Public Sector Case Studies: THE ESTABLISHMENT OF A PRIVACY OFFICE

AGENDA

Introduction to the ONTARIO WORKPLACE SAFETY & INSURANCE BOARD (WSIB)

Evolution of the WSIB PRIVACY OFFICE

Building a corporate PRIVACY INFRASTRUCTURE

The Workplace Safety and Insurance Board: An Overview

The Workplace Safety and Insurance Board (WSIB) began as the Workmen's Compensation Board in 1915 through an Act of the Ontario Legislature

The system of no-fault collective liability provides fair compensation for injured workers and their families, while spreading individual costs among employers

Today, the WSIB administers some 340,000 claims with a staff of 4,293 located throughout Ontario

A total of 201,272 Ontario employers are covered by the WSIB

ENABLING LEGISLATION

WORKPLACE SAFETY and INSURANCE ACT (WSIA)

– Provides for legislative authority for the collection, use, retention and disclosure of information

FREEDOM OF INFORMATION and PROTECTION OF PRIVACY ACT (FIPPA)

– Provides the right of access to information under the control of institutions

– Protects the privacy of individuals with respect to personal information about themselves held by institutions and provides individuals with a right of access to that information

CHANGE DRIVERS

WCB → WSIB (1998)

– VISION: THE ELIMINATION OF ALL WORKPLACE INJURIES and ILLNESSES

– WSIB now oversees Ontario’s system of workplace safety education and training

– Greater support of research efforts in the study of occupational disease and workplace safety

– Emphasis on early and safe return to work

New technologies implemented

Increased outsourcing of business processes

[Diagram labels] APPLICATION SYSTEMS, TELEPHONE, FAX, MAIL, EMAIL, INTERNET

Health Professionals; Pharmacies; Alternate Service Providers; Employers; Hospitals; Researchers; Safe Workplace Associations (SWAS); LMR Service Providers; WSIB Employees Working Outside the Office; WSIB Contracted Specialty Clinics

January 1, 2002 Program Privacy Group

– Developed the capacity to implement Privacy Impact Assessments

– Completed PIAs for key strategic projects

– Educated project teams through privacy presentations

– BUILT PRIVACY AWARENESS WITH SENIOR MANAGEMENT

MAKING THE CASE FOR A PRIVACY OFFICE

DASHBOARD VIEW OF PRIVACY COMPLIANCE

ACCOUNTABILITY: SAMPLE

IDENTIFYING PURPOSES: SAMPLE

CONSENT: SAMPLE

LIMITING COLLECTION: SAMPLE

LIMITING USE, DISCLOSURE & RETENTION: SAMPLE

ACCURACY: SAMPLE

SAFEGUARDS: SAMPLE

OPENNESS: SAMPLE

INDIVIDUAL ACCESS: SAMPLE

CHALLENGING COMPLIANCE: SAMPLE

ACCOUNTABILITY

Columns: Requirement* / In Place (Color Code) / In Progress (Color Code) / Not in Place (Color Code)

1. You assign accountability for compliance with these principles to a specific person or group of people in your company.

2. You make available the identity and contact information of the person or group of people in your organization who are accountable for compliance with established privacy principles

3. You develop and then implement specific privacy policies and procedures

*Source: Information and Privacy Commissioner/Ontario (IPC) - Privacy Diagnostic Tool

PRIVACY IS ON THE CORPORATE MAP

July 1, 2002 WSIB PRIVACY OFFICE

– Legal Services Division

– Integrated FOI Program

– Full service ACCESS and PRIVACY OFFICE

– Multidisciplined team

• FOI Co-ordinator, business specialists, security architect, project management experience

TEAMWORK

“NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL, COMMITTED PEOPLE CAN CHANGE THE WORLD. INDEED, IT IS THE ONLY THING THAT EVER HAS”.

PRIVACY OFFICE RELATIONSHIPS

LEGAL SERVICES

SECURITY

ARCHITECTURE

BUSINESS

CONTRACTED SERVICE PROVIDERS

PRIVACY OFFICE

RESEARCHERS

CORPORATE PRIVACY FRAMEWORK

FOI PROGRAM

- FIPPA ACCESS Requests

- Research requests

Governance

- WSIB Privacy Design Principles

- Security Policies

- Operational Confidentiality Policies

Risk Assessments & Risk Mgmt

- Privacy Impact Assessments

- Privacy Diagnostic Tool

- Privacy Audits/Reviews

Education & Awareness

- Internal Portal

- Desktop Tools

- Training Programs

- Presentations

WSIB PRIVACY DESIGN PRINCIPLES

Compliance with the Privacy Design Principles is mandatory (FIPPA) for all project staff and consultants

Purpose: Help staff and consultants doing projects understand and meet the WSIB’s privacy obligations with respect to the design and implementation of any type of WSIB project

Enhance WSIB privacy compliance by ensuring legislated privacy requirements are met from project concept to business integration upon completion of the project.

Applying the PRIVACY Concept to a Project:

WSIB Project & Program Privacy Design Principles

Project Initiation

– Terms of Reference

• Initial Privacy Security Screening Assessment

• 1st step in identifying privacy requirements

– Business Case

PRIVACY Review Process

Initial Privacy Screening Assessment: A questionnaire to determine if there are possible privacy implications, requiring a more detailed privacy review of the project

To be completed at the conceptual phase of a project.

» Is there personal information (as defined by FIPPA) collected, used, disclosed and retained?

» Who collects it?

» How is it collected?

» Where does it go? (i.e. does it cross Ontario/Canadian borders?)

» How is it transmitted to external parties? (e-mail, fax)

» Will the data be retained? If so, for how long?

» Who will have access to the information?

» What is the legislative authority for the collection, use and disclosure of personal information?

PRIVACY Impact Assessments

What is a PIA?

• A PIA is a process that measures both legislative compliance (i.e. FIPPA, WSIA) and considers the broader privacy implications of a given proposal.

Purpose

• The function of a PIA is to ensure that privacy risks associated with a given proposal are properly identified and addressed wherever possible, and that decision makers have been informed of these risks and the options available to mitigate them.

The PIA in the PROJECT LIFE CYCLE

CONCEPT and PLANNING

– Project Definition

• Initial PIA

– Conceptual Design

• Privacy & Security Requirements

DETAILED DESIGN & IMPLEMENTATION

• Interim PIAs

POST IMPLEMENTATION

• Final PIA

The PIA in the PROJECT LIFE CYCLE

The Privacy Impact Assessment Process provides for:

More detailed definition of privacy requirements

Integration of privacy requirements into project

Assurance reporting to project and business management

POSITIONING & COMMUNICATION PRIVACY

PRIVACY IS NOT JUST ABOUT COMPLYING WITH LEGISLATION

PRIVACY IS ABOUT:

BUILDING TRUSTED RELATIONSHIPS

GOOD BUSINESS PRACTICE

QUESTIONS/COMMENTS?

SPEAKER CONTACT INFORMATION

Laurisa Tkachenko

Director, Privacy Office

Workplace Safety & Insurance Board

200 Front Street West, 20th floor

Tel: (416) 344-3685

email: [email protected]