< Project Name >
Security and Privacy Risk Assessment Template
Last Updated: January 27, 2016
Submission Date:
Executive Team:
Project Sponsor:
Service Owner:
Project Manager:
Template Name: Security and Privacy Risk Assessment Template
Template ID: RA.1
Project Stage:
Contents
Overview of the Security and Privacy Risk Assessment Process (page 2)
Instructions for Completing the Security and Privacy Risk Assessment Template (page 3)
STAGE 1: PROPOSAL (page 4)
1.1 Project Identification and Lead (page 4)
1.2 Project Description (page 4)
1.3 Key Stakeholders (page 4)
1.4 Business Flow Diagram (page 4)
1.5 Information Involved in the Project (page 5)
1.6 Information Handling Requirements (page 6)
1.7 Privacy and Records Retention Requirements (page 6)
1.8 Assessment (page 7)
STAGE 2: INVESTIGATION (page 8)
2.1 Security and Privacy Analysis (page 8)
STAGE 3: INITIATION (page 12)
3.1 Solution Information (page 12)
3.2 Security and Privacy Analysis (page 12)
3.3 Contract Negotiation (page 16)
STAGE 4: PLANNING (page 19)
4.1 Data Flow (page 19)
4.2 Security and Privacy Analysis (page 19)
STAGE 5: IMPLEMENTATION (page 22)
5.1 Security and Privacy Analysis (page 22)
Security and Privacy Risk Register (page 23)
Appendix 1: Personal Information under FIPPA (page 24)
Appendix 2: Privacy Principles (page 25)
DRAFT of January 27, 2016 - 1
Overview of the Security and Privacy Risk Assessment Process
The Security and Privacy Risk Assessment is a staged process that provides a comprehensive review and evaluation of the risks and controls associated with the records and data collection and management requirements of a cloud based or hosted solution.
Objectives:
1) To ensure that Queen’s University’s and its service providers’ data collection and handling processes are aligned with relevant privacy legislation, including the Freedom of Information and Protection of Privacy Act (FIPPA). (N.B.: For projects involving “personal health information” as defined by the Personal Health Information Protection Act (PHIPA), consult with the Privacy Office for further instructions.)
2) To ensure that Queen’s University’s records and data are managed in accordance with internal policies and procedures.
The Security and Privacy Risk Assessment is part of the “Authorization to Operate” process.
Stage 1: Proposal: Project Description; Business Flow Diagram; Data Classification Analysis
Stage 2: Investigation: Privacy & Security Assessment of Vendor; Security and Privacy Risk Assessment of Service Owner (Investigation)
Stage 3: Initiation: Security and Privacy Risk Assessment of Service Owner (Initiation); Data Flow Diagram; Contract/NDA/SLA
Stage 4: Planning: Security and Privacy Risk Assessment of Service Owner (Planning)
Stage 5: Implementation: Operational Documentation; Security and Privacy Risk Register; Authorization Sign-off
Items in black are completed as part of this Security and Privacy Risk Assessment. Items in blue are completed as separate, but related, documentation. (See http://queensu.ca/cio/information-systems-security-office/authorization-operate).
Instructions for Completing the Security and Privacy Risk Assessment Template
What is the Security and Privacy Risk Assessment Template?
The Security and Privacy Risk Assessment Template provides documentation for the risk assessment reviews conducted with regards to the software application and services under consideration. It provides the vendor, project team and stakeholders with an understanding of how well the proposed software applications and services can address the data collection, use, retention, storage and disposition requirements of the business processes they manage.
The completion of this template is mandatory for all projects that require the collection and storage of personal information, and recommended for all projects that involve University records and data.
Who should fill out the Security and Privacy Risk Assessment Template?
The Project Manager, with the assistance of the Service Owner and the Vendor, is responsible for the completion of this document.
The Project Manager is … [define]
The Service Owner is the individual responsible for delivery of the business function.
When should the Security and Privacy Risk Assessment Template be filled out?
The Security and Privacy Risk Assessment Template is completed in parts; the sections are categorized according to project stage. Stages 1 and 2 must be completed before signing any contract or agreeing to any Terms of Use.
Resources
Those completing this risk assessment are encouraged to seek assistance from the Records Management and Privacy Office (http://www.queensu.ca/accessandprivacy/) as early in the process as practical.
STAGE 1: PROPOSAL
The purpose of this stage is to understand the business need: why is the project being considered? What data is involved in the project? What information will be collected, used, disclosed, retained and disposed of within the cloud service, and what is the level of sensitivity of that information? It is at this stage that the responsible information stewards should be consulted about the project, as well as any other relevant stakeholders.
The outcome of this stage is a decision on whether to proceed with seeking a solution. Accordingly, this stage should be completed BEFORE a service provider is procured.
The information in this stage is to be compiled by the Service Owner.
1.1 Project Identification and Lead
Project Name: <Insert>
Project Sponsor: <Insert>
Department: <Insert>
Project Manager/Lead: <Insert>
1.2 Project Description
Insert a brief overview of the project, the business needs and key objectives.
1.3 Key Stakeholders
Name | Title
1.4 Business Flow Diagram
The business flow diagram outlines the existing business processes in place. It should clearly demonstrate the overall goal of the business process, as well as the requirements involved in every step of the process.
1.5 Information Involved in the Project
1.5.1 Identify all individuals whose information will be involved in the project, i.e., the data subjects. Be as specific as possible, e.g., Students of which faculty? Employees of which department? Which constituency of community members?
DATA SUBJECT DESCRIPTION (e.g., faculty, department, number)
1.5.2 For each type of data subject, identify the kinds of personal information (i.e., data elements) that will be collected, used, disclosed, retained and disposed of through the project (check all that apply). Remember that information about an individual acting in a business capacity (e.g., name with job title, business contact information, etc.) is not considered to be personal information.
DATA ELEMENT (e.g., student number, email address, grades, personal opinions, etc.) | COLLECT (either by the unit or through the system/application) | USE (use of information already collected by the unit) | DISCLOSE (by the system/application) | RETAIN (in the system/application) | DISPOSE (by the system/application)
1.5.3 List all information stewards for the personal information involved in the project. Ensure these information stewards are consulted throughout this process.
DATA ELEMENT OR INFORMATION TYPE (e.g., student record, alumni record) | INFORMATION STEWARD (TITLE)
1.6 Information Handling Requirements
Based on the analysis above, refer to the University’s Data Classification Scheme, and identify specific information-handling requirements for each data element. Consult with the appropriate Information Steward if unsure.
DATA ELEMENT (e.g., student number, email address, grades, personal opinions, etc.) | ENCRYPTION IN TRANSIT | ENCRYPTION AT REST | SECURE DELETION/DESTRUCTION | JURISDICTIONAL RESTRICTIONS | ACCESS RESTRICTED TO NAMED INDIVIDUALS | [OTHER?]
1.7 Privacy and Records Retention Requirements
1.7.1 Identify applicable privacy and other legislation for the information involved in the project. Consult with the appropriate Information Steward if unsure.
YES | NO | UNKNOWN
Freedom of Information and Protection of Privacy Act (FIPPA)
Personal Health Information Protection Act (PHIPA) (N.B. If personal health information is involved, consult with the Privacy Office.)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Other:
1.7.2 Identify records retention and disposition requirements for the information involved in the project as defined by Queen’s University records retention schedules or in legislation or policy. (Note that under FIPPA, personal information must be retained for a minimum of 1 year after use.) Consult with the appropriate Information Steward if unsure.
SCHEDULE NUMBER | SCHEDULE TITLE | RETENTION PERIOD (Years) | DISPOSITION (Destroy or Transfer to Archives)
OTHER AUTHORITIES (identify and describe below; e.g., statutes, policies, collective agreements)
1.8 Assessment
Based on the information identified above, if it is decided to continue with outsourcing the project to a third-party vendor, ensure the vendor can meet all requirements for:
- Information handling
- Privacy
- Records retention
Ensure the Information Stewards are consulted and approve of any decision to move forward.
STAGE 2: INVESTIGATION The purpose of this stage is to investigate potential vendors and their ability to meet the needs identified in Stage 1. It is at this stage that vendors are asked to complete the Vendor Security and Privacy Assessment. In addition, the Service Owner should review each potential vendor’s Terms of Use and Privacy Policy.
The outcome of this stage is an identified vendor.
2.1 Security and Privacy Analysis
Questions for Service Owner
Question | Findings (Yes / No / Unknown / NA) | Response (If applicable, indicate the document where this is addressed)
COLLECTION
S2-1 Has the purpose of the collection been defined? What is the purpose of the collection?
S2-2 Is the collection of personal information authorized under FIPPA or another statute?
S2-3 Will notice of collection be provided to the individual(s)? Explain timing, method, and exemptions from notice, where authorized.
S2-4 Will the notice of collection comply with FIPPA? Explain how or missing components.
S2-5 Will personal information be collected directly from the individual? Explain the form of collection (for example, orally, hardcopy form, online portal, web form, etc.)
S2-6 Will personal information be collected indirectly from another source (e.g., from another Queen’s University system), or covertly? Why?
S2-7 Will indirect collection comply with FIPPA? Explain authority for indirect collection.
USE
S2-8 Has the purpose of the use been defined? Explain purpose(s).
S2-9 Will personal information be used for data matching, data analysis or data profiling? Describe.
S2-10 Will personal information be linked or cross referenced to other information systems, technologies or programs? Describe.
S2-11 Will personal information used for secondary purposes be anonymized?
S2-12 Have all parties using personal information been defined, for example, program staff, consultants, agents, third party service providers, etc.?
S2-13 Will there be procedural, technical, and physical measures in place to ensure personal information will be used only for authorized purposes and by authorized parties? Explain measures.
DISCLOSURE
S2-14 Have all parties disclosing personal information been defined, for example, program staff, consultants, agents, third party service providers, etc.?
S2-15 Do all parties disclosing personal information have the legal authority for the disclosures?
S2-16 Has the purpose of the disclosure been defined? Explain purpose(s).
S2-17 Will personal information be disclosed to any persons who are not employees of Queen’s University?
S2-18 Will disclosures of personal information be for purposes stated in the notice of collection or for a consistent purpose?
S2-19 Will the disclosures be documented and how?
S2-20 Will disclosures be documented and controlled by information-sharing agreements or other means?
S2-21 Will there be controls in place to ensure personal information will be disclosed for authorized purposes, by and to authorized parties? Explain controls.
Questions for Project Manager
Question | Response
S2-22 Which key stakeholders have been provided with an opportunity to comment on the sufficiency of privacy protections and their implications on the proposed/existing solution? Describe any outstanding concerns.
S2-23 Have you contacted other universities or institutions that have implemented the same solution to discuss the risks planned for and issues encountered? Please provide feedback.
S2-24 Have you consulted the University’s Privacy Officer and Information Security Officer on the Security and Privacy risks and considerations?
STAGE 3: INITIATION
The purpose of this stage is to negotiate and settle on terms with a vendor. Measures regarding access to the records for purposes of fulfilling access requests, retention and disposal of records, and privacy breach protocols should be addressed at this stage.
The outcome of this stage is a contract and/or Service Level Agreement with the selected vendor.
3.1 Solution Information
Vendor: <Insert>
Software Name: <Insert>
Overview of Solution: <Insert>
3.2 Security and Privacy Analysis
Questions for Service Owner
Question | Findings (Yes / No / Unknown / NA) | Response (If applicable, indicate the document where this is addressed)
REQUESTING ACCESS TO PERSONAL INFORMATION
S3-1 Will requests from individuals for access to and correction of personal information be recorded and tracked?
RETENTION
S3-2 Will there be defined and documented policies, procedures, and other requirements related to the retention of personal information?
S3-3 Will reasonable measures be in place to ensure that personal information will be retained for a minimum of one year after its last use?
S3-4 Has the medium and format of the personal information to be retained been defined?
DISPOSAL AND DESTRUCTION
S3-5 Will procedures be defined and documented for the secure disposal (e.g., transfer to the University Archives, or secure destruction) in accordance with applicable retention schedules? Explain disposal process.
S3-6 Will procedures be defined and documented for disposal of devices and equipment containing personal information?
S3-7 Will controls be defined and documented to ensure only appropriate personal information will be disposed of or destroyed, and only by authorized parties after obtaining appropriate approval?
S3-8 Will details of the disposal of personal information be recorded?
SECURITY
S3-9 Will measures be used to secure the personal information? Explain each physical, technical and procedural measure.
S3-10 Will security policies and procedures be defined and documented to protect the confidentiality, integrity and availability of personal information? Provide documentation showing which persons, positions, or employee categories have access to the personal information.
S3-11 Will user activities be monitored for security and quality assurance purposes?
S3-12 Will control mechanisms be in place to monitor user accounts, access rights and security authorizations within the system? Describe control mechanisms.
S3-13 Will procedures be defined and documented on how to identify, report, investigate and address the unauthorized access, collection, uses and/or disclosure of personal information?
S3-14 Will criteria be developed to determine and authorize “need to know” access to personal information? Describe the criteria.
Ensure that any risks that cannot be addressed appropriately through the business procedures are added to the Security and Privacy Risk Register (below).
Question for Project Manager
Question | Response
S3-15 Have Security and Privacy risks been identified on the Project Risk Register?
3.3 Contract Negotiation
Ensure the contract or agreement addresses the following conditions:
Condition | Suggested Wording for Contract
1. Queen's University retains ownership of all records and information.
Queen's University retains ownership of all records and information with regards to the service.
2. The service provider will use the records and information for Queen's University’s purposes and for no other purpose.
The service provider will use the records and information for Queen's University’s purposes and for no other purpose.
3. No records or information will be disclosed without the consent of Queen's University.
No records or information will be disclosed without the consent of Queen's University.
4. The service provider has a privacy policy and/or complies with privacy legislation.
[Vendor] shall comply with all federal, provincial and local laws, rules, regulations and ordinances governing or relating to privacy rights in connection with its performance under this Agreement including, without limitation, PIPEDA.
5. The service provider will ensure that it acts in such a way as to assist Queen's University meet its obligations under FIPPA and other statutes as necessary.
[Vendor] acknowledges that Queen’s University is governed by the Ontario Freedom of Information and Protection of Privacy Act (“FIPPA”) and hereby undertakes and agrees to cooperate as reasonably necessary with Queen’s University in fulfilling Queen’s University’s obligations thereunder, including without limitation, in assisting Queen’s University in responding to an access request referencing documents that may be in the custody or control of [Vendor] pursuant to this Agreement.
6. The service provider will resist, to the extent lawful, any orders to disclose information without consent, will give notice to Queen's University of any orders and give Queen's University opportunity to dispute the order.
The service provider will resist, to the extent lawful, any orders to disclose information without consent, will give notice to Queen's University of any orders and give Queen's University opportunity to dispute the order.
7. The service provider will not assign the contract to another service provider without the consent of Queen's University.
[Vendor] may not assign or transfer, by operation of law or otherwise, this Agreement or any of its rights under this Agreement to any third party without Queen’s University’s prior consent.
8. The service provider is transparent about its partners, suppliers and sub-contractors.
9. The service provider's partners, suppliers and sub-contractors are bound by the same terms and conditions as the service provider.
[Vendor] will disclose the Queen’s University records and information only to its partners, suppliers and sub-contractors who have a need to know such information for such purposes and who are under a duty of confidentiality no less restrictive than [Vendor’s] duty hereunder.
10. The service provider is transparent about the location(s) of Queen’s University records and information.
11. The service provider's employees are properly vetted and trained in privacy and confidentiality of customer information.
12. The service provider will limit access to Queen's University's records and information to specific and appropriate individuals within the service provider's organization.
[Vendor] will disclose the Queen’s University records and information only to its employees who have a need to know such information for such purposes and who are under a duty of confidentiality no less restrictive than [Vendor’s] duty hereunder.
13. The service provider has security measures in place to prevent unauthorized access to its systems and to Queen's University's records and information.
14. The service provider has acceptable protocols in place in the event of a security or privacy breach.
15. The service provider will work cooperatively with Queen's University in the event of a privacy or security breach.
16. The service provider will allow Queen's University to audit its security measures and information handling practices.
17. The service provider has no limitations of liability related to Security and Privacy.
18. The service provider will work cooperatively with Queen's University to assist Queen's in complying with records retention requirements.
19. The service provider will permit Queen's University to terminate the agreement for any reason.
Queen’s University may terminate this Agreement, or all or any of the Services, at any time, without cause and for convenience, by providing at least [x] days prior written notice of such termination.
20. Upon termination, the service provider will return the records and information (or a copy) to Queen's University in a readable format AND/OR permanently destroy/delete the records and information.
21. The service provider will not retain any copies of records and information once instructed to return, destroy or delete them, and will provide written evidence of compliance.
[Vendor] shall, no later than [x-period of time] following the termination of this Agreement, however caused, permanently and irretrievably destroy all Confidential Information held by it in any format pursuant to this Agreement. Queen’s University shall be entitled to request proof of and/or certification from [Vendor] of such destruction and the method used therefor.
If appropriate terms cannot be negotiated, ensure any resultant risks are included in the Security and Privacy Risk Register (below).
STAGE 4: PLANNING The purpose of this stage is to establish operational procedures for ensuring the Security and Privacy requirements are met by the selected vendor. The outcome of this stage is a set of business procedures that can be operationalized.
4.1 Data Flow
The data flow diagram serves as a graphic representation of the flow of data through an information system. It must illustrate the following:
a. How data is being collected
b. How data is being stored and processed
Note that in some cases, the data flow architecture diagram could be identical to the business flow diagram.
4.2 Security and Privacy Analysis
Questions for Service Owner
Question | Findings (Yes / No / Unknown / NA) | Response (If applicable, indicate the document where this is addressed)
PRIVACY MANAGEMENT
S4-1 Will accountability for managing personal information throughout its lifecycle be defined to include parties involved in the project, for example, the University, the vendor and any other third parties? Explain accountability.
S4-2 Will operational policies, procedures or practices related to the protection of personal information be needed?
S4-3 Have all parties requiring training on operational, security and privacy aspects of the project been identified?
S4-4 Has the individual responsible for ensuring that all parties receive appropriate training been identified?
S4-5 Will communications exist to inform individuals how the system works and how their personal information will be managed?
ACCURACY AND CORRECTION
S4-6 Will there be measures in place to make sure personal information is not used unless it is accurate, complete and up-to-date? Provide details of measures.
S4-7 Will individuals be provided with an option to update all of their personal information?
S4-8 Will a log exist to track any changes made to stored personal information in the system?
S4-9 Will other sources of the same information be updated? How?
S4-10 Will there be a defined and documented process for the processing of a request for the correction of personal information? Provide details of process.
BREACH PROTOCOLS
S4-11 Will protocols be in place to identify privacy and security breaches? Describe the protocols.
S4-12 Will users be notified of a compromise of security or privacy? How?
STAGE 5: IMPLEMENTATION The purpose of this stage is to ensure that all documentation required for the operation of the system has been completed, and that all residual risks have been identified and strategies for risk mitigation developed. The outcome of this stage is the written Operational Documentation and the completed Security and Privacy Risk Register.
5.1 Security and Privacy Analysis
Questions for Service Owner
Question | Response
S5-1 Has your staff been formally trained for handling personal information?
S5-2 Has the vendor agreement been negotiated to mitigate privacy and security risks to the greatest extent possible?
Questions for Project Manager
Question | Response
S5-3 Has the Privacy Risk Assessment, including the Security and Privacy Risk Register, been fully completed?
S5-4 Has the Operational Documentation been fully completed?
Security and Privacy Risk Register
Based on your responses in the Security and Privacy Analysis, complete the risk register below. Consider the likelihood and impact of all residual risks, and the strategies for mitigating such risks.
Risk Description | Risk Likelihood (5 = almost certain, 4 = likely, 3 = possible, 2 = unlikely, 1 = rare) | Risk Impact (5 = catastrophic, 4 = major, 3 = moderate, 2 = minor, 1 = insignificant) | Risk Analysis (Likelihood x Impact: 20+ = extreme, 11 to 19 = high, 5 to 10 = moderate, 1 to 4 = low) | Owner | Risk Mitigation Strategy
Example: Vendor will not encrypt data at rest in its data centre meaning that if the data centre is compromised, personal information could be improperly accessed and disclosed.
Example: 2 – data centre has good physical and technical security
Example: 4 – personal information includes the educational history of students (student number, grades, etc.)
Example: 8 = moderate
Example: Service Owner
Example: Continue to push vendor to implement encryption at rest. Take steps to minimize the personal information collected. Ensure information is destroyed as per the contract and not retained by the vendor.
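The scoring scheme of the register above (a 1 to 5 likelihood scale, a 1 to 5 impact scale, their product, and the four rating bands), carried through in code as an added example. This is not part of the Queen's University template: the class and function names are this example's own, the first sample row is the register's worked example restated, and the second sample row is constructed for illustration.

```python
# Added example (not part of the Queen's University template): a small
# scoring helper for the Security and Privacy Risk Register. The
# likelihood and impact scales, the Likelihood x Impact product and the
# four rating bands are the register's own; the class, function names and
# the second sample risk below are assumptions made for this example.

from dataclasses import dataclass

# Scales exactly as the register defines them.
LIKELIHOOD_SCALE = {5: "almost certain", 4: "likely", 3: "possible",
                    2: "unlikely", 1: "rare"}
IMPACT_SCALE = {5: "catastrophic", 4: "major", 3: "moderate",
                2: "minor", 1: "insignificant"}


def rating_band(score: int) -> str:
    """Map a Likelihood x Impact product to the register's rating band.

    Bands: 20+ = extreme, 11 to 19 = high, 5 to 10 = moderate, 1 to 4 = low.
    """
    if score >= 20:
        return "extreme"
    if score >= 11:
        return "high"
    if score >= 5:
        return "moderate"
    if score >= 1:
        return "low"
    raise ValueError(f"score {score} is below the register's lowest band")


@dataclass
class RiskEntry:
    """One row of the risk register."""
    description: str
    likelihood: int
    impact: int
    owner: str
    mitigation: str

    def _check(self) -> None:
        # Both inputs must be on the 1..5 scales; anything else is a
        # data-entry error, not a valid risk score.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact must be 1..5, got {self.impact}")

    def score(self) -> int:
        """Risk Analysis column: Likelihood x Impact."""
        self._check()
        return self.likelihood * self.impact

    def band(self) -> str:
        return rating_band(self.score())


def band_coverage() -> dict:
    """Every product two 1..5 scores can form, mapped to its band.

    Sanity check on the thresholds: every reachable product lands in
    exactly one band, even though values such as 7, 11 and 13 can never
    occur as a product of two 1..5 integers.
    """
    return {lk * im: rating_band(lk * im)
            for lk in LIKELIHOOD_SCALE for im in IMPACT_SCALE}


def register_summary(entries) -> list:
    """Rows as (score, band, owner, description), highest score first,
    so the register can be triaged from the top."""
    rows = [(e.score(), e.band(), e.owner, e.description) for e in entries]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Sample rows. The first restates the register's own worked example; the
# second is constructed for this example only.
EXAMPLE_RISKS = [
    RiskEntry(
        description=("Vendor will not encrypt data at rest in its data centre, "
                     "so a compromised data centre could expose personal information."),
        likelihood=2, impact=4, owner="Service Owner",
        mitigation=("Continue to push vendor to implement encryption at rest; "
                    "minimize personal information collected; "
                    "ensure information is destroyed as per the contract."),
    ),
    RiskEntry(  # constructed sample, not from the template
        description="Vendor has not disclosed the jurisdiction(s) where backups are stored.",
        likelihood=3, impact=4, owner="Project Manager",
        mitigation="Require location disclosure in the contract (condition 10).",
    ),
]

if __name__ == "__main__":
    for score, band, owner, desc in register_summary(EXAMPLE_RISKS):
        print(f"{score:>2} {band:<9} {owner:<16} {desc}")
```

Running the block prints the two rows highest score first; the register's own example scores 2 x 4 = 8, which is "moderate", matching the page. The range check in score() is there because a likelihood or impact typed outside 1 to 5 silently inflates or deflates the product, which is the kind of error a register review should catch.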
Appendix 1: Personal Information under FIPPA
“Personal information” (FIPPA) means recorded information about an identifiable individual, including,
(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, telephone number, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except where they relate to another individual,
(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
(g) the views or opinions of another individual about the individual, and
(h) the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;
“Business identity”: (FIPPA) Personal information does not include the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity.
The purpose of FIPPA is:
(a) to provide a right of access to information under the control of institutions in accordance with the principles that,
(i) information should be available to the public,
(ii) necessary exemptions from the right of access should be limited and specific, and
(iii) decisions on the disclosure of government information should be reviewed independently of government; and
(b) to protect the privacy of individuals with respect to personal information about themselves held by institutions and to provide individuals with a right of access to that information.
The provisions of Part 3 of FIPPA apply to personal information – that is, recorded information about an identifiable individual – in the custody or under the control of an institution.
FIPPA assessment is based on questions addressing:
1. Collection; (Sec. 38(2))
2. Use; (Sec. 41)
3. Disclosure; (Sec. 42)
4. Retention; and (Sec. 40(1))
5. Destruction. (Sec. 40(4))
Appendix 2: Privacy Principles
These principles are taken from the Canadian Standards Association’s “Model Code for the Protection of Personal Information” (1996) and form the foundation for all privacy legislation in Canada, including Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA), which applies to public sector and broader public sector organizations in Ontario, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private sector organizations in Canada and federally regulated bodies.
Principle 1 - Accountability
An organization is accountable for personal information under its control and shall designate an individual(s) who is/are accountable for the custodian’s compliance with the appropriate legislation and the Principles adopted by Queen’s University.
Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the custodian at or before the time the information is collected. Individuals must be told why their personal information is being collected at or before the time of collection.
Principle 3 - Consent
Consent of the individual is required for the collection, use and disclosure of personal information, except where obtaining consent is inappropriate.
Principle 4 - Limiting Collection
The primary purpose of the collection of personal information is to benefit the individual. Collection for a use that is not the care and treatment of the individual shall be restricted to what is necessary and shall not impede the collection of information for the primary purpose. Information shall be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention
Personal information shall only be used or disclosed for purposes for which it was collected, except with the consent of the individual or as required by law. The purpose of the use, disclosure and retention of personal information is to benefit the individual. Any other use or disclosure shall be restricted to what is necessary and shall not impede the collection of information.
Principle 6 - Accuracy and Integrity
The accuracy and integrity of personal information are necessary to offer the services required, to respect the individual’s right to privacy, and to meet the requirements for its collection, use or disclosure.
Principle 7 – Security Safeguards
Personal information shall be protected by security safeguards appropriate to the information and against unintended or unauthorized access, use or intrusion, or such dangers as accidental loss or destruction.
Principle 8 - Openness
The custodian shall make readily available to individuals specific information about its policies, procedures and practices relating to the management of personal information.
Principle 9 - Individual Access
Individuals have the right to access their own personal information. Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate, subject to exceptions.
Principle 10 - Challenging Compliance
Individuals shall be informed that the custodian’s policies, procedures and practices are open to scrutiny and challenge. An individual shall be able to challenge compliance with the above Principles.