Integrating the Principles Information Management Access and Privacy
Integrating the Principles Information Management Access and Privacy Monday, April 20, 2015 Nanaimo, BC Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc Introduction Todays theme: Bridging Privacy, Information Governance and Records Management Part I: Comparing the concepts of Information Management (IM) and Privacy
Part II: Using the Maturity Models (2 case studies) Recap / Questions Part 1 IM and Privacy Information Management Access and Privacy How did we get here? Information Management General Services Privacy
OECD Guidelines (late 70s) Administration (USA) (1950s) CSAs Privacy Principles, the ARMAs Generally Accepted Recordkeeping Principles, the Principles (formerly GARP) 8 Principles Uses Information Governance Maturity Model (IGMM) (c2009)
Model Code (early 90s) AICPA/CICA Generally Accepted Privacy Principles (GAPP) 10 Principles Uses the CICA Privacy Maturity Model (c2007) Access and Privacy Program Focus Internal and external Policies, procedures Privacy Culture FOI Process
Auditing /Compliance Privacy Impact Assessments Preventing breaches Information Management Program Focus Internal only Policies, procedures Findability throughout life cycle User acceptance Class. and Retention Auditing /Compliance
Archiving IM vs. Privacy In common Unique to Privacy Program management Consent / Withdrawing (policies and procedures) Accountability Availability / Access Compliance Retention and Disposition
/ Limiting retention Accuracy and Integrity Protection / Safeguards Transparency / Openness consent Identifying the purposes for collection Limiting collection Recordkeeping and Privacy: How they compare Principle the Principles (ARMA)
CSA Model Privacy Code 1. Accountability Focus on Personal Documentation More proactive - 8. Transparency / Openness
available Information available to public Recordkeeping and Privacy: How they compare Principle 2. Identifying purposes for collection the Principles (ARMA)
CSA Model Privacy Code Core Privacy Concept 3. Consent / Withdrawal of consent 4. Limiting collection
Core Privacy Concept Core Privacy Concept Recordkeeping and Privacy: How they compare Principle the Principles (ARMA)
CSA Model Privacy Code 5. Use / Limiting use, disclosure and retention of personal information Use limited to 5. Retention / Limiting use, disclosure and retention of personal information
Retention 5. Disposition / Limiting use, disclosure of personal information Disposition Valid business use Based on 4 values Secure destruction purpose; limited disclosure
Limiting retention Varies - only as long as needed, or +/- 1 year Limiting retention, or anonymizing Recordkeeping and Privacy: How they compare Principle the Principles (ARMA) 6. Integrity / Accuracy
Recordkeeping and Privacy: How they compare Principle the Principles (ARMA) CSA Model Privacy Code 9. Availability / Individual Access Availability to
Availability to the 10. Compliance / Challenging Compliance Internal External (based on the organization compliance individual rights of the individual)
A linear view of the life cycle Privacy Purpose New purpose Consents New consent Limit collection Disclosure (FOI) Audit access by Apply safeguards, staffincluding encryption Privacy Impact Assessments Collec
Collec t Recordkeeping Classify Assign retention Use De-identify Anonymize for research purposes Keep some PI past retention date Secure destruction Store
Dispos e Destro y Move location New records created Migrate media Secure Capture legacy data
destruction Purge transitory Transitory records destroyed (training) Part I Recap Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy program priorities Activities at various point of the life cycle Part 2 Case Studies Privacy Practices Report
IM program elements inc0rporated into the Privacy gap analysis Information Management Priorities Report Privacy program elements incorporated into the IM gap analysis Case Study 1: Privacy Practices Report Scenario Large upper tier municipality. Recently merged public health and social services departments represent all Health Information Custodians as defined in legislation (Ontarios
PHIPA Ontario), 2000+ employees Gap Analysis maturity CICAs GAPP privacy model Case study 1: Privacy Practices Report Methodology Many disparate sources of information Challenge was to bring it all together into a coherent narrative Personal Information Bank (PIB) unknown
