230 likes | 421 Views
Service Integration: Identifying Privacy Issues at ServiceOntario. Presentation to Managing Government Information 3 nd Annual Forum March 8, 2005. Developing the ServiceOntario Privacy Policy: It Starts with Service.
E N D
Service Integration: Identifying Privacy Issues at ServiceOntario Presentation toManaging Government Information 3nd Annual Forum March 8, 2005
Developing the ServiceOntario Privacy Policy: It Starts with Service • In November 2004 the Ontario Government renamed its integrated service delivery system ServiceOntario • The ServiceOntario mandate is to transform service delivery and streamline access to government information and services, Online, In person and Over the phone • Vision: to provide customers with the services they want, when, where and how they want them, in a manner that is easily understandable to them • Plan: over the next 4 years, implement and operate an integrated system of counter, internet-based and telephone channels delivering an array of government services
ServiceOntario Scope of Services • Primary provider of information about government services to the public & business • Provide referral to appropriate program areas & address customer information needs by bundling information across programs & jurisdictions • Deliver “routine transactions” on behalf of other program owners
ServiceOntario Roles • As the public face of government service delivery, ServiceOntario will have two roles: • As a service agent, delivering the services of other program owners in the Ontario public service, and beyond. • As a service owner, delivering its own services to its customers. • To fulfil these roles effectively, ServiceOntario will need to collect, verify and manage personal information to satisfy program and client expectations
The ServiceOntario Promise • The core values of ServiceOntario are: • Access • Choice • Trust • Quality • A key characteristic of trust is privacy protection. A privacy policy must clearly support and enhance this core value.
Identifying the Issues • Establish why a privacy policy is needed (over and above simply complying with legislation) • Develop approach and objectives of the policy • Context and perspective (e.g., service delivery; horizontal initiatives) • Framework (how will the information flow from a program perspective; existing legal framework; potential changes to legislation) • Review any previous policy documents, corporate standards, directives, etc. • Consider how the policy will be implemented
Purpose of the ServiceOntario Privacy Policy • To support seamless, multi-channel, cross-jurisdictional service delivery by: • Building Trust (with partners and customers) • Demonstrating to the government, overseeing bodies, the public, and partners that ServiceOntario has built privacy safeguards into the integrated service delivery program through a clear process • Ensuring compliance with privacy legislation and standards, and identifying where there may be gaps • Clearly demonstrating compliance • Guiding the design, construction and implementation of ServiceOntario initiatives to ensure that privacy requirements are met at all stages of the program lifecycle • Guiding ongoing operations. • Building Capacity (within the organization) • Training staff and ongoing communications • Codifying processes and documenting changes.
Approach to Developing the ServiceOntario Privacy Policy • Build policy as much as possible within existing privacy legislative and standards frameworks; but identify where enabling legislation might be required from a program perspective • Adapt to the ServiceOntario context–- ie, a service management perspective, acting as an information conduit using “flow through” or “broker” model • Ensure that ServiceOntario provides a comparable or improved level of protection when collecting personal information as would be provided by a Program Owner directly.
Approach, cont’d • Identify what is unique about privacy within the ServiceOntario service delivery program, in order to ensure compliance and demonstrate compliance with privacy standards • Identify processes to ensure ServiceOntario and partner programs are compliant (e.g., PIAs, performance reports, etc.) • Consider how to embed privacy processes (through implementing policy)
Sources… • Canadian Standards Association Model Code for the Protection of Personal Information • Directives and corporate strategies • e.g., MBS Electronic Service Delivery Privacy Standard • Draft ISDD Health Integration Project Conceptual Privacy Impact Assessment • Current legislation
…and Key Considerations • Canadian Charter of Rights and Freedoms • Legislation • FIPPA • MFIPPA • PIPEDA • PHIPPA • Individual program statues and regulations • Organizational mandate • Organizational model (e.g., agency, Crown Corp., etc.) • Service delivery objectives and model (e.g., broker or “flow through;” limited repository; authoritative) • Inter-jurisdictional considerations • Policy objectives (beyond compliance)
Some Challenges • Legislation is geared toward individual programs (vertical structures) rather than cross-organizational initiatives (horizontal structures) • Personal information vs. business information– not always a clear distinction between what is personal and business • Accountability (within and between programs and the service integrator) • The need to retain information for quality assurance vs. the need for minimal retention for privacy protection • Balance between service delivery requirements (public demand for greater access, efficiency) and traditional role of government (protect the public good)
Tools and Processes Identified for Implementation • Privacy Impact Analysis (PIA) • Threat Risk Analysis (TRA) • Agreements (MOUs, SLAs, delegated authority agreements, data sharing agreements, consent notices, etc.) • Training and communications • Privacy “audits” and reportbacks (measuring compliance)
Assumptions • The ServiceOntario Privacy Policy provides an overarching standard that will guide the delivery of all ServiceOntario programs and services. The policy is designed so as not to conflict with the specific privacy or data collection laws that may apply in a particular context (FIPPA, PIPEDA, PHIPA) • A “Program Owner,” whose programs and services are being delivered by ServiceOntario, may be an Ontario or federal ministry, department, agency, Crown Corporation, municipality or other entity • ServiceOntario will also act as a Program Owner to deliver its own services • Public or private sector agents may be acting as ServiceOntario representatives in different contexts
Assumptions, cont’d • ServiceOntario will have the legislative authority to collect personal information through amendments to the appropriate statutes governing a Program Owner or through separate legislation • In this policy, the term “customer information” means information about an individual, a business or an authorized representative of the business; and “customer” means an individual or an authorized representative of the business. • This policy will guide the development of ServiceOntario programs and procedures to ensure that services are delivered in a manner that offers the same or greater privacy protection than the status quo. This will allow ServiceOntario to achieve service delivery objectives while adhering to its core values of Access, Choice, Quality and Trust.
How ServiceOntario Core Values Are Supported • As an agent for service delivery, ServiceOntario will handle information on a “flow-through” basis, where information will be collected from the customer and sent along to the program owner. • ServiceOntario agents will be collecting, using and disclosing customer information but not retaining it after the initial stage of the transaction has been completed.The only exception to this is that credit card numbers, without the cardholder’s name, will need to be retained for up to one year to meet contractual requirements with financial institutions for payment processing and reconciliation. • ServiceOntario will not engage in any type of data matching. Data matching is expressly prohibited under the privacy policy. • All ServiceOntario customer information, being information related to a business or personal information about an individual.
Core Principles • Accountability • “An organization is responsible for personal information under its custody or control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles.” • Identifying purpose • “The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.” • Consent • “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information except where required by law.”
Core Principles, cont’d… • Limiting collection • “The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.” • Limiting use, disclosure and retention • “Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.” • Accuracy • “Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.”
Core Principles, cont’d… • Safeguards • “Personal Information shall be protected by security safeguards appropriate to the sensitivity of the information.” • Openness • “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”
Core Principles, cont’d… • Individual access • “Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.” • (Individuals requesting access will be referred to the relevant program.) • Challenging compliance • “An individual shall be able to address a challenge concerning compliance with this policy to the designated individual or individuals accountable for the organization’s compliance.”
Thank You! • Please visit… • www.serviceontario.ca
Contact: • Steve Burnett • Acting Director, Policy and Strategic Planning Branch • Service Ontario • Ministry of Consumer and Business Services • 416-326-6062