An Overview of our . Responsibilities. Gioconda Di Lorenzo. - . University Secretary . Privacy Officer & Freedom of Information Officer. Policy and Compliance Education – Legal & Risk. Raffaella. ID: 611051
DownloadNote - The PPT/PDF document "Privacy by Design @ UoM" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Privacy by Design @ UoM
Slide1
Privacy by Design @ UoM
An Overview of our
Responsibilities
Slide2
Gioconda Di Lorenzo- University Secretary Privacy Officer & Freedom of Information OfficerPolicy and Compliance Education – Legal & RiskRaffaella Di MaioPrivacy & Freedom of Information CoordinatorJo-anne DyerManager, Risk & ComplianceMary OppyEducation & Training Coordinator Bronwyn ThomasCoordinator Risk & Compliance
Introductions
Raffaella Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide3
Topics
Privacy lawsPrivacy key termsInformation Privacy Principles (IPPs)7 Foundational Principles of Privacy by DesignPrivacy impact assessmentsQuestions
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide4
Privacy Protection
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
Slide5
What is Personal Information?
Recorded information or opinion whether true or not about an individual whose identity is apparent or can be reasonably ascertained
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
NameSignatureTelephone NumberEmail, Home or Work AddressEmployment PositionVoice Recordings, Photographs or VideosMedical RecordsAcademic Records
Slide6
What is Sensitive Information?
Recorded information or opinion whether true or not about an individual whose identity is apparent or can be reasonably ascertained
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
racial or ethnic originpolitical opinionsmembership of a political associationreligious beliefs or affiliationsphilosophical beliefsmembership of a professional or trade associationmembership of a trade unionsexual preferences or practicescriminal record
Slide7
When can I use or Disclose Personal & Sensitive Information?
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
Primary Purpose
Secondary Purpose
Personal Information
Sensitive Information
As outlined in the collection notice
A related purpose & one the individual would reasonably expect
A directly related purpose & one the individual would reasonably expect
Only
as outlined in the collection notice
Slide8
10 Information
Privacy Principles (IPPs)
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
An organisation must not do an act, or engage in a practice, that contravenes an
Information
Privacy Principle
in
respect of personal information collected, held, managed, used, disclosed or transferred by it
Slide9
Preventative not remedialEstablish and monitor governance mechanisms for privacy responsibility.Promote an organisation-wide ‘privacy-culture’ to ensure that privacy is integrated into your policies and programs.‘Operationalise’ privacy by establishing and implementing privacy policies, conducting privacy awareness training, and developing data breach response protocols in the event that a breach does occur.Audit and monitor your organisation’s information handling processes.
Proactive not reactive
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
Slide10
Ensure that the necessary privacy controls are built into new systems during the design and procurement phases.Undertake privacy impact assessments for all projects and programs that involve personal information.
Privacy as the default setting
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide11
Ensure that a program’s overall risk assessment includes an obligation to consider potential privacy risks.Ensure that programs are signed off with appropriate privacy protections in place prior to a project’s commencement.
Privacy embedded into design
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide12
Commit to finds workable solutions to achieve multiple objectives, rather than compromising any interests that seem to be in competition
Full functionality: Positive-sum not zero sum
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide13
Ensure University staff understand – and are able to adhere to – their privacy responsibilities at all times.Ensure that contractual agreements with third parties and vendors clearly set out obligations and responsibilities, from the commencement of a program through to the point of data destruction.Map a program’s data flows and ensure that security measures are in place at each stage, including user authentication, encryption and destruction of data.
End–to–end security
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide14
Commit to keeping the organisation’s practices transparent to the extent possible, without inviting risk.Seek independent verification for programs and procedures (processes) to ensure compliance with privacy obligations.
Visibility and transparency
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide15
Support an approach to designing programs that considers privacy from a user’s point of view.All seven foundational principles work together and need to be implemented holistically: Privacy by Design can’t be ‘cherry picked.’
Respect for user privacy
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide16
Privacy impact assessments (PIAs)
Raffaella
Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
PIAs
are undertaken as part of a sound risk management strategy, to assess whether it is safe to proceed
with any
new
project
.
PIAs
are
living documents and are undertaken
if
changes
are made to the way we
collect
,
use
,
store
or
dispose
of personal information
.
