended PIAs can be a lengthy and challenging undertaking
• How to determine whether a PIA is needed?
• If needed, how to determine whether a simple one will suffice or whether an extended PIA is needed?
Privacy Tool Set
Tool set consists of two tools:
• A privacy compliance checklist contains a series of about 40 multiple-choice questions in a workbook that automatically computes a score and advises whether a PIA should be performed
• If a PIA is indicated, a PIA template helps the user through the process with a predefined template and a set of yes/no questions for the user to answer
• an attached workbook automatically scores responses and advises on whether potential problems remain
• If the Messages and Warnings indicate an Extended PIA is suggested, the user can use the Supplementary Considerations component of the PIA Template.
Process (flowchart)
Start → Complete Mandatory Privacy Compliance Checklist → Potential privacy compliance issues or privacy risk factors?
• If no: Privacy Assessment Concluded
• If yes: Complete PIA template → Project exceeds privacy risk thresholds?
• If no: Implement privacy measures
• If yes: Extended PIA
Timing
• PIA may result in changes and adjustments needing to be made to the project design, and possibly to the project plan as well.
• PIA may identify issues that represent significant project risk (such as the possibility of non-compliance by data sources).
• Therefore advisable to undertake the privacy analysis as early as practicable in the project life-cycle.
• This means that the process should be performed preferably as part of the Concept Phase, and no later than the Definition Phase.
Who Performs the Analysis?
• As is the case with PIAs themselves, the analysis needs to be performed by the project team, i.e., the operational segment of Memorial University that is responsible for the project as a whole.
Information Gathering
• The process should preferably be performed as part of Concept Phase, and no later than Definition Phase.
• Caveat: only limited documentation will be available during early stages of a project, and there will be uncertainty about the project's scope and the features of the intended system
Economy of Effort
Toolset determines whether a project’s potential privacy impact is high,
moderate, low, or none:
Projects that have No Privacy-Impact:
• Project team begins the Privacy Checklist
• Privacy Checklist indicates that no further action is required.
• Request for approval of the project can be accompanied by a declaration that the proposal is
compliant with I&IT Directive para. 21, in that an appropriate form of assessment has concluded
that no PIA is required.
Projects that have a Low to Moderate Privacy Impact:
• Project team completes the Privacy Checklist
• Privacy Checklist will suggest need for a PIA
• Project team completes the PIA Template
Projects that have a High Privacy Impact:
• Project team completes the Privacy Checklist
• Privacy Checklist will suggest need for a PIA
• Project team completes the PIA Template
• PIA Template will suggest need for an extended PIA
Toolset Minimises Effort (flowchart)
Start → Complete Mandatory Privacy Compliance Checklist
• No-Privacy-Impact Project: only part of the checklist needs to be completed
Potential privacy compliance issues or privacy risk factors?
• If no: Privacy Assessment Concluded (Low-Privacy-Impact Project)
• If yes: Complete PIA template (Moderate-Privacy-Impact Project) → Project exceeds privacy risk thresholds?
• If no: Implement privacy measures
• If yes: Extended PIA (High-Privacy-Impact Project)
Provisional Nature of the Analysis
• Determination of No, Low or High Privacy Impact is provisional, not final:
• as the project is articulated from conception, through definition and planning to implementation, its profile may evolve from Low-PII to High-PII, or from High-PII to Low-PII, particularly if key aspects that caused it to be ranked so highly are later withdrawn; and
• PIA process may uncover information that is inconsistent with the provisional conclusions reached during the Privacy Compliance Checklist, resulting in revisions and change in the PIA process.
• Therefore, it is essential that the project manager remains sensitive throughout the project life-cycle to the possibility that the Privacy Compliance may need to be re-visited, or that the PIA Process Specification (step 3 above) may need to be revised at some later point in the project life-cycle.
Privacy Checklist
• Rapid, easily completed exercise to determine whether a full PIA is required
• Focused on legislative compliance
• Checklist approach; requires little or no privacy expertise
• Can be automated for basic expert system functions
• Proposed version based on automated Alberta Privacy Planning Tool, to be demonstrated
• Recommend adaptation of Alberta tool for Newfoundland, but need to consider:
• IT infrastructure
• Adaptation cost
• Time required
• Benefits of automated checklist:
• Fast recommendations
• Thorough responses
• Consistency in evaluation of risk factors
• Reduced labour overhead for preliminary privacy reviews
Privacy Checklist
• Institutions have compliance obligations in relation to privacy law.
• Privacy Checklist provides institutions with convenient means to check and document compliance with ATIPP.
• Checklist is [currently] an Excel workbook that includes three main spreadsheets.
• a checklist spreadsheet containing about 40 multiple choice questions.
• a short approvals form
• a scoring spreadsheet that calculates a score based on answers provided on the checklist spreadsheet.
• a warnings and suggestions spreadsheet
Privacy Checklist …cont.
• Questions are all multiple choice
• Questions are designed to be straightforward and readily understood
• Multiple-choice answers are designed to be objective (i.e., evidence-based rather than based on opinion)
• Privacy-protective answers receive a positive score
• Answers that may pose privacy problems receive a negative score
• “Don’t know” is usually scored as negatively as the most negative available choice
Scoring in the Checklist
Scoring is calculated automatically
Scoring has several steps:
• Answer to each multi-choice question is assigned a positive or negative score
(questions, answers, and scores on subsequent slides)
• Weighting factors may increase the positive or negative score under certain
circumstances (e.g.: the project collects a certain type of data but does not use
it or disclose it)
• All the scores (both positive and negative) are summed to calculate a raw
score
• Raw score is normalized to a score of zero to 100:
• Worst possible score is mapped to zero
• Best possible raw score is mapped to 100
Results of Checklist
Recommendations are automatically made as to whether the PIA template needs to be completed.
PIA template will need to be completed:
• if the normalized score is less than the established threshold or
• if there are more positively scored answers than negatively scored answers, or
• If project, as indicated by answers given, involves the outsourcing of personal information management functions or
• If project, as indicated by answers given, involves disclosure of identifiers (i.e., identifying numbers or symbols) or fingerprints
PIA template may need to be completed:
• If project, as indicated by answers to specific questions, is a large one
• If project, as indicated by answers given, involves collection of identifiers (i.e., identifying numbers or symbols) or fingerprints
Checklist Scoring
• The scorings embedded in the checklist to assess compliance vulnerabilities are provided as examples of default settings.
• The scorings in the checklist can be modified by Memorial’s Privacy Officer based on use and experience and might not reflect the numbers provided in the version currently being commented on by Enterprise Privacy Strategy participants: you.
Questions in the Checklist (sample)
• Will the project collect, store, use or disclose personal information about identifiable individuals?
• Yes [-3]
• No [+3]
• Unknown [-3]
• Other (please elaborate) [-3]
If user is certain that no personal information about any identifiable individual will be collected, used, or disclosed, they are advised that the checklist is complete.
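The checklist scoring and decision rules from the Scoring in the Checklist, Results of Checklist and sample-question slides, worked through as an added example that is not the Bell/Memorial workbook: the questions, scores, weighting rule and threshold of 60 are constructed, and the answer-count rule is implemented as more negatively than positively scored answers, which is assumed to be the intended reading.

```python
"""Privacy Compliance Checklist scoring and PIA recommendation, as the slides describe it:
scored multiple-choice answers, "Don't know" scored as badly as the worst option, a
weighting factor, a raw sum normalized to 0..100 (worst possible -> 0, best -> 100), and
the decision rules for whether the PIA template is needed. Questions, scores, the
weighting rule and the threshold are constructed for illustration, not workbook values."""
from dataclasses import dataclass, field
from itertools import product

DONT_KNOW = "Don't know"
THRESHOLD = 60  # assumed; the slides only refer to an "established threshold"
MAYBE_REASONS = {"large_project": "large project",
                 "collects_identifiers": "collection of identifiers or fingerprints"}


@dataclass
class Question:
    qid: str
    text: str
    options: dict                             # answer text -> score (+ protective, - risky)
    tags: dict = field(default_factory=dict)  # answer text -> flag used by the decision rules

    def score(self, answer):
        # "Don't know" is scored as negatively as the most negative available choice.
        return min(self.options.values()) if answer == DONT_KNOW else self.options[answer]


# Constructed stand-ins for the ~40 checklist questions; Q1 is the slides' sample question.
QUESTIONS = [
    Question("Q1", "Will the project collect, store, use or disclose personal information?",
             {"Yes": -3, "No": 3, "Unknown": -3, "Other (please elaborate)": -3}, {"No": "no_pi"}),
    Question("Q2", "Will the project collect identifying numbers, symbols or fingerprints?",
             {"Yes": -2, "No": 2}, {"Yes": "collects_identifiers"}),
    Question("Q3", "Will identifiers or fingerprints be disclosed outside the public body?",
             {"Yes": -4, "No": 2}, {"Yes": "discloses_identifiers"}),
    Question("Q4", "Will any personal information management function be outsourced?",
             {"Yes": -3, "No": 1}, {"Yes": "outsourcing"}),
    Question("Q5", "How many individuals will the project hold records about?",
             {"Fewer than 1,000": 1, "1,000 to 100,000": -1, "More than 100,000": -2},
             {"More than 100,000": "large_project"}),
]


def answer_to(q, answers):
    # An unanswered question is treated as "Don't know", i.e. scored at its worst.
    return answers.get(q.qid, DONT_KNOW)


def weight(q, answers):
    # Constructed weighting factor: disclosing identifiers that the project also collects
    # doubles the disclosure penalty (the slides' "weighting factors may increase ... score").
    if q.qid == "Q3" and answers.get("Q2") == "Yes" and answers.get("Q3") == "Yes":
        return 2.0
    return 1.0


def raw_score(answers):
    return sum(q.score(answer_to(q, answers)) * weight(q, answers) for q in QUESTIONS)


def score_bounds():
    # Worst and best achievable raw scores, found by enumerating every answer combination
    # so that the weighting factor is accounted for exactly.
    qids = [q.qid for q in QUESTIONS]
    raws = [raw_score(dict(zip(qids, combo)))
            for combo in product(*[list(q.options) for q in QUESTIONS])]
    return min(raws), max(raws)


def normalized_score(answers):
    worst, best = score_bounds()
    return round(100 * (raw_score(answers) - worst) / (best - worst), 1)


def recommend(answers):
    """Apply the checklist's decision rules; returns the recommendation and its reasons."""
    flags = {q.tags.get(answer_to(q, answers)) for q in QUESTIONS} - {None}
    if "no_pi" in flags:  # sample question: no personal information, so the checklist is complete
        return {"pia": "not required", "score": None, "reasons": ["no personal information involved"]}
    scores = [q.score(answer_to(q, answers)) for q in QUESTIONS]
    positive, negative = sum(s > 0 for s in scores), sum(s < 0 for s in scores)
    score = normalized_score(answers)
    required = []
    if score < THRESHOLD:
        required.append(f"normalized score {score} below threshold {THRESHOLD}")
    if negative > positive:  # assumed reading of the slides' answer-count rule
        required.append("more negatively than positively scored answers")
    if "outsourcing" in flags:
        required.append("outsourcing of personal information management")
    if "discloses_identifiers" in flags:
        required.append("disclosure of identifiers or fingerprints")
    if required:
        return {"pia": "required", "score": score, "reasons": required}
    maybe = [text for flag, text in MAYBE_REASONS.items() if flag in flags]
    if maybe:
        return {"pia": "may be required", "score": score, "reasons": maybe}
    return {"pia": "not required", "score": score, "reasons": []}


if __name__ == "__main__":
    # Constructed answers for a campus-wide address database holding more than 100,000 records.
    print(recommend({"Q1": "Yes", "Q2": "Yes", "Q3": "No", "Q4": "No", "Q5": "More than 100,000"}))
```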
PIA Template
• Use of template helps to ensure consideration of all major factors
• Focused on risk assessment, not just legislative compliance
• Even with the template, PIA requires judgment and expertise
• No universally recognized format or template for PIAs
• Most jurisdictions that are active in privacy impact assessment use templates; may or may not be mandatory
• Content of template should be a responsibility of the ATIPP office, with input from departments and staff from the CIO
• Proposed template based on British Columbia template
• Similar legislation
• Includes some elements from Alberta template, to address corporate issues
• Revised to ensure compatibility with Newfoundland legislation
Questions