Information Management – Access and Privacy Monday, April 20, 2015 Nanaimo, BC Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc.

Slides:



Advertisements
Similar presentations
The Impact of Auditing on Records Management Risk and Compliance Susan B. Whitmire, CRM, FAI Manager, Enterprise Records and Information Management BlueCross.
Advertisements

Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,
Corporate Records Management (Practitioner) Information Governance Policy Team NHS Connecting for Health.
Process and Procedure Documentation. Agenda Why document processes and procedures? What is process and procedure documentation? Who creates and uses this.
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
Further Education Support Service (FESS) FESS Equality Action Planning Framework: Supporting FETAC Registered Providers in Implementing Quality Assurance.
1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.
Records Management for UW-Madison Employees – An Introduction UW-Madison Records Management UW-Archives & Records Management 2012 Photo courtesy of University.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
How a Large Company Used the Principles to Establish its Corporate Information Governance Robin Woolen, MBA, IGP President / Principal.
Auditing Computer Systems
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:
Development of a Customized First Nations Privacy & Security Toolkit
Created May 2, Division of Public Health Managing Records What is a Record? What is a Records Retention & Disposition Schedule? Why is this Important?
Preparing Scotland’s first Records Management Plan Ava Wieclawska Records Manager.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Internal Auditing and Outsourcing
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
1 Privacy Impact Assessment ARMA Workshop April 5, 2006 Alec Campbell.
Staff Structure Support HCCA Special Interest Group New Regulations: A Strategy for Implementation Sharon Schmid Vice President, Compliance and.
Service Organization Control (SOC) Reporting Options and Information
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
1 Comp7780 Update  Why?  What?  How? What have you learnt? Comp
Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.
Information Systems Security Computer System Life Cycle Security.
The Sarbanes-Oxley Act of PricewaterhouseCoopers Introduction of Panel Members The Sarbanes-Oxley Act of 2002 What Companies Should Be Doing Now.
Creating an Effective Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.
Principle of Protection By C’Les Jensema About ARMA International and the Generally Accepted Recordkeeping Principles® ARMA International (
Protecting Your Private Parts Tracy Ann Kosa. Protecting Your Private Parts TASK Meeting, 27 February 2008 Objectives  Terminology  Privacy & Security.
© 2013 Cengage Learning. All Rights Reserved. 1 Part Four: Implementing Business Ethics in a Global Economy Chapter 9: Managing and Controlling Ethics.
Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure.
Generally Accepted Recordkeeping Principles Generally Accepted Recordkeeping Principles ® Registered Trademark of ARMA International.
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Assess Your Organization's Information Governance using the Generally Accepted Recordkeeping ® Principles September,
Part 6 – Special Legal Rights and Relationships Chapter 35 – Privacy Law Prepared by Michael Bozzo, Mohawk College © 2015 McGraw-Hill Ryerson Limited 34-1.
Current and Future Applications of the Generic Statistical Business Process Model at Statistics Canada Laurie Reedman and Claude Julien May 5, 2010.
Holistic Approach to Security
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Eliza de Guzman HTM 520 Health Information Exchange.
PIPEDA and Receivables Management Robin Gould-Soil Receivables Management Association of Canada November 16, 2011.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Professional Certificate in Electoral Processes Understanding and Demonstrating Assessment Criteria Facilitator: Tony Cash.
HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September.
Compliance Audit Subcommittee Reporting Work Plan Copenhagen, Denmark 6th of May 2010.
Malcolm Crompton APEC Information Privacy Framework: review, impact, & progress APEC Symposium on Information Privacy Protection in E Government & E Commerce.
The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
ISO/IEC 27001:2013 Annex A.8 Asset management
Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.
Kathy Corbiere Service Delivery and Performance Commission
Generally Accepted Recordkeeping Principles Generally Accepted Recordkeeping Principles ® Registered Trademark of ARMA International.
Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop.
Fundamentals of Governance: Parliament and Government Understanding and Demonstrating Assessment Criteria Facilitator: Tony Cash.
WESTERN PA CHAPTER OF THE AMERICAN PAYROLL ASSOCIATION – NOVEMBER 4, 2015 Risk Management for Payroll.
Information Sharing & Corporate Governance Dave Parsons, Information Governance Manager, City of Cardiff Council.
Records Management in Government Prepared by the Information Management Unit Saskatchewan Archives Board.
Managing Information for Transparency November 15, 2010 Monica Fuijkschot Director, Information Management.
LRC Network Planning for Records Management improvement Kathryn Dan, GM University Records and Policy.
Welcome to the ICT Department Unit 3_5 Security Policies.
Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health
Security Standard: “reasonable security”
Move this to online module slides 11-56
American Health Information Management Association
Mandatory Breach Reporting (isn’t *that* bad)
HIPAA Security Standards Final Rule
IS4680 Security Auditing for Compliance
PRIVACY PRESENTATION TO THE SPRING 2013 CONFERENCE BY HANK MOORLAG
Information Governance Part 2
Presentation transcript:

