A Privacy Compliance Checklist: Organizing for Privacy Management

Size: px

Start display at page:

Download "A Privacy Compliance Checklist: Organizing for Privacy Management"

Barrie Piers Harmon
5 years ago
Views:

1 Help with FOIP!! vember 2007 A Privacy Compliance Checklist: Organizing for Privacy Management (Combines Organizational Privacy Measures and Personal Information Holding checklists) Introduction The following checklist can be employed within government institutions or local authorities to ensure that the basic elements of a privacy framework are in place within the institution. The checklist is divided into four key areas of activity: 1. Organizational Measures 2. Aligning business processes to privacy requirements 3. Training and awareness 4. Monitoring, evaluations and modification. The four areas complement each other and should all be completed to ensure comprehensive privacy management. Please note that this checklist is not considered a substitution for ensuring compliance with applicable legislation or with the Overarching Personal Information Privacy Framework for Executive Government. The checklist is intended to ask relevant, highlevel, questions to prompt review and, perhaps, further improvements within your institution. For additional information or assistance in using the checklist, please contact the Access and Privacy Branch at or AccessPrivacyJustice@gov.sk.ca.

2 Privacy Compliance Checklist Organizing for Page 2 of 11 Part 1 Organizational Measures Roles and Responsibilities To ensure compliance with access and privacy legislation, institutions should implement a number of organizational measures including defining roles and responsibilities for actions and decisions related to access and privacy. 1. Has your institution named a Privacy Officer/ FOIP Coordinator or otherwise determined who is responsible for: a. Leading the institution s privacy initiatives? b. Managing access to information requests when they arrive? c. Responding to enquiries from the public, conducting internal privacy investigations, working with the Information and Privacy Commissioner in the event of reviews or investigations, leading in the development of policy and procedures, and generally being accountable for the institution s access and privacy practices and compliance? 2. Are roles and responsibilities of others defined and understood? All employees have a role to play and have responsibilities regarding protection of privacy and access to records. For example, the head is accountable for decisions and obligations under the law. Management should ensure policy exists and is followed. Staff should understand and comply with policy. All should be prepared to ask for assistance from the Privacy Officer/ FOIP Coordinator as needed. Depending upon the size of the organization, it may be helpful to establish an access and privacy committee with representation from different areas and interests within the department. The roles and responsibilities for managing access and privacy should be outlined in written policy or procedure. For example, staff should know what will happen when an Access to Information request arrives in the institution or what to do in the event of a privacy breach. For more information on Roles and Responsibilities, see the on-line

3 Privacy Compliance Checklist Organizing for Page 3 of 11 access and privacy training at Recommended model: The Access and Privacy Officer A senior official should be appointed to deliver and/ or manage a program/ office with combined responsibility for access and privacy. The senior official should be able to bring issues/ reports directly to the attention of the head or permanent head (Deputy Minister, CEO, Chair, etc.) All staff should understand the role of the central office. The public should be able to contact this office with requests for information, questions and concerns. The office should also be the prime contact with the Office for the Information and Privacy Commissioner. Privacy Officer should be made known to the public, others w that you have the roles and responsibilities defined, it is important to raise awareness of the function. 3. Does the staff know who to contact if they have questions about access and privacy? One of the advantages of a centralized access and privacy function is the ability to develop expertise and experience that can be shared with the rest of the organization. Take steps to ensure that the organization is aware of this role by: Ensuring the Access/ Privacy Officer is a senior official with a presence at executive meetings (or a spokesperson). Developing an Information Management web site on the Intranet. Promoting the service in s, newsletters, etc. to the organization. 4. Does the public know who to contact if they have questions about access and privacy? The following can be effective in promoting the process, including the existence of a Privacy Officer/ FOIP Coordinator: o Place contact information on the Internet. o Educate staff about the role of the Privacy Officer/ FOIP Coordinator, so they can inform the public as necessary. o Include information about the Privacy Officer/ FOIP Coordinator in brochures, posters, etc. including program-specific brochures and general brochures about the department or agency.

