Integrating the Principles Information Management Access and Privacy

Integrating the Principles Information Management Access and Privacy Monday, April 20, 2015 Nanaimo, BC Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc Introduction Todays theme: Bridging Privacy, Information Governance and Records Management Part I: Comparing the concepts of Information Management (IM) and Privacy

Part II: Using the Maturity Models (2 case studies) Recap / Questions Part 1 IM and Privacy Information Management Access and Privacy How did we get here? Information Management General Services Privacy

OECD Guidelines (late 70s) Administration (USA) (1950s) CSAs Privacy Principles, the ARMAs Generally Accepted Recordkeeping Principles, the Principles (formerly GARP) 8 Principles Uses Information Governance Maturity Model (IGMM) (c2009)

Model Code (early 90s) AICPA/CICA Generally Accepted Privacy Principles (GAPP) 10 Principles Uses the CICA Privacy Maturity Model (c2007) Access and Privacy Program Focus Internal and external Policies, procedures Privacy Culture FOI Process

Auditing /Compliance Privacy Impact Assessments Preventing breaches Information Management Program Focus Internal only Policies, procedures Findability throughout life cycle User acceptance Class. and Retention Auditing /Compliance

Archiving IM vs. Privacy In common Unique to Privacy Program management Consent / Withdrawing (policies and procedures) Accountability Availability / Access Compliance Retention and Disposition

/ Limiting retention Accuracy and Integrity Protection / Safeguards Transparency / Openness consent Identifying the purposes for collection Limiting collection Recordkeeping and Privacy: How they compare Principle the Principles (ARMA)

CSA Model Privacy Code 1. Accountability Focus on Personal Documentation More proactive - 8. Transparency / Openness

available Information available to public Recordkeeping and Privacy: How they compare Principle 2. Identifying purposes for collection the Principles (ARMA)

CSA Model Privacy Code Core Privacy Concept 3. Consent / Withdrawal of consent 4. Limiting collection

Core Privacy Concept Core Privacy Concept Recordkeeping and Privacy: How they compare Principle the Principles (ARMA)

CSA Model Privacy Code 5. Use / Limiting use, disclosure and retention of personal information Use limited to 5. Retention / Limiting use, disclosure and retention of personal information

Retention 5. Disposition / Limiting use, disclosure of personal information Disposition Valid business use Based on 4 values Secure destruction purpose; limited disclosure

Limiting retention Varies - only as long as needed, or +/- 1 year Limiting retention, or anonymizing Recordkeeping and Privacy: How they compare Principle the Principles (ARMA) 6. Integrity / Accuracy

Integrity 7. Protection / Safeguards Protection, incl. confidentiality Secure destruction CSA Model Privacy Code Accuracy Safeguards (logical, physical, procedural) Secure destruction

Recordkeeping and Privacy: How they compare Principle the Principles (ARMA) CSA Model Privacy Code 9. Availability / Individual Access Availability to

Availability to the 10. Compliance / Challenging Compliance Internal External (based on the organization compliance individual rights of the individual)

A linear view of the life cycle Privacy Purpose New purpose Consents New consent Limit collection Disclosure (FOI) Audit access by Apply safeguards, staffincluding encryption Privacy Impact Assessments Collec

Collec t Recordkeeping Classify Assign retention Use De-identify Anonymize for research purposes Keep some PI past retention date Secure destruction Store

Dispos e Destro y Move location New records created Migrate media Secure Capture legacy data

destruction Purge transitory Transitory records destroyed (training) Part I Recap Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy program priorities Activities at various point of the life cycle Part 2 Case Studies Privacy Practices Report

IM program elements inc0rporated into the Privacy gap analysis Information Management Priorities Report Privacy program elements incorporated into the IM gap analysis Case Study 1: Privacy Practices Report Scenario Large upper tier municipality. Recently merged public health and social services departments represent all Health Information Custodians as defined in legislation (Ontarios

PHIPA Ontario), 2000+ employees Gap Analysis maturity CICAs GAPP privacy model Case study 1: Privacy Practices Report Methodology Many disparate sources of information Challenge was to bring it all together into a coherent narrative Personal Information Bank (PIB) unknown

repository search Assessment of current practices using the Generally Accepted Privacy Principles (GAPP) framework Report compiled from all sources, integrating departmental records management and privacy concerns/risks (note: well-established RM program) Case study 1: Privacy Practices Report, contd Methodology, contd Rated the Department against each of the 73 criteria in the CICA Privacy Maturity Model For each criteria, one of five values was assigned (ad hoc, repeatable, defined, managed, or optimized) Level 3 of defined was used as the benchmark

