
Incorporating Privacy Into Systems Development Methodology

Phil Moleski, Director, Corporate Information Technology Branch, Saskatchewan Health (Pmoleski@health.gov.sk.ca)


Presentation Transcript


  1. Incorporating Privacy Into Systems Development Methodology • Phil Moleski, Director, Corporate Information Technology Branch, Saskatchewan Health • Pmoleski@health.gov.sk.ca

  2. Agenda • Health sector background information • Evolving privacy framework • Current systems methodology at Sask. Health • Overlay on systems methodology • Security assessment considerations

  3. Saskatchewan Health • “Provincial Government Department responsible for the publicly funded health system in Saskatchewan” • “Roughly 1 million clients and $2.9 billion in forecast expenditures for 2005–2006”

  4. Saskatchewan Health Sector • Department • 13 Regional Health Authorities • Cancer Agency • Independent Professionals (Doctors, etc.) • Various smaller funded agencies

  5. Major IT Organizations in the Health Sector • Corporate Information Technology Branch (CITB) • Health Information Solutions Centre (HISC) • Regional Health Authorities (RHAs) • Cancer Agency

  6. Corporate Information Technology Branch • Internally Department Focused • IT infrastructure • Systems Development Environment • Claims and Health Registration Applications

  7. Health Information Solutions Centre (HISC) • Health Sector network, help desk and IT solutions to support service delivery • Focus on Clinical Applications • Electronic Health Record • Lead Provincial IT/IM Planning, Architecture and Standards for Health Sector • Information products and services

  8. Regional Health Authorities (RHAs) & others (Cancer Agency etc.) • Internal IT focus on their organizations • CIO Forum

  9. Privacy Framework within Provincial Government • Exec. Director, Access and Privacy Branch, Saskatchewan Justice • Privacy Policy Framework with Goals, Objectives, and Performance Measures

  10. Privacy Framework within Provincial Government • Principles adapted for Saskatchewan from the CSA, Model Code for the Protection of Personal Information – Q830.1996, p. vii

  11. Privacy Framework within Provincial Government: Eleven principles • Accountability • Purpose • Limiting Consent • Collection • Use and Disclosure • Retention • Accuracy • Safeguards • Openness • Access • Compliance

  12. Privacy Framework within Saskatchewan Health • Deputy Minister • Privacy Officer • CIO Forum – Privacy Subcommittee

  13. What happens now?

  14. While formally including privacy as part of the systems development methodology is a work in progress, “Protecting the privacy of information with appropriate security has always been and remains a top priority for Saskatchewan Health”

  15. CITB Systems Development Methodology (diagram) • Phase 1 System Need Definition • Phase 2 Conceptual Design • Phase 3 Application System Architecture • Phases 4 & 5 Application & Infrastructure • Phases 6 & 7 Implementation • Ongoing Operations

  16. CITB Systems Development Methodology, Phase 1 System Need Definition • Macro Plan • Security • Privacy Impact • Interfaces • Conceptual Architecture

  17. CITB Systems Development Methodology, Phase 2 Conceptual Design • Business/Data Flows • Functionality • Data elements • Technology • Security • Privacy • Project plan

  18. CITB Systems Development Methodology, Phase 3 Application System Architecture • Physical database Features • Business/Data Flows • Security Tables & Processes • Project Plan

  19. CITB Systems Development Methodology, Phases 4 & 5 Application & Infrastructure Development • Application system • Acceptance Test Results • Implementation Plan • Operations Service Level • Hardware/Network Plan

  20. CITB Systems Development Methodology, Phases 6 & 7 Implementation • User Sign-off • User Training • Security Certificates • System Governance Design/ • Next Steps • Support Procedures

  21. CITB Systems Development Methodology, Ongoing Operations • Problem Logs • Change Management • Privacy Management

  22. How do the systems development methodology and privacy fit together? • still learning • completed several projects with privacy built into the project plan • lots of work, start early

  23. CITB Systems Development Methodology (diagram) • Phase 1 System Need Definition (Requirements) • Phase 2 Conceptual Design • Phase 3 Application System Architecture (Detailed Design) • Phases 4 & 5 Application & Infrastructure (Development) • Phases 6 & 7 Implementation • Ongoing Operations

  24. [Diagram] Systems Development Methodology stages: Requirements • Design • Detailed Design • Development • Implementation • Operations. Privacy activities overlaid on the stages: High Level Privacy Assessment • Legal & Policy • Detailed Privacy Assessment • Drafting Agreements • Execute Agreements

  25. Privacy Assessment: High Level Privacy Impact Assessment • may identify changes needed to the business or existing law.

  26. Legal and Policy: What are the questions that need to be asked? • Is it legal? • Is it good public policy? • Will it stand up to Public Scrutiny? • Will it stand up to Audit (good management practices)?

  27. Legal and Policy • In summary: Making good public policy decisions includes addressing the Legal, Public Scrutiny, and Audit perspectives.

  28. Legal and Policy • Creating and changing provincial law

  29. Privacy Assessment: Detailed Privacy Impact Assessment • Final document for audit purposes • Addresses all of the principles in the privacy framework

  30. Drafting Agreements • Documents that outline the flow of information between one or more trustees of the information for a particular purpose including any conditions that apply.

  31. Drafting Agreements • Creating Policy • Education • Culture

  32. Executing Agreements • It’s (implementation?) time when the agreements are signed!!

  33. [Diagram] Systems Development Methodology stages: Requirements • Design • Detailed Design • Development • Implementation • Operations. Privacy activities overlaid on the stages: High Level Privacy Assessment • Legal & Policy • Detailed Privacy Assessment • Drafting Agreements • Execute Agreements. Two question marks appear in this version of the diagram, near Detailed Privacy Assessment and Development.

  34. Staffing and Project Considerations • Project Manager • Business/Systems Analyst • Policy/Legal Analyst

  35. Project Structure • Project Steering Committee • Project Management Office • Business Stream • Policy and Legal • Technical Stream

  36. Summary thoughts: Addressing privacy is good management and helps document the answers to the questions: • Just because we can do something, “Should we?” • What happens if something goes wrong?

  37. Privacy Security

  38. Security assessment considerations: What is the appropriate security in response to the privacy requirements? • Security Controls • Environment Classification • Information Classification

  39. Security assessment considerations: Security Controls • Authentication • Authorization • Encryption • Integrity • Availability • Accountability

  40. Security assessment considerations: Environment Classification • Un-trusted • Semi-Trusted • Trusted

  41. Security assessment considerations: Information Classification • Public • Internal • Confidential • Restricted

  42. Security Classification Matrix

  43. Security Assessment Review • A document that outlines how well the proposed solution meets the requirements for privacy and security • Outlines the security factors, the unmitigated risks, and the mitigated risks of proceeding • Companion document to the Privacy Impact Assessment - Buy versus build

  44. Documents Attached • PIA Templates • Security Cube • Security Assessment Templates

  45. Documents Attached: Order of use • Determine business requirements • Fill in PIA • Use the Cube document based on the PIA • Fill in the SAR document based on the proposed technical solution

  46. Questions
