Your organization and Big Data: Managing access, privacy, and security
Privacy, Security & Access to Data
Cyber Summit 2015
Brian Hamilton, Director, Compliance and Special Investigations
September 28, 2015
Agenda
• Privacy laws enable your success
• How do privacy regulators analyze information sharing/analytics/big data initiatives?
• Regulatory challenges
• Tips for success in working with privacy regulators
Office of the Information and Privacy Commissioner of Alberta
• Commissioner – Jill Clayton
  • An officer of the Legislative Assembly
  • Independent of government
• Oversight of Alberta’s access to information and privacy laws:
  • Freedom of Information and Protection of Privacy Act
  • Personal Information Protection Act
  • Health Information Act
• Provincial government is responsible for legislation
What we do
How we intersect with research
• Health Research Ethics Boards
  • File their approvals with us
  • Duty to review research proposals and assess whether adequate safeguards are in place
• Privacy Impact Assessment review
  • Especially data matching
  • Recommended for multi-stakeholder initiatives
• Investigations
  • Unusual, most people aren’t aware, or have consented
  • Access to data without agreement
Privacy is an enabler
• Privacy regulators understand benefits of information sharing and analytics
  • Advancement of science, health
  • Convenience
  • Harmonized, coordinated, targeted services
  • Efficiency, cost containment
• Privacy statutes allow appropriate information sharing and data matching
• Privacy ensures your success
• We are in the freedom of information business
Things privacy laws allow you to do (as long as you do it right)
• Research
• Planning
• Resource allocation
• Policy development
• Quality improvement
• Auditing
• Evaluation
• Data matching
• Share personal information for service delivery
How we analyze initiatives
• Who are you?
  • Nature of organizations
  • Jurisdiction
• What are you doing?
  • What personal information will you collect, use or disclose?
  • Research, data matching
• Is it legal?
  • Analysis of legal authorities
• How are you managing risk?
  • Information security
  • Agreements, policies
  • Incident response plans
  • Regular review of controls
  • Training
Key Privacy Controls (for big data initiatives)
• Governance, policies, training
• Access controls
  • Need to know, least amount principle
• Consent (where necessary)
• Openness, transparency, notification
• Retention and disposition
  • Only keep information as long as necessary
• Incident response
• Privacy laws use reasonableness test
  • Controls do not need to be perfect
Challenges for the new data scientist
• We live in a federation and have international partners
• Managing privacy among multiple stakeholders (governance)
• Transparency
• Managing consent, citizen expectations
• Trans-border legal demands
• Bureaucratic fear, uncertainty and doubt
Tips for success
• Talk to us
  • We are happy to consult on any initiative
  • Early consultation prevents last-minute pitfalls
• Build privacy into your initiative from the start
  • Last-minute, bolt-on privacy is expensive and inefficient
• Engage the public
  • Transparency assuages fear
• Conduct a privacy impact assessment
  • Our Office is pleased to review and provide comments
  • Consider making your PIA public
• Develop privacy expertise
Curriculum for the new data scientist
• Privacy principles
• Privacy risk assessment and mitigation strategies
• Information security
• Access to information
• Records management
• Agreements and contracts
OIPC sponsored research on information sharing
Government Information Sharing: Is Data Going Out of the Silos, Into the Mines?
• http://www.oipc.ab.ca/Content_Files/Files/Publications/Report_GovtInfoSharing_Jan2015.pdf
• Case studies
• Citizen expectations
• Examining risk in data sharing projects
Free PIA training
• Calgary: October 16
• Edmonton: October 15
• www.oipc.ab.ca for more info.
Your questions
THANK YOU!
Brian Hamilton
Director, Compliance and Special Investigations
Office of the Information and Privacy Commissioner, [email protected]