Information Management – Access and Privacy Monday, April 20, 2015 Nanaimo, BC Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc

Introduction Today’s theme: Bridging Privacy, Information Governance and Records Management Part I: Comparing the concepts of Information Management (IM) and Privacy Part II: Using the Maturity Models (2 case studies) Recap / Questions

Part 1 IM and Privacy Information Management Access and Privacy

How did we get here? Information Management Privacy General Services Administration (USA) (1950s) ARMA’s Generally Accepted Recordkeeping Principles®, the Principles (formerly GARP) 8 Principles Uses Information Governance Maturity Model (IGMM) (c2009) OECD Guidelines (late 70s) CSA’s Privacy Principles, the “Model Code” (early 90s) AICPA/CICA Generally Accepted Privacy Principles (GAPP) 10 Principles Uses the CICA Privacy Maturity Model (c2007)

Access and Privacy Program Focus Internal and external Policies, procedures Privacy Culture FOI Process Auditing /Compliance Privacy Impact Assessments Preventing breaches

Information Management Program Focus Internal only Policies, procedures Findability throughout life cycle User acceptance Class. and Retention Auditing /Compliance Archiving

IM vs. Privacy In common Unique to Privacy Program management (policies and procedures) Accountability Availability / Access Compliance Retention and Disposition / Limiting retention Accuracy and Integrity Protection / Safeguards Transparency / Openness Consent / Withdrawing consent Identifying the purposes for collection Limiting collection

Recordkeeping and Privacy: How they compare Principlethe Principles (ARMA) CSA Model Privacy Code 1. Accountability   Focus on Personal Information 8. Transparency / Openness  Documentation available  More proactive - available to public

Recordkeeping and Privacy: How they compare Principlethe Principles (ARMA) CSA Model Privacy Code 2. Identifying purposes for collection  3. Consent / Withdrawal of consent  4. Limiting collection  Core Privacy Concept Core Privacy Concept Core Privacy Concept

Recordkeeping and Privacy: How they compare Principlethe Principles (ARMA) CSA Model Privacy Code 5. Use / Limiting use, disclosure and retention of personal information   Use limited to purpose; limited disclosure 5. Retention / Limiting use, disclosure and retention of personal information  Retention  Limiting retention 5. Disposition / Limiting use, disclosure of personal information  Disposition  Limiting retention, or anonymizing Based on 4 values Varies - only as long as needed, or +/- 1 year Secure destruction Valid business use

Recordkeeping and Privacy: How they compare Principlethe Principles (ARMA) CSA Model Privacy Code 6. Integrity / Accuracy  Integrity  Accuracy 7. Protection / Safeguards  Protection, incl. confidentiality  Safeguards (logical, physical, procedural) Secure destruction

Recordkeeping and Privacy: How they compare Principlethe Principles (ARMA) CSA Model Privacy Code 9. Availability / Individual Access  Availability to the organization  Availability to the individual 10. Compliance / Challenging Compliance  Internal compliance  External (based on rights of the individual)

A linear view of the life cycle CollectUseStoreDisposeDestroy Purpose Consents Limit collection Classify Assign retention Privacy Recordkeeping Apply safeguards, including encryption Privacy Impact Assessments Transitory records destroyed (training) Disclosure (FOI) Audit access by staff Move location Migrate media Capture legacy data Purge transitory New purpose New consent De-identify Anonymize for research purposes Keep some PI past retention date New records created Secure destruction

