Privacy, Security & Access to Data

Post on 14-Apr-2017


Privacy, Security & Access to Data
Cyber Summit 2015

Brian Hamilton, Director, Compliance and Special Investigations
September 28, 2015

Agenda

• Privacy laws enable your success

• How do privacy regulators analyze information sharing/analytics/big data initiatives?

• Regulatory challenges

• Tips for success in working with privacy regulators

Office of the Information and Privacy Commissioner of Alberta

• Commissioner – Jill Clayton
  • an officer of the Legislative Assembly
  • independent of government

• Oversight of Alberta’s access to information and privacy laws:
  • Freedom of Information and Protection of Privacy Act
  • Personal Information Protection Act
  • Health Information Act

• Provincial government is responsible for legislation

What we do

How we intersect with research

• Health Research Ethics Boards
  • File their approvals with us
  • Duty to review research proposals and assess whether adequate safeguards are in place

• Privacy Impact Assessment review
  • Especially data matching
  • Recommended for multi-stakeholder initiatives

• Investigations
  • Unusual, most people aren’t aware, or have consented
  • access to data without agreement

Privacy is an enabler

• Privacy regulators understand benefits of information sharing and analytics
  • Advancement of science, health
  • Convenience
  • Harmonized, coordinated, targeted services
  • Efficiency, cost containment

• Privacy statutes allow appropriate information sharing and data matching

• Privacy ensures your success

• We are in the freedom of information business

Things privacy laws allow you to do (as long as you do it right)

• Research
• Planning
• Resource allocation
• Policy development
• Quality improvement
• Auditing
• Evaluation
• Data matching
• Share personal information for service delivery

How we analyze initiatives

• Who are you?
  • Nature of organizations
  • Jurisdiction

• What are you doing?
  • What personal information will you collect, use or disclose?
  • Research, data matching

• Is it legal?
  • Analysis of legal authorities

• How are you managing risk?
  • Information security
  • Agreements, policies
  • Incident response plans
  • Regular review of controls
  • Training

Key Privacy Controls (for big data initiatives)

• Governance, policies, training

• Access controls
  • Need to know, least amount principle

• Consent (where necessary)

• Openness, transparency, notification

• Retention and disposition
  • Only keep information as long as necessary

• Incident response

• Privacy laws use reasonableness test
  • Controls do not need to be perfect

Challenges for the new data scientist

• We live in a federation and have international partners

• Managing privacy among multiple stakeholders (governance)

• Transparency

• Managing consent, citizen expectations

• Trans border legal demands

• Bureaucratic fear, uncertainty and doubt

Tips for success

• Talk to us
  • We are happy to consult on any initiative
  • Early consultation prevents last-minute pitfalls

• Build privacy into your initiative from the start
  • Last-minute, bolt-on privacy is expensive and inefficient

• Engage the public
  • Transparency assuages fear

• Conduct a privacy impact assessment
  • Our Office is pleased to review and provide comments
  • Consider making your PIA public

• Develop privacy expertise

Curriculum for the new data scientist

• Privacy principles
• Privacy risk assessment and mitigation strategies
• Information security
• Access to information
• Records management
• Agreements and contracts

OIPC sponsored research on information sharing

Government Information Sharing: Is Data Going Out of the Silos, Into the Mines?

• http://www.oipc.ab.ca/Content_Files/Files/Publications/Report_GovtInfoSharing_Jan2015.pdf

• Case studies
• Citizen expectations
• Examining risk in data sharing projects


Free PIA training

• Calgary: October 16
• Edmonton: October 15
• www.oipc.ab.ca for more info.

Your questions

THANK YOU!

Brian Hamilton
Director, Compliance and Special Investigations
Office of the Information and Privacy Commissioner, Alberta
bhamilton@oipc.ab.ca
www.oipc.ab.ca
780.422.6860