Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health

Published byGarry Morris Modified over 8 years ago

Similar presentations

Presentation on theme: "Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health"— Presentation transcript:

1 Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health Pmoleski@health.gov.sk.ca

2 Incorporating Privacy Into Systems Development Methodology Agenda Health sector background information Current systems methodology at Sask. Health Overlay on systems methodology Security assessment considerations Evolving privacy framework

3  Saskatchewan Health “ Provincial Government Department responsible for the publicly funded health system in Saskatchewan” “ Roughly 1 million clients and $2.9 billion in forecast expenditures for 2005 –2006” Incorporating Privacy Into Systems Development Methodology

4  Saskatchewan Health Sector Department 13 Regional Health Authorities Cancer Agency Independent Professionals (Doctors, etc.) Various smaller funded agencies Incorporating Privacy Into Systems Development Methodology

5 Major IT Organizations in the Health Sector  Corporate Information Technology Branch (CITB)  Health Information Solutions Centre (HISC)  Regional Health Authorities (RHA’s)  Cancer Agency Incorporating Privacy Into Systems Development Methodology

6  Corporate Information Technology Branch Internally Department Focused IT infrastructure Systems Development Environment Claims and Health Registration Applications Incorporating Privacy Into Systems Development Methodology

7  Health Information Solutions Centre (HISC) Health Sector network, help desk and & IT solutions to support service delivery Focus on Clinical Applications Electronic Health Record Lead Provincial IT/IM Planning, Architecture and Standards for Health Sector Information products and services

8  Regional Health Authorities (RHAs) & others (Cancer Agency etc.) Internal IT focus on their organizations CIO Forum Incorporating Privacy Into Systems Development Methodology

9  Privacy Framework within Provincial Government –Exec. Director, Access and Privacy Branch, Saskatchewan Justice – Privacy Policy Framework with Goals, Objectives, and Performance Measures Incorporating Privacy Into Systems Development Methodology

10  Privacy Framework within Provincial Government Incorporating Privacy Into Systems Development Methodology -principles adapted for Saskatchewan from the CSA, Model Code for the Protection of Personal Information – Q830.1996, p. vii

11  Privacy Framework within Provincial Government Incorporating Privacy Into Systems Development Methodology Accountability Purpose Limiting Consent Collection Use and Disclosure Retention Accuracy Safeguards Openness Access Compliance Eleven principles

12  Privacy Framework within Saskatchewan Health –Deputy Minister –Privacy Officer –CIO Forum – Privacy Subcommittee Incorporating Privacy Into Systems Development Methodology

13 What Happens now?

14 While formally including privacy as part of the systems development methodology is a work in progress, Incorporating Privacy Into Systems Development Methodology “Protecting the privacy of information with appropriate security has always been and remains a top priority for Saskatchewan Health”

15 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations

16 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Macro Plan Security Privacy Impact Interfaces Conceptual Architecture Phase 1 System Need Definition

17 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 6 & 7 Implementation Ongoing Operations Business/Data Flows Functionality Data elements Technology Security Privacy Project plan Phase 2 Conceptual Design

18 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phase 3 Application System Architecture Physical database Features Business /Data Flows Security Tables & Processes Project Plan

19 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phases 4&5 Application & Infrastructure Development Application system Acceptance Test Results Implementation Plan Operations Service Level Hardware/Network Plan

20 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phases 6 & 7 Implementation User Sign –off User Training Security Certificates System Governance Design/ Next Steps Support Procedures

21 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Problem Logs Change Management Privacy Management

22 Incorporating Privacy Into Systems Development Methodology How does the systems development methodology and privacy fit together? - still learning - completed several projects with privacy built into the project plan - lots of work, start early

23 Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition (Requirements) Phase 2 Conceptual Design Phase 3 Application System Architecture (Detailed Design) Phases 4&5 Application & Infrastructure (Development) Phases 6 & 7 Implementation Ongoing Operations

24 Incorporating Privacy Into Systems Development Methodology Systems Development Methodology Requirements Design Detailed Design High Level Privacy Assessment Development Implementation Operations Legal & Policy Drafting Agreements Execute Agreements Detailed Privacy Assessment

25 Incorporating Privacy Into Systems Development Methodology Privacy Assessment High Level Privacy Impact Assessment -may identify changes needed to the business or existing law. High Level Privacy Assessment

26 Incorporating Privacy Into Systems Development Methodology Legal and Policy Is it good public policy? Will it stand up to Public Scrutiny? Will it stand up to Audit (good management practices)? Is it legal? What are the questions that need to be asked? Legal & Policy

27 Incorporating Privacy Into Systems Development Methodology Legal and Policy Making good public policy decisions includes addressing the Legal, Public Scrutiny, and Audit perspectives. In summary: Legal & Policy

28 Incorporating Privacy Into Systems Development Methodology Legal and Policy Creating and changing provincial law Legal & Policy

