Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health
Incorporating Privacy Into Systems Development Methodology Agenda Health sector background information Current systems methodology at Sask. Health Overlay on systems methodology Security assessment considerations Evolving privacy framework
Saskatchewan Health “ Provincial Government Department responsible for the publicly funded health system in Saskatchewan” “ Roughly 1 million clients and $2.9 billion in forecast expenditures for 2005 –2006” Incorporating Privacy Into Systems Development Methodology
Saskatchewan Health Sector Department 13 Regional Health Authorities Cancer Agency Independent Professionals (Doctors, etc.) Various smaller funded agencies Incorporating Privacy Into Systems Development Methodology
Major IT Organizations in the Health Sector Corporate Information Technology Branch (CITB) Health Information Solutions Centre (HISC) Regional Health Authorities (RHA’s) Cancer Agency Incorporating Privacy Into Systems Development Methodology
Corporate Information Technology Branch Internally Department Focused IT infrastructure Systems Development Environment Claims and Health Registration Applications Incorporating Privacy Into Systems Development Methodology
Health Information Solutions Centre (HISC) Health Sector network, help desk and & IT solutions to support service delivery Focus on Clinical Applications Electronic Health Record Lead Provincial IT/IM Planning, Architecture and Standards for Health Sector Information products and services
Regional Health Authorities (RHAs) & others (Cancer Agency etc.) Internal IT focus on their organizations CIO Forum Incorporating Privacy Into Systems Development Methodology
Privacy Framework within Provincial Government –Exec. Director, Access and Privacy Branch, Saskatchewan Justice – Privacy Policy Framework with Goals, Objectives, and Performance Measures Incorporating Privacy Into Systems Development Methodology
Privacy Framework within Provincial Government Incorporating Privacy Into Systems Development Methodology -principles adapted for Saskatchewan from the CSA, Model Code for the Protection of Personal Information – Q , p. vii
Privacy Framework within Provincial Government Incorporating Privacy Into Systems Development Methodology Accountability Purpose Limiting Consent Collection Use and Disclosure Retention Accuracy Safeguards Openness Access Compliance Eleven principles
Privacy Framework within Saskatchewan Health –Deputy Minister –Privacy Officer –CIO Forum – Privacy Subcommittee Incorporating Privacy Into Systems Development Methodology
What Happens now?
While formally including privacy as part of the systems development methodology is a work in progress, Incorporating Privacy Into Systems Development Methodology “Protecting the privacy of information with appropriate security has always been and remains a top priority for Saskatchewan Health”
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Macro Plan Security Privacy Impact Interfaces Conceptual Architecture Phase 1 System Need Definition
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 6 & 7 Implementation Ongoing Operations Business/Data Flows Functionality Data elements Technology Security Privacy Project plan Phase 2 Conceptual Design
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phase 3 Application System Architecture Physical database Features Business /Data Flows Security Tables & Processes Project Plan
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phases 4&5 Application & Infrastructure Development Application system Acceptance Test Results Implementation Plan Operations Service Level Hardware/Network Plan
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phases 6 & 7 Implementation User Sign –off User Training Security Certificates System Governance Design/ Next Steps Support Procedures
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Problem Logs Change Management Privacy Management
Incorporating Privacy Into Systems Development Methodology How does the systems development methodology and privacy fit together? - still learning - completed several projects with privacy built into the project plan - lots of work, start early
Incorporating Privacy Into Systems Development Methodology CITB Systems Development Methodology Phase 1 System Need Definition (Requirements) Phase 2 Conceptual Design Phase 3 Application System Architecture (Detailed Design) Phases 4&5 Application & Infrastructure (Development) Phases 6 & 7 Implementation Ongoing Operations
Incorporating Privacy Into Systems Development Methodology Systems Development Methodology Requirements Design Detailed Design High Level Privacy Assessment Development Implementation Operations Legal & Policy Drafting Agreements Execute Agreements Detailed Privacy Assessment
Incorporating Privacy Into Systems Development Methodology Privacy Assessment High Level Privacy Impact Assessment -may identify changes needed to the business or existing law. High Level Privacy Assessment
Incorporating Privacy Into Systems Development Methodology Legal and Policy Is it good public policy? Will it stand up to Public Scrutiny? Will it stand up to Audit (good management practices)? Is it legal? What are the questions that need to be asked? Legal & Policy
Incorporating Privacy Into Systems Development Methodology Legal and Policy Making good public policy decisions includes addressing the Legal, Public Scrutiny, and Audit perspectives. In summary: Legal & Policy
Incorporating Privacy Into Systems Development Methodology Legal and Policy Creating and changing provincial law Legal & Policy
Incorporating Privacy Into Systems Development Methodology Privacy Assessment Detailed Privacy Impact Assessment -Final document for audit purposes -Addresses all of the principles in the privacy framework Detailed Privacy Assessment
Incorporating Privacy Into Systems Development Methodology Drafting Agreements Documents that outline the flow of information between one or more trustees of the information for a particular purpose including any conditions that apply. Drafting Agreements
Incorporating Privacy Into Systems Development Methodology Creating Policy Education Culture Drafting Agreements Drafting Agreements
Incorporating Privacy Into Systems Development Methodology Executing Agreements It’s (implementation?) time when the agreements are signed!! Execute Agreements
Incorporating Privacy Into Systems Development Methodology Systems Development Methodology Requirements Design Detailed Design High Level Privacy Assessment Development Implementation Operations Legal & Policy Drafting Agreements Execute Agreements Detailed Privacy Assessment ? ?
Incorporating Privacy Into Systems Development Methodology Staffing and Project Considerations Project Manager Business/Systems Analyst Policy/Legal Analyst
Incorporating Privacy Into Systems Development Methodology Project Structure Project Management Office Business Stream Technical Stream Policy and Legal Project Steering Committee
Summary thoughts Addressing privacy is good management and helps documenting the answers to the questions: Just because we can do something, “Should we?” What happens if something goes wrong? Incorporating Privacy Into Systems Development Methodology
Privacy Security
Security assessment considerations Incorporating Privacy Into Systems Development Methodology What is the appropriate security in response to the privacy requirements? Security Controls Environment Classification Information Classification
Security assessment considerations Incorporating Privacy Into Systems Development Methodology Security Controls Authentication Authorization Encryption Integrity Availability Accountability
Security assessment considerations Incorporating Privacy Into Systems Development Methodology Environment Classification Un-trusted Semi-Trusted Trusted
Security assessment considerations Incorporating Privacy Into Systems Development Methodology Information Classification Public Internal Confidential Restricted
Security Classification Matrix Incorporating Privacy Into Systems Development Methodology
Security Assessment Review - A document that outlines how well the proposed solution meets the requirements for privacy and security - Outlines the security factors, the unmitigated risks, and the mitigated risks of proceeding - Buy versus build - Companion document to the Privacy Impact Assessment
Incorporating Privacy Into Systems Development Methodology Documents Attached PIA Templates Security Cube Security Assessment Templates
Incorporating Privacy Into Systems Development Methodology Documents Attached Order of use - Determine business requirements - Fill in PIA - Use the Cube document based on the PIA - Fill in the SAR document based on the proposed technical solution
Incorporating Privacy Into Systems Development Methodology Questions