1. Routine Disclosure (RD), Risk Management and Privacy Architecture at Alberta Seniors and Community Supports CAPA Conference, Ottawa
Prepared by Kent Ziegler, I.A.P.P
November 24, 2009
2. Agenda
Active Dissemination, Proactive Disclosures and Routine Disclosure
Residential School Claims: the ASCS Routine Disclosure experience & Murphy's Law
- Our DOA, laying the foundation
- Buy-In from the Big Guy
- making our case
What we did wrong
What we would do differently
What we did right
- Access to Information Audit
- Access Impact Assessment emerging tools
- Risk Management
- Information Risk Value Assessments
- Building your Information and Privacy Architecture
- Wrap Up: what's happening out there in ATIP?
3. Access to Information
"Although I agree, Mr. Chairman, that Canada blazed the trail in the early 80s with the passage of the Access to Information Act, I do not agree, with all due respect, that Canada continues to be at the forefront today."
Information Commissioner, May 2009, to House Standing Committee on Access to Information, Privacy and Ethics
The overarching purpose of access to information legislation is to facilitate democracy by helping to ensure that citizens have the information required to participate meaningfully in the democratic process and that politicians and bureaucrats remain accountable to the citizenry.
Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403
A lack of access to information disproportionately affects the poor, women and other vulnerable and marginalized societies. The Atlanta Declaration: http://www.accessinitiative.org/
4. AD, PD and RD Active Dissemination
Release of Annual Reports
The practice of proactively releasing information that an organization understands is potentially of interest to stakeholders and outsiders.
Proactive Disclosure
Government Wide Reporting:
Disclosure of grants, position re-classes and contracts, expense reports
Routine Disclosure
The regular release of information online and offline, without a particular ATIP request.
Providing access to documents and information through informal, rather than formal (ATIP), access methods
- Portions above excerpted from University of Alberta IAPP Foundations Course: Access in a Liberal Democracy
5. Indian Residential School Claims The court settlement process, established by the federal government, allows individuals who have suffered physical and mental abuses in the past while in a federal school to receive compensation for their suffering. In order to make a claim, all personal information about the individual must be submitted to the courts for assessment.
For more information:
http://www.residentialschoolsettlement.ca/English.html
6. The Approval Process Research & legwork
Preparing for challenges
Making the pitch
Establishing the process
Monitoring and follow up
7. Routine Disclosure Project Roadmap
9. The Ace up Our Sleeve: OIPC (we couldn't have done it without them, really!)
Advance consultation and collaboration with the Commissioner is critical
Provides credible authority
Helps ensure smoothest possible process
Provides executives with required comfort
I commend ASCS for its consideration of this proposal. I believe this is a good decision on the part of ASCS and is an excellent example of the openness and transparency principles advocated in the FOIP Act.
10. Routine Disclosure Form
11. Verbiage: It's not what you say, but how you say it!
To rein in up-trending costs, the Ministry ATIP Unit is changing an internal administrative process. This change will allow the unit to more economically manage an exponentially increasing number of ATIP requests related to personal information.
The change in this administrative process will be entirely unnoticeable by program areas, and will have no effect whatsoever on them, as the change is entirely an ATIP unit internal administrative paperwork/processing change.
The ATIP Unit has consulted with, and received positive official commentary from, the Alberta Information and Privacy (ATIP) Commissioner about the appropriateness of changing this administrative process.
