Public Sector Case Studies: THE ESTABLISHMENT OF A PRIVACY OFFICE


Page 1: Public Sector Case Studies:

Public Sector Case Studies: THE ESTABLISHMENT OF A PRIVACY OFFICE

Page 2: Public Sector Case Studies:

AGENDA

Introduction to the ONTARIO WORKPLACE SAFETY & INSURANCE BOARD (WSIB)

Evolution of the WSIB PRIVACY OFFICE

Building a corporate PRIVACY INFRASTRUCTURE

Page 3: Public Sector Case Studies:

The Workplace Safety and Insurance Board: An Overview

The Workplace Safety and Insurance Board (WSIB) began as the Workmen's Compensation Board in 1915 through an Act of the Ontario Legislature

The system of no-fault collective liability provides fair compensation for injured workers and their families, while spreading individual costs among employers

Today, the WSIB administers some 340,000 claims with a staff of 4,293 located throughout Ontario

A total of 201,272 Ontario employers are covered by the WSIB

Page 4: Public Sector Case Studies:

ENABLING LEGISLATION

WORKPLACE SAFETY and INSURANCE ACT (WSIA)
– Provides for legislative authority for the collection, use, retention and disclosure of information

FREEDOM OF INFORMATION and PROTECTION OF PRIVACY ACT (FIPPA)
– Provides the right of access to information under the control of institutions
– Protects the privacy of individuals with respect to personal information about themselves held by institutions and provides individuals with a right of access to that information

Page 5: Public Sector Case Studies:

CHANGE DRIVERS

WCB WSIB (1998)
– VISION: THE ELIMINATION OF ALL WORKPLACE INJURIES and ILLNESSES
– WSIB now oversees Ontario’s system of workplace safety education and training
– Greater support of research efforts in the study of occupational disease and workplace safety
– Emphasis on early and safe return to work

New technologies implemented

Increased outsourcing of business processes

Page 6: Public Sector Case Studies:

Health Professionals

Pharmacies

Alternate Service Providers

Employers

APPLICATION SYSTEMS, TELEPHONE FAX, MAIL, EMAIL, INTERNET

Hospitals

Researchers

Safe Workplace Associations (SWAS)

LMR Service Providers

WSIB Employees Working Outside the Office

WSIB Contracted Specialty Clinics

Page 7: Public Sector Case Studies:

January 1, 2002 Program Privacy Group

– Developed the capacity to implement Privacy Impact Assessments
– Completed PIAs for key strategic projects
– Educated project teams through privacy presentations
– BUILT PRIVACY AWARENESS WITH SENIOR MANAGEMENT

MAKING THE CASE FOR A PRIVACY OFFICE

Page 8: Public Sector Case Studies:

DASHBOARD VIEW OF PRIVACY COMPLIANCE

ACCOUNTABILITY: SAMPLE
IDENTIFYING PURPOSES: SAMPLE
CONSENT: SAMPLE
LIMITING COLLECTION: SAMPLE
LIMITING USE, DISCLOSURE & RETENTION: SAMPLE
ACCURACY: SAMPLE
SAFEGUARDS: SAMPLE
OPENNESS: SAMPLE
INDIVIDUAL ACCESS: SAMPLE
CHALLENGING COMPLIANCE: SAMPLE

Page 9: Public Sector Case Studies:

ACCOUNTABILITY

Requirement * | In Place (Color Code) | In Progress (Color Code) | Not in Place (Color Code)

1. You assign accountability for compliance with these principles to a specific person or group of people in your company.

2. You make available the identity and contact information of the person or group of people in your organization who are accountable for compliance with established privacy principles

3. You develop and then implement specific privacy policies and procedures

*Source: Information and Privacy Commissioner/Ontario (IPC) - Privacy Diagnostic Tool

Page 10: Public Sector Case Studies:

PRIVACY IS ON THE CORPORATE MAP

July 1, 2002 WSIB PRIVACY OFFICE

– Legal Services Division
– Integrated FOI Program
– Full service ACCESS and PRIVACY OFFICE
– Multidisciplined team
    • FOI Co-ordinator, business specialists, security architect, project management experience

Page 11: Public Sector Case Studies:

TEAMWORK

“NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL, COMMITTED PEOPLE CAN CHANGE THE WORLD. INDEED, IT IS THE ONLY THING THAT EVER HAS”.