All values of ad hoc and repeatable, and some values of defined were identified as gaps Assessments reviewed with program manager Case study 1: GAPP Criteria & Maturity Levels Case study 1: Another way to do it AICPA/CICA Privacy Risk Assessment Tool Excel-based Consists of a scoring input template (10 separate, individual files for up to 10 different evaluators)

a scoring summary that automatically updates using the scores from the 10 templates Reports the 5 levels of the privacy maturity model into low risk, medium risk and high risk Generates numeric values, more quantitative approach Resources lacking for this approach Case study 1: Another way to do it 2 = ad hoc + 8 = managed + repeatable

optimized 5 = defined Case study 1: Sample survey results Case study 1: Sample survey results Case study 1: Putting it all together GAPP Principle re: Use 5.2.3 Disposal, Destruction and Redaction of Personal Information: Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized

access. The Records Management and Privacy Practices Policies cover the secure disposal of confidential and personal information respectively. Procedures for the secure destruction of paper records are well established. Procedures for the secure disposal of personal health information are lacking for electronic records. Level: Ad Hoc Case study 1: Privacy Practices Report Final report and recommendations Gap Analysis Online Survey Several other appendices Review of relevant IPC orders

Encryption of mobile devices (IPC order) Verified Personal Information Banks Some risks and concerns were communicated verbally Case study 2: IM Priorities Report Scenario Small lower tier municipality, with well-developed privacy processes but lacking corporate IM program Gap Analysis ARMAs Information Governance Maturity Model, supplemented by

Model Code Privacy Principles and the CICA Privacy Maturity Model Case study 2: IM Priorities Report Methodology Previous consultants report reviewed 13 recommendations needed to be updated/validated and did not include access and privacy Decision to overlay privacy program components into ARMAs Information Governance Maturity Model, using CICAs

Privacy Maturity Model 65 criteria Level 3 of essential chosen as the benchmark Case study 2: IM Priorities Report Methodology, contd Created Gap Analysis collection tool based on ARMA Added in privacy-related criteria Added three privacy principles: Personal Information Ownership Privacy Principle Protection of Privacy Principle Access to Information Principle

Detailed recommendations, with dependencies 1 page strategic plan 1 page short term work plan Case study 2: ARMA Criteria & Maturity Levels Case study 2: ARMA Criteria & Maturity Levels Case study 2: ARMA Criteria & Maturity Levels Sample IM recommendations incorporating privacy Create an Information Management and Privacy

(IMAP) Working Group This group tasked with developing a priority ranking of outstanding PIAs based on risk Develop a corporate-wide privacy policy (if not in corporate-wide IM policy) Continue to complete Privacy Impact Assessments on high priority processes/programs Case study 2: High Level Strategic Plan Case study 2:

High Level Work Plan Recap / Questions Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy programs priorities 2 Case Studies Lessons learned from using a Maturity Model Thank you for sharing your time with me. Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc [email protected]

250-882-2398

Recently Viewed Presentations

  • Romans 01 - In Search Of Truth

    Romans 01 - In Search Of Truth

    Romans 2:1-6, 17-20; 3:1-3 Had transferred promise to serve as elect nation, guardians of God's Word, and conduit of Messiah as permanent spiritual favor. Favored nation status meant more to them than salvation itself, jealously.
  • Atomic Theory - Weebly

    Atomic Theory - Weebly

    Dalton's Atomic Theory All matter is made of extremely small particles called atoms. All atoms of a given element are identical (mass, physical and chemical properties).
  • Data Abstraction and Encapsulation

    Data Abstraction and Encapsulation

    Data Abstraction and Encapsulation ... Type Systems
  • Limits of a Superpower - Mrs. French's Website

    Limits of a Superpower - Mrs. French's Website

    Essential Questions. Analyze the continuities and changes that occurred in U.S foreign policy during the the 1970's. To what extent did policy change, to what extent did it stay the same?
  • PowerPoint Presentation

    PowerPoint Presentation

    Pharmaceutical Sector Country Profiles WHO Experience Dr Gilles Forte Dr Richard Laing Essential Medicines and Health Products Department WHO HQ WHO Medium Term Strategic Plan 2008-2013 Strategic Objective (SO-11) : To ensure improved access, quality and use of medical products...
  • Creating Vast Game Worlds - Experiences from Avalanche Studios

    Creating Vast Game Worlds - Experiences from Avalanche Studios

    Day-night cycle - Adds diverse lighting conditions and makes the world feel more dynamic and living. There are plenty of different zone that give the world a more diverse appearance and makes it more interesting. It also gives the player...
  • Basins-> Swat -> Hspf

    Basins-> Swat -> Hspf

    Projected shapefiles from BASINS database. Also do for landuse. Needed to add From LBJ Area Cataloging Unit BASINS Models SWAT HSPF QUAL2E PLOAD ONLY FOR PENNSYLVANIA Source: Nonpoint Source Pollution in the Mission Basin GIS in Water Resources exercise Source:...
  • Economic Framework for Assessing Solar PV

    Economic Framework for Assessing Solar PV

    Solar PV Basics. Currently, subsidies are crucial for the development of solar PV Not . suggesting that subsidies are . inappropriate . or that solar PV is the only category of energy resource that enjoys subsidies or gives rise to...