1. 1 PRIVACY SUB-COMMITTEE UPDATE PSCIOC Meeting February 9, 2004 Chris Norman Executive Director, Ministry of Management Services, Government of B.C.

2. 2 Today  Background  Renewed terms of reference  Work plan & strategic approach  Privacy Architecture and collaborative opportunities  Next steps

3. 3 Context  Formed in 1999 in response to Lac Carling commitment  Accomplishments to date: –Model Cross Jurisdictional PIA Guidelines –User ID Authentication and Personal Privacy Presentation (PSCIOC Meeting, May 2002) –Partnerships and models for provincial private sector privacy legislation  Privacy Committee recently re-assessed its mandate, initiatives and priorities

4. 4 Renewed Terms of Reference Mission  Collaborate to promote joint solutions, facilitate the development of common privacy practices and act as a privacy enabler for the PSCIOC and the PSSDC  Emphasis on developing and sharing privacy solutions and concrete privacy tools (privacy impact assessments, privacy architectures, privacy codes, model contract language, PETs)  Ensure privacy is design objective for service delivery  Foster a harmonized approach to privacy legislation and standards  Facilitate communications between PSCIOC\PSSDC and Privacy Commissioners

5. 5 Strategic Approach  Move (a) from risk identification to risk mitigation and (b) from the exploration of alternatives to the development of deliverable designs and solutions  Three major themes for risk mitigation: 1.Legislation, policy and communications 2.Privacy design 3.Privacy solutions

6. 6 Update on PSCIOC Action Items ItemDescriptionLeadStatus 2.7Participate in shared authentication framework. IAA CommitteePending IAA progress 2.8 Develop common legislative templates (e.g. PIPAs ) Privacy Committee Completed 2.9 Facilitate Alberta’s privacy architecture work in other jurisdictions Privacy Committee In Progress 2.10 Support education and awareness through dialogue with IPCs Greg Georgeff, ON Michelle d’Auray, GoC In Progress Lac Carling 2.11 Pursue dialogue with NCSIP to identify areas of collaboration. Privacy Committee / NCSIP In Progress 2.12 Track and assess Privacy Enhancing Technologies. Privacy Committee Start date June 2004

7. 7 PSCIOC Action Plan 2.7 Shared Authentication Framework  Support for and collaboration with work of the IAA Sub- Committee  Ontario is continuing to provide PSCIOC leadership in this area  GoC (secure channel), Ontario, BC’s and Alberta’s comprehensive government authentication projects 2.8 Common Legislative Templates -Private Sector Privacy Acts  Develop and distribute common legislative templates (e.g., PIPA’s)  Alberta and BC legislation – partnership – provincial PIPA models

8. 8 PSCIOC Action Plan…2 2.9 Privacy Architecture  Facilitate the use of Alberta’s privacy architecture work in other jurisdictions (information and communications) –Alberta’s privacy architecture made available to all jurisdictions –GoC is assessing the feasibility of adapting the architecture for federal use –Continued analysis by Privacy Sub-Committee – assessments by each jurisdiction re:applicability 2.10 Support education and awareness through dialogue with IPC’s  First meeting held in November 2002 to further open dialogue – results mixed - Second meeting – Possibility of Lac Carling Panel  Contact/Communications with individual jurisdictions

9. 9 PSCIOC Action Plan …3 2.11 Pursue dialogue with NCSIP - Joint Sub-Committee Opportunities  Dialogue with NCSIP regarding identifying areas of partnership and collaborative opportunities  Second joint meeting in Victoria to discuss opportunities to work together on specific projects – may include other PSCIOC sub- committees (e.g., BC’s co-sponsored privacy/security conference)  On-going assessment and consultation with NCSIP on proposed Security Data Classification Guide (include IM community) 2.12 Privacy Enhancing Technologies  Track and assess Privacy Enhancing Technologies  Provide evaluation criteria for judging the need for, and value of, PETs  GoC, GoA and the Ontario OIPC are discussing possible approaches to PET extensions for PIAs and the Common Criteria

10. 10 New Proposed Privacy Workplan Deliverables Privacy Deliverable 1. Risk Identification – Refine PIAs  Members continue to refine PIA templates and share best practices (e., Audit Guide, e- learning tool, etc.) Priority M Lead GoC & Ont. 2. Privacy Toolbox - Communications  Establish toolbox for privacy risk mitigation include legislation, case law, research, guidelines, policies, best practices process, methodologies, training materials, contacts, solutions LAlta & BC

11. 11 New Proposed Privacy Workplan Deliverables… 2 DeliverablePriorityLead 3. Privacy Solutions Case Studies – Service Delivery  Study inter-jurisdictional initiatives to identify privacy issues and related solutions HGoC 3. Privacy Architecture  Assessment of GOA Privacy Architecture for applicability in other jurisdictions MAlta

12. 12 GoA’s Privacy Architecture  Premise: Information technology can be designed to mitigate privacy risks.  PIA’s identify privacy risks, but PIA’s alone don’t mitigate risks.  Privacy issues are made more complex by increasingly sophisticated information integration and management.  Privacy by Design requires coordinated if not consistent standards across the enterprise. GoA’s privacy architecture provides a model for consideration by other jurisdictions

13. 13 GoA Privacy Architecture Topics –Terminology – a common language for discussing privacy requirements, issues and solutions –Identification Keys - how will data subjects be uniquely identified? –Privacy Taxonomy - how should personal information and its uses be classified? –Data Sharing, Re-Use and Placement – to what extent can personal information be shared between departments and where should it be stored? –Data Transformation - rendering data anonymous, at varying levels of anonymity as appropriate for its purpose

14. 14 What is requested today of the PSCIOC? Requesting endorsement of : 1. Revised mandate that highlights: –“Privacy enabler” direction and partnerships –Continued expert advisory/support role –Enhanced support role for PSSDC (still report to PSCIOC) 2. Strategic approach, priorities and proposed work plan

15. 15 What is the Roadmap Ahead?  Privacy Committee to focus on: –Strategic alignment with PSCIOC & PSSDC priorities – targeted support role –Stronger linkages with authentication and security (and other) sub-committees –Preparing specific funding proposals and deliverables with detailed plans for next PSCIOC meeting (Lac Carling VIII)

16. 16 Final thoughts.. “Anyone who thinks the privacy issue has peaked is greatly mistaken. We are in the early stages of a sweeping change in attitudes that will fuel years of political battles and put once routine business practices under the microscope.” Forrester Research