AGENDA - Centre for Applied Cryptographic Research


Public Sector Case Studies:

THE ESTABLISHMENT OF A PRIVACY OFFICE

AGENDA

• Introduction to the ONTARIO WORKPLACE SAFETY & INSURANCE BOARD (WSIB)
• Evolution of the WSIB PRIVACY OFFICE
• Building a corporate PRIVACY INFRASTRUCTURE

The Workplace Safety and Insurance Board: An Overview

• The Workplace Safety and Insurance Board (WSIB) began as the Workmen's Compensation Board in 1915 through an Act of the Ontario Legislature
• The system of no-fault collective liability provides fair compensation for injured workers and their families, while spreading individual costs among employers
• Today, the WSIB administers some 340,000 claims with a staff of 4,293 located throughout Ontario
• A total of 201,272 Ontario employers are covered by the WSIB

ENABLING LEGISLATION

• WORKPLACE SAFETY and INSURANCE ACT (WSIA)
  – Provides for legislative authority for the collection, use, retention and disclosure of information
• FREEDOM OF INFORMATION and PROTECTION OF PRIVACY ACT (FIPPA)
  – Provides the right of access to information under the control of institutions
  – Protects the privacy of individuals with respect to personal information about themselves held by institutions and provides individuals with a right of access to that information

CHANGE DRIVERS

WCB

WSIB (1998)

VISION: THE ELIMINATION OF ALL WORKPLACE INJURIES and ILLNESSES

  – WSIB now oversees Ontario’s system of workplace safety education and training
  – Greater support of research efforts in the study of occupational disease and workplace safety
  – Emphasis on early and safe return to work
• New technologies implemented
• Increased outsourcing of business processes

[Diagram labels: Alternate Service Providers; LMR Service Providers; Pharmacies; WSIB Contracted Specialty Clinics; WSIB Employees Working Outside the Office; Health Professionals; Employers; Hospitals; Researchers; APPLICATION SYSTEMS, TELEPHONE FAX, MAIL, EMAIL, INTERNET; Safe Workplace Associations (SWAS)]

MAKING THE CASE FOR A PRIVACY OFFICE

January 1, 2002 Program Privacy Group

  – Developed the capacity to implement Privacy Impact Assessments
  – Completed PIAs for key strategic projects
  – Educated project teams through privacy presentations
  – BUILT PRIVACY AWARENESS WITH SENIOR MANAGEMENT

DASHBOARD VIEW OF PRIVACY COMPLIANCE

ACCOUNTABILITY                          SAMPLE
IDENTIFYING PURPOSES                    SAMPLE
CONSENT                                 SAMPLE
LIMITING COLLECTION                     SAMPLE
LIMITING USE, DISCLOSURE & RETENTION    SAMPLE
ACCURACY                                SAMPLE
SAFEGUARDS                              SAMPLE
OPENNESS                                SAMPLE
INDIVIDUAL ACCESS                       SAMPLE
CHALLENGING COMPLIANCE                  SAMPLE

ACCOUNTABILITY

Requirement*

1. You assign accountability for compliance with these principles to a specific person or group of people in your company.
2. You make available the identity and contact information of the person or group of people in your organization who are accountable for compliance with established privacy principles
3. You develop and then implement specific privacy policies and procedures

Status columns (color coded): In Place, In Progress, Not in Place

*Source: Information and Privacy Commissioner/Ontario (IPC) - Privacy Diagnostic Tool

PRIVACY IS ON THE CORPORATE MAP

• July 1, 2002 WSIB PRIVACY OFFICE
  – Legal Services Division
  – Integrated FOI Program
  – Full service ACCESS and PRIVACY OFFICE
  – Multidisciplined team
    • FOI Co-ordinator, business specialists, security architect, project management experience

TEAMWORK

“NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL, COMMITTED PEOPLE CAN CHANGE THE WORLD. INDEED, IT IS THE ONLY THING THAT EVER HAS”.


PRIVACY OFFICE RELATIONSHIPS

[Diagram labels: PRIVACY OFFICE; BUSINESS; LEGAL SERVICES; SECURITY ARCHITECTURE; CONTRACTED SERVICE PROVIDERS; RESEARCHERS]

CORPORATE PRIVACY FRAMEWORK

[Diagram labels: FIPPA ACCESS Requests; Research requests; WSIB Privacy Design Principles; Security Policies; Operational Confidentiality Policies; Privacy Impact Assessments; Privacy Diagnostic Tool; Privacy Audits/Reviews; Internal Portal; Desktop Tools; Training Programs; Presentations]

WSIB PRIVACY DESIGN PRINCIPLES

• Compliance with the Privacy Design Principles is mandatory (FIPPA) for all project staff and consultants
• Purpose:
  – Help staff and consultants doing projects understand and meet the WSIB’s privacy obligations with respect to the design and implementation of any type of WSIB project
  – Enhance WSIB privacy compliance by ensuring legislated privacy requirements are met from project concept to business integration upon completion of the project.

Applying the PRIVACY Concept to a Project:

• WSIB Project & Program Privacy Design Principles

Project Initiation

  – Terms of Reference
    • Initial Privacy Security Screening Assessment
    • 1st step in identifying privacy requirements
  – Business Case

PRIVACY Review Process

Initial Privacy Screening Assessment:

• A questionnaire to determine if there are possible privacy implications, requiring a more detailed privacy review of the project
• To be completed at the conceptual phase of a project.
  » Is there personal information (as defined by FIPPA) collected, used, disclosed and retained?
  » Who collects it?
  » How is it collected?
  » Where does it go? (i.e. Does it cross Ontario/Canadian borders?)
  » How is it transmitted to external parties? (e-mail, fax)
  » Will the data be retained? If so, for how long?
  » Who will have access to the information?
  » What is the legislative authority for the collection, use and disclosure of personal information?

PRIVACY Impact Assessments

• What is a PIA?
    • A PIA is a process that measures both legislative compliance (i.e. FIPPA, WSIA) and considers the broader privacy implications of a given proposal.
• Purpose
    • The function of a PIA is to ensure that privacy risks associated with a given proposal are properly identified and addressed wherever possible, and that decision makers have been informed of these risks and the options available to mitigate them.

The PIA in the PROJECT LIFE CYCLE

• CONCEPT and PLANNING
  – Project Definition
    • Initial PIA
  – Conceptual Design
    • Privacy & Security Requirements
• DETAILED DESIGN & IMPLEMENTATION
    • Interim PIAs
• POST IMPLEMENTATION
    • Final PIA

The PIA in the PROJECT LIFE CYCLE

The Privacy Impact Assessment Process provides for:

• More detailed definition of privacy requirements
• Integration of privacy requirements into project
• Assurance reporting to project and business management

POSITIONING & COMMUNICATION

PRIVACY

PRIVACY IS NOT JUST ABOUT COMPLYING WITH LEGISLATION

PRIVACY IS ABOUT:

• BUILDING TRUSTED RELATIONSHIPS
• GOOD BUSINESS PRACTICE

QUESTIONS/COMMENTS?


SPEAKER CONTACT INFORMATION

Laurisa Tkachenko
Director, Privacy Office
Workplace Safety & Insurance Board
200 Front Street West, 20th floor
Tel: (416) 344-3685
email: [email protected]