repository search Assessment of current practices using the Generally Accepted Privacy Principles (GAPP) framework Report compiled from all sources, integrating departmental records management and privacy concerns/risks (note: well-established RM program) Case study 1: Privacy Practices Report, contd Methodology, contd Rated the Department against each of the 73 criteria in the CICA Privacy Maturity Model For each criteria, one of five values was assigned (ad hoc, repeatable, defined, managed, or optimized) Level 3 of defined was used as the benchmark
All values of ad hoc and repeatable, and some values of defined were identified as gaps Assessments reviewed with program manager Case study 1: GAPP Criteria & Maturity Levels Case study 1: Another way to do it AICPA/CICA Privacy Risk Assessment Tool Excel-based Consists of a scoring input template (10 separate, individual files for up to 10 different evaluators)
a scoring summary that automatically updates using the scores from the 10 templates Reports the 5 levels of the privacy maturity model into low risk, medium risk and high risk Generates numeric values, more quantitative approach Resources lacking for this approach Case study 1: Another way to do it 2 = ad hoc + 8 = managed + repeatable
optimized 5 = defined Case study 1: Sample survey results Case study 1: Sample survey results Case study 1: Putting it all together GAPP Principle re: Use 5.2.3 Disposal, Destruction and Redaction of Personal Information: Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized
access. The Records Management and Privacy Practices Policies cover the secure disposal of confidential and personal information respectively. Procedures for the secure destruction of paper records are well established. Procedures for the secure disposal of personal health information are lacking for electronic records. Level: Ad Hoc Case study 1: Privacy Practices Report Final report and recommendations Gap Analysis Online Survey Several other appendices Review of relevant IPC orders
Encryption of mobile devices (IPC order) Verified Personal Information Banks Some risks and concerns were communicated verbally Case study 2: IM Priorities Report Scenario Small lower tier municipality, with well-developed privacy processes but lacking corporate IM program Gap Analysis ARMAs Information Governance Maturity Model, supplemented by
Model Code Privacy Principles and the CICA Privacy Maturity Model Case study 2: IM Priorities Report Methodology Previous consultants report reviewed 13 recommendations needed to be updated/validated and did not include access and privacy Decision to overlay privacy program components into ARMAs Information Governance Maturity Model, using CICAs
Privacy Maturity Model 65 criteria Level 3 of essential chosen as the benchmark Case study 2: IM Priorities Report Methodology, contd Created Gap Analysis collection tool based on ARMA Added in privacy-related criteria Added three privacy principles: Personal Information Ownership Privacy Principle Protection of Privacy Principle Access to Information Principle
Detailed recommendations, with dependencies 1 page strategic plan 1 page short term work plan Case study 2: ARMA Criteria & Maturity Levels Case study 2: ARMA Criteria & Maturity Levels Case study 2: ARMA Criteria & Maturity Levels Sample IM recommendations incorporating privacy Create an Information Management and Privacy
High Level Work Plan Recap / Questions Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy programs priorities 2 Case Studies Lessons learned from using a Maturity Model Thank you for sharing your time with me. Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc [email protected]
Romans 2:1-6, 17-20; 3:1-3 Had transferred promise to serve as elect nation, guardians of God's Word, and conduit of Messiah as permanent spiritual favor. Favored nation status meant more to them than salvation itself, jealously.
Pharmaceutical Sector Country Profiles WHO Experience Dr Gilles Forte Dr Richard Laing Essential Medicines and Health Products Department WHO HQ WHO Medium Term Strategic Plan 2008-2013 Strategic Objective (SO-11) : To ensure improved access, quality and use of medical products...
Day-night cycle - Adds diverse lighting conditions and makes the world feel more dynamic and living. There are plenty of different zone that give the world a more diverse appearance and makes it more interesting. It also gives the player...
Projected shapefiles from BASINS database. Also do for landuse. Needed to add From LBJ Area Cataloging Unit BASINS Models SWAT HSPF QUAL2E PLOAD ONLY FOR PENNSYLVANIA Source: Nonpoint Source Pollution in the Mission Basin GIS in Water Resources exercise Source:...
Solar PV Basics. Currently, subsidies are crucial for the development of solar PV Not . suggesting that subsidies are . inappropriate . or that solar PV is the only category of energy resource that enjoys subsidies or gives rise to...
Ready to download the document? Go ahead and hit continue!