Privacy Impact Assessments (PIAs):

Similar documents
TransLink Video Surveillance & Audio Recording Privacy Statement

Privacy Impact Assessment (PIA) Tool

Breach Notification Assessment Tool

Privacy Policy GENERAL

UWC International Data Protection Policy

Privacy Policy on the Responsibilities of Third Party Service Providers

City of Victoria - Privacy Impact Assessment

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

PRIVACY IMPACT ASSESSMENT

Privacy Impact Assessment

Data Protection Policy

Introduction to Personal Data Protection DCU Risk & Compliance Office October 2015

Ambition Training. Privacy Policy

Brasenose College ICT Systems Privacy Notice (v1.2)

Jefferies EMEA Privacy Notice

Building a Privacy Management Program

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Freedom of Information and Protection of Privacy (FOIPOP)

Policy Objectives (the Association) Privacy Act APPs Policy Application ACTU The Police Association Website

Policy on Privacy and Management of Personal Information

DATA PROTECTION POLICY

DATA PROTECTION POLICY THE HOLST GROUP

Cognizant Careers Portal Privacy Policy ( Policy )

Privacy Notice. General Information Protection Regulation ( GDPR )

Subject: Kier Group plc Data Protection Policy

Data Protection Policy

Privacy Policy Wealth Elements Pty Ltd

Privacy and Data Protection Policy

Order F19-04 OFFICE OF THE PREMIER. Celia Francis Adjudicator. January 29, 2019

FOOT LOCKER PRIVACY POLICY

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

Privacy Notice - General Data Protection Regulation ( GDPR )

This policy also applies to personal information about you that the Federation collects from any other third party.

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

Office of John Howell MP Data Protection Policy

Information Security Data Classification Procedure

PRIVACY POLICY 1. ABOUT THIS POLICY

1 Privacy Statement INDEX

GROUP ASSURANCE EDUCATION GUARDIAN BENEFITS CLAIM FORM

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

CNH Industrial will use your personal information for a number of purposes including the following:

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Architecture and Standards Development Lifecycle

ADMA Briefing Summary March

Registration Statement Form 13(N) Extraprovincial Cooperative Association

Introduction to the Personal Data (Privacy) Ordinance

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

NOTE: The first appearance of terms in bold in the body of this document (except titles) are defined terms please refer to the Definitions section.

Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy )

GENERAL PRIVACY POLICY

Information Security Strategy

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

Welcome to the new BC Bid!

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Data Protection Policy

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

UWTSD Group Data Protection Policy

Notification Form. Code of Practice for Soil Amendments

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

Privacy Policy Manhattan Neighborhood Network Policies 2017

DATA PROTECTION IN RESEARCH

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance

VIACOM INC. PRIVACY SHIELD PRIVACY POLICY

Government data matching and the Privacy Act 1988 (Cth)

The West End Community Trust Privacy Policy

VISTRA (CYPRUS) LTD. PRIVACY NOTICE

Introduction to the Personal Data (Privacy) Ordinance

1. Introduction and Overview 3

Community Development and Recreation Committee

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

VISTRA NETHERLANDS PRIVACY NOTICE

Putting It All Together:

Data Protection Policy

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

NCG Carlisle College Privacy Statement

Privacy Breach Policy

PRIVACY NOTICE. 1.2 We may obtain or collect your Personal Data from various sources including but not limited to:

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;

PayThankYou LLC Privacy Policy

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Our privacy statement Who are we? Your acceptance of this statement Changes to this privacy statement What is personal data?

Introduction to the Personal Data (Privacy) Ordinance

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

HOW WE USE YOUR INFORMATION

Data Processing Agreement DPA

Red Flags/Identity Theft Prevention Policy: Purpose

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

Emergency Management BC Update

Technical Requirements of the GDPR

PRIVACY NOTICE ST BENEDICT S HOSPICE SUNDERLAND, LTD

Vistra International Expansion Limited PRIVACY NOTICE

VISTRA ZURICH AG - PRIVACY NOTICE

Data Protection Policy

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

Transcription:

Privacy Impact Assessments (PIAs): What, Who, Why, When, How and Where Jeannette Van Den Bulk and Troy Taillefer Presentation to the LGMA on October 17, 2013

Information and Privacy Commissioner is an independent Officer of the Legislature Elizabeth Denham is B.C. s Information and Privacy Commissioner The Office of the Information and Privacy Commissioner (OIPC): conducts reviews and investigations to ensure compliance with the FOIPP Act mediates FOI disputes comments on FOI and privacy implications of proposed legislative schemes or public body programs 2

