Karen Jack, University Privacy Officer, UW Secretariat
The university held a privacy colloquium on December 4th 2013 in light of the potential adoption of Concur, a US-based online expense claim processing system. (Read more about the project here: https://uwaterloo.ca/online-expense-claims/) There were two speakers: Jim Turk, Executive Director of the Canadian Association of University Teachers, and Fred Carter, Senior Policy & Technology Advisor of the Ontario Privacy Commissioner’s Office.
Jim Turk’s presentation is available here (PDF), and Fred Carter’s is available here (PDF).
Following their presentations, attendees participated in a question and answer session with a panel that included Fred Carter, University of Waterloo professor Ian Goldberg, and Blair Campbell, Senior Privacy Manager of Scotiabank. During the lively panel discussion, several attendees expressed concerns about the proposal. They spoke of a desire to retain control over their personal information, expressed reservations about the security of information in the cloud, and described issues relating to “anonymisation” techniques. In turn, the panel spoke about: the need to ensure that robust contractual safeguards regarding privacy and security are in place in any outsourced solution, no matter where the company is headquartered; insights into encryption possibilities and pitfalls; and the benefits of data minimization and privacy by design. Members of the project’s steering committee spoke of the efficiencies of an outsourced solution and of the consultation undertaken to date. There was consensus in the room that privacy and security can’t be afterthoughts.
Near the closing of the panel discussion, the university’s privacy officer advised that she and the university’s information security services director are undertaking a privacy and security impact assessment (PSIA) on this project. This tool, new at UW, helps to identify potential privacy and security risks and mitigation strategies for projects being proposed at the university that use personal information. As of the date of this post, the PSIA is nearing completion and, save those aspects which could create security risks if disclosed, will be made available to the community so users will have the opportunity to understand what’s at issue.
When the PSIA documentation has been posted, an alert will be posted on this blog.