Slide17
Privacy Impact Assessment
Slide18
Why we need Privacy by Design
Most privacy breaches remain undetected, what is reported to the Privacy Officer may only be the tip of the iceberg
Download this presentation
DownloadNote - The PPT/PDF document "Privacy by Design @ UoM" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Privacy by Design @ UoM
Privacy by Design @ UoM
An Overview of our
Responsibilities
Slide2Gioconda Di Lorenzo- University Secretary Privacy Officer & Freedom of Information OfficerPolicy and Compliance Education – Legal & RiskRaffaella Di MaioPrivacy & Freedom of Information CoordinatorJo-anne DyerManager, Risk & ComplianceMary OppyEducation & Training Coordinator Bronwyn ThomasCoordinator Risk & Compliance
Introductions
Raffaella Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide3Topics
Privacy lawsPrivacy key termsInformation Privacy Principles (IPPs)7 Foundational Principles of Privacy by DesignPrivacy impact assessmentsQuestions
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide4Privacy Protection
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
Slide5What is Personal Information?
Recorded information or opinion whether true or not about an individual whose identity is apparent or can be reasonably ascertained
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
NameSignatureTelephone NumberEmail, Home or Work AddressEmployment PositionVoice Recordings, Photographs or VideosMedical RecordsAcademic Records
Slide6What is Sensitive Information?
Recorded information or opinion whether true or not about an individual whose identity is apparent or can be reasonably ascertained
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
racial or ethnic originpolitical opinionsmembership of a political associationreligious beliefs or affiliationsphilosophical beliefsmembership of a professional or trade associationmembership of a trade unionsexual preferences or practicescriminal record
Slide7When can I use or Disclose Personal & Sensitive Information?
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
Primary Purpose
Secondary Purpose
Personal Information
Sensitive Information
As outlined in the collection notice
A related purpose & one the individual would reasonably expect
A directly related purpose & one the individual would reasonably expect
Only
as outlined in the collection notice
Slide810 Information
Privacy Principles (IPPs)
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
An organisation must not do an act, or engage in a practice, that contravenes an
Information
Privacy Principle
in
respect of personal information collected, held, managed, used, disclosed or transferred by it
Slide9Preventative not remedialEstablish and monitor governance mechanisms for privacy responsibility.Promote an organisation-wide ‘privacy-culture’ to ensure that privacy is integrated into your policies and programs.‘Operationalise’ privacy by establishing and implementing privacy policies, conducting privacy awareness training, and developing data breach response protocols in the event that a breach does occur.Audit and monitor your organisation’s information handling processes.
Proactive not reactive
Raffaella Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
Slide10Ensure that the necessary privacy controls are built into new systems during the design and procurement phases.Undertake privacy impact assessments for all projects and programs that involve personal information.
Privacy as the default setting
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide11Ensure that a program’s overall risk assessment includes an obligation to consider potential privacy risks.Ensure that programs are signed off with appropriate privacy protections in place prior to a project’s commencement.
Privacy embedded into design
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide12Commit to finds workable solutions to achieve multiple objectives, rather than compromising any interests that seem to be in competition
Full functionality: Positive-sum not zero sum
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide13Ensure University staff understand – and are able to adhere to – their privacy responsibilities at all times.Ensure that contractual agreements with third parties and vendors clearly set out obligations and responsibilities, from the commencement of a program through to the point of data destruction.Map a program’s data flows and ensure that security measures are in place at each stage, including user authentication, encryption and destruction of data.
End–to–end security
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide14Commit to keeping the organisation’s practices transparent to the extent possible, without inviting risk.Seek independent verification for programs and procedures (processes) to ensure compliance with privacy obligations.
Visibility and transparency
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide15Support an approach to designing programs that considers privacy from a user’s point of view.All seven foundational principles work together and need to be implemented holistically: Privacy by Design can’t be ‘cherry picked.’
Respect for user privacy
Raffaella
Di Maio & Mary Oppy
Records & Compliance
Legal & Risk, University Services
Slide16Privacy impact assessments (PIAs)
Raffaella
Di Maio & Mary Oppy
Records & ComplianceLegal & Risk, University Services
PIAs
are undertaken as part of a sound risk management strategy, to assess whether it is safe to proceed
with any
new
project
.
PIAs
are
living documents and are undertaken
if
changes
are made to the way we
collect
,
use
,
store
or
dispose
of personal information
.
Slide17Privacy Impact Assessment
Slide18Why we need Privacy by Design
Most privacy breaches remain undetected, what is reported to the Privacy Officer may only be the tip of the iceberg
Slide19Last Word & Questions