Public Sector Case Studies:

1
Public Sector Case Studies

• THE ESTABLISHMENT OF A
• PRIVACY OFFICE

2
AGENDA

• Introduction to the ONTARIO WORKPLACE SAFETY
  INSURANCE BOARD (WSIB)
• Evolution of the WSIB PRIVACY OFFICE
• Building a corporate PRIVACY INFRASTRUCTURE

3
The Workplace Safety and Insurance Board An
Overview

• The Workplace Safety and Insurance Board (WSIB)
  began as the Workmen's Compensation Board in 1915
  through an Act of the Ontario Legislature
• The system of no-fault collective liability
  provides fair compensation for injured workers
  and their families, while spreading individual
  costs among employers
• Today, the WSIB administers some 340,000 claims
  with a staff of 4,293 located throughout Ontario
• A total of 201,272 Ontario employers are covered
  by the WSIB

4
ENABLING LEGISLATION

• WORKPLACE SAFETY and INSURANCE ACT (WSIA)
• Provides for legislative authority for the
  collection, use, retention and disclosure of
  information
• FREEDOM OF INFORMATION and PROTECTION OF PRIVACY
  ACT (FIPPA)
• Provides the right of access to information under
  the control of institutions
• Protects the privacy of individuals with respect
  to personal information about themselves held by
  institutions and provides individuals with a
  right of access to that information

5
CHANGE DRIVERS

• WCB ? WSIB (1998)
• VISION THE ELIMINATION OF ALL WORKPLACE INJURIES
  and ILLNESSES
• WISB now oversees Ontarios system of workplace
  safety education and training
• Greater support of research efforts in the study
  of occupational disease and workplace safety
• Emphasis on early and safe return to work
• New technologies implemented
• Increased outsourcing of business processes

6
(No Transcript)
7
MAKING THE CASE FOR A PRIVACY OFFICE

• January 1, 2002 Program Privacy Group
• Developed the capacity to implement Privacy
  Impact Assessments
• Completed PIAs for key strategic projects
• Educated project teams through privacy
  presentations
• BUILT PRIVACY AWARENESS WITH SENIOR MANAGEMENT

8
DASHBOARD VIEW OF PRIVACY COMPLIANCE
9
ACCOUNTABILITY
Source Information and Privacy
Commissioner/Ontario (IPC)- Privacy Diagnostic
Tool
10
PRIVACY IS ON THE CORPORATE MAP

• July 1, 2002 WSIB PRIVACY OFFICE
• Legal Services Division
• Integrated FOI Program
• Full service ACCESS and PRIVACY OFFICE
• Multidisciplined team
• FOI Co-ordinator, business specialists, security
  architect, project management experience

11
TEAMWORK

• NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL,
  COMMITTED PEOPLE CAN CHANGE THE WORLD. INDEED,
  IT IS THE ONLY THING THAT EVER HAS.

12
PRIVACY OFFICE RELATIONSHIPS
BUSINESS
LEGAL SERVICES
PRIVACY OFFICE
SECURITY
ARCHITECTURE
CONTRACTED SERVICE PROVIDERS
RESEARCHERS
13
CORPORATE PRIVACY FRAMEWORK
FOI PROGRAM
Education Awareness
Governance
Risk Assessments Risk Mgmt
14
WSIB PRIVACY DESIGN PRINCIPLES

• Compliance with the Privacy Design Principles is
  mandatory (FIPPA) for all project staff and
  consultants
• Purpose
• Help staff and consultants doing projects
  understand and meet the WSIBs privacy
  obligations with respect to the design and
  implementation of any type of WSIB project
• Enhance WSIB privacy compliance by ensuring
  legislated privacy requirements are met from
  project concept to business integration upon
  completion of the project.

15
Applying the PRIVACY Concept to a Project

• WSIB Project Program Privacy Design Principles
• Project Initiation
• Terms of Reference
• Initial Privacy Security Screening Assessent
• 1st step in identifying privacy requirements
• Business Case

16
PRIVACY Review Process

• Initial Privacy Screening Assessment
• A questionnaire to determine if there are
  possible privacy implications,requiring a more
  detailed privacy review of the project
• To be completed at the conceptual phase of a
  project.
• Is there personal information (as defined by
  FIPPA) collected, used, disclosed and retained?
• Who collects it?
• How is it Collected?
• Where does it go? (ie. Does it cross
  Ontario/Canadian borders?
• How is it transmitted to external parties?
  (e-mail,fax)
• Will the data be retained? If so, for how long?
• Who will have access to the information?
• What is the legislative authority for the
  collection, use and disclosure of personal
  information?

17
PRIVACY Impact Assessments

• What is a PIA?
• A PIA is a process that measures both legislative
  compliance (I.e. FIPPA, WSIA) and considers the
  broader privacy implications of a given proposal.
  
• Purpose
• The function of a PIA is to ensure that privacy
  risks associated with a given proposal are
  properly identified and addressed wherever
  possible, and that decision makers have been
  informed of these risks and the options available
  to mitigate them.

18
The PIA in the PROJECT LIFE CYCLE

• CONCEPT and PLANNING
• Project Definition
• Initial PIA
• Conceptual Design
• Privacy Security Requirements
• DETAILED DESIGN IMPLEMENTATION
• Interim PIAs
• POST IMPLEMENTATION
• Final PIA

19
The PIA in the PROJECT LIFE CYCLE

• The Privacy Impact Assessment Process provides
  for
• More detailed definition of privacy requirements
• Integration of privacy requirements into project
• Assurance reporting to project and business
  management

20
POSITIONING COMMUNICATIONPRIVACY

• PRIVACY IS NOT JUST ABOUT COMPLYING WITH
  LEGISLATION
• PRIVACY IS ABOUT
• BUILDING TRUSTED RELATIONSHIPS
• GOOD BUSINESS PRACTICE

21
(No Transcript)
22
(No Transcript)
23

• QUESTIONS/COMMENTS?

24
SPEAKER CONTACT INFORMATION

• Laurisa Tkachenko
• Director, Privacy Office
• Workplace Safety Insurance Board
• 200 Front Street West, 20th floor
• Tel (416) 344-3685
• email laurisa_tkachenko_at_wsib.on.ca