Government of Ontario

PRIVACY DESIGN PRINCIPLES

PERSONAL INFORMATION

Version 1.5 Updated: 23 May, 2000


Objectives

To ensure that the government:

  • protects the privacy of individuals with respect to personal information about themselves held by institutions,
  • provides individuals with a right of access to that information as stated in the Freedom of Information and Protection of Privacy Act ( FIPPA).

This means the Government of Ontario's Enterprise Information & Information Technology Architecture in all its stages, from planning through development, will, at a minimum, comply with FIPPA legislation.

Background

The mandate of the Enterprise Information and Information Technology Architecture (EIA) project is to develop a business-driven, top-down, government-wide architecture that will provide a framework and foundation for all information and information technology projects across the Government of Ontario. This enterprise architecture will serve as a management tool to co-ordinate initiatives across the government and to manage the impact of emerging technologies.

In Ontario, data protection legislation provides the business direction regarding how personal information is to be collected, used, disclosed and retained. For the most part, the objective of technology design in the past has been to ensure that the data being captured is kept in a secure manner. While data security is essential to the achievement of privacy protection, security does not equal privacy. Privacy relates to the informed consent and the control a person exerts regarding the collection, use and disclosure of their personally identifiable information. Security is concerned with the authentication, integrity, confidentiality and non-repudiation aspects of the data.

Since the introduction of Ontario's Freedom of Information and Protection of Privacy Act, the power of Information Technology (IT) to collect, match, manipulate and re-use information has grown exponentially. The capacity of IT to collect, process, store and link information, including personal information, from separate government programs has increased the ability to manage, maintain and provide accurate information. This increase in the power and capacity of IT introduces real and perceived risks to personal privacy if the technology is not designed at the outset to build in privacy. Modern technologies, including commercial "off-the-shelf" offerings, and technology-driven business redesign pose new privacy risks if not implemented and managed carefully. In addition to violating the spirit or legal obligations of privacy legislation, they risk the accidental or deliberate creation of the capacity for overt or covert data surveillance and profiling of individuals. Limiting a technology's ability to conduct surveillance ensures privacy.

The use of privacy design principles is one part of a two-part process to ensure that new initiatives meet privacy protection requirements. Incorporating the privacy design principles at the beginning of business and I & IT planning cycles will ensure that proposals are developed whose business and system details conform to privacy objectives. It will also ensure that I & IT initiatives clearly identify any circumstances where privacy may be at risk and any specific design and implementation initiatives that need to be introduced.

This approach should preclude inappropriate investments in strategies and development work, or the need to substantially revise such projects after an assessment of the project's privacy impact. A privacy impact assessment (PIA), the second part of the privacy compliance process, is an MBC requirement prior to approval of projects that involve changes in the management of personal information held in trust by government programs.

The Government of Ontario is committed to ensuring the personal privacy of Ontario's citizens. The privacy of individuals must be an integral component of the design of new technology or information systems, not only at the beginning but throughout the development and maintenance of the technology or system.

The Purpose of Privacy Design Principles

Provincial, Territorial and Federal Ministers responsible for the Information Highway confirmed the importance of privacy protection at their June 12, 1998 meeting. The Ministers agreed to support the Canadian Standards Association Model Privacy Code as a minimum privacy standard and urged their colleagues and industries within their respective jurisdictions to meet or exceed the CSA Standard in their operations.

The Ontario government is committed to keeping the personal information it collects accurate and secure. It is also committed to I & IT that has privacy design principles built in at the outset. Privacy design principles support the informed consent and the control a person has over his or her personally identifiable information. Developing I & IT that is built on privacy design principles will ensure that individuals can make informed decisions about the purposes for which their personal information is collected or disclosed. The privacy design principles adhere to the Freedom of Information and Protection of Privacy Act (FIPPA). The principles also reflect the CSA Model Privacy Code and the Fair Information Practices, which embody an international standard regarding privacy. These principles provide a framework used in the development and ongoing refinement of the Government of Ontario's Enterprise Information and Information Technology Architecture and will ensure that the government protects the privacy of individuals with respect to personal information about themselves held by institutions and provides individuals with a right of access to that information.

In a number of the principles, reference is made to the use of privacy impact assessments (PIA). The need for a PIA is dependent on the extent and significance of the changes or additions to be made in a technology or in an information system; a full PIA may not be required to evaluate and address privacy concerns in all cases. Criteria for the extent of the PIA that must be conducted are available at www.accessandprivacy.gov.on.ca/english/pia/index.html. All information or information technology projects which involve changes in the management and/or use of personal information must satisfy the PIA requirements before MBS approval for funding or ministry approval to begin the project. In some cases, a full PIA will be required before the project can begin, whereas in other cases the PIA can be completed in stages aligned with the project. Guidelines and processes for determining PIA requirements will be developed.

LEGISLATIVE REQUIREMENTS

The Freedom of Information and Protection of Privacy Act (FIPPA) applies to Ontario's provincial ministries and most agencies, boards and commissions, as well as community colleges and district health councils.

The Act requires that the government protect the privacy of individuals with respect to personal information about themselves held by institutions, and to provide individuals with a right of access to that information. The Act also gives individuals the right to request access to government information.

The Freedom of Information and Protection of Privacy Act (FIPPA) establishes the obligations of institutions

to protect the privacy of individuals with respect to personal information about themselves held by institutions and to provide individuals with a right of access to that information. R.S.O. 1990, c. M.56, s. 1.

The Act defines personal information as

"recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

(c) any identifying number, symbol or other particular assigned to the individual,

(d) the address, telephone number, fingerprints or blood type of the individual,

(e) the personal opinions or views of the individual except where they relate to another individual,

(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,

(g) the views or opinions of another individual about the individual, and

(h) the individual's name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual; ("renseignements personnels")

and records systems as

"personal information bank" means a collection of personal information that is organized and capable of being retrieved using an individual's name or an identifying number or particular assigned to the individual; ("banque de renseignements personnels")

"record" means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes,

(a) correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material, regardless of physical form or characteristics, and any copy thereof, and

(b) subject to the regulations, any record that is capable of being produced from a machine readable record under the control of an institution by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution; ("document") R.S.O. 1990, c. F.31, s.2.

The Act further requires institutions to be open about the personal information under their control by requiring that

A head shall cause to be included in a personal information bank all personal information under the control of the institution that is organized or intended to be retrieved by the individual's name or by an identifying number, symbol or other particular assigned to the individual. R.S.O. 1990, c. F.31, s.44.

Personal Information Bank Index

The responsible minister shall publish at least once each year an index of all personal information banks setting forth, in respect of each personal information bank,

(a) its name and location;

(b) the legal authority for its establishment;

(c) the types of personal information maintained in it;

(d) how the personal information is used on a regular basis;

(e) to whom the personal information is disclosed on a regular basis;

(f) the categories of individuals about whom personal information is maintained; and

(g) the policies and practices applicable to the retention and disposal of the personal information. R.S.O. 1990, c. F.31, s. 45.

FIPPA represents the Legislature's recognition that privacy is not absolute. Competing interests regarding individual privacy include the person's (the data subject's) interest in fully controlling how the government collects, uses and discloses his or her personally identifiable information, the public interest (e.g., public safety), and governmental requirements (e.g., reducing welfare fraud). For example, there are specific provisions which provide the authority, without consent, to collect, disclose, or refuse disclosure of personal information for limited purposes relating to law enforcement, or to disclose personal information in compelling circumstances affecting the health or safety of an individual, with notice sent to the individual's last known address.

The requirements of FIPPA are the absolute minimum requirements that must be followed for the protection and management of personal information. In some cases, legislated exemptions apply to a program or to specific records, which are then exempt from the requirements of FIPPA.

Over time the structures of government, the roles of programs, and interpretations of the public interest may change and be reflected in new or amended statutes. Accordingly, these design principles will evolve and be refined to reflect the statutory changes.

RELATED REQUIREMENTS

There are a number of information management requirements that must be considered in the development of I & IT projects. These principles address privacy. Related but separate requirements not addressed in these principles include access to non-personal government information, recorded information management (RIM), and responsibilities under archives legislation.

PRIVACY DESIGN PRINCIPLES

The component architectures of EIA are information, application, security and technology. Each of the privacy design principles must be applied against each of these components.

In addition to the privacy design principles, consideration should be given to incorporating the privacy enhancing advantages of particular technologies which permit anonymity, pseudonymity, improve security and maintain segregation of personally identifiable data to limit surveillance risks.

In addition to the requirements of FIPPA, which form the basis of the Privacy Design Principles, the following specific Design Principles apply.

1. Accountability

Privacy Principle
Ontario government ministries and agencies are accountable for personal information that is under their custody or control. This includes situations where ministries are in possession of the personal information (custody) or situations where ministries retain the ability to manage, restrict or administer the collection, use or disclosure of the personal information in the hands of third parties (control).

Design Principle
Information and Information Technology sponsors will designate a point of accountability: the individual(s) to be held accountable for managing the privacy of personal information in the design, development and implementation of initiatives.

Accountability practices include:

  1. Ensuring all privacy design principles have been incorporated into the technology design, and overseeing the organization's privacy impact assessments and initial and ongoing security risk assessments.
  2. Ensuring information systems are capable of providing access to personal information on request and have the capacity to record who has/had access to the personal information and for what purpose.
  3. Ensuring staff managing the data are trained on privacy protection requirements.
  4. Ensuring information systems are transparent and documented so that individuals can be informed about how their personal information is collected, used and disclosed.
  5. Establishing regular security and privacy compliance audits commensurate with risks to the data subjects and governmental operations, utilizing as appropriate internal auditors, public oversight agencies and external independent auditors.

2. Identifying the Purpose for Collecting Personal Information

Privacy Principle
Ministries and agencies will identify the purpose for which personal information is lawfully collected at or before the time the information is collected.

Design Principle
Organizations must clearly identify and document the purpose(s) for which they collect personal information. The identification of collection purposes must be conducted in a systematic and evidence-based fashion. Systems design must ensure the system's outcome is limited to the purposes for which personal information may be lawfully collected, used and disclosed. Attention must also be paid to all instances where personal information is disclosed regularly to other programs.

3. Limits for Collecting Personal Information

Privacy Principle
FIPPA prohibits the collection of personal information unless the collection is expressly authorized by statute, used for law enforcement or is necessary for the proper administration of a lawfully authorized activity.

Design Principle
Limits on the collection of personal information must be incorporated into the design of information systems to ensure that extraneous or unnecessary personal information is not collected. A privacy impact assessment should be completed in all cases where significant changes to collection practices are proposed or where additional personal information is to be collected for purposes other than for those previously identified or authorized.

Common multi-program identifiers must be avoided for use with unrelated programs. Distinct identifiers for unrelated programs are required to reduce the opportunity for improper data matching. Design strategies that are based on data subject anonymity or pseudonymity are the preferred approach for applications that aggregate data from multiple programs for data mart/warehouse business analysis.
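A worked illustration of the distinct-identifier requirement, added here and not part of the Government of Ontario document: each program derives its own keyed pseudonym from the source identifier, so records about the same person carry unrelated references in unrelated programs and cannot be joined on the identifier, while retrieval by reference still works inside a program. Program names, keys and sample rows are constructed for the example.

```python
"""Per-program pseudonymous subject references (added example, constructed data)."""
import hashlib
import hmac
import secrets


def derive_pseudonym(program_key: bytes, program_name: str, source_id: str) -> str:
    # Keyed HMAC-SHA256: deterministic within one program, so the personal
    # information bank can still be retrieved by the reference, but unrelated
    # across programs because each program's key is generated and held only by
    # that program's accountable custodian (Principle 1). Re-identification is
    # therefore only possible where the key is.
    msg = program_name.encode() + b"\x00" + source_id.encode()
    return hmac.new(program_key, msg, hashlib.sha256).hexdigest()


def pseudonymize(program_key: bytes, program_name: str, records: list) -> list:
    # Drop the common source identifier and attach the program-local reference.
    out = []
    for rec in records:
        copy = {k: v for k, v in rec.items() if k != "source_id"}
        copy["subject_ref"] = derive_pseudonym(program_key, program_name, rec["source_id"])
        out.append(copy)
    return out


def matchable(records_a: list, records_b: list) -> set:
    # Subject references present in both extracts: a join on subject_ref would
    # link the two programs' records, the data-matching opportunity to minimize.
    return {r["subject_ref"] for r in records_a} & {r["subject_ref"] for r in records_b}


def demo() -> tuple:
    # Constructed scenario: the same two individuals appear in two unrelated programs.
    people = ["C-1001", "C-1002"]
    housing = [{"source_id": p, "benefit": "rent"} for p in people]
    licences = [{"source_id": p, "class": "G"} for p in people]

    # Preferred design: a distinct key per program.
    key_housing, key_licences = secrets.token_bytes(32), secrets.token_bytes(32)
    distinct = matchable(pseudonymize(key_housing, "housing", housing),
                         pseudonymize(key_licences, "licences", licences))

    # Avoided design: one shared key and label for both programs, which is the
    # same as a common multi-program identifier.
    shared_key = secrets.token_bytes(32)
    common = matchable(pseudonymize(shared_key, "shared", housing),
                       pseudonymize(shared_key, "shared", licences))
    return len(distinct), len(common)


if __name__ == "__main__":
    print("linkable subjects (distinct keys, shared key):", demo())
```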

4. Obtaining Consent

Privacy Principle
While consent is not the only legal authority by which to collect, use, disclose and destroy personal information, obtaining consent will often be the preferred approach.

Design Principle
An information management system should be designed to capture the subject's consent or lack of consent to the collection, use or disclosure of their personal information.

Consent should never be assumed. The design of the technology used in any interaction with clients should include the ability to identify in the system whether consent was provided or not and/or whether it was required or not.

Consent can be provided by traditional methods such as a signature on a mandated form, or through other means such as the use of access cards. For example, where an individual initiates a transaction with the Government of Ontario by using an ATM, it can be implied that consent has been given for the use of the personal information for that business transaction. However, consent could not be implied for other uses or disclosures that an average customer would not reasonably expect to be required to execute the transaction.

5. Limits For Using, Disclosing, And Retaining Personal Information

Privacy Principle
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as specifically authorized by law. Personal information should be retained only as long as necessary for the fulfillment of those purposes.

Design Principle
It cannot be assumed that where an individual has provided personal information for one purpose, the information may be used or disclosed to another Government body for an unrelated purpose.

Information systems must be designed to ensure that personal information cannot be used or disclosed for unauthorized purposes.

FIPPA requires that where personal information is used or disclosed for purposes other than those described in the Directory of Records, the circumstances of such use or disclosure must be attached or linked to the personal information. Information systems must be designed to record/reveal such attachments or links.

Data matching, or the aggregation of personally identifiable information from distinct program databases, whether for periodic, or data mart/warehouse functions, is only permitted when in compliance with the Management Board Directive on Data Matching.

6. Keeping Personal Information Accurate

Privacy Principle
Personal information should be accurate, complete and timely. The individual who provides the personal information must have access to the data kept on file about them.

Design Principle
Information systems should be designed to ensure that personal information can be accessed and corrected upon request, or that a record of an individual's disagreement with the accuracy of the record can be attached to the original record. The technology should have the ability to identify when data has been changed or modified, by whom, and for what reason in order to ensure accountability.

A history of correction transactions is to be retained. The technology should be designed so that this historical information or any inaccurate information is not routinely disclosed to persons other than the data subject. Anyone who has accessed inaccurate or historical information that is changed must be informed regarding the changes in a timely manner.

7. Safeguarding Personal Information

Privacy Principle
All personal information shall be protected by security safeguards appropriate to the sensitivity of the information and the risks to both data subjects and the government inherent in the information management architecture.

Design Principle
Organizations should conduct information classification reviews to determine the appropriate level of security to be applied to personal information. The level of security is dependent upon the sensitivity of the information, its value to authorized programs, and its value to unauthorized individuals or organizations.

Initiatives that have the potential to increase the accessibility of personal information in an information system should implement the most recent standards regarding encryption and Public Key Infrastructure (PKI).

Methods to protect personal information could include:

  • data encryption
  • access controls
  • two-way user authentication for remote access
  • login and password management
  • monitoring and auditing of employee access to personal information
  • risk assessments.

8. Openness

Privacy Principle
Ministries/agencies shall be open about the policies and procedures that apply to the management of personal information. Specific information about policies and practices relating to the management of personal information shall be readily available. An individual shall be informed of the existence, use and disclosure of his or her personal information.

This principle is essential to the operation of Principle #1 - Accountability and Principle #2 - Identifying the Purpose for Collecting Personal Information.

Design Principle
An information system involving personal information should be transparent, so that individuals can verify how their information is being collected, used, disclosed or destroyed. The types of transactions, the linkages within the system and the way in which personal information is collected, used, disclosed and retained must be clearly visible to data subjects and to system users. When requested, ministries and agencies should be able to provide a full description of all circumstances where the organization discloses an individual's personal information to third parties.

Who has the authority to access what information and for what purpose must be clearly identified. When program or legislative changes are made to a program, information about the change in the policy and the technology must also be available upon request. Consequently, information system changes must be clearly documented and readily available, unless to do so would reveal details about security-related activities.

9. Persons Will Have Access to Their Personal Information

Privacy Principle
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of his or her information and have it amended as appropriate.

Design Principle
An information system should be able to provide an individual with copies of the personal information that is kept in files stored throughout the information management system without disrupting the on-going operation of the organization.

Information systems must be designed to facilitate access by individuals to their personal information retained on the system, except where such access is not legally permitted (e.g. certain law enforcement information). Upon request, an explanation must be available to the individual explaining in easily understood terms what the data fields mean, e.g. what personal information is retained in each field. The system should be designed to provide this information at the least cost possible to the individual. This principle complements Principle #8 - Openness, in terms of how specific requests for more detailed information by individuals need to be addressed in information systems.

Individuals have the right to disagree with and to correct their personal information. An information management system must be able to amend or annotate any personal information that is subject to disagreement regarding accuracy. The system must also have the capacity to notify third parties, to whom incorrect personal information has been disclosed within the year preceding the correction, of the changes to the information or of the letter of disagreement.

10. Challenging Compliance

Privacy Principle
An individual shall be able to address a challenge concerning compliance with privacy requirements to a designated individual.

Design Principle
Ministries and agencies are accountable for the management of personal information under their custody or control and must respond to inquiries raised by individuals with respect to the management of their personal information. The use of agents or outsourcing does not reduce this obligation. Agent or outsourcing agreements must specify the mechanisms to ensure the ministry or agency can meet its compliance obligations. Compliance issues may be raised directly with individual ministries/agencies or may be communicated through the Office of the Information and Privacy Commissioner.

Information systems should be designed so that all transactions made on an individual's file can be traced for accountability purposes. The system should identify who input changes to a file, when the input was initiated and for what purpose.

A history of transactions should be retained for a determined length of time for audit purposes, to respond to privacy complaints or to support requests for information from an individual. Unless otherwise specified in legislation, FIPPA requires a minimum one-year retention period after the personal information has been used. In most information systems, the program's record retention schedules and archive requirements will exceed the FIPPA minimums.
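An in-memory model of the record-keeping that Principles 6, 9 and 10 ask for, added as an example and not part of the Government of Ontario document: every change and disclosure is logged with who, when and why; a subject's statement of disagreement is annotated rather than overwriting data; history and disagreements are shown only to the subject; and the third parties that received a field within the year preceding its correction can be listed for notification. Field names, actors, agencies and dates are constructed.

```python
"""Audit trail, correction history and disclosure notifications (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Event:
    when: date
    actor: str                        # who initiated the transaction
    purpose: str                      # for what purpose (traceable for accountability)
    kind: str                         # "update", "correction", "disagreement" or "disclosure"
    field_name: Optional[str] = None
    old: Optional[str] = None
    new: Optional[str] = None
    recipient: Optional[str] = None   # third party that received the field (disclosures only)


@dataclass
class SubjectRecord:
    subject_ref: str
    current: dict
    disagreements: dict = field(default_factory=dict)   # field -> subject's statement
    history: list = field(default_factory=list)         # retained transaction history

    def change(self, actor, purpose, fld, new, when, kind="update"):
        # Every change keeps the before/after values plus who, when and why.
        self.history.append(Event(when, actor, purpose, kind, fld, self.current.get(fld), new))
        self.current[fld] = new

    def disclose(self, actor, purpose, recipient, fields, when):
        # One event per disclosed field so later notifications can be targeted.
        for fld in fields:
            self.history.append(Event(when, actor, purpose, "disclosure", fld,
                                      old=self.current.get(fld), recipient=recipient))

    def record_disagreement(self, fld, statement, when):
        # The subject challenges accuracy; the value is annotated, not silently changed.
        self.disagreements[fld] = statement
        self.history.append(Event(when, self.subject_ref, "accuracy challenge",
                                  "disagreement", fld, new=statement))

    def parties_to_notify(self, fld, correction_date):
        # Third parties that received this field within the year preceding the correction.
        window_start = correction_date - timedelta(days=365)
        hits = [e.recipient for e in self.history
                if e.kind == "disclosure" and e.field_name == fld
                and window_start <= e.when <= correction_date]
        return sorted(set(hits))

    def view(self, requester_is_subject):
        # Historical and disputed values are not routinely shown to anyone but the subject.
        out = {"subject_ref": self.subject_ref, "current": dict(self.current)}
        if requester_is_subject:
            out["disagreements"] = dict(self.disagreements)
            out["history"] = list(self.history)
        return out


def build_sample():
    # Constructed scenario: an address disclosed to two agencies, then corrected.
    r = SubjectRecord("p-42", {"address": "1 Main St", "phone": "555-0100"})
    r.disclose("clerk-3", "benefit eligibility", "Agency B", ["address"], date(1999, 4, 1))
    r.disclose("clerk-3", "benefit eligibility", "Agency A", ["address", "phone"], date(2000, 3, 1))
    r.record_disagreement("address", "I moved; the address on file is out of date", date(2000, 5, 20))
    r.change("clerk-7", "subject correction request", "address", "2 Main St",
             date(2000, 5, 23), kind="correction")
    return r


if __name__ == "__main__":
    rec = build_sample()
    print("notify:", rec.parties_to_notify("address", date(2000, 5, 23)))
    print("third-party view:", rec.view(requester_is_subject=False))
```

Agency B received the address more than a year before the correction, so only Agency A is listed for notification.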
