Application Data Security And PIPEDA Principles
General Application Data Security Aspects
• Privacy - Personal Information (PI) Handling
• Security - Secure PI data as per defined rules
Privacy - Personal Information (PI) Handling
General Privacy Aspects
1. PI data definition
2. Definition of the PI data categories and rules for each category
3. Process to ensure proper use and handling of the PI data based on the defined rules
1. PI Data Identification
Under PIPEDA, personal information (PI) includes:
• name, race, ethnic origin, religion, marital status, educational
level
• e-mail address and messages, IP (Internet protocol) address
• age, height, weight, medical records, blood type, DNA code,
fingerprints, voiceprint
• income, purchases, spending habits, banking information,
credit/debit card data, loan or credit reports, tax returns
• Social Insurance Number (SIN) or other identification
numbers.
https://www.priv.gc.ca/information/pub/guide_ind_e.asp
Identify PI Data Currently Used In All Corporate Systems
2. PI Data Categorization (Draft)
• Personal Details Data Category
  • Name, Marital Status, Age, Email Addresses, Postal Addresses, Phone Numbers, IP Addresses, Device IDs
• Personal Financial Data Category
  • Income, Purchases, Spending Habits, Banking Information, Credit/Debit Cards, Loan or Credit Details
• Personal Identification Data Category
  • Social Insurance Number (SIN), Driver's Licence and any other personal ID.
3. Handling Rules For Each PI Data Category (Draft)
• Rules for Personal Details Data Category
  • Data In Transit – Encrypted (HTTPS)
  • Data Storage – DB-level Encryption (TDE) only
  • Display Rules: Show Clear Text
  • Retention Rules: As per business needs or 7 years (?)
• Rules for Personal Financial Data Category
  • Data In Transit – Encrypted (HTTPS)
  • Data Storage – DB-level Encryption (TDE) + Field-level Encryption
  • Display Rules: Show Only Last 4 Digits
  • Retention Rules: As per business needs or 7 years (?)
• Rules for Personal Identification Data Category
  • Data In Transit – Encrypted (HTTPS)
  • Data Storage – DB-level Encryption (TDE) + Field-level Encryption
  • Display Rules: Hidden (Visual Verification Will Be Available During Data Input Only)
  • Retention Rules: As per business needs or 7 years (?)
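An added example (not from the original slides) that encodes the draft handling rules above as a policy table and applies them: display masking, a storage check, and a retention deadline. The field names, the `[hidden]` placeholder, treating unclassified fields as the strictest category, and reading "7 years (?)" as a fixed 7 years are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Rule:
    field_encryption: bool   # field-level encryption required on top of TDE
    display: str             # "clear", "last4" or "hidden"
    retention_years: int     # the slides give "7 years (?)"; 7 is assumed here

# One rule per draft category from the slides.
RULES = {
    "details":        Rule(False, "clear", 7),
    "financial":      Rule(True, "last4", 7),
    "identification": Rule(True, "hidden", 7),
}

# Hypothetical column names mapped to the draft categories.
CATEGORY_OF = {
    "name": "details", "email": "details", "ip_address": "details",
    "income": "financial", "card_number": "financial",
    "sin": "identification", "drivers_licence": "identification",
}

def rule_for(field: str) -> Rule:
    # Assumption: an unclassified field gets the strictest rules until reviewed.
    return RULES[CATEGORY_OF.get(field, "identification")]

def mask_last4(value) -> str:
    """Mask every letter/digit except the last four; keep separators."""
    text = str(value)
    positions = [i for i, ch in enumerate(text) if ch.isalnum()]
    # Values of four characters or fewer are masked completely.
    visible = set(positions[-4:]) if len(positions) > 4 else set()
    return "".join(
        ch if (i in visible or not ch.isalnum()) else "*"
        for i, ch in enumerate(text)
    )

def display_value(field: str, value) -> str:
    mode = rule_for(field).display
    if mode == "clear":
        return str(value)
    if mode == "last4":
        return mask_last4(value)
    return "[hidden]"   # fixed placeholder, does not leak the value's length

def render_record(record: dict) -> dict:
    return {f: display_value(f, v) for f, v in record.items()}

def storage_violations(columns: dict) -> list:
    """columns: field -> {"tde": bool, "field_encrypted": bool}."""
    problems = []
    for field in sorted(columns):
        cfg = columns[field]
        if not cfg.get("tde", False):
            problems.append((field, "TDE missing"))
        if rule_for(field).field_encryption and not cfg.get("field_encrypted", False):
            problems.append((field, "field-level encryption missing"))
    return problems

def retention_deadline(field: str, collected_on: date) -> date:
    year = collected_on.year + rule_for(field).retention_years
    try:
        return collected_on.replace(year=year)
    except ValueError:          # 29 February in a non-leap target year
        return collected_on.replace(year=year, day=28)

def is_due_for_deletion(field: str, collected_on: date, today: date) -> bool:
    return today > retention_deadline(field, collected_on)

# Constructed sample data, not taken from any real system.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "card_number": "4111 1111 1111 1234",
    "sin": "000 000 000",
    "loyalty_id": "LX-99",          # not classified above
}
SAMPLE_COLUMNS = {
    "name": {"tde": True, "field_encrypted": False},
    "card_number": {"tde": True, "field_encrypted": False},
    "sin": {"tde": True, "field_encrypted": True},
}

if __name__ == "__main__":
    print(render_record(SAMPLE_RECORD))
    print(storage_violations(SAMPLE_COLUMNS))
    print(is_due_for_deletion("sin", date(2016, 2, 29), date(2023, 3, 1)))
```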
Security - Secure PI data as per defined rules
General Security Aspects
• PI data storage
• PI data in transit
• PI data during processing
PIPEDA Fair Information Principles
PIPEDA sets out 10 principles of fair information practices, which set up the basic privacy obligations under the law. They are:
• Accountability - Organizations should appoint someone to be responsible for privacy issues. They should make information about their privacy policies and procedures available to customers.
• Identifying purposes - Organizations must identify the reasons for collecting your personal information before or at the time of collection.
• Consent - Organizations should clearly inform you of the purposes for the collection, use or disclosure of personal
information.
• Limiting collection - Organizations should limit the amount and type of the information gathered to what is necessary.
• Limiting use, disclosure and retention - In general, organizations should use or disclose your personal information only for
the purpose for which it was collected, unless you consent. They should keep your personal information only as long as
necessary.
• Accuracy - Organizations should keep your personal information as accurate, complete and up to date as necessary.
• Safeguards - Organizations need to protect your personal information against loss or theft by using appropriate security
safeguards.
• Openness - An organization’s privacy policies and practices must be understandable and easily available.
• Individual access - Generally speaking, you have a right to access the personal information that an organization holds
about you.
• Recourse (Challenging compliance) - Organizations must develop simple and easily accessible complaint procedures.
When you contact an organization about a privacy concern, you should be informed about avenues of recourse.
PIPEDA Fair Information Principles – App Security Focus
• Consent
  • When applicable, make sure consumer consent is obtained and logged with a timestamp.
• Retention
  • Delete sensitive data as per the rules for each category.
• Safeguards
  • PI data is encrypted in the data storage
  • PI data is encrypted in transit, through use of secure communication protocols (SSL/TLS 1.2, SFTP etc.)
  • Ensure PI data is not compromised during the processing
    • Checking the code using Source Code Analysis Tools
    • Checking applications at runtime using Runtime Application Self-Protection Tools


Personal Information Protection and Electronic Documents Act (PIPEDA) and Implications for Application Security and Sensitive Data Handling in Software Systems
