The Start-up’s Guide to Privacy

TURN PRIVACY INTO A COMPETITIVE ADVANTAGE

Agenda

• Introduction to Privacy
• Privacy and the Law
• Privacy Gap Assessment Workshop
• Panel: Privacy – Who Cares?
• The Start-up’s Guide – Practical Next Steps

January 2016

Important Definitions

• Privacy - The right of an individual to control the collection, use, disclosure and retention of their personal information

• Confidentiality - The obligation of a health care provider (or other person) to protect the secrecy of personal information

• Security - The tools and techniques we use to protect the confidentiality, integrity and availability of personal information

Why Privacy?

• Privacy legislation

• Advances in information technology and data mining

• Public expectations

Privacy Principles

There is nothing new or difficult about privacy. Good privacy is:

• Good business practice
• Good information management practice
• Good clinical and health care management practice

Organizations that have good business, information management and clinical management practices in place are likely in compliance with these principles already.

The Importance of Principles

• Consistent application of privacy rights locally, nationally and internationally

• Defines with precision the privacy obligations of people handling personal information

• Provides a sound basis for a privacy protection program

CSA Privacy Code

1. Accountability
2. Defined Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Limiting Use, Disclosure and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Brendan Seaton and Rob Ford are admitted to hospital….

Whose personal information is more sensitive?

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

7 Foundational Principles of PbD

1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End-to-end Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User-Centric

Privacy and the Law

