Changes

Jump to navigation Jump to search
Line 57: Line 57:  
* Contribute to and align with enterprise and international data taxonomy and classification structures to manage, store, search and retrieve data
 
* Contribute to and align with enterprise and international data taxonomy and classification structures to manage, store, search and retrieve data
   −
=== Use and share data openly in an ethical, <u>privacy-centric</u> and secure manner ===
+
=== Use and share data openly in an ethical and secure manner ===
* Share data openly <u>(for example on Canada’s Open Data portal)</u> by default as per the Directive on Open Government and Digital Standards, while adhering to existing enterprise and international standards, including on data quality and ethics
+
* Share data openly by default as per the Directive on Open Government and Digital Standards, <u>while respecting security and privacy requirements.</u> Data shared should adhere to existing enterprise and international standards, including on data quality and ethics.
* Ensure data formatting aligns to existing enterprise and international standards on interoperability. Where none exist, develop data standards in the open with key subject matter experts, in consultation with the Enterprise Data Community of Practice
+
* Ensure data formatting aligns to existing enterprise and international standards on interoperability. Where none exist, develop data standards in the open with key subject matter experts.
* <u>Ensure that combined data does not risk identification or re-identification of  personal information – de-identification techniques should be considered prior to sharing personal information</u>
+
* Ensure that combined data does not risk identification or re-identification of sensitive or personal information
   −
=== <u>Design with privacy in mind for the collection, use and management of personal Information</u> ===
+
=== Design with privacy in mind for the collection, use and management of personal Information ===
* <u>Consult the departmental ATIP Office, reference the Privacy Act and Access to Information Act for guidance and application of the policies.</u>
+
* Consult your institution’s ATIP Office, for assistance with the interpretation and application of the ''Privacy Act'' and its related policy instruments
* <u>Determine if the initiative will be collecting, using, disclosing, retaining sharing and disposing personal information, which is any recorded information about an identifiable individual</u>
+
* Determine if the initiative will be collecting, using, disclosing, retaining sharing and disposing personal information
* <u>Only collect personal information if it directly relates to the operation of the programs or activities</u>
+
* Only collect personal information if it directly relates to the operation of the programs or activities
* <u>Notify individuals of the purpose for collection at the point of collection by including a privacy notice</u>
+
* Notify individuals of the purpose for collection at the point of collection by including a privacy notice
* <u>Design processes so personal information remains accurate, up-to-date and as complete as possible, and the ability to correct</u>
+
* <u>Personal information should be collected directly from individuals but can be from shared sources where permitted by the Privacy Act</u>  
* <u>Personal information should be collected directly from individuals but can be from shared sources where permitted by the Privacy Act</u>
+
* Personal information needs to be available to facilitate Canadians’ right of access to and correction of government records
* <u>Personal information needs to be available to facilitate Canadians’ right of access to and correction of government records</u>
+
* Design access controls into all processes and across all architectural layers from the earliest stages of design to limit the use and disclosure of personal information
* <u>Conduct a Privacy Impact Assessment (PIA) to identify and mitigate privacy risks for new or substantially modified programs when personal information is identified</u>
+
* Design processes so personal information remains accurate, up-to-date and as complete as possible and can be corrected if required
* <u>Perform Algorithmic Impact Assessment (AIA) to support risk mitigation activities when deploying an automated decision system as per Directive on Automated Decision Making</u>
+
* De-identification techniques should be considered prior to sharing personal information
* <u>Design access controls into all processes and across all architectural layers from the earliest stages of design to limit use to “need to know”  and disclosure of, and access to personal information</u>
+
* In collaboration with your ATIP officials, determine if a Privacy Impact Assessment (PIA) is required to identify and mitigate privacy risks for new or substantially modified programs that impact the privacy of individuals
* <u>Establish procedures to address privacy breaches so they can be reported to the ATIP Office and measures to contain, and manage the breach efficiently and effectively</u>
+
* Establish procedures to identify and address privacy breaches so they can be reported quickly and responded to efficiently within your institution
    
== Application Architecture ==
 
== Application Architecture ==

Navigation menu

GCwiki