
Best Practices for Privacy Protection - Renee Barrette, Director of Policy - PowerPoint PPT Presentation



  1. Best Practices for Privacy Protection
     Renee Barrette, Director of Policy
     City of Brampton Privacy Event, November 23, 2017
     Information and Privacy Commissioner of Ontario | www.ipc.on.ca

  2. Agenda
     • Who We Are
     • Legislative Requirements for Privacy
     • Privacy Risks and How to Mitigate Privacy Risks
     • Recent Privacy Investigations

  3. Who We Are

  4. IPC Mandate and Role
     Established in 1988. The Commissioner is appointed by and reports to the Legislative Assembly.
     MISSION: We champion and uphold the public's right to know and to privacy.
     MANDATE:
       o resolve access to information appeals and privacy complaints
       o review and approve information practices
       o conduct research, deliver education and guidance on access and privacy issues
       o comment on proposed legislation, programs and practices

  5. IPC's Legislation
     • Freedom of Information and Protection of Privacy Act (FIPPA)
       • over 300 provincial institutions such as ministries, provincial agencies, boards, commissions, community colleges and universities
     • Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
       • over 1,200 organizations such as municipalities, police, school boards, conservation authorities, transit commissions
     • Personal Health Information Protection Act (PHIPA)
       • individuals and organizations involved in the delivery of health care services, including hospitals, pharmacies, laboratories, doctors, dentists and nurses

  6. MFIPPA
     The purposes of MFIPPA are:
     • to provide a right of access to information under the control of institutions in accordance with the principles that
       o information should be available to the public
       o access exemptions should be limited and specific
       o access decisions should be reviewed independently of government
     • to protect the privacy of individuals with respect to personal information about themselves held by institutions, and to provide individuals with a right of access to that information

  7. Legislative Requirements for Privacy

  8. Fair Information Practices
     • Accountability
     • Identifying Purposes
     • Consent
     • Limiting Collection
     • Limiting Use, Disclosure, Retention
     • Accuracy
     • Safeguards
     • Openness
     • Individual Access
     • Challenging Compliance

  9. Key Obligations under MFIPPA
     • legal authority to collect
     • data minimization
     • notice to data subjects
     • retention
     • safeguards
     • give a person access to their own personal information (PI)

  10. Personal Information
     • Personal information is any recorded information that is identifiable to an individual
     • The Act lists examples of personal information
     • An IPC fact sheet provides guidance about how the IPC interprets the term "personal information"

  11. What is a record?
     A record is any record of information, however recorded, whether in printed form, on film, by electronic means or otherwise, and includes, for example:
     • correspondence
     • memorandum
     • plans
     • maps
     • drawings, diagrams, pictorial or graphic work
     • photographs, film, microfilm, sound records, videotape

  12. Privacy Obligations Under MFIPPA
     MFIPPA sets out rules for the collection, use, and disclosure of personal information.

     To collect personal information, it must be:
     • expressly authorized by statute
     • used for the purposes of law enforcement, or
     • necessary to the proper administration of a lawfully authorized activity

     You can only use personal information for:
     • the purpose it was collected
     • a consistent purpose, or with consent (preferably in writing)

     You can only disclose personal information:
     • with consent
     • for a consistent purpose
     • to comply with legislation
     • for law enforcement
     • for health and safety reasons
     • for compassionate reasons

  13. Privacy Obligations Under MFIPPA (Cont'd)
     Security of Personal Information rules:

     Information must be protected
     • it must be protected from inadvertent disclosure and unauthorized access

     No use unless
     • accurate
     • up to date

     Information must be retained
     • if used by an institution, it must be retained for at least one year

  14. Privacy Risks and Risk Mitigation

  15. Total Privacy Complaints Opened Per Year
     [Bar chart: total privacy complaints opened per year, with bars for 2006, 2011 and 2016 on a 0 to 350 scale; the bar labels on the chart read 277, 266 and 170]

  16. Privacy Breach
     A privacy breach occurs when personal information is collected, retained, used or disclosed in ways that are not in accordance with MFIPPA.
     Among the most common breaches of personal privacy is the unauthorized disclosure of personal information, such as:
     - sending communications to the wrong recipient due to human error
     - improper records destruction procedures
     - loss or theft of unsecured electronic devices, such as laptop computers, digital cameras, or portable storage devices (USB sticks)
     - unauthorized access (snooping, hacking)

  17. Snooping into records
     Harms caused by personal information snooping:
     • discrimination, stigmatization, psychological or economic harm
     • individuals withholding or falsifying information
     • loss of trust or confidence in the public system
     • cost and time in dealing with privacy breaches
     • legal liabilities and proceedings
     Sanctions for unauthorized access can include:
     • investigation by privacy oversight bodies
     • prosecution for offences
     • statutory or common law actions
     • discipline by employers
     • discipline by regulatory bodies
