Mark E.S. Bernard Privacy Protection System

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Uploaded by: mark-es-bernard-cissp-cism-cisa-cgeit-crisc

Posted: 12-May-2015

Category: Business

55 pages

DESCRIPTION

Mark E.S. Bernard Privacy Protection System

TRANSCRIPT

Page 1: Mark E.S. Bernard Privacy Protection System

Page 2: Mark E.S. Bernard Privacy Protection System

• ISO/IEC 27001 Integration
• PIA Overview
• Optimal Timing
• PIA Workflow
• PIA Process
• Privacy Protection Process
• Breach Protocol
• Q & A

Page 3: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 4: Mark E.S. Bernard Privacy Protection System

The control numbers on the following pages are those of ISO/IEC 27001:2005 Annex A. The 2013 edition, current when this deck was posted, renumbered them (for example, ownership of assets became A.8.1.2 and acceptable use of assets A.8.1.3), so map them before citing them in a current ISMS.

A.7.1.2 Ownership of assets

All information and assets associated with information processing facilities shall be ‘owned’ by a designated part of the organization.

A.7.1.3 Acceptable use of assets

Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.

Page 5: Mark E.S. Bernard Privacy Protection System

A.7.2.1 Classification guidelines

Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

A.7.2.2 Information labelling and handling

An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance

Page 6: Mark E.S. Bernard Privacy Protection System

A.10.7.1 Management of removable media

There shall be procedures in place for the management of removable media.

A.10.7.2 Disposal of media

Media shall be disposed of securely and safely when no longer required, using formal procedures.

A.10.7.3 Information handling procedures

Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse.

A.10.7.4 Security of system documentation

System documentation shall be protected against unauthorized access.

Page 7: Mark E.S. Bernard Privacy Protection System

A.12.1 Security requirements of information systems

A.12.1.1 Security requirements analysis and specification

Statements of business requirements for new information systems, or enhancements to existing information systems, shall specify the requirements for security controls.

Explanatory Notes

The documented security requirements and controls shall include at a minimum:

• classification of the data handled and/or generated by the system;
• access requirements;
• hardware and operating system to be used;
• software packages, programming languages, software tools;
• network elements communicating with the system;
• protection requirements for sensitive information;
• protection requirements for access;
• protection requirements for hardware and operating systems;
• protection requirements for network elements;
• security resources and security funding requirements; and
• required exceptions to security policy.

Page 8: Mark E.S. Bernard Privacy Protection System

A.15.1 Compliance with legal requirements

A.15.1.1 Identification of applicable legislation

All relevant statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

A.15.1.2 Intellectual property rights (IPR)

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

A.15.1.3 Protection of organizational records

Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

A.15.1.4 Data protection and privacy of personal information

Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

Page 9: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 10: Mark E.S. Bernard Privacy Protection System

As defined by the American Institute of Certified Public Accountants (AICPA), Personally Identifiable Information is any information relating to an identified or identifiable individual. It is broken into two categories:

• ‘Private Information’ (PI): a customer's name, address, telephone number, social security/insurance or other government identification numbers, employer, credit card numbers, personal or family financial information, personal or family medical information, employment history, history of purchases or other transactions, credit records and similar information.

• ‘Sensitive Private Information’: medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences.

Page 11: Mark E.S. Bernard Privacy Protection System

• customer data and records;
• non-published customer information;
• lists of actual and potential customers of the Organization;
• employee records of all kinds;
• Human Resources information;
• financial compensation information;
• performance information, until made public;
• intellectual property information;
• operating financial results, until made public;
• vendor proposals and potential contract information;
• new development projects and research discoveries that, if released, could have a severe effect on the Organization’s competitive advantage;
• pricing and cost information, before it is announced to the public and becomes classified as Public Domain;
• outside plant records including: circuit routing, facility information, cable and pair assignment information, and test line numbers; and
• Internal Audit and Organizational Security reports.

Page 12: Mark E.S. Bernard Privacy Protection System

The Privacy Impact Assessment is a risk management tool that achieves the following goals:

• Identifies actual or potential impacts that an information system, technology or program may have on privacy

• Transforms qualitative data into quantitative facts for decision makers

• Identifies and addresses the manner in which the actual or potential risks to privacy can be mitigated

• Ensures that the collection, use, disclosure, retention, or disposal of information complies with data protection legislation

Page 13: Mark E.S. Bernard Privacy Protection System

• Major changes to existing programs

• New programs

• New delivery structures and partnerships

• Changes in technology

• Additional systems linkages

• Enhanced accessibility

• Service monitoring

• Delivery channel management

• Data warehousing

• Re-engineering business processes

Page 14: Mark E.S. Bernard Privacy Protection System

• Marketing—Organization-specific policy experience, broad strategic policy and planning skills and customer impact analysis skills

• Operational—Knowledge of the operational flow of the organization, to advise on the feasibility, practicality, efficiency of the program and alternatives

• Systems Engineering—Including design, attributes and operations of mainframe and legacy systems, networking products, new Internet tools, system security and front-end customer interface systems

• Security Officer—Comprehensive financial and due diligence audit experience; if available, specialties related to audits of computer system vulnerabilities

• Legal—Statutory, regulatory and contractual expertise

• Privacy Expertise—National and international privacy standards, privacy enhancing technologies, and current privacy developments

Page 15: Mark E.S. Bernard Privacy Protection System

• United States Safe Harbor Privacy Principles, issued by the U.S. Department of Commerce on July 21, 2000
• July 14, 2000 - Safe Harbor Enforcement Overview, Federal and State “Unfair and Deceptive Practices” Authority and Privacy
• United Kingdom Data Protection Act 1998
• Organization for Economic Co-operation and Development (OECD) Privacy Guidelines
• European Union Directive 95/46/EC
• United Nations Guidelines for the Regulation of Computerized Personal Data Files, adopted by the UN General Assembly 14 December 1990
• International Chamber of Commerce Model Clauses for Use in Contracts involving Transborder Data Flows, 23 Sept. 1998
• Australia Privacy Act 1988
• Hong Kong Data Protection Principles
• Japan Handbook Concerning Protection of Personal Data
• ECOM Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector (version 1.0)
• Canada - Personal Information Protection and Electronic Documents Act, 48-49 Elizabeth II, Chapter 5, assented to 13th April, 2000
• Germany Federal Data Protection Act

This list reflects the state of the law when the deck was posted (May 2015). The U.S.-EU Safe Harbor framework was invalidated by the Court of Justice of the European Union in October 2015, and Directive 95/46/EC was repealed by the General Data Protection Regulation (GDPR) with effect from 25 May 2018, so confirm the current instruments for each jurisdiction before relying on any entry above.

Page 16: Mark E.S. Bernard Privacy Protection System

• Identifying the purpose of the personal information associated with business process

• Documenting the collection, use, disclosure and destruction of personal information

• Providing management with a tool to make informed policy, operations and system design decisions, based on an understanding of privacy risk and of the options available for mitigating that risk

• Ensuring that accountability for privacy issues has been clearly incorporated in the project

• Creating a consistent format and structured process for analyzing both technical and legal compliance with relevant statutory and regulatory obligations

• Reducing revisions and retrofitting of information systems to meet data protection statutory, regulatory and contractual obligations for compliance

Page 17: Mark E.S. Bernard Privacy Protection System

• Step 1 – Organizational Responsibility for Personal Information

• Step 2 – Identifying the Purpose for Personal Information

• Step 3 – Limiting Data Collection to Business Objectives

• Step 4 – Required Consent

• Step 5 – Limitations on the Retention of Personal Information

• Step 6 – Accuracy of Data

• Step 7 – Data Security

• Step 8 – Training and Communication

Page 18: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 19: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 20: Mark E.S. Bernard Privacy Protection System

Please note that there are three roles engaged in the process workflow described within this practice. The Organizational Information Security Office facilitates the development and finalization of the PIA. The Sponsor signs off on its acceptance. The Project Manager and Project Team provide the technical details and coordination until successful completion.

Page 21: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 22: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 23: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 24: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 25: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 26: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 27: Mark E.S. Bernard Privacy Protection System

1.1. Division/Department and Program Area.
Division: ________
Department: ________
Program: ________

1.2. Contact Position and/or Name, Telephone Number and E-Mail Address. (This should be the name of the individual most qualified to respond to questions regarding the PIA.)
Name: ________
Title: ________
Department: ________
Phone Number: ________
E-Mail: ________

1.3. Description of the Program/System/Legislation (Initiative) being assessed. (Please note if the initiative does not collect, use or disclose personal information.) If this is a change to existing legislation, system or program, describe the current system or program and the proposed changes.
________

Page 28: Mark E.S. Bernard Privacy Protection System

1.4. Purpose/Objectives of the initiative (if statutory, provide citation).
________

1.5. What are the potential impacts of this proposal? (Include privacy impacts in this description.)
________

1.6. Provide details of any previous PIA or other form of personal information assessment done on this initiative (in whole or in part).
________

Page 29: Mark E.S. Bernard Privacy Protection System

2.1. Describe the field-level elements of personal information that will be collected, used and/or disclosed, and the nature and sensitivity of the personal information. For example: name, home address, gender, age/birth date, SIN, employee number, race/national or ethnic origin.
________

2.2. Provide a description, including a narrative and flow chart, of the linkages and flows of personal information collected, used and/or disclosed.
________

Page 30: Mark E.S. Bernard Privacy Protection System

1. Has responsibility for the Organization's privacy oversight been assigned to a specific individual? Y/N
2. Are the roles, responsibilities and reporting structure of that person documented? Y/N
3. Have performance requirements been specified in a measurable way, and are they subject to management reviews? Y/N
4. Are independent third-party audits facilitated to review privacy practices? Y/N
5. Has the Organization retained the legal right to collect, use, disclose, archive and dispose of personally identifiable information under its custody? Y/N
6. Has the Organization retained the legal right to audit and enforce data protection principles with its divisions and external service providers? Y/N

Page 31: Mark E.S. Bernard Privacy Protection System

1. Is the business purpose for the collection, use, retention and disclosure documented? Y/N
2. Has the purpose for collection been mapped to the business purpose? Y/N
3. Has the purpose for collection been mapped to a specific statute or regulation? Y/N
4. Is the purpose for collection based on an exception due to debt collection, investigations or media? Y/N
5. Have the Organization's customers been formally notified of the purpose for the collection? Y/N

Page 32: Mark E.S. Bernard Privacy Protection System

1. Can the requirements for information collection be limited or reduced? Y/N
2. Is personally identifiable information collected directly from the individual? Y/N
3. Is personally identifiable information collected indirectly through other programs? Y/N
4. Is personally identifiable information collected indirectly through external parties? Y/N
5. Will the customer's online activity be monitored and related information collected? Y/N
6. Is the information collected for planning, forecasting, or evaluation purposes? Y/N
7. Can the information collected be made anonymous and still meet the business purpose? Y/N

Page 33: Mark E.S. Bernard Privacy Protection System

1. Was the consent clearly linked to the purpose for collection and usage? Y/N
2. Did the consent clearly and unambiguously specify that personally identifiable information can be collected, used and disclosed? Y/N
3. Did the individual explicitly consent to the collection of their personally identifiable information? Y/N
4. Was the consent to collect personally identifiable information implied? Y/N
5. Was consent gathered based on the individual’s option to ‘opt-in’? Y/N
6. Was consent gathered based on the individual’s option to ‘opt-out’? Y/N
7. Was personally identifiable information collected indirectly from external third parties? Y/N
8. Does consent allow for secondary uses like service improvements? Y/N
9. Have procedures been created to obtain further consent for usage not previously identified? Y/N

Page 34: Mark E.S. Bernard Privacy Protection System

1. Are there specific statutory or regulatory obligations for retaining personally identifiable information? Y/N
2. Has the reconciliation of cross-jurisdictional retention obligations been completed? Y/N
3. Have practices and/or standards been documented with respect to the retention of personal information? Y/N
4. Do these standards include a minimum and maximum retention period? Y/N
5. Is there a method to log and report on the duration for which personal information has been retained? Y/N
6. Are there documented practices and standards outlining the appropriate methods of destruction, erasure or anonymization of personal information? Y/N
7. Are disposal/destruction records maintained for personal information? Y/N

Page 35: Mark E.S. Bernard Privacy Protection System

1. Are updates to customer records recorded, including date, time stamp and user account? Y/N
2. Have procedures been documented and communicated to customers regarding access to, and correction of, inaccurate records? Y/N
3. Are records kept regarding requests for access to records? Y/N
4. Can customers access their personal information without disrupting regular operations? Y/N
5. Has field-level validation been implemented for interactive updates to records? Y/N
6. Has exception reporting been implemented for batch file processing? Y/N
7. Are information-processing errors monitored and investigated? Y/N
8. Are external parties notified of corrections? Y/N

Page 36: Mark E.S. Bernard Privacy Protection System

1. Has a Risk Assessment been facilitated for the information asset? Y/N
2. Are regular user account access and privileged access rights authorized and recorded? Y/N
3. Have the roles and responsibilities for asset owners and custodians been documented and communicated? Y/N
4. Has an information handling practice and standard been documented for the collection, transmission, storage and disposal of personal information? Y/N
5. Has a breach protocol been documented and communicated to all stakeholders? Y/N
6. Have the Organization's employees been trained on the requirements for protecting personal information? Y/N
7. Has a process been documented for granting users access to the maintenance application to add, change or delete personal information? Y/N
8. Does the business system include audit logging of access to personal information, including date and time stamp and user account? Y/N
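The retention, accuracy and data security questions on the three preceding pages (Steps 5 to 7) describe controls, and each one corresponds to a concrete mechanism in the system that holds the records. As an added example, not part of the original deck, the following Python module implements the four that are most often answered "Y" on paper but missing in the system: field-level validation on interactive updates (Step 6, question 5), an audit trail that records date/time stamp, user account, action and field for every read, change and disposal (Step 6, question 1; Step 7, question 8), a report of how long each record has been retained against a maximum retention period (Step 5, questions 4 and 5), and disposal records (Step 5, question 7). The field names, the per-purpose retention periods and the sample records are assumptions chosen for the illustration.

```python
"""Added example (not from the original deck): a minimal personal-information
record store with field-level validation, an access/change audit trail,
a retention report and disposal records.  Field names, retention periods
and sample records are assumptions for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
import re

# Assumed retention policy: maximum retention per documented purpose.
MAX_RETENTION = {
    "billing": timedelta(days=365 * 7),
    "marketing": timedelta(days=365 * 2),
}

# Field-level validation rules.  Only documented fields may be stored, which
# also enforces "limit collection to the business purpose" (Step 3).
# Assumption: "sin" is a Canadian Social Insurance Number, nine digits.
FIELD_RULES: Dict[str, Callable[[object], bool]] = {
    "name": lambda v: isinstance(v, str) and 1 <= len(v.strip()) <= 100,
    "email": lambda v: isinstance(v, str)
        and re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None,
    "sin": lambda v: isinstance(v, str) and re.fullmatch(r"\d{9}", v) is not None,
    "birth_date": lambda v: isinstance(v, str)
        and re.fullmatch(r"\d{4}-\d{2}-\d{2}", v) is not None,
}


@dataclass
class AuditEvent:
    timestamp: datetime          # date and time stamp (Step 7, question 8)
    user: str                    # user account that performed the action
    action: str                  # "create", "read", "update" or "dispose"
    record_id: str
    field_name: Optional[str] = None   # set for field-level updates


@dataclass
class Record:
    record_id: str
    purpose: str                 # key into MAX_RETENTION
    collected_at: datetime
    fields: Dict[str, object]


class PIStore:
    """In-memory store; the clock is injectable so retention is testable."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.records: Dict[str, Record] = {}
        self.audit_log: List[AuditEvent] = []
        self.disposal_log: List[dict] = []

    def _log(self, user, action, record_id, field_name=None):
        self.audit_log.append(AuditEvent(self._now(), user, action, record_id, field_name))

    @staticmethod
    def validate_field(name, value):
        rule = FIELD_RULES.get(name)
        if rule is None:
            raise ValueError(f"field {name!r} is not a documented collection field")
        if not rule(value):
            raise ValueError(f"invalid value for field {name!r}")

    def add(self, user, record: Record):
        for name, value in record.fields.items():
            self.validate_field(name, value)
        self.records[record.record_id] = record
        self._log(user, "create", record.record_id)

    def read(self, user, record_id):
        rec = self.records[record_id]
        self._log(user, "read", record_id)        # every access is logged
        return dict(rec.fields)

    def update(self, user, record_id, field_name, value):
        self.validate_field(field_name, value)    # rejected updates are not applied
        self.records[record_id].fields[field_name] = value
        self._log(user, "update", record_id, field_name)

    def retention_report(self):
        """Days each record has been retained (Step 5, question 5)."""
        now = self._now()
        return {r.record_id: (now - r.collected_at).days for r in self.records.values()}

    def overdue(self):
        """Records held longer than the maximum retention for their purpose."""
        now = self._now()
        return [r.record_id for r in self.records.values()
                if now - r.collected_at > MAX_RETENTION[r.purpose]]

    def dispose(self, user, record_id, method="secure_erase"):
        rec = self.records.pop(record_id)
        self.disposal_log.append({"record_id": record_id, "purpose": rec.purpose,
                                  "disposed_at": self._now(), "by": user, "method": method})
        self._log(user, "dispose", record_id)


def demo():
    """Walk through create, read, update, a rejected update, and retention-driven disposal."""
    fixed = datetime(2015, 5, 12, tzinfo=timezone.utc)   # constructed clock
    store = PIStore(now=lambda: fixed)
    store.add("alice", Record("c-1", "billing", fixed - timedelta(days=100),
                              {"name": "Pat Example", "email": "pat@example.com"}))
    store.add("alice", Record("c-2", "marketing", fixed - timedelta(days=900),
                              {"name": "Sam Example"}))
    store.read("bob", "c-1")
    store.update("bob", "c-1", "email", "pat2@example.com")
    try:
        store.update("bob", "c-1", "sin", "12345")       # fails field-level validation
    except ValueError:
        pass
    overdue = store.overdue()                            # c-2 exceeds 2-year marketing limit
    for rid in overdue:
        store.dispose("alice", rid)
    return store, overdue
```

The clock is injected so that the retention check can be exercised without waiting; in a real system the audit log would also be append-only (or hash-chained) so that an account with rights to change a record cannot also rewrite the record of having changed it.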

Page 37: Mark E.S. Bernard Privacy Protection System

1. Has training and awareness been developed for the Organization's employees? Y/N
2. Does the training include an overview of statutory, regulatory and contractual obligations for data protection? Y/N
3. Does training include an overview of the Organization's policies, practices and standards relating to the handling of personal information? Y/N
4. Does training include instructions concerning the reporting of suspected breaches in security? Y/N
5. Does training include instructions regarding the “whistleblower” policy? Y/N
6. Are there documented plans for training on how to facilitate a privacy impact assessment? Y/N
7. Are new hires required to attend information handling training and awareness before access to personal information is granted? Y/N
8. Have all of the Organization's employees accessing personal information attended training and awareness? Y/N
9. Has an annual training and awareness program and schedule been created and communicated? Y/N
10. Are records of employee and contractor attendance, including post-session evaluations and sign-in sheets, maintained? Y/N

Page 38: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 39: Mark E.S. Bernard Privacy Protection System

• Classification labeling
• Access restriction
• Classified information authorization list
• Information input/output validation
• Protection of spooled/printed information
• Storage complies with manufacturer's specifications
• Keep distribution to a minimum
• Clear marking of recipient/sender
• Review distribution list

Page 40: Mark E.S. Bernard Privacy Protection System

• Granting Access Rights
• Network Access Control
• Storage on Servers
• Storage on Removable Media
• Physical Removal
• Duplicating/Copying
• Faxing
• Transmission over Internet
• Transmission over FTP
• Transmission over email
• Transmission over wireless
• Disposal/Destruction
• Third-party / External-party Disclosure
• US Personnel Disclosure
• Electronic Media Labeling
• Hardcopy Labeling Required
• Physical Mail Handling
• Tracking Process by Log
• Human Resources
• Remote Access
• Desktop
• Laptop

Page 41: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 42: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 43: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 44: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 45: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 46: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 47: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 48: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 49: Mark E.S. Bernard Privacy Protection System (no transcribed text)

Page 50: Mark E.S. Bernard Privacy Protection System

“Data breach” means an incident involving loss of, unauthorized access to, or disclosure of, personal information as a result of a breach of an organization’s security safeguards pursuant to Principle 7 (Safeguards) of Schedule 1 of PIPEDA, the Personal Information Protection and Electronic Documents Act.

Page 51: Mark E.S. Bernard Privacy Protection System

• In the event of a data breach, where it is reasonable to consider in the circumstances that there exists a substantial risk of significant harm to affected individuals, the organization will notify affected individuals as a matter of course, and other organizations as required, as soon as is reasonably possible after detection, confirmation and assessment of the scope and extent of the breach.

• Notification to affected individuals will be provided in a clear and conspicuous manner using a direct means of communication, and will include information that is sufficient for the individual to understand the significance of the breach, and to take steps to mitigate harm resulting from it.

Page 52: Mark E.S. Bernard Privacy Protection System

• Factors that are relevant to the determination of substantial risk include (i) the sensitivity of the information involved in the data breach and (ii) the probability that the information could be misused, or that harm to the affected individuals might result.

• Factors that are relevant to the determination of which other organizations should be notified are (i) whether an organization has a role in the mitigation or prevention of harm to the affected individuals; or (ii) whether an organization could reasonably be expected to suffer direct harm as a result of the data breach.

Page 53: Mark E.S. Bernard Privacy Protection System

• The organization will also report to the Privacy Commissioner any material data breach, as soon as is reasonably possible following detection, confirmation, and an assessment of scope and extent of the breach.

• Factors relevant to the determination of a material data breach include (i) the sensitivity of the information involved in the breach, (ii) the number of individuals affected, and (iii) whether it constitutes a pattern, or provides evidence of a systemic root cause, outside of commercially acceptable operating standards.

Page 54: Mark E.S. Bernard Privacy Protection System

• The organization having control of the information will be responsible for determining the need for notification to affected individuals and organizations and for reporting to the Privacy Commissioner.

Page 55: Mark E.S. Bernard Privacy Protection System

For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard