A Deep Dive into the Privacy Landscape


A Deep Dive into the Privacy Landscape
David Goodis, Assistant Commissioner
Information and Privacy Commissioner of Ontario
Canadian Institute, Advertising & Marketing Law
January 22, 2018

Who is the Information and Privacy Commissioner?
- Brian Beamish, appointed by the Ontario Legislature (March 2015)
- 5 year term
- reports to the Legislature, not to government or a minister
- ensures independence as government watchdog

Ontario's Legislative Framework

Public Sector
- Who: government organizations, e.g. ministries, agencies, hospitals, universities, cities, police, schools, hydro
- Legislation: Freedom of Information and Protection of Privacy Act (FIPPA); Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
- Oversight: IPC/O

Health Sector
- Who: individuals and organizations delivering health care, e.g. hospitals, pharmacies, labs, doctors, dentists, nurses
- Legislation: Personal Health Information Protection Act (PHIPA)
- Oversight: IPC/O

Private Sector
- Who: private sector businesses engaged in commercial activities
- Legislation: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Oversight: Privacy Commissioner of Canada

Mission and Mandate
MISSION: We champion and uphold the public's right to know and right to privacy
MANDATE:
- resolve access to information appeals and privacy complaints
- review and approve information practices
- conduct research, deliver education and guidance on access and privacy issues
- comment on proposed legislation, programs and practices

Privacy Threats

Common Privacy Breaches
1. Insecure disposal of records
   - records in paper format intended for shredding are recycled
   - insecure disposal of hard drives
2. Mobile and portable devices
   - lost or stolen, unencrypted devices such as laptops, USB keys
3. Unauthorized access
   - snooping by otherwise authorized staff
   - malware (e.g. ransomware)

Ransomware
- what is ransomware?
- how computers get infected: phishing attacks, software exploits
- how to protect your organization: administrative and technological measures, e.g. employee training, limiting user privileges, software protections
- how to respond to incidents

Big Data
- key issues and best practices when conducting big data initiatives involving personal information
- considerations for each stage of a big data project, including collection, integration, analysis and profiling

Reducing Risk of Privacy Breaches

De-identification
- key issues when de-identifying personal information
- risk-based, step-by-step process to assist organizations to de-identify
- key issues when publishing: release models, types of identifiers, re-identification attacks
- IPC wins global privacy award for excellence in research (International Conference of Data Protection and Privacy Commissioners, Hong Kong 2017)

Reducing Risk of Privacy Breaches: Best Practices

Administrative
- privacy and security policies
- auditing compliance with rules
- privacy and security training
- data minimization
- confidentiality agreements
- Privacy Impact Assessments

Technical
- strong authentication and access controls
- detailed logging, auditing, monitoring
- strong passwords, encryption
- patch and change management
- firewalls, anti-virus, anti-spam, anti-spyware
- protection against malicious code
- Threat Risk Assessments, ethical hacks

Physical
- controlled access to premises
- controlled access to locations within premises where PI is stored
- access cards and keys
- ID, screening, supervision of visitors

NOTE: when determining appropriate safeguards, consider
- sensitivity and amount of information
- number and nature of people with access to the information
- threats and risks associated with the information

Planning for Success: Privacy Impact Assessment Guide
- tools to identify privacy impacts and risk mitigation strategies
- step-by-step advice on how to conduct a PIA
- not required by legislation, but considered privacy best practice

How to Respond to Privacy Breach

Responding to a Privacy Breach
1. Contain Breach
   - initial investigation
   - notify police if theft or other criminal activity
2. Evaluate Risks
   - personal information involved?
   - cause and extent of breach
   - individuals affected
   - possible harm?
3. Notify
   - affected individuals
   - Privacy Commissioner
4. Prevent Future Breaches
   - security audit
   - review of policies and practices, staff training, third-party (3P) service contracts

OPC Resource: Key Steps for Organizations in Responding to Privacy Breaches
https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gl_070801_02/

What to do When Faced with a Privacy Breach
- PHIPA sets out the rules that health information custodians must follow when collecting, using, disclosing, retaining and disposing of personal health information
- guidance to health information custodians when faced with a privacy breach

Privacy Breach Protocol Guide
- implementing a privacy breach protocol, as a best practice, helps identify privacy risks and potential and actual breaches
- guidance on what organizations should do when faced with a breach

Commissioner's Response to Privacy Breach

IPC Breach Reporting
- no mandatory breach reporting to IPC under FIPPA/MFIPPA
- mandatory breach reporting to IPC for health information as of October 1, 2017 (s. 12(3) of PHIPA and related regulations)
- we receive reports under all three statutes
  - 102 public sector self-reported (2016)
  - 233 health sector self-reported (2016)
  - more learned from complainants, media

What Happens when the IPC Reviews a Breach
IPC may:
- ensure adequate containment, notification
- interview appropriate individuals
- review the organization's position on the breach
- ask for a status report of actions taken by the organization
- review and give advice on current policies
- report with recommendations (rarely an order)

Questions?

HOW TO CONTACT US
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada M4W 1A8
Phone: (416) 326-3333 / 1-800-387-0073
TDD/TTY: 416-325-7539
Web: www.ipc.on.ca
E-mail: info@ipc.on.ca
Media: media@ipc.on.ca / 416-326-3965