This document summarizes a presentation given by Brian Hamilton on privacy, security, and access to data. It discusses the role of the Office of the Information and Privacy Commissioner of Alberta in overseeing privacy laws and reviewing research proposals. It outlines how the office analyzes information sharing and big data initiatives to ensure privacy is protected. Tips are provided for developing privacy controls and gaining approval, including conducting a privacy impact assessment and developing expertise in privacy principles.
1. Privacy, Security & Access to Data
Cyber Summit 2015
Brian Hamilton, Director, Compliance and Special Investigations
September 28, 2015
2. Agenda
• Privacy laws enable your success
• How do privacy regulators analyze information sharing/analytics/big data initiatives?
• Regulatory challenges
• Tips for success in working with privacy regulators
3. Office of the Information and Privacy Commissioner of Alberta
• Commissioner – Jill Clayton
• an officer of the Legislative Assembly
• independent of government
• Oversight of Alberta’s access to information and privacy laws:
• Freedom of Information and Protection of Privacy Act
• Personal Information Protection Act
• Health Information Act
• Provincial government is responsible for legislation
5. How we intersect with research
• Health Research Ethics Boards
• File their approvals with us
• Duty to review research proposals and assess whether adequate safeguards are in place
• Privacy Impact Assessment review
• Especially data matching
• Recommended for multi-stakeholder initiatives
• Investigations
• Unusual, most people aren’t aware, or have consented
• access to data without agreement
6. Privacy is an enabler
• Privacy regulators understand benefits of
information sharing and analytics
• Advancement of science, health
• Convenience
• Harmonized, coordinated, targeted services
• Efficiency, cost containment
• Privacy statutes allow appropriate information sharing and data matching
• Privacy ensures your success
• We are in the freedom of information business
7. Things privacy laws allow you to do
(as long as you do it right)
• Research
• Planning
• Resource allocation
• Policy development
• Quality improvement
• Auditing
• Evaluation
• Data matching
• Share personal information for service delivery
8. How we analyze initiatives
• Who are you?
• Nature of organizations
• Jurisdiction
• What are you doing?
• What personal information will you collect, use or disclose?
• Research, data matching
• Is it legal?
• Analysis of legal authorities
• How are you managing risk?
• Information security
• Agreements, policies
• Incident response plans
• Regular review of controls
• Training
9. Key Privacy Controls
(for big data initiatives)
• Governance, policies, training
• Access controls
• Need to know, least amount principle
• Consent (where necessary)
• Openness, transparency, notification
• Retention and disposition
• Only keep information as long as necessary
• Incident response
• Privacy laws use reasonableness test
• Controls do not need to be perfect
10. Challenges
for the new data scientist
• We live in a federation and have international partners
• Managing privacy among multiple stakeholders (governance)
• Transparency
• Managing consent, citizen expectations
• Trans-border legal demands
• Bureaucratic fear, uncertainty and doubt
11. Tips for success
• Talk to us
• We are happy to consult on any initiative
• Early consultation prevents last-minute pitfalls
• Build privacy into your initiative from the start
• Last-minute, bolt-on privacy is expensive and inefficient
• Engage the public
• Transparency assuages fear
• Conduct a privacy impact assessment
• Our Office is pleased to review and provide comments
• Consider making your PIA public
• Develop privacy expertise
12. Curriculum
for the new data scientist
• Privacy principles
• Privacy risk assessment and mitigation strategies
• Information security
• Access to information
• Records management
• Agreements and contracts
13. OIPC sponsored research on information sharing
Government Information Sharing
Is Data Going Out of the Silos, Into the Mines?
• http://www.oipc.ab.ca/Content_Files/Files/Publications/Repor
• Case studies
• Citizen expectations
• Examining risk in data sharing projects
14. Free PIA training
• Calgary: October 16
• Edmonton: October 15
• www.oipc.ab.ca for more info.
16. THANK YOU!
Brian Hamilton
Director, Compliance and Special Investigations
Office of the Information and Privacy Commissioner, Alberta
bhamilton@oipc.ab.ca
www.oipc.ab.ca
780.422.6860