Legislation, Privacy and Policy Branch of the Office of the Chief Information Officer (OCIO) What we do: Responsible for the Freedom of Information and Protection of Privacy Act (FOIPPA), Personal Information Protection Act (PIPA), Document Disposal Act (DDA), and Electronic Transactions Act (ETA) and all policy, standards and directives that flow from them. Leading strategic privacy initiatives across government Establishing government policy, standards and guidelines on access and privacy issues Providing services, training, support and leadership to assist ministries and other public bodies in complying with the FOIPP Act * As of October 1 we have processed 392 Ministry PIAs in 2013, with a projection of over 500 by year end. 3

1. Understand the purpose and value of a Privacy Impact Assessment (PIA) What Who Why 2. Understand the PIA Process When How Where 3. PIA Resources 4

PIAs are a lot of work for no useful purpose PIAs only stop us from implementing useful programs; they do nothing to enable them PIAs result in increased costs for proposed initiatives PIAs cause initiatives to be redesigned and delayed 5

An assessment that is conducted by a public body to determine if a current or proposed enactment, system, project program or activity meets or will meet the requirements of Part 3 of this Act. (FOIPPA s. 69 (1)) A risk management tool that: identifies potential privacy issues and impacts, allowing correction and mitigation, thus avoiding costly program, service, or process redesign. 7

PIAs need to be done by: Ministries Other Public bodies A person who knows the initiative (e.g. program or system) well is often the best person to describe it and set out the information flows within the PIA Do not need to be a privacy expert 8

Applies to the public sector in BC: Ministries of the Province, Crown Corporations, Agencies, Boards, Commissions Local public bodies (local government bodies, health care bodies, municipal police and educational bodies) Governing bodies of professional organizations (e.g., teachers, doctors, nurses, lawyers, engineers) 9

Amendments to the FOIPP Act in 2011 made it a legal requirement for ministries and other public bodies to conduct PIAs in accordance with the directions of the Minister responsible for this Act [69 (5) and (5.3)] Section 69 (5) The head of a ministry must conduct a privacy impact assessment in accordance with the directions of the minister responsible for this Act. Section 69 (5.3) The head of a public body that is not a ministry must conduct a privacy impact assessment in accordance with the directions of the minister responsible for this Act 10

A PIA is an information and risk management tool that helps you to: Meet and exceed legal requirements relating to privacy and access Mitigate privacy risk and loss of reputation and trust Examine your processes; make informed policy, operations and system design decisions Anticipate the public s reaction to a given initiative Prevent avoidable problems that: Result in regulatory repercussions Lead to public/client backlash Impact systems, processes or practices Educate and increase awareness of privacy issues 11

13 During the development phase of a new program, project, system, legislation, technology, or other initiative; OR Before the implementation of a significant change to an existing program, project, system, technology or information system, or legislation takes place; OR For all significant existing programs/initiatives Whether personal information is, is not, or could be collected, used or disclosed!

Personal information means recorded information about an identifiable individual other than contact information (Schedule 1 definition in the FOIPP Act) Examples of your personal information: Race, national/ethnic origin, skin colour Religious or political beliefs or associations Age, sex, sexual orientation, marital status Fingerprints, blood type, DNA information, biometrics Health care, educational, financial, criminal, employment history Opinions (unless it is your opinion about someone else) 14

Providing a service through a different medium (e.g. online) Development of a new blog or Facebook site to increase engagement Using service providers to deliver services Integrated service delivery involving more than one public body Marketing initiative involving the collection of customer information through contests and/or surveys Use of video surveillance for security purposes New enactment 15

The Ministry template for a PIA can be found on the OCIO s website http://www.cio.gov.bc.ca/cio/priv_leg/foippa/pia/pia_index.page Ministries are required to use this template Other public bodies may use it (but are not required to) and can modify the template to better suit their needs Private organizations may also use the template and modify it 16

Contact information for individual qualified to answer questions about the PIA Description/Purpose/Objective of the initiative Potential impacts of the proposal Details of any previous PIAs or privacy assessments done on the initiative Description of the elements of personal information that will be collected, used, and/or disclosed and the nature and sensitivity of the personal information Description of the linkages and flows of personal information 17

Analysis of the FOIPPA authorities allowing collection, use, and/or disclosure for the initiative Description of procedures in place to enable an individual to correct or annotate their personal information Analysis of security and storage of personal information Description of retention of personal information PIA signed off by individuals with primary responsibility for privacy (and security where relevant) on the initiative 18

Public bodies can send their PIAs to the OIPC to the attention of the Commissioner by: Email at info@oipc.bc.ca; Letter to PO Box 9038 Stn Prov Govt Victoria, BC V8W 9A4 19