Page 12: Public Sector Case Studies:

PRIVACY OFFICE RELATIONSHIPS

LEGAL SERVICES

SECURITY

ARCHITECTURE

BUSINESS

CONTRACTED SERVICE PROVIDERS

PRIVACY OFFICE

RESEARCHERS

Page 13: Public Sector Case Studies:

CORPORATE PRIVACY FRAMEWORK

FOI PROGRAM
- FIPPA ACCESS Requests
- Research requests

Governance
- WSIB Privacy Design Principles
- Security Policies
- Operational Confidentiality Policies

Risk Assessments & Risk Mgmt
- Privacy Impact Assessments
- Privacy Diagnostic Tool
- Privacy Audits/Reviews

Education & Awareness
- Internal Portal
- Desktop Tools
- Training Programs
- Presentations

Page 14: Public Sector Case Studies:

WSIB PRIVACY DESIGN PRINCIPLES

Compliance with the Privacy Design Principles is mandatory (FIPPA) for all project staff and consultants

Purpose:

Help staff and consultants doing projects understand and meet the WSIB’s privacy obligations with respect to the design and implementation of any type of WSIB project

Enhance WSIB privacy compliance by ensuring legislated privacy requirements are met from project concept to business integration upon completion of the project.

Page 15: Public Sector Case Studies:

Applying the PRIVACY Concept to a Project:

WSIB Project & Program Privacy Design Principles

Project Initiation
– Terms of Reference
    • Initial Privacy Security Screening Assessment
    • 1st step in identifying privacy requirements
– Business Case

Page 16: Public Sector Case Studies:

PRIVACY Review Process

Initial Privacy Screening Assessment:

A questionnaire to determine if there are possible privacy implications, requiring a more detailed privacy review of the project

To be completed at the conceptual phase of a project.
» Is there personal information (as defined by FIPPA) collected, used, disclosed and retained?
» Who collects it?
» How is it collected?
» Where does it go? (i.e. Does it cross Ontario/Canadian borders?)
» How is it transmitted to external parties? (e-mail, fax)
» Will the data be retained? If so, for how long?
» Who will have access to the information?
» What is the legislative authority for the collection, use and disclosure of personal information?

Page 17: Public Sector Case Studies:

PRIVACY Impact Assessments

What is a PIA?
• A PIA is a process that measures both legislative compliance (i.e. FIPPA, WSIA) and considers the broader privacy implications of a given proposal.

Purpose
• The function of a PIA is to ensure that privacy risks associated with a given proposal are properly identified and addressed wherever possible, and that decision makers have been informed of these risks and the options available to mitigate them.

Page 18: Public Sector Case Studies:

The PIA in the PROJECT LIFE CYCLE

CONCEPT and PLANNING
– Project Definition
    • Initial PIA
– Conceptual Design
    • Privacy & Security Requirements

DETAILED DESIGN & IMPLEMENTATION
    • Interim PIAs

POST IMPLEMENTATION
    • Final PIA

Page 19: Public Sector Case Studies:

The PIA in the PROJECT LIFE CYCLE

The Privacy Impact Assessment Process provides for:

More detailed definition of privacy requirements

Integration of privacy requirements into project

Assurance reporting to project and business management

Page 20: Public Sector Case Studies:

POSITIONING & COMMUNICATION PRIVACY

PRIVACY IS NOT JUST ABOUT COMPLYING WITH LEGISLATION

PRIVACY IS ABOUT:

BUILDING TRUSTED RELATIONSHIPS

GOOD BUSINESS PRACTICE


Page 23: Public Sector Case Studies:


QUESTIONS/COMMENTS?

Page 24: Public Sector Case Studies:

SPEAKER CONTACT INFORMATION

Laurisa Tkachenko
Director, Privacy Office
Workplace Safety & Insurance Board
200 Front Street West, 20th floor
Tel: (416) 344-3685
email: [email protected]