Part I Recap Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy program priorities Activities at various point of the life cycle

Part 2 Case Studies Privacy Practices Report IM program elements inc0rporated into the Privacy gap analysis Information Management Priorities Report Privacy program elements incorporated into the IM gap analysis

Case Study 1: Privacy Practices Report ScenarioLarge upper tier municipality. Recently merged public health and social services departments represent all Health Information Custodians as defined in legislation (Ontario’s PHIPA – Ontario), employees Gap Analysis CICA’s GAPP privacy maturity model

Case study 1: Privacy Practices Report Methodology Many disparate sources of information Challenge was to bring it all together into a coherent narrative Personal Information Bank (PIB) unknown repository search Assessment of current practices using the Generally Accepted Privacy Principles (GAPP) framework Report compiled from all sources, integrating departmental records management and privacy concerns/risks (note: well-established RM program)

Case study 1: Privacy Practices Report, cont’d Methodology, cont’d Rated the Department against each of the 73 criteria in the CICA Privacy Maturity Model For each criteria, one of five values was assigned (ad hoc, repeatable, defined, managed, or optimized) Level 3 of “defined” was used as the benchmark All values of “ad hoc” and “repeatable”, and some values of “defined” were identified as gaps Assessments reviewed with program manager

Case study 1: GAPP Criteria & Maturity Levels

Case study 1: Another way to do it AICPA/CICA Privacy Risk Assessment Tool Excel-based Consists of a scoring input template (10 separate, individual files for up to 10 different evaluators) a scoring summary that automatically updates using the scores from the 10 templates Reports the 5 levels of the privacy maturity model into low risk, medium risk and high risk Generates numeric values, more quantitative approach Resources lacking for this approach

Case study 1: Another way to do it 2 = ad hoc + repeatable 8 = managed + optimized 5 = defined

Case study 1: Sample survey results

Case study 1: Putting it all together GAPP Principle re: “Use” Disposal, Destruction and Redaction of Personal Information: “Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.” The Records Management and Privacy Practices Policies cover the secure disposal of confidential and personal information respectively. Procedures for the secure destruction of paper records are well established. Procedures for the secure disposal of personal health information are lacking for electronic records. Level: Ad Hoc

Case study 1: Privacy Practices Report Final report and recommendations Gap Analysis Online Survey Several other appendices Review of relevant IPC orders Encryption of mobile devices (IPC order) Verified Personal Information Banks Some risks and concerns were communicated verbally

Case study 2: IM Priorities Report ScenarioSmall lower tier municipality, with well-developed privacy processes but lacking corporate IM program Gap Analysis ARMA’s Information Governance Maturity Model, supplemented by Model Code Privacy Principles and the CICA Privacy Maturity Model

Case study 2: IM Priorities Report Methodology Previous consultant’s report reviewed 13 recommendations needed to be updated/validated and did not include access and privacy Decision to overlay privacy program components into ARMA’s Information Governance Maturity Model, using CICA’s Privacy Maturity Model 65 criteria Level 3 of “essential” chosen as the benchmark

Case study 2: IM Priorities Report Methodology, cont’d Created Gap Analysis collection tool based on ARMA Added in privacy-related criteria Added three privacy principles: Personal Information Ownership Privacy Principle Protection of Privacy Principle Access to Information Principle Detailed recommendations, with dependencies 1 page strategic plan 1 page short term work plan

Case study 2: ARMA Criteria & Maturity Levels

Sample IM recommendations incorporating privacy Create an Information Management and Privacy (IMAP) Working Group This group tasked with developing a priority ranking of outstanding PIAs based on risk Develop a corporate-wide privacy policy (if not in corporate-wide IM policy) Continue to complete Privacy Impact Assessments on high priority processes/programs

Case study 2: High Level Strategic Plan

Case study 2: High Level Work Plan

Recap / Questions Core concepts of privacy Similarities and differences of Information Management (IM) and Privacy programs priorities 2 Case Studies Lessons learned from using a Maturity Model

Julie Luckevich, MLIS, CIAPP-P Eclaire Solutions Inc

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.