Public body initiatives that involve data-linking or a common or integrated program or activity must notify the OIPC at an early stage of development as required by s. 69(5.5) of FOIPPA If your initiative involves either data-linking or a common or integrated program you must submit your PIA to the OIPC for review and comment [s. 69(5.4)] 20

OIPC Phone: 250 387-5629 Email: info@oipc.bc.ca Website: http://www.oipc.bc.ca/ 21 Legislation, Privacy and Policy, OCIO Privacy and Access Helpline: 250 356-1851 Email: Privacy.Helpline@gov.bc.ca Website: http://www.cio.gov.bc.ca/cio/priv_leg

PIA Template http://www.cio.gov.bc.ca/local/cio/priv_leg/documents/foippa/pia_form.doc PIA Initiative Update Template http://www.cio.gov.bc.ca/local/cio/priv_leg/documents/foippa/pia_initiativeupdate.doc 23

25

Example: The Ministry of Underwater Archaeology will be setting up a blog as a new citizen engagement tool. The Ministry will use its existing website as the platform. Blog posts will be written by ministry staff and invited experts, and comments will be welcome from citizens. 26

Examples: Name, age, address, email, phone number, educational history, employment history, health information, financial information, photos, comments on a blog, or information specific to a subject area, like stumpage totals, fish license numbers, or visitor centre stats. 27

28

29

30

31

32

Risk Mitigation Table Risk Mitigation Strategy Likelihood Impact 1. Employees could access personal information and use or disclose it for personal purposes Oath of Employment Low High 2. Request may not actually be from client (i.e. their email address may be being used by someone else) Implementation of identification verification procedures Low High 3. Client s personal information is compromised when being transferred to the service provider Transmission is encrypted and over a secure line Low High 4. Inherent risks in sending personal information to a client via email Policy developed to inform clients of risk and ask if they would like the information via a different medium, such as through the mail Medium Medium 33

In order to allow individuals the ability to exercise their information rights with knowledge of how their information will be used, they must be notified of the collection. Section 27(2) of the FOIPP Act requires that the individual from whom personal information is being collected is told: (a) the purpose for collecting it, (b) the legal authority for collecting it, and (c) the title, business address and business telephone number of an officer or employee of the public body who can answer the individual's questions about the collection. 34

35 Personal information is collected by the Ministry of Parapsychology under the authority of s. 26(c) of the Freedom of Information and Protection of Privacy Act for the purposes of evaluating their ghost hunting initiative. Should you have any questions about the collection of this personal information please contact: Ghost Buster Analyst 123 Nice Street Anywhere, BC Phone: 250-131-3131

Example: Document encryption User access profiles: need-to-know role-based access Audit logs 36

1 year rule Reasonable opportunity for access Minimum standard Do you have an approved schedule? How will records be kept in the meantime? Ministry Records Officer 37

PIAs are a lot of work for no useful purpose PIAs only stop us from implementing useful programs; they do nothing to enable them PIAs result in increased costs for proposed initiatives PIAs cause initiatives to be redesigned and delayed 38

PIAs serve many useful purposes Address privacy concerns and ensure privacy compliance Assist in implementing privacy-enhancing initiatives Increase awareness and understanding of privacy issues within the organization PIAs enable new privacy enhanced initiatives and prevent potential privacy disasters that could result in loss of public confidence and trust PIAs can be used to avoid costs, surprises and embarrassment by building in privacy at the design stage. PIAs conducted in the design phase allow any privacy issues to be identified, addressed, changed or mitigated. 39

40

Legislation, Privacy and Policy Branch policies, guidelines and forms: http://www.cio.gov.bc.ca/cio/priv_leg/foippa/guides_forms/guide_index.page? List of Ministry Information Security Officers: http://www.cio.gov.bc.ca/cio/informationsecurity/miso/miso.page List of Records Officers: http://www.gov.bc.ca/citz/iao/records_mgmt/contact_us/ministry_records_officers.html The Freedom of Information and Protection of Privacy Act: http://www.bclaws.ca/eplibraries/bclaws_new/document/id/freeside/96165_00 BC Office of the Information and Privacy Commissioner: http://www.oipc.bc.ca/ Early notice and PIA procedures for public bodies: http://www.oipc.bc.ca/guidance-documents/1434 41

OIPC Phone: 250 387-5629 Email: info@oipc.bc.ca Website: http://www.oipc.bc.ca/ OCIO Privacy and Access Helpline 250 356-1851 Privacy.Helpline@gov.bc.ca 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback