Public Sector Case Studies: THE ESTABLISHMENT OF A PRIVACY OFFICE
AGENDA
Introduction to the ONTARIO WORKPLACE SAFETY & INSURANCE BOARD (WSIB)
Evolution of the WSIB PRIVACY OFFICE
Building a corporate PRIVACY INFRASTRUCTURE
The Workplace Safety and Insurance Board: An Overview
The Workplace Safety and Insurance Board (WSIB) began as the Workmen's Compensation Board in 1915 through an Act of the Ontario Legislature
The system of no-fault collective liability provides fair compensation for injured workers and their families, while spreading individual costs among employers
Today, the WSIB administers some 340,000 claims with a staff of 4,293 located throughout Ontario
A total of 201,272 Ontario employers are covered by the WSIB
ENABLING LEGISLATION
WORKPLACE SAFETY and INSURANCE ACT (WSIA)
– Provides for legislative authority for the collection, use, retention and disclosure of information
FREEDOM OF INFORMATION and PROTECTION OF PRIVACY ACT (FIPPA)
– Provides the right of access to information under the control of institutions
– Protects the privacy of individuals with respect to personal information about themselves held by institutions and provides individuals with a right of access to that information
CHANGE DRIVERS
WCB → WSIB (1998)
– VISION: THE ELIMINATION OF ALL WORKPLACE INJURIES and ILLNESSES
– WSIB now oversees Ontario’s system of workplace safety education and training
– Greater support of research efforts in the study of occupational disease and workplace safety
– Emphasis on early and safe return to work
New technologies implemented
Increased outsourcing of business processes
Health Professionals
Pharmacies
Alternate Service Providers
Employers
APPLICATION SYSTEMS, TELEPHONE, FAX, MAIL, EMAIL, INTERNET
Hospitals
Researchers
Safe Workplace Associations (SWAS)
LMR Service Providers
WSIB Employees Working Outside the Office
WSIB Contracted Specialty Clinics
MAKING THE CASE FOR A PRIVACY OFFICE
January 1, 2002 Program Privacy Group
– Developed the capacity to implement Privacy Impact Assessments
– Completed PIAs for key strategic projects
– Educated project teams through privacy presentations
– BUILT PRIVACY AWARENESS WITH SENIOR MANAGEMENT
DASHBOARD VIEW OF PRIVACY COMPLIANCE
ACCOUNTABILITY: SAMPLE
IDENTIFYING PURPOSES: SAMPLE
CONSENT: SAMPLE
LIMITING COLLECTION: SAMPLE
LIMITING USE, DISCLOSURE & RETENTION: SAMPLE
ACCURACY: SAMPLE
SAFEGUARDS: SAMPLE
OPENNESS: SAMPLE
INDIVIDUAL ACCESS: SAMPLE
CHALLENGING COMPLIANCE: SAMPLE
ACCOUNTABILITY
Requirement * | In Place (Color Code) | In Progress (Color Code) | Not in Place (Color Code)
1. You assign accountability for compliance with these principles to a specific person or group of people in your company.
2. You make available the identity and contact information of the person or group of people in your organization who are accountable for compliance with established privacy principles
3. You develop and then implement specific privacy policies and procedures
*Source: Information and Privacy Commissioner/Ontario (IPC) - Privacy Diagnostic Tool
PRIVACY IS ON THE CORPORATE MAP
July 1, 2002 WSIB PRIVACY OFFICE
– Legal Services Division
– Integrated FOI Program
– Full service ACCESS and PRIVACY OFFICE
– Multidisciplined team
• FOI Co-ordinator, business specialists, security architect, project management experience
TEAMWORK
“NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL, COMMITTED PEOPLE CAN CHANGE THE WORLD. INDEED, IT IS THE ONLY THING THAT EVER HAS”.
PRIVACY OFFICE RELATIONSHIPS
LEGAL SERVICES
SECURITY
ARCHITECTURE
BUSINESS
CONTRACTED SERVICE PROVIDERS
PRIVACY OFFICE
RESEARCHERS
CORPORATE PRIVACY FRAMEWORK
FOI PROGRAM
- FIPPA ACCESS Requests
- Research requests
Governance
- WSIB Privacy Design Principles
- Security Policies
- Operational Confidentiality Policies
Risk Assessments & Risk Mgmt
- Privacy Impact Assessments
- Privacy Diagnostic Tool
- Privacy Audits/Reviews
Education & Awareness
- Internal Portal
- Desktop Tools
- Training Programs
- Presentations
WSIB PRIVACY DESIGN PRINCIPLES
Compliance with the Privacy Design Principles is mandatory (FIPPA) for all project staff and consultants
Purpose:
Help staff and consultants doing projects understand and meet the WSIB’s privacy obligations with respect to the design and implementation of any type of WSIB project
Enhance WSIB privacy compliance by ensuring legislated privacy requirements are met from project concept to business integration upon completion of the project.
Applying the PRIVACY Concept to a Project:
WSIB Project & Program Privacy Design Principles
Project Initiation
– Terms of Reference
• Initial Privacy Security Screening Assessment
• 1st step in identifying privacy requirements
– Business Case
PRIVACY Review Process
Initial Privacy Screening Assessment: A questionnaire to determine if there are possible privacy implications, requiring a more detailed privacy review of the project
To be completed at the conceptual phase of a project.
» Is there personal information (as defined by FIPPA) collected, used, disclosed and retained?
» Who collects it?
» How is it collected?
» Where does it go? (i.e. Does it cross Ontario/Canadian borders?)
» How is it transmitted to external parties? (e-mail, fax)
» Will the data be retained? If so, for how long?
» Who will have access to the information?
» What is the legislative authority for the collection, use and disclosure of personal information?
PRIVACY Impact Assessments
What is a PIA?
• A PIA is a process that both measures legislative compliance (i.e. FIPPA, WSIA) and considers the broader privacy implications of a given proposal.
Purpose
• The function of a PIA is to ensure that privacy risks associated with a given proposal are properly identified and addressed wherever possible, and that decision makers have been informed of these risks and the options available to mitigate them.
The PIA in the PROJECT LIFE CYCLE
CONCEPT and PLANNING
– Project Definition
• Initial PIA
– Conceptual Design
• Privacy & Security Requirements
DETAILED DESIGN & IMPLEMENTATION
• Interim PIAs
POST IMPLEMENTATION
• Final PIA
The PIA in the PROJECT LIFE CYCLE
The Privacy Impact Assessment Process provides for:
– More detailed definition of privacy requirements
– Integration of privacy requirements into project
– Assurance reporting to project and business management
POSITIONING & COMMUNICATION PRIVACY
PRIVACY IS NOT JUST ABOUT COMPLYING WITH LEGISLATION
PRIVACY IS ABOUT:
BUILDING TRUSTED RELATIONSHIPS
GOOD BUSINESS PRACTICE
QUESTIONS/COMMENTS?
SPEAKER CONTACT INFORMATION
Laurisa Tkachenko
Director, Privacy Office
Workplace Safety & Insurance Board
200 Front Street West, 20th floor
Tel: (416) 344-3685
email: [email protected]