247 Edmonton App Privacy Impact Assessment

The project’s official name is 24/7 Edmonton Outreach Worker Application.  

REACH has undertaken a risk assessment for the potential of unauthorized access, collection, use, disclosure or destruction of records in the application and has set out the results in a Privacy Impact Assessment (PIA) format.

The contact persons for questions regarding the PIA are:

  • Madeleine Smith, project supervisor. She can be contacted via telephone at 780 498 1231 or email at madeleine.smith@reachedmonton.ca.
  • Adele Towns, Privacy Officer. She can be contacted via telephone at 780 498 1231 or email at adele.towns@reachedmonton.ca.

The submission date of the PIA is Dec 3, 2014.

The implementation date for the 24/7 Edmonton Outreach Worker application is January 2015.

There are no related PIAs for this project.

Section A

Project Overview 

REACH Edmonton decided to create an electronic application to assist outreach workers as part of a coordinated 24/7 response to vulnerable populations who need access to services 24 hours a day. The concept of an application to assist frontline agencies’ workers to manage cases and direct individuals in need to the most appropriate agency has been under development for several years. “People who are at risk run into challenging situations 24 hours a day, seven days a week. 24/7 service delivery means getting these people the full range of help they need, including housing, when they need it. The result will be less dependence on police, hospitals and courts to deal with ‘after hours’ issues.”[1]

REACH partnered with its stakeholders, Homeward Trust Edmonton, Boyle Street Community Services and Bissell Centre to develop the requirements for the application. REACH also contracted with the Bissell Centre for service delivery and piloted the application with the Bissell’s 24/7 Mobile Assistance Program (MAP) team of frontline workers and with Boyle Street’s Street Outreach program. 

The application development was undertaken by Atmist, an Edmonton-based web developer. The personal information collected by the application is stored on a server hosted in Nirix’s secure data centre in Edmonton.

The application is designed to allow outreach workers to track where an encounter with an individual who may require assistance occurred, who the individual is, when the event was reported, when the workers responded, the nature of the problem encountered, the agency that responded and the disposition of the call.

The information collected is used to determine resourcing requirements of the frontline agencies: where and when and how many workers to put in a geographic area. The application can also track response times (wait times). The premise is that if individuals are provided with the right type of care and services on a timely basis by frontline agencies, then much more expensive resources like ambulance and paramedics, emergency room nurses and physicians and police, will not be required or at least be required less frequently.

Technical Security and Privacy Approach Overview

The application is a customized development, based on REACH and its partners’ requirements. The development platform is Windows.NET 4.5 and MVCS for the web application portion. For the mobile app smart phone portion, it uses iOS6+ and Android 4+.

The programming languages used are C#, HTML5, CSS3 and JavaScript.

There are three separate components to the application:

  1. A web application to manage user outreach programs and to visualize anonymized data on a map.
  2. A mobile app that is installed on the smart phone or tablet.
  3. A web service which facilitates the communication between the mobile app and the server database.

The database used to store the personal information and other data is SQL Server 2012. 

Access to the application is via a smart phone or tablet (dependent on which frontline agency the worker is from). Access is granted when the user supplies a valid user id and password. Data then moves over either the carrier’s cell phone network or the Internet to a server located at Nirix, a professionally managed data centre. Data moving over the Internet is encrypted in transit. The mobile app will use AES 256-bit encryption, and the encrypted transmission will use the HTTPS/SSL protocol.

Once data has been transmitted from the mobile device to the REACH server, the app will remove the data from the mobile device. 

Users are expected to have devices that require either a password or biometric authentication to gain access.  

REACH Edmonton has a contractual agreement in place with Nirix that will:

  • Limit access to the personal information and restrict further uses, unless authorized by REACH.
  • Have appropriate authentication/access controls, including access logs.
  • Ensure that personal information transmitted over the Internet is in encrypted format.
  • Provide evidence that there are procedures in place to take appropriate action in the event of a personal information breach or security incident.
  • Provide evidence that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss.
  • Grant authority to REACH to perform periodic audits of the above points.
  • Provide an exit strategy so that, if Nirix is no longer providing data storage services for the application, it will provide the data and assist with its transfer in a machine-readable format.

The server then performs a query against the authorized user directory to verify the supplied credentials. The authorized user directory is hosted on Homeward Trust’s ETO (Efforts to Outcomes) application. If the user name and password are verified, the user is granted access, provided an administrator has enabled his/her access. Each program is created separately in ETO; if a user works in multiple programs, he/she must select the right one after logging in.

If a case is started on the mobile app but not uploaded, the caseworker will see the information entered when loading the information from the device’s local dataset. This information is encrypted while on the mobile device.
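The mobile-side handling described above (an encrypted local dataset, upload over HTTPS, removal from the device once the server has the data) as an added C# illustration. This is example code written for this page, not Atmist’s or REACH’s app code. The key provisioning, the storage directory, the upload callback and the JSON record format are assumptions. Encrypt-then-MAC with AES-256-CBC and HMAC-SHA256 is used because the .NET 4.5 platform named above predates the framework’s authenticated-encryption API; the points shown are that a stored record is readable only with both keys, that it is kept on the device (still encrypted) whenever the upload is not acknowledged, and that it is overwritten and deleted once it is.

```csharp
// Added example (not Atmist's or REACH's code): keeping a not-yet-uploaded
// encounter record encrypted on the device and wiping it only after the
// server acknowledges the upload. Key provisioning, the storage directory and
// the upload callback are assumptions for the example.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public sealed class PendingEncounterStore
{
    private const int IvLen = 16, TagLen = 32;
    private readonly byte[] _encKey;  // 32-byte AES-256 key, assumed to come from the platform keystore
    private readonly byte[] _macKey;  // separate 32-byte HMAC-SHA256 key, same assumption
    private readonly string _dir;     // folder holding encrypted records awaiting upload

    public PendingEncounterStore(byte[] encKey, byte[] macKey, string dir)
    {
        if (encKey.Length != 32 || macKey.Length != 32)
            throw new ArgumentException("both keys must be 32 bytes");
        _encKey = encKey; _macKey = macKey; _dir = dir;
        Directory.CreateDirectory(_dir);
    }

    // Encrypt-then-MAC layout: IV || AES-256-CBC ciphertext || HMAC-SHA256(IV || ciphertext)
    public byte[] Protect(string recordJson)
    {
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256; aes.Key = _encKey;
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                               // fresh random IV per record
            byte[] plain = Encoding.UTF8.GetBytes(recordJson);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = Concat(aes.IV, cipher);
            using (var mac = new HMACSHA256(_macKey))
                return Concat(body, mac.ComputeHash(body));
        }
    }

    // Verify the tag before touching the ciphertext; a wrong key or a modified file is rejected.
    public string Unprotect(byte[] blob)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("record too short");
        byte[] body = Slice(blob, 0, blob.Length - TagLen);
        byte[] tag = Slice(blob, blob.Length - TagLen, TagLen);
        using (var mac = new HMACSHA256(_macKey))
        {
            byte[] expected = mac.ComputeHash(body);
            int diff = 0;                                   // constant-time comparison
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ tag[i];
            if (diff != 0) throw new CryptographicException("record tampered with or wrong key");
        }
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256; aes.Key = _encKey;
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.IV = Slice(body, 0, IvLen);
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, IvLen, body.Length - IvLen));
        }
    }

    // Save an encounter the worker entered; it stays encrypted until uploaded.
    public string Save(string recordJson)
    {
        string path = Path.Combine(_dir, Guid.NewGuid().ToString("N") + ".enc");
        File.WriteAllBytes(path, Protect(recordJson));
        return path;
    }

    // Try to upload every pending record. 'upload' is assumed to POST the blob over HTTPS
    // with the worker's session and return true only on a server acknowledgement.
    // Records that fail (e.g. no network) stay on the device, still encrypted.
    public int UploadAll(Func<byte[], bool> upload)
    {
        int sent = 0;
        foreach (string path in Directory.GetFiles(_dir, "*.enc"))
        {
            if (!upload(File.ReadAllBytes(path))) continue;
            Wipe(path);
            sent++;
        }
        return sent;
    }

    // Overwrite before deleting so the record is not left recoverable in free space
    // (best effort: flash wear-levelling may still keep a copy, so at-rest encryption remains the real control).
    private static void Wipe(string path)
    {
        long len = new FileInfo(path).Length;
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Write))
            fs.Write(new byte[len], 0, (int)len);
        File.Delete(path);
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    private static byte[] Slice(byte[] src, int offset, int count)
    {
        byte[] r = new byte[count];
        Buffer.BlockCopy(src, offset, r, 0, count);
        return r;
    }
}
```

The keys are deliberately not hard-coded: on the platforms named above they would be generated on the device and held in the OS keystore, which is what makes the device-level password or biometric lock meaningful for the stored records. Wiping is best effort on flash media, which is why the record is never written to the device in the clear in the first place.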

GPS (Global Positioning System) coordinates are obtained from Google Maps based on the transmission location of the mobile device. No personal information is transmitted to Google Maps to do this.

The Nirix agreement “Standard Security Practice for Advanced Cloud Service v4.0” provides details on:

  • how access to data center is restricted;
  • how access to personal information on server is restricted and how accesses are logged;
  • virus/malware protection used;
  • firewalls and protection from denial of service attacks;
  • how back up and restore is tested;
  • how data center power supply is protected; and
  • training for security administrators.

REACH Edmonton has developed an arrangement with Mike Chow of Atmist to act as security administrator until this capability is developed across the member agencies. REACH Edmonton has entered into a confidentiality agreement with Atmist covering non-disclosure of confidential information during app development, testing and security administration. REACH Edmonton is developing processes for how users are added and deleted and for who is responsible for user access within the frontline agencies.

REACH Edmonton has signed an information sharing agreement with each partner agency that will be given access to the app. The agreement is predicated on the partner agency having a similar organizational purpose as REACH Edmonton and similar privacy policies and security practices as REACH Edmonton. Therefore consent provisions for use and disclosure of personal information and privacy policies and practices will be consistent across the organizations. 

Personal Information Transfer from REACH Edmonton to Homeward Trust Edmonton

The personal information gathered by outreach workers using the 24/7 Edmonton Outreach Worker app is temporarily stored on the REACH Edmonton server, located in Nirix’s secure data centre. It is transmitted using a secure HTTPS web service from the REACH Edmonton server to the Social Solutions ETO server, used under license by Homeward Trust Edmonton. Homeward Trust Edmonton is a partner agency of REACH Edmonton and has signed an information exchange agreement with REACH covering this arrangement. Homeward Trust assumes responsibility for the personal information after the upload. Homeward Trust performs data analysis and reporting functions with the personal information that is uploaded.

After the upload, no personal client information will be stored on the REACH server; only time, location markers and program are retained.

REACH Edmonton has undertaken to review the consent to disclose information policies of each of its partner agencies that use the app, to ensure this disclosure is permitted under the terms of the collection agreement of the agency with its clientele.                          

Authority to Collect, Use and Disclose 

The Personal Information Protection Act (PIPA) in section 7 allows for the collection, use and disclosure of personal information subject to the condition of consent. Individuals in contact with a frontline worker using the application will be asked for consent to collect his/her personal information for the purposes of receiving services from the outreach worker or an affiliated agency. The outreach worker will also ask the individual if there are any limits on the use or disclosure of his/her personal information. This is in accordance with sections 7, 8 and 13. There could be situations where a person is incapacitated to the point of not being able to provide consent to collection, in which case the provisions of section 8(2) (b) and 14 (a) will prevail. 

REACH considers the collection of personal information as reasonable under section 11 of PIPA to provide services to an individual in need and who may be vulnerable to harm if the services are not provided.  

REACH considers the use of personal information as reasonable under section 16 of PIPA to provide services to an individual in need and who may be vulnerable to harm if the services are not provided. There could be situations where a person is incapacitated to the point of not being able to provide consent to the use of his/her personal information, in which case the provisions of section 8(2) (b) and 17 (a) will prevail.

REACH considers the disclosure of personal information as reasonable under section 19 of PIPA to provide services to an individual in need and who may be vulnerable to harm if the services are not provided. There could be situations where a person is incapacitated to the point of not being able to provide consent to the disclosure of his/her personal information, in which case the provisions of section 8(2) (b) and 20(a) will prevail.

Correspondingly, REACH considers that a reasonable person would consider the use of the personal information collected, used or disclosed to be in his/her interest and would normally provide consent or not reasonably withhold consent, as per the provisions of sections 8(2) (b), 14(a) and 20(a). 

Given that REACH Edmonton is a community-based coordinator and catalyst for the delivery of social programs but does not directly deliver services, it also considers that if an individual consents to the collection, use and disclosure of his/her personal information in order to receive assistance or advice from an outreach worker of one organization, and a second, different organization is better suited to address the individual’s specific needs, then the personal information collected by the first organization can be used and disclosed by the second organization. This is authorized by section 8(2.1) of PIPA.

Section B

Organizational Privacy Management

Management Structure

The Privacy Officer for this project is the Director, Finance and Communication. This position reports to the Executive Director.

It is important to reiterate at this point that REACH is not involved in frontline provision of services or in the collection of personal information using the app. Instead, it has the privacy policies and processes described below and ensures that the partner agencies that are involved in service delivery and use of the app have corresponding privacy policies and practices.

Policy Management

REACH privacy policies are reviewed by the Privacy Officer and other management staff and approved by the Executive Director. Advice on privacy policies is obtained from:

  • REACH legal counsel
  • Privacy consultants
  • Office of the Information and Privacy Commissioner of Alberta.

Policies are reviewed regularly to ensure continued compliance with legislation and relevance with the programs and services being developed and provided.

Training and Awareness

Staff and volunteers are made aware of REACH’s privacy policy. The Privacy Officer provides training and answers privacy related questions. 

Incident Response

If a security or privacy incident results in a complaint or a breach, then the incident response will follow section 5 of the Privacy Policies. 

Access and Correction

How are requests for personal information handled?

  • If the person is requesting specific information about him/herself that he/she has given to REACH staff, then REACH provides this information to the requestor, provided the request is made in writing.
  • If the request is made under the PIPA provisions, the request is submitted to the Privacy Officer for processing and applicable fees may be charged.

How is the person informed of the reason that the personal information is being collected?

  • Verbally by the staff collecting the information

How does an individual provide consent to disclosure of personal information and how is the consent recorded?

How are requests to correct personal information handled within the Program area?

  • The request is reviewed and where it is demonstrated that the information was incomplete or inaccurate, corrective action is taken and documented in the client’s file.

How is the individual advised about whether the request to correct information will be made within the Program area?

  • In most cases, it is done verbally and when required, in writing. 

If the information has been disclosed, how will the corrected information be provided to the other party to which it was transferred?

  • Practice is that if information is corrected in a document that has been shared with other parties, a notification is sent to the other parties, if this is reasonable.

Section C

Project Privacy Analysis

Personal Information Collected, Used or Disclosed

Each data element of personal information that is being collected in the application has been reviewed to ensure that it is required for effective identification of the client or for service delivery model program administration. The review was done by a working group comprised of both program administration and operational staff to ensure that the information collected is a reasonable use, in relation to the program’s mandate. 

Personal Information collected is set out below:

  • Full legal name and aliases;
  • Birth date;
  • Gender;
  • Residential address or where staying;
  • Brief remarks about services client has received;
  • Brief remarks about what services the person may require and best choice for referral based on the person’s condition and appearance at time of encounter; and
  • Race, if known, to determine if person may be covered under the provisions of the Indian Act (Canada).

There is also information collected about the encounter with the individual, which will vary, dependent on the program:

  • Date, time and location of contact with the individual;
  • Outreach worker’s name and user id;
  • Date and time that request for service was made;
  • If the person has recently been in contact with Edmonton Police Service, Alberta Health Services Emergency Medical Services or another security or healthcare provider; and/or
  • If person has been refused access to shelter or other services from a referral agency and the reason.

Information Flow

The app is primarily a program administration application designed to provide REACH with:

  • A record of where and when individuals received services from an outreach worker from one of the partner agencies;
  • A record of how long it took to deliver the services from when a request was received; and
  • A database of encounters that will provide information that will allow REACH Edmonton to identify gaps in service, launch new initiatives and strengthen existing programs.

Information Flow Description

(Based on 24/7 MAP Team – other programs may vary)

A typical information flow is set out below.

A request to provide assistance (service) to an individual is received and logged, or a worker engages with a client, and the date and time are recorded.

An outreach worker accesses the application to create an incident report for an individual.

The outreach worker is identified by user id and associated organization (a partner of REACH in the 24/7 service delivery model).

The date and time of contact with the individual are captured by the application.

The outreach worker identifies the individual, obtains verbal consent to collect personal information and determines the type of services the individual may require.

The outreach worker enters personal information and notes from the encounter on action taken or required.

Information is transferred from the input device to a server located at Nirix.

Information is transferred from server at Nirix data centre to Social Solutions ETO server (Homeward Trust Edmonton is a licensed user of this software). After transfer, any elements of individually identifying information are no longer associated with the name of the client; only an encounter identifier remains, which cannot be used as a unique identifier.

Application is accessed by Homeward Trust administrators to provide reports by client with date, time and place that service was provided to partner frontline agencies using ETO for reporting purposes.

Application is accessed by REACH Edmonton administrators/managers to create summary incident reports by location and/or by time of day for a specified reporting period. 

Also see “REACH Outreach Worker System Overview” for a graphic presentation of the information flow. 

Use of Information Outside of Alberta

It is not anticipated that there will be any use of data outside of Alberta. Data for the application is stored on a server located in Edmonton, Alberta. All of the partner agencies are located in Alberta. 

Related Privacy Impact Assessments – There are no directly related PIAs at this time. 

Legal Authority

The collection, use and disclosure of personal information is under the authority of sections 11, 16 and 19 of the Personal Information Protection Act, as the provision of services to a person in apparent need is considered reasonable and consistent with the mission and purpose of REACH.

Data Matching and Research

There are no current plans for data matching or research using personal information collected by the application. Any proposals for data matching or research using personal information from the application will have to be made in writing to REACH and require approval by REACH.

Aggregate data on the time and location of service events, and on the wait times for service delivery for some programs, is planned to be used for planning purposes by the agencies granted access to the application.

Contracts and Agreements

A number of contracts and agreements will be in place for the protection of privacy of personal information collected by outreach workers and input to the application:

  • A data management agreement between Nirix and REACH for outsourcing of data storage.
  • A non-disclosure agreement between Atmist and REACH for exposure to personal information during app development, testing and access administration.
  • Information sharing agreements between REACH and its partners that are granted access to the application, which cover:
    • Consent provisions and any limitations on disclosure made by the individual;
    • Consistent purpose for the use of the personal information;
    • Security and privacy policies to be followed;
    • Security and privacy training and awareness to be provided to users;
    • Incident reporting procedures to be followed; and
    • Privacy officer contact to be named.

Section D

Project Risks and Mitigation Measures

Access Control

Position & Job Title: Outreach worker
User Role: Determine the type of services a client may need based on observation and responses from the client.
Number of Staff in the Role: 15 initially; as the app may be adopted by a number of organizations, this could be significantly higher in future.
Type of access (read, write, edit): Read, write and edit encounters that the outreach worker initiated or was assigned to complete on shift change.
Description of information user can access, with examples: Personal information of the client and the type and status of service delivery. An outreach worker can only access encounters that he/she initiated or was assigned to complete on shift change.

Position & Job Title: Access Administrator (REACH)
User Role: Grant and revoke access to users; troubleshoot technical issues; perform access audits.
Type of access (read, write, edit): Read the listing of users and access granted; run and read access reports; add, change or delete user access.
Description of information user can access, with examples: User’s name, role and agency affiliation.

Position & Job Title: Manager/Supervisor in service provider agency
User Role: Determine a user’s role and access and advise the REACH app Access Administrator; notify the Access Administrator of changes to a user’s role or of termination.
Type of access (read, write, edit): Read the listing of users and access granted; run a screen print of current users.
Description of information user can access, with examples: Personal information of the client and the type and status of service delivery.

Position & Job Title: Data Centre – managed by Nirix
User Role: Nirix account manager and technical staff
Number of Staff in the Role: 3
Type of access (read, write, edit): No read access. Can copy or delete data only with permission from an authorized REACH representative.

 

 

Risk Mitigation Table

Privacy Risk: Unauthorized use of information by authorized partner agency users
Description: An outreach worker attempts to access a contact file which he or she did not create and to which he or she was not subsequently assigned.
Mitigation Measures:
  • REACH has an information sharing agreement in place that requires the partner agency to have a policy that establishes need to know as the basis for access to a file.
  • Staff are trained on their employing agency’s privacy principles.
  • The app restricts a user’s access to only those files which the user created or which were transferred from another authorized user from the same partner agency.
Policy Reference *: Section 3 Disclosure of Personal Information

Privacy Risk: Unauthorized collection, use or disclosure of information by external parties
Description:
  • Data on the server used for the app is not removed or encrypted when it is decommissioned or serviced, and access is gained by an external party.
  • Data on the server used for the app is accessed by an unauthorized party from within the data centre or via network interception (hacker).
  • An employee of an agency that has been granted access to the data accesses personal information for which there is no need to know.
  • An outreach worker’s input device is lost or stolen.
Mitigation Measures:
  • Ensure that contractors are bound by security and privacy provisions when repairing, replacing or decommissioning hardware.
  • Physical servers are located in a secure data centre where physical access is monitored.
  • Dual firewalls are used.
  • Use of the privacy breach procedure.
  • The system will log failed authentication attempts and all requests for access.
  • Use of agreements that limit access to and use of personal information by the outsourcer and other parties that have access.
  • No personal information is stored on the device after upload to the REACH server, and personal information on the device is stored in encrypted format.
Policy Reference *: Section 3 Disclosure of Personal Information

Privacy Risk: Loss, destruction or loss of use of information
Description:
  • A power failure or hardware failure causes data in the data centre to be lost or to be inaccessible.
  • Malware causes data to be lost or to be inaccessible.
  • The network is unavailable at the time that a user attempts to transmit personal information.
Mitigation Measures:
  • Fully redundant power supply to the data centre and redundant power supply for firewalls.
  • Servers are virtualized and configured to be fully redundant.
  • Nirix uses enterprise class anti-virus and anti-spyware software on all servers. Anti-virus software is updated daily and monitored 24x7x365. Any detection of a virus immediately sets off an alert and the appropriate staff are notified.
  • Personal data is held on the device in encrypted format until the network is available and the user transmits it. After transmission it is wiped from the device.
Policy Reference *: Section 5 Security of Personal Information

Privacy Risk: Loss of integrity of information
Description: Malware, a bug in the software or a hardware failure causes errors in the data index and data is not retrievable.
Mitigation Measures:
  • Server backups are performed every evening.
  • REACH data is transitory and is uploaded to the Social Solutions ETO server on a regular basis.
Policy Reference *: Section 5 Security of Personal Information

Privacy Risk: Unauthorized or inappropriate collection or disclosure of information by an authorized user
Description: An authorized user collects information that is not required for program purposes, discloses information to a party for which consent to disclose has not been obtained, or discloses the information to the wrong party.
Mitigation Measures:
  • Policy that establishes need to know and consent to disclose is required.
  • Privacy breach procedures are set out in the privacy policy.
  • Provide privacy training to staff on the policy and processes to use.
  • Monitor for compliance.
Policy Reference *: # 3 Disclosure of Personal Information; # 4 Consent

* Number refers to the section of REACH Edmonton Privacy Policy 1.4 updated August, 2014

Monitoring

All service event entry will be logged and will include the date/time and user id involved. 

All access to the server in the data centre is logged and monitored.
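The access rule stated in the Access Control and Risk Mitigation tables above (an outreach worker may open only the encounters he/she initiated or was assigned on shift change from a user of the same agency, after selecting one of his/her own programs), together with the logging of failed authentication attempts and of every access request by date/time and user id, as an added C# illustration. This is example code written for this page, not the project’s server code: the user, encounter and audit types, the in-memory log and the sample users and encounter are all constructed for the example. In the real system the credential check is made against the ETO user directory and the log would be persisted rather than held in a list.

```csharp
// Added example (not the project's code): server-side authorization for encounter
// access plus an audit trail of logins and access requests. All names and sample
// data are constructed for the illustration.
using System;
using System.Collections.Generic;

public enum Outcome { Allowed, DeniedAccessNotEnabled, DeniedWrongProgram, DeniedNotOwnerOrAssignee }

public sealed class AppUser
{
    public string UserId;                  // user id as verified against the user directory
    public string Agency;                  // partner agency the worker belongs to
    public bool AccessEnabled;             // set by the REACH Access Administrator
    public HashSet<string> Programs = new HashSet<string>();   // programs the user works in
}

public sealed class Encounter
{
    public string EncounterId, Program, Agency, CreatedBy, AssignedTo;
}

public sealed class AuditEntry
{
    public DateTime WhenUtc; public string UserId; public string Action; public string Detail;
    public override string ToString() { return WhenUtc.ToString("o") + " " + UserId + " " + Action + " " + Detail; }
}

public sealed class EncounterAccessPolicy
{
    public readonly List<AuditEntry> Audit = new List<AuditEntry>();   // stand-in for a persisted log

    private void Log(string userId, string action, string detail)
    {
        Audit.Add(new AuditEntry { WhenUtc = DateTime.UtcNow, UserId = userId, Action = action, Detail = detail });
    }

    // Every credential check is logged, failed ones included.
    public void RecordLogin(string userId, bool credentialsValid)
    {
        Log(userId, credentialsValid ? "LOGIN_OK" : "LOGIN_FAILED", "");
    }

    // Decide whether 'user', working in 'selectedProgram', may open encounter 'e'.
    // The request is logged whatever the outcome.
    public Outcome Authorize(AppUser user, string selectedProgram, Encounter e)
    {
        Outcome o;
        if (!user.AccessEnabled)
            o = Outcome.DeniedAccessNotEnabled;            // directory says valid, but no admin enablement
        else if (!user.Programs.Contains(selectedProgram) || e.Program != selectedProgram)
            o = Outcome.DeniedWrongProgram;                // must be working in the encounter's program
        else if (e.CreatedBy == user.UserId)
            o = Outcome.Allowed;                           // the worker initiated this encounter
        else if (e.AssignedTo == user.UserId && e.Agency == user.Agency)
            o = Outcome.Allowed;                           // transferred on shift change within the same agency
        else
            o = Outcome.DeniedNotOwnerOrAssignee;
        Log(user.UserId, "ENCOUNTER_ACCESS", e.EncounterId + " " + o);
        return o;
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new EncounterAccessPolicy();
        // Constructed sample data: no real users, agencies or clients.
        var alice = new AppUser { UserId = "alice", Agency = "AgencyA", AccessEnabled = true, Programs = { "MAP" } };
        var bob   = new AppUser { UserId = "bob",   Agency = "AgencyA", AccessEnabled = true, Programs = { "MAP" } };
        var carol = new AppUser { UserId = "carol", Agency = "AgencyB", AccessEnabled = true, Programs = { "MAP" } };
        var enc = new Encounter { EncounterId = "E-1", Program = "MAP", Agency = "AgencyA", CreatedBy = "alice", AssignedTo = "bob" };

        policy.RecordLogin("alice", false);                  // mistyped password
        policy.RecordLogin("alice", true);
        Console.WriteLine(policy.Authorize(alice, "MAP", enc));   // alice initiated E-1
        Console.WriteLine(policy.Authorize(bob, "MAP", enc));     // E-1 was handed to bob on shift change
        Console.WriteLine(policy.Authorize(carol, "MAP", enc));   // carol is in another agency
        foreach (var entry in policy.Audit) Console.WriteLine(entry);
    }
}
```

The check is written so that denial is the default and each allowing branch corresponds to one clause of the stated rule; the audit entry carries the outcome so that a reviewer can see attempted access to files outside a worker’s caseload, which is the first risk in the Risk Mitigation Table.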

PIA Compliance

Given that the 24/7 Edmonton Outreach Worker application is new and usage will grow, particularly during the first one to two years after implementation, the REACH Privacy Officer will conduct a review of the PIA approximately 18 months after implementation to determine if there have been significant changes that may require an addendum to the PIA. The review will include, but not be limited to:

  • Changes to legislation
  • Changes to privacy policy
  • Changes in type of input devices used
  • Changes to the outsourcer or data centre used to store the personal information in the application
  • Changes to the personal information collected
  • Changes to the purpose for which the personal information was collected
  • Changes to the organization or management of REACH
  • Changes to the information sharing agreements including consent and disclosure provisions and acceptable use of personal information with frontline agencies.   

Section E

General Privacy Policies

Topic: Privacy Accountability
Policy Description: # 11 Inquiries regarding privacy policies and practices: contact the Privacy Officer
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 5

Topic: Access to Information
Policy Description: # 6 Access and Amendment to Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 4

Topic: Correction Requests
Policy Description: # 6 Access and Amendment to Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 4

Topic: Training, Awareness and Sanctions
Policy Description: # 5 Security of Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 3

Topic: Collection of Information
Policy Description: # 1 Collection and Use of Personal Information; # 2 Method of Collection
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 1 and 2

Topic: Use of Information
Policy Description: # 1 Collection and Use of Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 1 and 2

Topic: Disclosure of Information
Policy Description: # 3 Disclosure of Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy 1.4
Page Reference: 2

Topic: Research

Topic: Third Parties
Policy Description: # 2 Method of Collection; # 3 Disclosure of Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 2

Topic: Privacy Impact Assessments
Policy Description: As REACH is subject to PIPA, used on an ad hoc basis

Topic: Records Retention and Disposition
Policy Description: # 7 Storage of Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 4

Topic: Information Classification
Policy Description: # 5 Security of Personal Information
  • Transmittal of Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 3 and 4

Topic: Risk Assessment
Policy Description: # 5 Security of Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 3 and 4

Topic: Physical Security of Data and Equipment
Policy Description: # 5 Security of Personal Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 3

Topic: Network Communications and Controls
Policy Description: # 5 Security of Personal Information
  • Transmittal of Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 3

Topic: Access Controls
Policy Description: # 5 Security of Personal Information
  • Computer Workstations
  • Passwords/Access Cards
  • Locking Filing Cabinets
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 3

Topic: Monitoring and Audit
Policy Description: # 5 Security of Personal Information
  • Security Incidents
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4

Topic: Incident Response
Policy Description: # 9 Complaints; # 11 Contact Information
Attachment Title*: REACH Edmonton Council for Safe Communities Policy I.4
Page Reference: 4

Topic: Business Continuity

Topic: Change Control

Topic: Project Specific Policies

List of Attachments

  1. REACH Edmonton Privacy Policy I.4 updated August, 2014
  2. An example of privacy training handout for REACH
  3. Nirix Standard Security Practice for Cloud Computing Services for outsourcing of data storage
  4. Template information sharing agreement between REACH and other frontline agencies that use app

REACH Outreach

[1] REACH Edmonton Impact 2012 Building Partnerships, Working Together, Making a Difference page 16.