Canadian Government Executive - Volume 26 - Issue 02
TECHNOLOGY March/April 2020 // Canadian Government Executive / 13

the choices available to citizens in the private sector do not necessarily exist in the public sector. In order to bring more transparency to public-private partnerships, government CIOs must pioneer the ethical processing of personal information in P3 projects among internal stakeholders and private-sector partners. Follow these three best practices to build trust in P3 projects and ensure a positive privacy user experience (privacy UX) among all parties.

Complete a Privacy Impact Assessment

While privacy responsibilities in government may reside with the privacy office or other program areas, that does not mean CIOs should not be involved. CIOs lead, or are key partners with, the functions that manage technologies used to process data or oversee similar activities performed by private-sector organizations. A best practice – and a consistent recommendation by Canadian regulators – is the completion of a privacy impact assessment (PIA) or, where appropriate, a data protection impact assessment (DPIA). These assessments identify and treat privacy risks early and consistently and, in the case of DPIAs, are mandated under the EU’s GDPR. Where CIOs can truly exert influence and insist that one be completed is through the project management life cycle: CIOs must demand that no P3 project that processes personal information begins until there is agreement about the completion and subsequent maintenance of a privacy impact assessment. Completed assessments should be revisited on an ongoing basis to catch and mitigate potential new risks.
Establish Standards and Controls When Processing Personal Information

Ensuring governance and accountability is of utmost importance when dealing with personal information, but it’s not always straightforward. As an example, consider the parties involved in building a toll highway. There will be one organization involved in constructing it, another responsible for maintaining it, and a third that ensures tolls are collected and processed. If toll collection is done via transponders instead of cash, the personal information involved would reside only with organization #3. If, however, these companies want to engage in a project to install 5G signal towers to support autonomous vehicles, which involves the transmission of vast amounts of data, the personal information becomes identifiable and therefore regulated. The question becomes who will own the ethical processing of that data and be accountable for using and protecting it. In such scenarios, the conversation about data processing in P3 projects starts with a contract that all parties agree to, but it does not end there. Ongoing dialogue to discuss new developments and subsequent actions is required. This is why privacy considerations in P3 projects must be actively managed by CIOs, who can implement standards and controls that relate to the purpose(s) for processing personal information. The International Standards Organization (ISO) and the National Institute of Standards and Technology (NIST) both publish frameworks that serve as resources for CIOs in their ongoing management of privacy.

Invest in a Comprehensive Privacy User Experience

Since CIOs have control over the digital interfaces between the government and its citizens, they can take an active role in ensuring a strong UX.
CIOs can examine these touchpoints and ensure that appropriate measures have been built to provide transparency to citizens with respect to how their data is processed and a means for citizens to exercise control over how their data can be processed (where appropriate). Privacy UX encompasses the interfaces between institutions and individuals with respect to transparency, consent and preference management (CPM) and subject rights request (SRR) management in personal information. Establish a baseline standard that requires appropriate notice be presented everywhere the government collects personal information from citizens. Take the leap to build a comprehensive CPM system to accompany government transparency. Ultimately, the CIOs’ target should be a self-service portal for citizens to manage their access and use of services provided by governments and partners.

This topic and others within privacy are becoming increasingly important as privacy regulations evolve worldwide. Modern privacy legislation has significantly broadened the definition of personal information, yet current government practices for managing privacy risks tend to be overly simplistic. Implementing the aforementioned best practices will ensure privacy risks are managed throughout the data life cycle and equip CIOs with the proper mindset and tools when things go wrong.

Bernard Woo is an Ontario-based Senior Research Director at Gartner with a focus on data protection/privacy risk management and compliance programs. Throughout his career in privacy-related roles, Mr. Woo has excelled at working with stakeholders from various functions (e.g. IT, legal, marketing, security, HR) to devise innovative, efficient solutions that enable organizations to grow and achieve their objectives, while ensuring the protection of personal information and individual privacy rights.

Join Gartner analysts onsite at the Gartner IT Symposium/Xpo global conferences in 2020.