4 Privacy Compliance Checklist Organizing for Page 4 of 11 Consider a three tiered process for managing complaints: Tier 1 Program/ local As much as possible, question, concerns, complaints should be handled by the staff most familiar with the program/ application. Tier 2 Privacy Officer If issues cannot be addressed locally, they should be elevated to the institution s Privacy Officer. Tier 3 OIPC - If the issues cannot be resolved within the government institution or local authority, individuals should be informed of their right to go to the Information and Privacy Commissioner. 5. Is information about the organization s handing of personal information available to the public? Consider for example: Place a privacy statement on the Internet (government institutions should use the Government of Saskatchewan Internet Privacy Statement available from the or ITO. Place all policies (or summaries) involving personal information on the Internet or elsewhere. Making policies available on request. Discussing those policies as needed. 6. Is a process in place to allow individuals to request access to their own personal information and to request changes to that information? Individuals should be able to informally access their own records with little difficulty. An Access to Information request may be necessary in some circumstances. 7. Does the Privacy Officer/ FOIP Coordinator serve as the key contact with the Office of the Information and Privacy Commissioner for formal reviews and investigations and for informal matters? Having a single point of contact with the Office of the Information and Privacy Commissioner will simplify the process and will help improve knowledge of access and privacy law and practice.

5 Privacy Compliance Checklist Organizing for Page 5 of 11 Part 2 Aligning business practices with privacy requirements With the basic governance/ administrative structure in place, it s time to align business practices with good privacy practices and the law. The following questions will help get you started. Do an Inventory 8. Do you know where personal information is collected, used, disclosed or otherwise maintained in your institution? The first step in ensuring you are privacy compliant is to determine if and where you have personal information or personal health information. (See s. 24 of FOIP, 23 of LAFOIP or 2(m) of HIPA as applicable for definitions.) Create a list of all personal information holdings (databases, paper files, file banks, etc.) where personal information exists i.e. make an inventory. Then, apply each of the questions that follow to each instance of personal information identified above.

6 Privacy Compliance Checklist Organizing for Page 6 of 11 Have policy for all personal information collection, use and disclosure 9. Does written policy, procedure or similar documentation exist describing the purposes for collection and the acceptable uses and disclosures of the personal information? In particular, is the document clearly written so that staff can understand what they can and cannot do with the personal information? The policy should address or help satisfy the following: o The purposes for collection are documented; o That only necessary personal information is collected; o The legal authority for collection is confirmed; o Individuals are informed of the purposes for collection, use and disclosure; o That consent is collected from individuals where practicable and the consent is documented. o That access to personal information by staff is limited to those who need-toknow the information for an authorized purpose. o That personal information is only used or disclosed for authorized purposes. If yes, assemble the documentation and proceed to the next question. If no, this should become a priority. Contact the for additional information about what to include in the policy. 10. Can the purposes for use or disclosure be satisfied with deidentified personal information? If yes, the policy should reference where de-identified information should be used. 11. Is the policy compliant with FOIP, LAFOIP or HIPA, as appropriate? The Information and Privacy Commissioner s (OIPC) Privacy Impact Assessment work sheets for FOIP, LAFOIP and HIPA (available at the OIPC web site) ask a number of questions that can be useful for this review. If yes, continue to the next question.

7 Privacy Compliance Checklist Organizing for Page 7 of 11 If no, amend the policy as necessary. Review/ Develop Safeguards It is vitally important that the personal information in your organization is protected. 12. Are physical, technical, organizational safeguards in place to protect the information? If yes, assemble the documentation. (In government, consider if the information has been classified pursuant to the Classification Guide for Information Protection? Do the safeguards comply with the ITO Security Controls for Protection of Personal Information guidelines or similar standards?) If no, make this a priority.