29 Incorporating Privacy Into Systems Development Methodology Privacy Assessment Detailed Privacy Impact Assessment -Final document for audit purposes -Addresses all of the principles in the privacy framework Detailed Privacy Assessment

30 Incorporating Privacy Into Systems Development Methodology Drafting Agreements Documents that outline the flow of information between one or more trustees of the information for a particular purpose including any conditions that apply. Drafting Agreements

31 Incorporating Privacy Into Systems Development Methodology Creating Policy Education Culture Drafting Agreements Drafting Agreements

32 Incorporating Privacy Into Systems Development Methodology Executing Agreements It’s (implementation?) time when the agreements are signed!! Execute Agreements

33 Incorporating Privacy Into Systems Development Methodology Systems Development Methodology Requirements Design Detailed Design High Level Privacy Assessment Development Implementation Operations Legal & Policy Drafting Agreements Execute Agreements Detailed Privacy Assessment ? ?

34 Incorporating Privacy Into Systems Development Methodology Staffing and Project Considerations Project Manager Business/Systems Analyst Policy/Legal Analyst

35 Incorporating Privacy Into Systems Development Methodology Project Structure Project Management Office Business Stream Technical Stream Policy and Legal Project Steering Committee

36 Summary thoughts Addressing privacy is good management and helps documenting the answers to the questions: Just because we can do something, “Should we?” What happens if something goes wrong? Incorporating Privacy Into Systems Development Methodology

37 Privacy Security

38 Security assessment considerations Incorporating Privacy Into Systems Development Methodology What is the appropriate security in response to the privacy requirements? Security Controls Environment Classification Information Classification

39 Security assessment considerations Incorporating Privacy Into Systems Development Methodology Security Controls Authentication Authorization Encryption Integrity Availability Accountability

40 Security assessment considerations Incorporating Privacy Into Systems Development Methodology Environment Classification Un-trusted Semi-Trusted Trusted

41 Security assessment considerations Incorporating Privacy Into Systems Development Methodology Information Classification Public Internal Confidential Restricted

42 Security Classification Matrix Incorporating Privacy Into Systems Development Methodology

43 Security Assessment Review - A document that outlines how well the proposed solution meets the requirements for privacy and security - Outlines the security factors, the unmitigated risks, and the mitigated risks of proceeding - Buy versus build - Companion document to the Privacy Impact Assessment

44 Incorporating Privacy Into Systems Development Methodology Documents Attached PIA Templates Security Cube Security Assessment Templates

45 Incorporating Privacy Into Systems Development Methodology Documents Attached Order of use - Determine business requirements - Fill in PIA - Use the Cube document based on the PIA - Fill in the SAR document based on the proposed technical solution

46 Incorporating Privacy Into Systems Development Methodology Questions

Download ppt "Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health"

Similar presentations

SYSTEM OF EVALUATION AND MANAGEMENT CONTROL RESULTS-BASED BUDGETING THE CHILEAN EXPERIENCE Heidi Berner H Head of Management Control Division Budget Office,

SYSTEM OF EVALUATION AND MANAGEMENT CONTROL RESULTS-BASED BUDGETING THE CHILEAN EXPERIENCE Heidi Berner H Head of Management Control Division Budget Office,
<<Date>><<SDLC Phase>>

<<Date>><<SDLC Phase>>
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Data-Sharing and Governance Consultation ANALYSIS OF RESPONSES.

Data-Sharing and Governance Consultation ANALYSIS OF RESPONSES.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Project Initiation Meeting Presented By: > > Office of the Chief Information Officer >

Project Initiation Meeting Presented By: > > Office of the Chief Information Officer >
April 2, 2013 Longitudinal Data system Governance: Status Report Alan Phillips Deputy Director, Fiscal Affairs, Budgeting and IT Illinois Board of Higher.

April 2, 2013 Longitudinal Data system Governance: Status Report Alan Phillips Deputy Director, Fiscal Affairs, Budgeting and IT Illinois Board of Higher.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.

Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Public Sector Case Studies: THE ESTABLISHMENT OF A PRIVACY OFFICE.

Public Sector Case Studies: THE ESTABLISHMENT OF A PRIVACY OFFICE.
MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.

MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.
Chapter 3 Internal Controls.

Chapter 3 Internal Controls.
Outline Validation Objectives Why an IA-CMM? Validation Results

Outline Validation Objectives Why an IA-CMM? Validation Results
WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.

WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.
Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager 1 2 3 4 5 County of.

Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager County of.
Strategic Planning for Statistics in Australia PARIS21/UNESCAP Forum on Strategic Planning for Statistics in South-East Asian Countries – Bangkok, June.

Strategic Planning for Statistics in Australia PARIS21/UNESCAP Forum on Strategic Planning for Statistics in South-East Asian Countries – Bangkok, June.
1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013 Virginia.

1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013 Virginia.

Similar presentations

Ads by Google