Dwarchprivcy.ppt Our People Government for the 21st Century Doing Business Differently...
Date posted: 18-Dec-2015
dwarchprivcy.ppt
Our People
Government for the 21st Century
Doing Business Differently
Infrastructure
Meeting the Challenges of Privacy in the
Ontario Government
David Wallace
Head Architect
Office of Corporate Chief Strategist
Ontario Government
1st Annual Privacy & Security Conference
November 10, 2000
Agenda
Introduction
I&IT Strategy
E-Government, E-Business and Privacy
Introduction
“…a public sector organization is a complex organization…”
Government Context - Key Drivers
• Customer service
• Performance measurement
• Alternative service delivery
• Government efficiency
• Economic growth
• Inter-jurisdictional linkages
• Sectoral reform
E-Government and E-Business
Keeping the lights on
• Production Systems
• Ensure utility is provided for ministry service continuity
• Ongoing application development & maintenance
I & IT Strategy
• Governance & Accountability
• Organization and Staffing
• Infrastructure
• Policies and Standards
• Smart Cards
E-business & E-government
• Removal of economic barriers
• Transforming government
• Provision of security and privacy protection
• Enabling full participation in digital economy
OPS Business Initiatives
• ServiceOntario
• Ontario Business Connects
• Regional Delivery Restructuring
• Integrated Justice
• Land Information Ontario
• Mobile Communications
Sectoral Reform
• Education
• Health
• Justice
• Welfare
• Land / Resource Mgmt
Outcomes
• Strengthened economy
• Improved Government Service
• Healthy Population
• Vibrant Communities
• Learning, Wellness & Self-reliance
• Safe & Just Social Environment
• Responsible Government
• etc.
THE BEST PLACE TO LIVE, WORK AND DO BUSINESS
I&IT Strategy
I&IT STRATEGY + BUSINESS INITIATIVES RETHINKING GOVERNMENT
Business initiatives and I&IT are leading us to rethink government
Information technology allows us to rethink how we do business
We foresee fundamental changes in how we deliver services and how Canadians live, work and do business
Governments have a responsibility to enhance democracy in the digital age
I & IT Strategy Overview
• MBC approved I & IT Strategy in February, 1998
• Investment plan to increase the I & IT capacity of the Ontario Public Service (OPS)
• $100 million expenditure planned over 4 years to build a common infrastructure
[Diagram labels: Common infrastructure; Vision; Organization; Standards; Accountability; Governance; Policies]
I&IT Strategy Common Infrastructure
• Integrated Network
• Common Help Desk
• Enterprise I&IT Architecture
• Standardized Desktops
• End-to-End Security
• Directories & Messaging
• Client Access
• Integrated Information
• Application Environment
The Enterprise Architecture is the over-arching framework for the I&IT Strategy Common Infrastructure Projects
Privacy
Elements of Ontario’s Enterprise Architecture
[Diagram labels: Program & Service Design; Mandates; Clients; Services; Work Design; Processes; Workflow; Organization; Roles; Locations; Resources; Events; System Design; Domains; Nodes; Infrastructure Components; Application Function; Information; Interfaces]
Architecture enables the alignment and validation of I&IT solutions to business requirements that incorporate privacy as part of their designs
Security Architecture View: Dependencies
Privacy, Security, Auditability and Control are separate but overlapping and interdependent constructs… i.e., Privacy cannot be assured without Security.
[Diagram labels: SECURITY; AUDITABILITY AND CONTROL; PRIVACY]
Privacy Design Principles - Background
• Since the introduction of Ontario's Freedom of Information and Protection of Privacy legislation (FIPPA), the potential impact of information technology (IT) upon both sides of the information/privacy equation has grown exponentially
• The capacity of IT to collect, process, store and link information, including personal information, from separate government programs has increased the ability to manage, maintain and provide accurate information at the same time as it poses real and perceived risks to personal privacy.
• As a result, a Privacy workshop was held in July 1998 to see how privacy should be further addressed in the EIA
• Results of this workshop led to the formation of the Privacy Design Principles (PDPs) with Corporate Information and Privacy office
• Review of EIA and Privacy Design Principles in June/July 1999 by IPC
• PDPs part of Privacy Impact Assessment process in Dec. 1999
Objective of Privacy Design Principles
To ensure that the privacy of Ontario citizens is a fundamental component of the Government of Ontario's Enterprise Information and Information Technology Architecture (EIA).
Use Of Privacy Design Principles
Privacy Design Principles are one part of a two part process to ensure that new initiatives meet privacy protection requirements (second part - privacy impact assessment)
By incorporating the privacy design principles, project proposals will be developed whose business and systems details conform to privacy objectives and which clearly identify any exceptional circumstances
These principles provide a framework to be used in the development and ongoing refinement of the EIA and will help ensure the protection of personal information for citizens in Ontario
Examples - Smartcard Project, Smart System for Health, Business Transformation Project...
Security Architecture Building Blocks and Linkage to Privacy Design Principles
Conceptual Security Architecture
Security Policy and Security Standards
Security Life Cycle Process
Security Principles
Logical Security Architecture Model
Privacy Design Principles
Privacy Principles : Ten Privacy Categories
1. ACCOUNTABILITY
2. IDENTIFY PURPOSE FOR COLLECTING PERSONAL INFORMATION
3. LIMIT COLLECTION OF PERSONAL INFORMATION
4. OBTAINING CONSENT
5. LIMIT USE, DISCLOSURE, AND RETENTION OF PERSONAL INFORMATION
6. ACCURACY OF PERSONAL INFORMATION
7. SAFEGUARDING PERSONAL INFORMATION
8. OPENNESS
9. CLIENT ACCESS TO PERSONAL INFORMATION
10. CHALLENGING COMPLIANCE
E-Government, E-Business and Privacy
Strategic Directions for E-Government
Several levels of strategy being developed:
• Digital Economy
• Electronic Government
• Electronic Service Delivery
The Digital Economy strategy will:
• create positive environment for e-business growth
• lead by example through electronic government
• approve framework for provincial private sector privacy law
• communicate sustained vision and foster public awareness
The E-Government strategy will:
• use the I&IT investment to support government priorities
• implement widespread use of electronic service delivery to government clients (businesses and individuals)
• encourage increased citizen participation in government processes (e.g., developing policy options)
Strategic Directions for E-Government (2)
The Electronic Service Delivery Strategy will:
• focus on improving service quality to individuals and businesses by using electronic delivery systems
• develop electronic services that are:
  • client-focused
  • integrated
  • accessible and
  • cost-effective
Major emphasis on use of Internet, intranets and extranets to deliver high-quality services to external clients and change internal processes
“The Race Is On…”
E-readiness promises tremendous benefits:
» for businesses: market leadership, competitive edge, branding
» for citizens: access to better products, better prices, more choices, better jobs
» for the public sector: quality service, integration, accessibility
THE RACE IS ON -- we must act NOW by:
» encouraging e-business in the private sector, and ensuring that Ontarians have the skills and confidence to excel in the new economy,
» using new technologies to make public sector service delivery and system management faster, more accessible, effective, and responsive,
» addressing security and privacy concerns
“…Public policy makers need to foster the growth of the network... We need to ensure that our citizens have the means, the tools, the skills and the desire to be part of the Network Economy. If not, then our citizens risk being the have-nots of the new economic order…[W]e need to build trust for users, establish ground rules, and enhance the infrastructure...”
Jean C. Monty, President and CEO, BCE Inc. and Bell Canada
Legal Framework in Ontario
Already in place: FIPPA and MFIPPA laws for the public sector
• apply to provincial public sector, municipalities, local boards, agencies and commissions; do not apply to universities, hospitals, etc.
New statute developed this year: Electronic Commerce Act in force October 16/00
Purpose of new statute to:
• promote the use of IT in commercial and other transactions
• remove legal uncertainties about how the courts will treat electronic documents
• allow for use of electronic signatures
• remove statutory barriers that affect electronic communication (particularly where paper documents appear to be required now)
Legal Framework in Ontario (2)
Legislative action being considered:
• Legislation on privacy protection of personal information in private and non-profit sectors
• Legislation/regulations on protection of personal health information and facilitation of data sharing when appropriate to meet program requirements
Provincial legislation to protect personal information will help build public confidence and give Ontario a head start in the digital economy
Legal Framework in Ontario (3)
To enable business competitiveness and ensure consumer trust, Ontario is proposing new privacy legislation applicable to private and non-profit sectors that is
• consent-driven (i.e., consistent with federal Bill C-6)
• focused on the protection of personal information as a means of building confidence in the digital economy
• grounded in fair information practices as reflected in the CSA Privacy Standard, which has broad support from industry, consumer groups, and governments
• flexible, in that it could allow for sectoral codes (e.g. for credit reporting) to replace the obligations set out in the general law as necessary
The Federal Legal Landscape
The Personal Information and Electronic Documents Act (Bill C-6)
• a corner-stone of the federal government’s Electronic Commerce Strategy
• will regulate privacy in the private sector, starting with the federally-regulated private sector (banks, telecommunications, transport, etc.) and extending to all commercial activities in the provinces within 4 years unless the province enacts its own law
• is based on a standard set of fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, challenging compliance
Stepping up to E-Government
[Diagram; text recovered from the slide:]
• Privacy; Security
• Business Imperatives; Infrastructure Imperatives
• Websites: Static; Searchable & Dynamic pages. All ministries provide program information
• Integration with databases: Some access to Internet searchable databases.
• Electronic Transactions: Electronic Storefronts/Catalogues (POOL, MNR). End-to-end transactions accessing legacy systems through middleware are in development (OBC, MTO)
• Next Generation Enterprise: Full business partner participation
• Social Services Business Transformation; Integrated Justice
• Our People: new organization - new skills - clear accountability
• Enterprise Architecture
• Standardized desktop; End to end Security; Integrated Network; Common Help Desk
• Directories and Messaging
• Information Integration; Coordinated Client Access
• Standardized Application Env.
Appendix
Ontario Government’s Enterprise Architecture Privacy Design Principles
PDP#1 - Accountability
Privacy Principle
Ontario government ministries and agencies are accountable for personal information that is under their custody or control.
Design Principle
Ministries/agents will designate an individual(s) to be accountable for the privacy of personal information.
PDP#2 - Identifying The Purpose For Collecting Personal Information
Privacy Principle
Ministries and agencies will identify the purpose for which personal information is collected at or before the time the information is collected.
Design Principle
• Organizations must clearly identify and document the purpose(s) for which they collect personal information.
• The identification of collection purposes must be conducted in a systematic and evidence based fashion
• Attention must also be paid to all instances where personal information is disclosed regularly to other programs.
PDP#3 - Limits For Collecting Personal Information
Privacy Principle
FIPPA prohibits the collection of personal information unless the collection is expressly authorized by statute, used for law enforcement or is necessary for the proper administration of a lawfully authorized activity.
Design Principle
• Limits on the collection of personal information must be incorporated into the design of information systems
• Privacy impact assessment for significant changes
• Common multi-program identifiers must be avoided for use with unrelated programs. Distinct identifiers for unrelated programs
• Design strategies that are based on data subject anonymity or pseudonymity are the preferred approach for applications that aggregate data from multiple programs for data mart/warehouse business analysis.
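One way the two identifier rules in PDP#3 can be realised, as an added example that is not part of the original presentation: each program derives its own keyed identifier, and rows loaded into a data warehouse carry a separate pseudonym with direct identifiers stripped. The key values, field names and the `citizen_ref` input are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed keys for the example. Assumption: each program keeps its own
# secret, and the warehouse loader holds a separate one.
KEYS = {
    "health": b"constructed-key-health",
    "transport": b"constructed-key-transport",
    "warehouse": b"constructed-key-warehouse",
}
DIRECT_IDENTIFIERS = ("citizen_ref", "name", "address")


def derive_id(domain: str, citizen_ref: str) -> str:
    """Keyed, one-way identifier that is specific to one domain (program)."""
    normalised = citizen_ref.strip().upper().encode("utf-8")
    return hmac.new(KEYS[domain], normalised, hashlib.sha256).hexdigest()[:24]


def to_warehouse_row(program: str, row: dict) -> dict:
    """Strip direct identifiers and attach a warehouse pseudonym before loading."""
    out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
    out["program"] = program
    out["subject"] = derive_id("warehouse", row["citizen_ref"])
    return out


def subjects_in_both(rows: list, a: str, b: str) -> int:
    """Aggregate question answered on pseudonyms only: overlap between programs."""
    in_a = {r["subject"] for r in rows if r["program"] == a}
    in_b = {r["subject"] for r in rows if r["program"] == b}
    return len(in_a & in_b)


# Constructed sample records held by two unrelated programs.
HEALTH = [
    {"citizen_ref": "ON-1001", "name": "A. Example", "visits": 3},
    {"citizen_ref": "ON-1002", "name": "B. Example", "visits": 1},
]
TRANSPORT = [
    {"citizen_ref": "on-1001 ", "name": "A. Example", "licence_class": "G"},
    {"citizen_ref": "ON-1003", "name": "C. Example", "licence_class": "M"},
]


def build_warehouse() -> list:
    """Load both programs' rows in pseudonymised form."""
    rows = [to_warehouse_row("health", r) for r in HEALTH]
    rows += [to_warehouse_row("transport", r) for r in TRANSPORT]
    return rows


if __name__ == "__main__":
    # The same person gets different operational identifiers in each program,
    # so the program tables cannot be joined on them.
    print(derive_id("health", "ON-1001"), derive_id("transport", "ON-1001"))
    warehouse = build_warehouse()
    print(warehouse[0])
    print("subjects in both programs:",
          subjects_in_both(warehouse, "health", "transport"))
```

Anyone holding the warehouse key can recompute a pseudonym from a known reference, so the scheme is pseudonymous rather than anonymous and the key needs the same protection as the identifiers it replaces.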
PDP#4 - Obtaining Consent
Privacy Principle
While consent is not the only authority by which to collect, use and disclose personal information, obtaining consent will often be the preferred approach.
Design Principle
• An information management system should be designed to capture the subject's consent or lack of consent to the collection, use or disclosure of their personal information.
• The design of the technology used in any interaction with clients should include the ability to identify whether consent was provided/ whether it was required
• Consent can be provided by traditional methods such as a signature on a mandated form, or through technology such as access cards or kiosks (assumed consent has been given for the use of the personal information).
PDP#5 - Limits For Using, Disclosing, and Retaining Personal Information
Privacy Principle
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as specifically authorized by law. Personal information only retained until fulfilment of those purposes.
Design Principle
• It cannot be assumed that where an individual has provided personal information for one purpose, the information may be used or shared for an unrelated purpose. Information systems must be designed to ensure this
• FIPPA requires that where personal information is used or disclosed for purposes other than those described in the Directory of Records, the circumstances of use or disclosure must be attached or linked to the personal information.
• Data matching, or the aggregation of personally identifiable information is only permitted in compliance with the MBC Data Matching Directive
PDP#6 - Keeping Personal Information Accurate
Privacy Principle
Personal information should be accurate, complete and timely. The individual who provides the personal information must have access to the data kept on file about them.
Design Principle
• Information systems should be designed to ensure that personal information can be accessed and corrected upon request
• Technology should have the ability to identify when data has been changed or modified, by whom and for what reason
• Where a history of correction transactions is to be retained, the technology should be designed so that this historical information is not routinely disclosed to persons other than the data subject.
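A sketch of the PDP#6 design principle, added here as an example and not taken from the presentation: every correction records what changed, when, by whom and why, and the correction history is returned only when the requester is the data subject. Class, field and requester names are hypothetical, and deciding who may read the current values at all is assumed to happen elsewhere.

```python
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Correction:
    """One change to a personal-information field: what, who, when and why."""
    field_name: str
    old_value: str
    new_value: str
    changed_by: str
    reason: str
    changed_at: str  # ISO 8601 timestamp, UTC


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict
    history: list = field(default_factory=list)

    def correct(self, field_name, new_value, changed_by, reason):
        """Apply a correction and append an audit entry.

        Changes without an author or a reason are refused, so the history
        always answers "by whom and for what reason".
        """
        if field_name not in self.data:
            raise KeyError(f"unknown field: {field_name}")
        if not changed_by.strip() or not reason.strip():
            raise ValueError("a correction needs both an author and a reason")
        entry = Correction(
            field_name=field_name,
            old_value=self.data[field_name],
            new_value=new_value,
            changed_by=changed_by.strip(),
            reason=reason.strip(),
            changed_at=datetime.now(timezone.utc).isoformat(),
        )
        self.history.append(entry)
        self.data[field_name] = new_value
        return entry

    def view(self, requester_id):
        """Current values for any reader; correction history for the subject only."""
        out = {"subject_id": self.subject_id, "data": dict(self.data)}
        if requester_id == self.subject_id:
            out["history"] = [asdict(c) for c in self.history]
        return out


def demo():
    """Constructed scenario: a clerk fixes a misspelt address at the subject's request."""
    rec = PersonalRecord("subject-001",
                         {"address": "12 Exmaple St", "phone": "555-0100"})
    rec.correct("address", "12 Example St", "clerk-17",
                "subject reported a spelling error")
    return rec


if __name__ == "__main__":
    record = demo()
    print(record.view("caseworker-42"))  # no history in the routine view
    print(record.view("subject-001"))    # the subject sees the corrections
```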
PDP#7 - Safeguarding Personal Information
Privacy Principle
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information and the risks to both data subjects and the government inherent in the information management architecture
Design Principle
• Organizations should conduct information classification reviews to determine the appropriate level of security to be applied to personal information.
• The level of security is dependent upon the sensitivity of the information, value to authorized programs, and its value to unauthorized access
• Methods to protect personal information could include:
  – data encryption
  – access controls
  – remote access two-way user authentication
  – log in and password management
  – risk assessments
PDP#8 - Openness
Privacy Principle
Ministries/agencies shall be open about the policies and procedures that apply to the management of personal information. Policies and practices relating to the management of personal information shall be readily available. This principle is essential to the operation of principle #1 and principle #2
Design Principle
• An information system involving personal information should be transparent, so that individuals can verify how their information is being collected, used or disclosed
• When requested, ministries and agencies should be able to provide a full description of all circumstances where personal information is disclosed to third parties
• Who has the authority to access what information and for what purpose must be clearly identified. Change in the policy and the technology must also be available upon request.
• Consequently, information system changes must be clearly documented and readily available, unless to do so would reveal details about security-related activities.
PDP#9 - Clients Will Have Access to their Personal Information
Privacy Principle
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of their information and have it amended as appropriate
Design Principle
• Information systems should be able to provide an individual with copies of the personal information that is kept on files stored
• Information systems must be designed to facilitate access by individuals to their personal information retained on the system, except where such access is not permitted under privacy or other legislation
• Individuals have the right to disagree and to correct their personal information and must be able to amend or annotate any personal information that is subject to disagreement regarding accuracy. The system must also have the capacity to notify third parties.
PDP#10 - Challenging Compliance
Privacy Principle
An individual shall be able to address a challenge concerning compliance with privacy requirements to a designated individual(s)
Design Principle
• Ministries and agencies are accountable for personal information under their custody or control and must respond to inquiries raised
• The use of agents or outsourcing does not reduce this obligation
• Compliance issues may be raised directly with individual ministries/agencies or the IPC
• Information systems should be designed so that transactions can be traced; history of transactions should be retained for audit purposes, privacy complaints or for requests from an individual
WWW.CIO.GOV.ON.CA