=== Use and share data openly in an ethical and secure manner ===
 
* share data openly by default as per the ''Directive on Open Government and Digital Standards'', while respecting security and privacy requirements; data shared should adhere to existing enterprise and international standards, including on data quality and ethics
  <b>How to achieve:</b>
    * Summarize how the architecture supports sharing data openly by default as per the Directive on Open Government and Digital Standards, given:
        * Existing ESDC and GC data standards and policies
        * International data standards and the Privacy Act
        * Fitness for purpose
        * Ethics
  <b>Tools:</b>
    * Data Foundation – Implement (leverage the standard definition)
        * Data Catalogue
        * Benefits Knowledge Hub
        * Data Lake (growth)
        * Data Science and Machine Platform
    * Theoretical Foundation
        * EDRM (Conceptual and Logical)
        * Business Glossary
        * Departmental Data Strategy
 
* ensure data formatting aligns to existing enterprise and international standards on interoperability; where none exist, develop data standards in the open with key subject matter experts
  <b>How to achieve:</b>
    * Summarize how the architecture utilises existing enterprise and international data standards
    * Summarize how the architecture has developed any data standards through open collaboration with key subject matter experts and the Enterprise Data Community of Practice
  <b>Tools:</b>
    * Data Standards
        * NIEM
        * OpenData
        * National Address Register
        * Reference Data Repository
 
* ensure that combined data does not risk identification or re‑identification of sensitive or personal information
  <b>How to achieve:</b>
    * Summarize how the architecture ensures that aggregating and combining data does not risk identification or re-identification of sensitive or personal information (for example, by checking that data sets which are individually non-identifying cannot be linked on a shared key or on overlapping quasi-identifiers)

=== Design with privacy in mind for the collection, use and management of personal Information ===
 
* ensure alignment with guidance from appropriate institutional ATIP Office with respect to interpretation and application of the ''Privacy Act'' and related policy instruments
  <b>How to achieve:</b>
    * Describe how the architecture aligns with the ATIP Office's guidance on the regulatory framework, policy framework and consent directives for personal information
 
* assess initiatives to determine if personal information will be collected, used, disclosed, retained, shared, and disposed
  <b>How to achieve:</b>
    * Has the initiative assessed whether personal information will be collected, used, disclosed, retained, shared and disposed of?
 
* only collect personal information if it directly relates to the operation of the programs or activities
  <b>How to achieve:</b>
    * Summarize how the architecture ensures that the personal information collected is directly required for the operation of the programs or activities
 
* notify individuals of the purpose for collection at the point of collection by including a privacy notice
  <b>How to achieve:</b>
    * Does the solution’s privacy notice state the purpose for collecting this personal information?
    * Does the solution present the privacy notice at the point of personal information collection?
 
* personal information should be, wherever possible, collected directly from individuals but can be from other sources where permitted by the ''Privacy Act''
  <b>How to achieve:</b>
    * Does the architecture collect personal information directly from the individual?
    * If not, what personal information is collected from other sources, and does that collection comply with the Privacy Act and the consent directive of the source?
  <b>Tools:</b>
    * Target State Architecture
    * Interim State Architecture
 
* personal information must be available to facilitate Canadians’ right of access to and correction of government records
  <b>How to achieve:</b>
    * Summarize how the architecture facilitates Canadians' right to access their personal information records
    * Summarize how the architecture facilitates Canadians' right to correct their personal information records
  <b>Tools:</b>
    * Target State Architecture
    * Interim State Architecture
 
* design access controls into all processes and across all architectural layers from the earliest stages of design to limit the use and disclosure of personal information
  <b>How to achieve:</b>
    * Summarize how the architecture limits the use and disclosure of personal information in accordance with privacy legislation, policy frameworks and consent directives
 
* design processes so personal information remains accurate, up‑to‑date and as complete as possible, and can be corrected if required
  <b>How to achieve:</b>
    * Summarize how the architecture ensures personal information remains accurate
    * Summarize how the architecture ensures personal information remains up-to-date
    * Summarize how the architecture ensures personal information remains as complete as possible
    * Summarize how the architecture ensures personal information can be corrected if required
  <b>Tools:</b>
    * Non-Functional Requirements
    * Functional Requirements
 
* de‑identification techniques should be considered prior to sharing personal information
  <b>How to achieve:</b>
    * Outline the de-identification techniques applied by the architecture before personal information is shared (for example, removal of direct identifiers and generalization or suppression of quasi-identifiers)
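As an added illustration (not part of this wiki page and not an ESDC tool) that covers both the re-identification check for combined data in the previous section and the de-identification step in this bullet: the Python below joins two constructed releases on a shared client key, measures k-anonymity over assumed quasi-identifiers, lists the rows that become unique only after the join, and then applies generalization (coarsening birth year and postal code, dropping the direct identifier) until an assumed minimum k is met. The records, field names, bucket sizes and the k threshold of 3 are all assumptions chosen for the example.

```python
"""k-anonymity check for combined data sets, with generalization as a
de-identification step.  Added illustration, not ESDC code: every record,
field name, bucket size and the k threshold below is constructed for the example."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed sample data.  Each release is 3-anonymous over its own
# quasi-identifiers on its own; joining them on client_id breaks that.
PROGRAM_RECORDS: List[Record] = [
    {"client_id": 1, "postal_fsa": "K1A", "birth_year": 1980, "benefit": "EI"},
    {"client_id": 2, "postal_fsa": "K1A", "birth_year": 1980, "benefit": "CPP"},
    {"client_id": 3, "postal_fsa": "K2P", "birth_year": 1985, "benefit": "EI"},
    {"client_id": 4, "postal_fsa": "K2P", "birth_year": 1985, "benefit": "OAS"},
    {"client_id": 5, "postal_fsa": "K1A", "birth_year": 1980, "benefit": "EI"},
    {"client_id": 6, "postal_fsa": "K2P", "birth_year": 1985, "benefit": "CPP"},
]
SURVEY_RECORDS: List[Record] = [
    {"client_id": 1, "sex": "F", "employer_size": "large"},
    {"client_id": 2, "sex": "M", "employer_size": "small"},
    {"client_id": 3, "sex": "F", "employer_size": "small"},
    {"client_id": 4, "sex": "M", "employer_size": "large"},
    {"client_id": 5, "sex": "F", "employer_size": "medium"},
    {"client_id": 6, "sex": "M", "employer_size": "large"},
]

# Assumed quasi-identifiers: attributes an outsider could plausibly know.
PROGRAM_QIS: Tuple[str, ...] = ("postal_fsa", "birth_year")
SURVEY_QIS: Tuple[str, ...] = ("sex",)
COMBINED_QIS: Tuple[str, ...] = PROGRAM_QIS + SURVEY_QIS  # visible together after the join


def join_on(left: Sequence[Record], right: Sequence[Record], key: str) -> List[Record]:
    """Inner join on `key`; models an analyst combining two separate releases."""
    index = {r[key]: r for r in right}
    return [{**l, **index[l[key]]} for l in left if l[key] in index]


def _qi_tuple(record: Record, quasi_ids: Sequence[str]) -> tuple:
    return tuple(record.get(q) for q in quasi_ids)


def equivalence_classes(records: Sequence[Record], quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_qi_tuple(r, quasi_ids) for r in records)


def k_anonymity(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """Size of the smallest equivalence class; 1 means some row is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_rows(records: Sequence[Record], quasi_ids: Sequence[str]) -> List[Record]:
    """Rows that are singled out by their quasi-identifiers alone."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[_qi_tuple(r, quasi_ids)] == 1]


def generalize(records: Sequence[Record], year_bucket: int = 10, fsa_chars: int = 1) -> List[Record]:
    """De-identify by generalization: coarsen quasi-identifiers and drop the
    direct identifier.  Bucket sizes are assumptions for the example."""
    out: List[Record] = []
    for r in records:
        g = dict(r)
        g["birth_year"] = (int(r["birth_year"]) // year_bucket) * year_bucket
        g["postal_fsa"] = str(r["postal_fsa"])[:fsa_chars]
        g.pop("client_id", None)  # never share the direct identifier
        out.append(g)
    return out


def release_decision(records: Sequence[Record], quasi_ids: Sequence[str], k_min: int = 3) -> Tuple[bool, int]:
    """Return (ok, k): refuse to share when any equivalence class is smaller than k_min."""
    k = k_anonymity(records, quasi_ids)
    return k >= k_min, k


if __name__ == "__main__":
    combined = join_on(PROGRAM_RECORDS, SURVEY_RECORDS, "client_id")
    print("program alone k =", k_anonymity(PROGRAM_RECORDS, PROGRAM_QIS))
    print("survey alone  k =", k_anonymity(SURVEY_RECORDS, SURVEY_QIS))
    print("combined      k =", k_anonymity(combined, COMBINED_QIS),
          "unique client_ids:", [r["client_id"] for r in unique_rows(combined, COMBINED_QIS)])
    print("after generalization:", release_decision(generalize(combined), COMBINED_QIS))
```

The point of the check is that each release passes on its own (k = 3) while the join drops k to 1 and singles out two clients; only after generalization does the combined set meet the threshold again. In practice the quasi-identifier list comes from the PIA, and k-anonymity should be paired with a check on sensitive attribute diversity within each class, since a class whose members all share the same benefit still discloses that benefit.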
 
* in collaboration with appropriate institutional ATIP Office, determine if a Privacy Impact Assessment (PIA) is required to identify and mitigate privacy risks for new or substantially modified programs that impact the privacy of individuals
  <b>How to achieve:</b>
    * Describe how the architecture addresses the recommendations of the PIA
    * If not all recommendations of the PIA are being addressed, outline how the business will address the residual risks identified by the PIA
* establish procedures to identify and address privacy breaches so they can be reported quickly and responded to efficiently to appropriate institutional ATIP Office
  <b>How to achieve:</b>
    * Are procedures established to identify and address privacy breaches?
    * Summarize how the architecture enables and supports these procedures
  <b>Tools:</b>
    * Business Process Model