Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Legislation and Standards in Canada The Demand for Privacy Alec Campbell, Principal Excela Associates Inc. Distinguished Associate, Bell PCE

Published byCordelia Bryant Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy Legislation and Standards in Canada The Demand for Privacy Alec Campbell, Principal Excela Associates Inc. Distinguished Associate, Bell PCE"— Presentation transcript:

1 Privacy Legislation and Standards in Canada The Demand for Privacy Alec Campbell, Principal Excela Associates Inc. Distinguished Associate, Bell PCE alec@excela.info 780-945-0123

2 Compliance Requirements 24 privacy laws in Canada today  15 provincial/territorial public sector laws (incl 2 municipal in SK & ON)  1 federal public sector law (Privacy Act)  1 federal private sector law (PIPEDA)  3 provincial private sector laws (BC, AB, QC)  4 provincial healthcare sector laws (AB, SK, MB, ON)

3 Trust requirements Epidemic of breaches  SK - ISM data tapes with insurance data  GoC - CRA laptops with taxation data  GoC - HRDC data matching with almost everything  BC - surplus sales with social services data  AB – employee security clearances with personal financial info  ON & AB – various personal health information  ON – federal PC’s personal phone records  Massive US breaches – credit card information, travel details, correspondence, aggregated PI, others

4 Trust requirements Epidemic of breaches – Just the first trimester of 2006  Jan 1: “Car thief walked away with the medical records of 365,000 patients across Oregon and Washington.”  Jan 27: “ChoicePoint Hit With Record $15 Million FTC Penalty”  Jan 27: “Medical records stolen from courier in Langley BC”  Mar 8: “BC Minister offers plan to address health-data ‘screw-up’”  Mar 9: “Edmonton police rapped for improper CPIC use”  Mar 9: “Hacker hits B.C. government computers”  Mar 13: “Another mess for CIBC: Confidential papers sent to wrong firm”  Mar 27: “4,000 BC Hydro employees info at risk after B&E”  Apr 10: “Tax agency mailed personal data to wrong addresses”  Apr 10: “Personal data stolen from Bank of Canada CSB accounts” Winners/HomeSense: 47.5 million credit card numbers stolen in database breach.

5 Trust requirements E-services initiatives threatened by privacy and security concerns Identity theft a major issue  According to the FTC, ID theft cost American consumers $5bn and businesses $48bn in 2005 Identification and authentication are critical  Biometrics  Electronic signature standards Post-911  Communications monitoring  Surveillance

6 Risk Management Requirements Identify the risks associated with privacy breaches and failures  Legal liability, loss of stakeholder trust, loss of political credibility, financial costs  Privacy impact assessments Mitigate the risks identified  Minimize the likelihood of occurrence  Minimize the severity of the impacts  Maximize learning from occurrences

7 Management Issues Security  Privacy ≠ Security, Security > Privacy  Some security measures are not compatible with privacy  Security and privacy should be addressed in tandem, especially as they relate to information management  Like privacy, security is a risk management issue – you can reduce security risks but you cannot eliminate them  Security requires regular reviews and audits

8 Management Issues Information technology  ‘Privacy by design’: privacy is a design consideration, not an obstacle Privacy architecture and technical standards  Privacy must be built in at the start Retrofitting privacy measures to existing IT applications can be very expensive Often need a PIA to identify privacy issues and approaches  Must have adequate security to support privacy, but security ≠ privacy  Privacy enhancing technology

9 Management Issues Incident Response  A weakness in most organizations  Poor incident response increases severity of incident & consequences  Must ensure that decisions are made quickly, by the right people  Slow incident response & notification can be a problem with contractors and outsourcers  When and how do you notify victims of breaches?

10 Selected Strategic Issues E-services  Policy, standards to generate & maintain trust in electronic services involving personal information PIA policy  Should have clear, explicit requirements for PIAs  PIA is heart of the privacy risk assessment process Privacy architecture and technical standards  Critical element of IT privacy strategy, but often overlooked  Link security and privacy standards

11 Selected Strategic Issues Privacy enhancing technologies  In their infancy, but show great potential Search encrypted database without decryption Automatically anonymize a dataset to the minimum extent necessary Locally authenticate biometric identifiers Incident response procedures  Most organizations have poor privacy incident response, which exacerbates the severity of the incident  Learn from the security field Incident notice requirements  Increasing pressure to notify victims of privacy breaches  Over 30 state laws proposed in US

