Integrating the Principles Information Management Access and Privacy

Integrating the Principles Information Management  Access and Privacy

Integrating the Principles Information Management Access and Privacy Monday, April 20, 2015 Nanaimo, BC Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc Introduction Todays theme: Bridging Privacy, Information Governance and Records Management Part I: Comparing the concepts of Information Management (IM) and Privacy

Part II: Using the Maturity Models (2 case studies) Recap / Questions Part 1 IM and Privacy Information Management Access and Privacy How did we get here? Information Management General Services Privacy

OECD Guidelines (late 70s) Administration (USA) (1950s) CSAs Privacy Principles, the ARMAs Generally Accepted Recordkeeping Principles, the Principles (formerly GARP) 8 Principles Uses Information Governance Maturity Model (IGMM) (c2009)

Model Code (early 90s) AICPA/CICA Generally Accepted Privacy Principles (GAPP) 10 Principles Uses the CICA Privacy Maturity Model (c2007) Access and Privacy Program Focus Internal and external Policies, procedures Privacy Culture FOI Process

Auditing /Compliance Privacy Impact Assessments Preventing breaches Information Management Program Focus Internal only Policies, procedures Findability throughout life cycle User acceptance Class. and Retention Auditing /Compliance

Archiving IM vs. Privacy In common Unique to Privacy Program management Consent / Withdrawing (policies and procedures) Accountability Availability / Access Compliance Retention and Disposition

/ Limiting retention Accuracy and Integrity Protection / Safeguards Transparency / Openness consent Identifying the purposes for collection Limiting collection Recordkeeping and Privacy: How they compare Principle the Principles (ARMA)

CSA Model Privacy Code 1. Accountability Focus on Personal Documentation More proactive - 8. Transparency / Openness

available Information available to public Recordkeeping and Privacy: How they compare Principle 2. Identifying purposes for collection the Principles (ARMA)

CSA Model Privacy Code Core Privacy Concept 3. Consent / Withdrawal of consent 4. Limiting collection

Core Privacy Concept Core Privacy Concept Recordkeeping and Privacy: How they compare Principle the Principles (ARMA)

CSA Model Privacy Code 5. Use / Limiting use, disclosure and retention of personal information Use limited to 5. Retention / Limiting use, disclosure and retention of personal information

Retention 5. Disposition / Limiting use, disclosure of personal information Disposition Valid business use Based on 4 values Secure destruction purpose; limited disclosure

Limiting retention Varies - only as long as needed, or +/- 1 year Limiting retention, or anonymizing Recordkeeping and Privacy: How they compare Principle the Principles (ARMA) 6. Integrity / Accuracy

Integrity 7. Protection / Safeguards Protection, incl. confidentiality Secure destruction CSA Model Privacy Code Accuracy Safeguards (logical, physical, procedural) Secure destruction

Recordkeeping and Privacy: How they compare Principle the Principles (ARMA) CSA Model Privacy Code 9. Availability / Individual Access Availability to

Availability to the 10. Compliance / Challenging Compliance Internal External (based on the organization compliance individual rights of the individual)

A linear view of the life cycle Privacy Purpose New purpose Consents New consent Limit collection Disclosure (FOI) Audit access by Apply safeguards, staffincluding encryption Privacy Impact Assessments Collec

Collec t Recordkeeping Classify Assign retention Use De-identify Anonymize for research purposes Keep some PI past retention date Secure destruction Store

Dispos e Destro y Move location New records created Migrate media Secure Capture legacy data

destruction Purge transitory Transitory records destroyed (training) Part I Recap Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy program priorities Activities at various point of the life cycle Part 2 Case Studies Privacy Practices Report

IM program elements inc0rporated into the Privacy gap analysis Information Management Priorities Report Privacy program elements incorporated into the IM gap analysis Case Study 1: Privacy Practices Report Scenario Large upper tier municipality. Recently merged public health and social services departments represent all Health Information Custodians as defined in legislation (Ontarios

PHIPA Ontario), 2000+ employees Gap Analysis maturity CICAs GAPP privacy model Case study 1: Privacy Practices Report Methodology Many disparate sources of information Challenge was to bring it all together into a coherent narrative Personal Information Bank (PIB) unknown

repository search Assessment of current practices using the Generally Accepted Privacy Principles (GAPP) framework Report compiled from all sources, integrating departmental records management and privacy concerns/risks (note: well-established RM program) Case study 1: Privacy Practices Report, contd Methodology, contd Rated the Department against each of the 73 criteria in the CICA Privacy Maturity Model For each criteria, one of five values was assigned (ad hoc, repeatable, defined, managed, or optimized) Level 3 of defined was used as the benchmark