12. The Numbers Game: "There are three types of lies: lies, blatant lies and statistics" (Mark Twain)
RD & ATIP Statistics, May-September 2009
Routine request requestor: all legal counsel or legal representatives
Routine requests received: 53
ATIP requests received: 45
Routine request pages processed: 2011
ATIP request pages processed: 8621
Average routine request processing time: 16 days
Average ATIP request processing time: 25 days and, currently, dropping
13. ASCS AD/PD and RD Initiatives Rural Capital Projects Initiative: http://www.seniors.gov.ab.ca/housing/RCPI/
Supportive Living Public Reporting Information: http://asalreporting.gov.ab.ca/astral/
Protection for Persons in Care Statistics http://www.seniors.gov.ab.ca/CSS/persons_in_care/reports/index.asp
Protection for Persons in Care - Case Summaries http://www.seniors.gov.ab.ca/CSS/persons_in_care/case_summaries/index.asp
Minister's Office Expenses: http://www.servicealberta.gov.ab.ca/minister_expenses/Reports.cfm?path=senior
PDD Research Reports http://www.pdd.org/publications/researchreports.shtml
PDD Satisfaction Reports: (http://www.pdd.org/publications/archivepubs.shtml)
14. What we did wrong Moved too quickly
Didn't do enough background work
Didn't anticipate executive viewpoints/concerns thoroughly enough
Assumed this was a minor process adjustment
Poor timing
Didn't have samples for executive to see impacts/issues
15. What we would do differently Formal, and more extensive, AIA; build an ATI Audit into the corporate privacy architecture as well
Allow more time for executive consideration and buy-in, more strategic engagement time
Refer more to other ministries/bodies RD programs
Ensure we are looking at issues through glasses other than our own
Dream bigger: next time, PI requests for client files
Hire well trained staff, stand behind them and give them support when they need it, and then stand back and let them do what they are trained to do!
16. Comments from Other GOA ATIP Offices In 08-09, AENV processed 3000 RD requests
Challenges include classifying information and training ministry staff in assessing and handling information and documents in a consistent fashion
This exercise has revealed additional classes of information that could be routinely disclosed
Has allowed ATIP team to really become viewed as in-house information experts
The more that goes through RD, the fewer ATIP requests you get
Courtesy (and paraphrased from):
Bonnie Nelson, Assistant ATIP Coordinator, AENV
17. What we did right Access Impact Assessment (AIA) and Access to Information Audit (ATI)
18. Access Impact Assessments Formal ATI requests are not appropriate in some instances; moreover, ATIs are time consuming and can be replaced by a more streamlined process such as RD
AIAs allow identification of frequently requested records and records that should be publicly available
AIAs present an excellent opportunity to deliver on the principles of openness and transparency
Identifies potential risks or sensitivities associated with certain disclosure methods
Courtesy of Stefania Cerisano, Privacy Manager and Acting Access Manager, Alberta Energy
21. What's in an AIA? Similar to PIA but:
- Are generally project specific (process or project level)
if they are organization centric (entity level) they are likely an ATI Audit
- focus on information management and disclosure processes
- legislative compliance (roll up results from an ATI audit)
- operational efficiencies
- risk management and disclosure issues management
22. Risk Assessment 201 The assessment of risk and value creates an Information Risk Value Assessment (IRVA) which is based on two key concepts:
Risk is a set of challenges and obstacles which may impede or affect an entity's achievement of its goals or objectives, and undermines its mission.
Value is determined by the process that generates or consumes the information series and is inherently linked to an organization's goals and objectives.
23. Risk Assessment 201 Risk is then further broken down into two sub components: likelihood and impact.
Likelihood is the probability, based on the law of averages, of a risk event occurring within a given risk event horizon (i.e. time frame).
Impact is the outcome of an event expressed qualitatively or quantitatively as a loss (resources, prestige, effort), injury, or disadvantage.
Value is simply established, as objectively as possible under the circumstances, on a sliding scale.
24. Information Risk Value Assessment
25. Current State Privacy Assessment
26. Privacy Architecture Pyramid
27. Sample Information and Privacy Architecture Build-Out
28. Governance Layer: Policy
29. Typical Architecture Uptake Curve
30. What's Happening Out There?
31. The View From 30,000 feet
32. Privacy Tort Law: A Layperson's Guide
Concepts extracted from The Canadian Legal System, 5th Ed., Gerald Gall, Thomson, Canada Limited, Toronto
33. Opt-In's Last Stand at the Alamo
34. International Awards From Jorge Hage, Head of the Office of Comptroller General, Brazil http://www.cartercenter.org/resources/pdfs/peace/americas/conference2009/JorgeHage.ppt#686,13,International Awards UNODC Award
2008
35. What's Happening Out There in ATI?
37. Keeping up With the Jones Johannsens: The Norway way
38. Thank You!