12 Elements of a Strategic Framework Legislation  Comprehensive, up to date, practical Policy  Rules should be mandatory but general  Commitment to legislative requirements should be explicit  Specifies accountability Standards  Mandatory specifications for technical issues, like database design, user authentication, security, file management, QA procedures, etc.  Use national or international standards where possible

13 Elements of a Strategic Framework Guidelines  Non-mandatory best practices  Should be as detailed as necessary  Allow flexibility to accommodate circumstances  Best at the procedural level Training and Awareness  Awareness programs critical for everyone, but especially for senior management and front-line workers  Specialized training for privacy coordinators and managers of sensitive programs

14 Selected Strategic Issues 1/2 E-services  Policy, standards to generate & maintain trust in electronic services involving personal information PIA policy  Should have clear, explicit requirements for PIAs  PIA is heart of the privacy risk assessment process Privacy architecture and technical standards  Critical element of IT privacy strategy, but often overlooked  Link security and privacy standards

15 Selected Strategic Issues 2/2 Privacy enhancing technologies  In their infancy, but show great potential Search encrypted database without decryption Automatically anonymize a dataset to the minimum extent necessary Locally authenticate biometric identifiers Incident response procedures  Most organizations have poor privacy incident response, which exacerbates the severity of the incident  Learn from the security field Incident notice requirements  Increasing pressure to notify victims of privacy breaches  Over 30 state laws proposed in US

16 Summary Compliance and trust requirements have made privacy a major public policy issue today Privacy by risk management:  assessment and mitigation Elements of privacy strategy:  Legislation  Policy  Standards  Guidelines  Training and awareness Selected strategic issues:  E-services  PIA policy  Privacy architecture & stds  Privacy enhancing technologies  Incident response procedures  Incident notice requirements

17 17 Privacy Impact Assessments What is a PIA?  A formal assessment of the privacy implications associated with a given project, initiative, or collection of records, usually in reference to applicable legislation or policy.

18 18 Privacy Impact Assessments PIAs have become a critical tool in privacy management  PIAs are proactive, not reactive  Well-suited to risk management  Provide evidence of due diligence Inspired by the environmental impact assessment Formal PIA processes have taken some time to develop, and there is still no widespread standard

19 19 Issues in PIA Planning and Preparation Why do it?  Due diligence If you have a privacy complaint later, having done a PIA will demonstrate efforts to protect privacy  Risk management PIA will identify potential privacy risks before they materialize, allowing you to take measures to prevent problems Risks: IPC inquiry costs, loss of stakeholder trust, bad publicity, cost of retroactive privacy measures, legal costs, etc.  Cost containment A PIA will often cost less than a privacy breach resulting from a failure to do the PIA.

20 20 Issues in PIA Planning and Preparation Who should do it?  Those who will be responsible for the project or initiative after it is up and running – they have to know the privacy issues  Involve all responsible business areas - actively  If it’s an IT project, make sure both IT and the business area are involved – not just the development team  If project is complex or it’s your first PIA, bring in a consultant – but you should not need a consultant for every PIA.  PIA findings should be approved by the senior manager responsible for the project

21 21 Issues in PIA Planning and Preparation When to do it?  As early in project planning as possible Need to know PI data elements and flows to complete  For IT projects, make it part of the system design phase  For administrative and management projects, do PIA after process design but before implementation  Need for PIA, or lack thereof, should be part of the project proposal or business case.

Download ppt "Privacy Legislation and Standards in Canada The Demand for Privacy Alec Campbell, Principal Excela Associates Inc. Distinguished Associate, Bell PCE"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Sept. 2012 Topics of interest & risk in our industry today Christine Scaini Compliance Consultant Market Conduct Compliance.

Sept Topics of interest & risk in our industry today Christine Scaini Compliance Consultant Market Conduct Compliance.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
IDENTITY THEFT & THE RED FLAGS RULE Presented by Brady Keith, Assistant General Counsel CREDIT MANAGEMENT SERVICES, INC.

IDENTITY THEFT & THE RED FLAGS RULE Presented by Brady Keith, Assistant General Counsel CREDIT MANAGEMENT SERVICES, INC.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and.

Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and.
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Environmental Management Systems An Overview With Practical Applications.

Environmental Management Systems An Overview With Practical Applications.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Similar presentations

Ads by Google