PIA and TRA - IAPP

Assessing Privacy and Security Risks via the PIA Process

Marjorie Platero, Anne Overton

May 8, 2014

Overview

• Our unique perspective as federal regulator

• Privacy impact assessment

• Threat and risk assessment

• Technology & privacy can co-exist

http://www.privacyawarenessweek.org/resources.html

Privacy Impact Assessments

• Making Good Decisions

• Privacy Risk Management

• Accountability

• Compliance

TRA Terminology

Term: Definition

Assets: Tangible or intangible things

Threats: Potential event that could cause injury

Vulnerabilities: An attribute that increases the likelihood of a threat, compromise or severity of injury

Safeguards: Decreases the likelihood of a threat, compromise or severity of injury

Residual Risk: Remaining risk after applying safeguards

Confidentiality: Information must not be disclosed to unauthorized individuals

Integrity: Accuracy and completeness of assets

Availability: Usable on demand to support program delivery

Enterprise Risk Management

Project Management Framework

Software Development Lifecycle

others…

TRA Process

1. Identify ASSETS

2. Identify THREATS to the assets

3. which have VULNERABILITIES but also existing SAFEGUARDS

4. Calculate RESIDUAL RISKS

5. RECOMMEND actions to MITIGATE unacceptable RESIDUAL RISKS

[Figure: COSO Enterprise Risk Management Framework. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Info & Communication, Monitoring. Levels: Entity-level, Division, Business Unit, Subsidiary. Other labels: TRA; Risk Assessment; X PIA TRA Activity.]

PIA & TRA – how do they work together?

PIA:

• Overview and PIA Initiation

• Analyse PI flows

• Identify privacy risks

• Assess privacy compliance

• Summarize analysis

• Make recommendations

TRA:

• Preparation Phase

• Identify assets

• Assess threats

• Assess vulnerabilities

• Calculate residual risk

• Make recommendations

[Figure: Overlap Process – GoC Example. Labels: PIA, TRA, Safeguards.]

Assessing privacy & security risks

[Figure: End-to-end data flow. Labels: Partners, Third-parties, Clients, SysA, SysB, Remote, Multiple input channels, Multiple output channels, Manual Process (twice).]

Assessing privacy & security risks

[Figure: Labels: Partners, Third-parties, Clients, Remote Employees, Secure File Transfer, SysA, Web portal, Employees, SysB.]

A recent example

[Figure: End-to-end information flow, with callouts "Scope of PIA", "Scope of TRA" and three question marks.]

PIA & TRA Scope

[Figure: TRA and PIA scope pairings: 1 to 1, 1 to many, many to 1, many to many.]

New technology – assessing risks

How does it work?

How do we implement it?

How do we integrate it?

How do we secure it?

What does it do?

What are we going to do with it?

Should we do it? (4 part test)

How do we do it in a privacy-sensitive & compliant way?

How do we protect the data?

We want to use Technology A to ….

BUSINESS

PRIVACY IT & SECURITY

Key Takeaways

• Work with business, privacy, security and technical experts

• Coordinate risk management activities

• Define scope

• Leverage work already done

• Consolidate risk action plan

www.priv.gc.ca

@privacyprivee

1-800-282-1376