All values of ad hoc and repeatable, and some values of defined were identified as gaps Assessments reviewed with program manager Case study 1: GAPP Criteria & Maturity Levels Case study 1: Another way to do it AICPA/CICA Privacy Risk Assessment Tool Excel-based Consists of a scoring input template (10 separate, individual files for up to 10 different evaluators)

a scoring summary that automatically updates using the scores from the 10 templates Reports the 5 levels of the privacy maturity model into low risk, medium risk and high risk Generates numeric values, more quantitative approach Resources lacking for this approach Case study 1: Another way to do it 2 = ad hoc + 8 = managed + repeatable

optimized 5 = defined Case study 1: Sample survey results Case study 1: Sample survey results Case study 1: Putting it all together GAPP Principle re: Use 5.2.3 Disposal, Destruction and Redaction of Personal Information: Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized

access. The Records Management and Privacy Practices Policies cover the secure disposal of confidential and personal information respectively. Procedures for the secure destruction of paper records are well established. Procedures for the secure disposal of personal health information are lacking for electronic records. Level: Ad Hoc Case study 1: Privacy Practices Report Final report and recommendations Gap Analysis Online Survey Several other appendices Review of relevant IPC orders

Encryption of mobile devices (IPC order) Verified Personal Information Banks Some risks and concerns were communicated verbally Case study 2: IM Priorities Report Scenario Small lower tier municipality, with well-developed privacy processes but lacking corporate IM program Gap Analysis ARMAs Information Governance Maturity Model, supplemented by

Model Code Privacy Principles and the CICA Privacy Maturity Model Case study 2: IM Priorities Report Methodology Previous consultants report reviewed 13 recommendations needed to be updated/validated and did not include access and privacy Decision to overlay privacy program components into ARMAs Information Governance Maturity Model, using CICAs

Privacy Maturity Model 65 criteria Level 3 of essential chosen as the benchmark Case study 2: IM Priorities Report Methodology, contd Created Gap Analysis collection tool based on ARMA Added in privacy-related criteria Added three privacy principles: Personal Information Ownership Privacy Principle Protection of Privacy Principle Access to Information Principle

Detailed recommendations, with dependencies 1 page strategic plan 1 page short term work plan Case study 2: ARMA Criteria & Maturity Levels Case study 2: ARMA Criteria & Maturity Levels Case study 2: ARMA Criteria & Maturity Levels Sample IM recommendations incorporating privacy Create an Information Management and Privacy

(IMAP) Working Group This group tasked with developing a priority ranking of outstanding PIAs based on risk Develop a corporate-wide privacy policy (if not in corporate-wide IM policy) Continue to complete Privacy Impact Assessments on high priority processes/programs Case study 2: High Level Strategic Plan Case study 2:

High Level Work Plan Recap / Questions Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy programs priorities 2 Case Studies Lessons learned from using a Maturity Model Thank you for sharing your time with me. Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc [email protected]

250-882-2398

Recently Viewed Presentations

  • Human Anatomy Introduction - kau

    Human Anatomy Introduction - kau

    Human Anatomy Introduction What is Anatomy? Study of the STRUCTURE of the Human Body Closely related to PHYSIOLOGY! Physiology is the study of the FUNCTION of the human body Divisions of Anatomy Gross Anatomy Structures that can be seen with...
  • Accounting 3603

    Accounting 3603

    Examine the policies, procedures, and standards for approving, modifying, testing, and documenting the changes. Review a complete set of final documentation materials for recent program changes, including test procedures and results. Review the procedures used to restrict logical access to...
  • THE ARYANS AND THE CASTE SYSTEM - mrdowling.com

    THE ARYANS AND THE CASTE SYSTEM - mrdowling.com

    THE ARYANS AND THE CASTE SYSTEM. The British controlled part or all of the Indian subcontinent from 1612 to 1947. The British thought that caste members believed they would have to live out their lives in a particular caste in...
  • Submit your Cuesta College admissions application

    Submit your Cuesta College admissions application

    Standardized, clear, and concise format for personalized financial aid offers. Better understanding of the costs of college before making a final decision on where to enroll. Identifies the types and amounts of aid qualified for and allows for easy comparison...
  • Building a Comprehensive Compliance Program

    Building a Comprehensive Compliance Program

    Kentucky Consumer Protection Act. Maine Notice of Risk to Personal Data. Maryland Personal Information Protection Act. Massachusetts Regulations of Business Practice and Consumer Protection Act. Massachusetts Standards for the Protection of Personal Information. Michigan Identify Theft Protection Act. Michigan Consumer...
  • PowerPoint Presentation

    PowerPoint Presentation

    C3 REVISION - CHAPTER 2 - WATER. KEY WORDS: Hard water. Soapless. detergents. Scale. Temporary hard water. Permanent hard water. Ion-exchange column. Water ...
  • Treatment of Symptoms of the Menopause: An Endocrine

    Treatment of Symptoms of the Menopause: An Endocrine

    When moderate or severe, the hot flash rapidly becomes generalized, lasts from 2 to 4 minutes, and can be associated with profuse perspiration, palpitations, or anxiety. Triggers include spicy food or alcohol. At night, vasomotor instability manifests as hot flashes...
  • DAY 1: EVIDENCE of evolution

    DAY 1: EVIDENCE of evolution

    Evolution is the unifying principle of biology.. We study biology to determine the commonalities of life, in order to more clearly understand its diversity. Understanding evolution opens the door to such clarity.