1.
Privacy, Security &
Access to Data
Cyber Summit 2015
Brian Hamilton, Director, Compliance and Special InvestigationsSeptember 28, 2015

2.
Agenda
• Privacy laws enable your success
• How do privacy regulators analyze
information sharing/analytics/big data
initiatives?
• Regulatory challenges
• Tips for success in working with privacy
regulators

3.
Office of the Information and
Privacy Commissioner of Alberta
• Commissioner – Jill Clayton
• an officer of the Legislative Assembly
• independent of government
• Oversight of Alberta’s access to
information and privacy laws:
• Freedom of Information and Protection of Privacy Act
• Personal Information Protection Act
• Health Information Act
• Provincial government is responsible for
legislation

4.
What we do

5.
How we intersect with research
• Health Research Ethics Boards
• File their approvals with us
• Duty to review research proposals and assess whether
adequate safeguards are in place
• Privacy Impact Assessment review
• Especially data matching
• Recommended for multi-stakeholder initiatives
• Investigations
• Unusual, most people aren’t aware, or have consented
• access to data without agreement

6.
Privacy is an enabler
• Privacy regulators understand benefits of
information sharing and analytics
• Advancement of science, health
• Convenience
• Harmonized, coordinated, targeted services
• Efficiency, cost containment
• Privacy statutes allow appropriate information
sharing and data matching
• Privacy ensures your success
• We are in the freedom of information business

7.
Things privacy laws allow you to do
(as long as you do it right)
• Research
• Planning
• Resource allocation
• Policy development
• Quality improvement
• Auditing
• Evaluation
• Data matching
• Share personal information for service delivery

8.
How we analyze initiatives
• Who are you?
• Nature of organizations
• Jurisdiction
• What are you doing?
• What personal information will you collect, use or disclose?
• Research, data matching
• Is it legal?
• Analysis of legal authorities
• How are you managing risk?
• Information security
• Agreements, policies
• Incident response plans
• Regular review of controls
• Training

9.
Key Privacy Controls
(for big data initiatives)
• Governance, policies, training
• Access controls
• Need to know, least amount principle
• Consent (where necessary)
• Openness, transparency, notification
• Retention and disposition
• Only keep information as long as necessary
• Incident response
• Privacy laws use reasonableness test
• Controls do not need to be perfect

10.
Challenges
for the new data scientist
• We live in a federation and have international
partners
• Managing privacy among multiple stakeholders
(governance)
• Transparency
• Managing consent, citizen expectations
• Trans border legal demands
• Bureaucratic fear, uncertainty and doubt

11.
Tips for success
• Talk to us
• We are happy to consult on any initiative
• Early consultation prevents last-minute pitfalls
• Build privacy into your initiative from the start
• Last-minute, bolt-on privacy is expensive and inefficient
• Engage the public
• Transparency assuages fear
• Conduct a privacy impact assessment
• Our Office is pleased to review and provide comments
• Consider making your PIA public
• Develop privacy expertise

12.
Curriculum
for the new data scientist
• Privacy principles
• Privacy risk assessment and mitigation
strategies
• Information security
• Access to information
• Records management
• Agreements and contracts

13.
OIPC sponsored research on
information sharing
Government Information Sharing
Is Data Going Out of the Silos, Into the Mines?
•http://
www.oipc.ab.ca/Content_Files/Files/Publications/Repor
•Case studies
•Citizen expectations
•Examining risk in data sharing projects
13

14.
Free PIA training
• Calgary: October 16
• Edmonton: October 15
• www.oipc.ab.ca for more info.

15.
Your questions

16.
THANK YOU!
Brian Hamilton
Director, Compliance and Special Investigations
Office of the Information and Privacy Commissioner, Alberta
bhamilton@oipc.ab.ca
www.oipc.ab.ca
780.422.6860