Changes

Line 39: Line 39:     
== Information Architecture ==
 
== Information Architecture ==
Information architecture best practices and principles remain consistent but their focus must accommodate the needs of a business service and business capability orientation.  In particular, in order to share information across Government, information architecture must address the higher standards needed in terms of the awareness of the information handling needs of each piece of data – its source, quality, and associated policy obligations. <u>The collection, use and management of Personal Information requires adherence to the principles and requirements of GC privacy legislation and its related policies.</u>  
+
Information architecture best practices and principles remain consistent but their focus must accommodate the needs of a business service and business capability orientation.  In particular, in order to share information across Government, information architecture must address the higher standards needed in terms of the awareness of the information handling needs of each piece of data – its source, quality, and associated policy obligations. <u>The collection, use and management of personal information requires adherence to the principles and requirements of GC privacy legislation and its related policies.</u>  
    
=== Collect data to address the needs of the users and other stakeholders ===
 
=== Collect data to address the needs of the users and other stakeholders ===
Line 60: Line 60:     
=== <u>Design with privacy in mind for the collection, use and management of personal Information</u> ===
 
=== <u>Design with privacy in mind for the collection, use and management of personal Information</u> ===
 +
* <u>Consult the departmental ATIP Office, reference the Privacy Act and Access to Information Act for guidance and application of the policies.</u>
 +
* <u>Determine if the initiative will be collecting, using, disclosing, retaining sharing and disposing personal information, which is any recorded information about an identifiable individual</u>
 +
* <u>Only collect personal information if it directly relates to the operation of the programs or activities</u>
 +
* <u>Notify individuals of the purpose for collection at the point of collection by including a privacy notice</u>
 +
* <u>Design processes so personal information remains accurate, up-to-date and as complete as possible, and the ability to correct</u>
 +
* <u>Personal information should be collected directly from individuals but can be from shared sources where permitted by the Privacy Act</u>
 +
* <u>Ensure that combined data does not risk identification or re-identification of  personal information – de-identification techniques should be considered prior to sharing personal information</u>
 +
* <u>Personal information needs to be available to facilitate Canadians’ right of access to and correction of government records</u>
 +
* <u>Conduct a Privacy Impact Assessment (PIA) to identify and mitigate privacy risks for new or substantially modified programs when personal information is identified</u>
 +
* <u>Perform Algorithmic Impact Assessment (AIA) to support risk mitigation activities when deploying an automated decision system as per Directive on Automated Decision Making</u>
 +
* <u>Design access controls into all processes and across all architectural layers from the earliest stages of design to limit use to “need to know”  and disclosure of, and access to personal information</u>
 +
* <u>Establish procedures to address privacy breaches so they can be reported to the ATIP Office and measures to contain, and manage the breach efficiently and effectively</u>
    
== Application Architecture ==
 
== Application Architecture ==
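Review bot: two bullets in the new "Design with privacy in mind" subsection read as unfinished sentences. "collecting, using, disclosing, retaining sharing and disposing personal information" needs a comma after "retaining" and should end "disposing of personal information"; "and the ability to correct" has no object, so something like "and that individuals are able to correct it" would complete the thought. The subsection heading also keeps the capitalised "personal Information" while the hunk above lowers the same phrase to "personal information"; one form should be used throughout. Minor: double spaces before "personal information" in the re-identification bullet and before "and disclosure of" in the access-control bullet, and the stray comma in "contain, and manage" should go.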
Line 101: Line 113:  
* Include your users and other stakeholders as part of DevSecOps process
 
* Include your users and other stakeholders as part of DevSecOps process
   −
== Security Architecture and Privacy ==
+
== Security Architecture <s>and Privacy</s> ==
Security architecture and privacy has always been an important but often poorly addressed aspect of solution design.  However, for the successful implementation of the GC Enterprise Ecosystem Target Architecture depends on a proper security architectural implementation.  Legacy systems based on monolithic architectures often had simplistic approaches to mitigating security risks. The future digitally enabled GC services will support a diverse community and have interoperating components spread across multiple environments.  It is critical that security be built in to all processes and across all architectural layers.
+
Security architecture <s>and privacy</s> has always been an important but often poorly addressed aspect of solution design.  However, for the successful implementation of the GC Enterprise Ecosystem Target Architecture depends on a proper security architectural implementation.  Legacy systems based on monolithic architectures often had simplistic approaches to mitigating security risks. The future digitally enabled GC services will support a diverse community and have interoperating components spread across multiple environments.  It is critical that security be built in to all processes and across all architectural layers.
    
=== Build Security into the System Life Cycle, Across All Architectural Layers ===
 
=== Build Security into the System Life Cycle, Across All Architectural Layers ===
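Review bot: the second sentence of the retained paragraph is ungrammatical both before and after the change: "However, for the successful implementation of the GC Enterprise Ecosystem Target Architecture depends on a proper security architectural implementation" has a dangling "for". Since this hunk already edits the paragraph, drop it: "However, the successful implementation of the GC Enterprise Ecosystem Target Architecture depends on a proper security architectural implementation." In the last sentence, "built in to" should be "built into".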
Line 121: Line 133:  
* Establish an incident management plan in alignment with the GC Cyber Security Event Management Plan (GC CSEMP) and report incidents to the Canadian Centre for Cyber Security (CCCS).
 
* Establish an incident management plan in alignment with the GC Cyber Security Event Management Plan (GC CSEMP) and report incidents to the Canadian Centre for Cyber Security (CCCS).
   −
=== Privacy by Design ===
+
=== <s>Privacy by Design</s> ===
* Perform Privacy Impact Assessment (PIA) to support risk mitigation activities when personal information is involved
+
* <s>Perform Privacy Impact Assessment (PIA) to support risk mitigation activities when personal information is involved</s>
* Perform Algorithmic Impact Assessment (AIA) to support risk mitigation activities when deploying an automated decision system as per Directive on Automated Decision Making. For more info, please go to this link
+
* <s>Perform Algorithmic Impact Assessment (AIA) to support risk mitigation activities when deploying an automated decision system as per Directive on Automated Decision Making. For more info, please go to this link</s>
* Implement security measures to assure the protection of personal information and data
+
* <s>Implement security measures to assure the protection of personal information and data</s>
* Take into consideration the 7 Foundational Privacy Design Principles (English only) when designing services
+
* <s>Take into consideration the 7 Foundational Privacy Design Principles (English only) when designing services</s>
    
== EA Framework Playbook ==
 
== EA Framework Playbook ==
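Review bot: striking the whole "Privacy by Design" subsection drops two items that the new Information Architecture bullets do not carry over: "Implement security measures to assure the protection of personal information and data" and the reference to the 7 Foundational Privacy Design Principles. The PIA and AIA bullets reappear under "Design with privacy in mind", and the access-control bullet there covers part of the security-measures item, but the design-principles reference is lost entirely and the Security Architecture section now has no pointer to where the privacy guidance went. Either keep those two items in the new subsection or add a one-line cross-reference here to the privacy guidance under Information Architecture, so a reader of this section still finds the obligation to protect personal information.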