8 Privacy Compliance Checklist Organizing for Page 8 of 11 Contractual Safeguards with 3 rd Party Service Providers 13. If a third party (such as an outsourcing information technology firm) is employed to collect, use, disclose or otherwise manage the personal information, are appropriate privacy protection clauses included in the contract? If yes, assemble the documentation. If no, make this a priority. In government, apply the Personal Information Contract Checklist available from the, Saskatchewan Justice. Review/ Develop Retention and Destruction Personal information should not be retained longer than it needs to be (the longer you keep it the longer a potential risk (e.g. accidental disclosure) exists.) Short retention is preferred but that must be balanced against other requirements, such as ongoing administrative purposes. A formal records retention schedule should exist for all records. In government, that retention schedule is required pursuant to The Archives Act, Does an approved retention schedule exist for these records? Is it being followed? If yes, assemble the documentation. If no, begin development of an appropriate retention schedule, applying the Privacy Review for Retention Schedule Development form available from the Access and Privacy Branch, Saskatchewan Justice or the Government Records Branch, Saskatchewan Archives Board.

9 Privacy Compliance Checklist Organizing for Page 9 of Is a secure method used to dispose of old records, including paper, electronic, and other forms of records? If yes, assemble the documentation. If no, work with the records manager to ensure that all records containing personal information are securely disposed of either by transfer to the Archives or complete destruction. This is a high risk area for privacy violations. Poor disposal practices are the source of frequent privacy incidents across Canada.

10 Privacy Compliance Checklist Organizing for Page 10 of 11 Part 3 - Staff Training and Awareness 16. Have all staff received training in access and privacy matters? Is that training documented? If no, training should be a priority. Training staff regarding what can and cannot be done with personal information will significantly reduce any risk of privacy violations. Consider requiring that staff complete the on-line access and privacy training available at: Do all new staff receive access and privacy training as part of orientation? If no, it should become part of standard orientation. Consider making it a requirement for all new staff to complete the on-line access and privacy training available at: Part 4 Monitor, evaluation and adjust You now have an organizational structure in place to support access and privacy compliance, you know where personal information is and have appropriate policy and safeguards in place, and your staff is trained and knowledgeable. w you need to maintain the program, make sure it is working and make improvements as needed. 18. Is there a protocol in place for responding to a privacy breach? Employ the Privacy Breach Management Guidelines available from the Access and Privacy Branch. 19. Are Privacy Impact Assessments conducted on new or significantly revised programs or applications involving personal information? Any time a public body creates, modifies or reviews a program or activity that involves personal information or personal health information a review should be conducted to ensure the program is complaint with the law and the obligations of the public body to protect privacy have been met. A formal Privacy Impact Assessment may be appropriate if:

11 Privacy Compliance Checklist Organizing for Page 11 of 11 Privacy implications for the program or activity have not been considered in the past and/ or no legal review has been done. The project, program or application is complex in nature. There are concerns about the privacy implications of the project. The personal information is particularly sensitive. The project is high profile and will likely draw interest from the public. Significant changes are being made to an existing program. te: PIAs are not required in law but can be a helpful tool for program- or application-specific privacy reviews. Please contact the Access and Privacy Branch for more information. Refer to the Information and Privacy Commissioner website for a Privacy Impact Assessment checklist: Are Threat/ Risk Assessments conducted? The purpose of a Threat/Risk Assessment is to assess security threats and vulnerabilities, document existing security measures, and recommend improvements to mitigate identified risks. A Threat/Risk Assessment helps to improve the security of information thereby helping to protect privacy. te: Privacy and security are not the same thing. One can have security for data but not have rules in place regarding appropriate access, use or disclosure and thus have weak privacy protection. Similarly, one can have strong rules around privacy, but if no security is applied to the actual records or data, then the protection is weak. The two go hand-in-hand.

PRIVACY BREACH MANAGEMENT GUIDELINES. Ministry of Justice Access and Privacy Branch

PRIVACY BREACH MANAGEMENT GUIDELINES. Ministry of Justice Access and Privacy Branch Ministry of Justice Access and Privacy Branch December 2015 Table of Contents December 2015 What is a privacy breach? 3 Preventing privacy breaches 3 Responding to privacy breaches 4 Step 1 Contain the