Job Description:

RQ00594 - Privacy Impact Assessment Specialist - Level 3
Toronto, ON
Start Date: 2021-02-01
End Date: 2021-07-31
Title: Privacy Impact Assessment Specialist

Description

MSP Notes
- Shortlisting Date: Wednesday, January 20th at 2:00 pm EST
- Maximum number of Candidate Submissions: 1 (One)
- Must-haves: Privacy Impact Assessment experience with Software as a Service cloud deployment models, reviewing Endpoint Protection, Web Application Firewall, Security Information and Event Management (SIEM)
- Nice to have: Public Sector experience

Note
Assignment Type: This position is currently listed as "Onsite" due to COVID-19 related WFH direction. Once OPS staff are required to return to the office, the resource under this request will be required to work onsite as well.

Responsibilities
Required to lead or support the development of a privacy impact assessment that evaluates whether new technologies, information systems, or proposed programs or policies meet legal and policy privacy requirements, determine and mitigate risks, and address clients' concerns. These requirements include ensuring that the program complies with provincial, municipal, federal and private sector access and privacy legislation, as well as relevant regulations, statutes, OPS policies, Directives, standards, guidelines and internationally accepted Fair Information Practices.

General Skills
- Excellent knowledge of privacy and security concepts, trends, and issues. This will include an understanding of their impact on business processes, as well as skill with interpretation and communication of principles and compliance requirements
- Knowledge of, and experience in researching and applying relevant information privacy laws, regulations, jurisprudence (particularly as it relates to the Information and Privacy Commissioner of Ontario) and risk countermeasures
- Experience in conducting Privacy Impact Assessments in public sector context
- Knowledge of, and experience with privacy enhancing best practices
- Knowledge and ability to interpret and apply Ontario's Freedom of Information and Protection of Privacy Act (FIPPA) and its municipal equivalent, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Personal Health Information Protection Act (PHIPA), their respective regulations and related jurisprudence
- Familiarity with federal Personal Information Protection and Electronic Documents Act (PIPEDA) and US PATRIOT Act.

Policy Knowledge
- Familiarity with OPS Privacy Impact Assessment Process and Tools released by the Ontario Ministry of Government Services
- Good understanding of related disciplines, such as IT security, IT system design, policy development (privacy or security), business architecture, legal processes, Freedom of Information administration, business analysis, risk management, project management.

Operational Program and Business Design Skills
- Ability to lead, manage or support the development of a PIA either independently or as part of a team by directing and gathering input from specific individuals within the organization
- Knowledge and ability to create and understand data flow diagrams and business process diagrams
- Ability to recognize the need for, and seek input from external experts as required
- Excellent communication skills with technical and business audiences and non-access and privacy experts.

Technology and Systems Knowledge
- Analytical skills to understand the current and future access and privacy implications of policies, decisions and business initiatives
- Knowledge of Information Technology concepts and processes that impact the protection of personal information, including (but not limited to) Internet tools, system interfaces, information security, information architecture and data flows.

Information and Record Keeping Knowledge
- Experience in developing risk assessment tools, methodologies, policies and procedures to effectively manage personal information
- Knowledge of policies, directives, standards, business rules, procedures and guidelines relating to records management including classification, retention and disposition of information.
- Knowledge and understanding of Accessibility for Ontarians with Disabilities Act (AODA) and related regulations and standards

Desirable Skills
- Professional certification from a related discipline such as IT security, architecture
- Experience providing education and training related to privacy
- Knowledge of, and experience with the policies and procedures of the Ontario government (e.g. business case development, project approvals and policy development)

Skills

Experience and Skill Set Requirements
The Privacy Impact Specialist is directly supporting the delivery of the OPS Cyber Security Strategy which is a key enabler to the government's "Digital First" transformation agenda.

In this role the Privacy Impact Specialist will:
- Review, analyze and produce a Privacy Impact Assessment for the following enterprise security platforms:
  - Endpoint Protection
  - Web Application Firewall
  - Security Information and Event Management (SIEM)
- Must have significant experience to review and produce a Privacy Impact Assessment report against enterprise security platforms
- Experience with Software as a Service cloud deployment models
- Ensure enterprise security platforms meet privacy requirements by:
  - reviewing material & configurations
  - comparing policies and legislation
- Work effectively with other Security teams and external partners to produce the required Privacy Impact Assessment reports.

Evaluation Criteria

Technical Skills - 40%
- 5+ years of experience as a privacy expert including:
  - Managing privacy risks in the collection, use, and disclosure of assessment information within and between HSPs
  - Leading end-to-end operational risk assessments, including selecting risk methodologies, identifying privacy compliance gaps, priorities, dependencies and redundancies, and recommending process remediation or simplification
  - Implementing information privacy best practices in the operation of healthcare systems containing personal health information
  - Developing, implementing and operating information security and privacy risk management programs based on the ISO/IEC 17799/27001/27799 standards, including strategic planning, benefits-driven approaches, performance evaluations and implementation plans
  - Implementing information security and privacy best practices, including but not restricted to, risks to the security of data (such as financial information) and risks to the privacy of personal information
- Experience with commonly used business software (e.g. word processing, spreadsheet, database management) in order to develop complete systems, user and operations documentation

Privacy Impact Assessment (PIA) Skills - 40%
- Extensive experience in conducting conceptual, logical and physical Privacy Impact Analysis (PIAs), Threat Risk Analysis (TRAs)
- Experience in testing privacy and security functions
- Extensive experience of implementing and operating security technologies and conducting vulnerability assessments and penetration testing.

Stakeholder Management & Communication Skills - 15%
- Understanding of and experience with the maintenance of information standards involving multiple stakeholders
- Strong leadership and people management skills and experience
- Effective facilitation skills; ability to build rapport with stakeholders and drive negotiations to a successful outcome
- Proven track record for building strong working relationships

Public Sector Experience - 5%
- 5+ years of experience providing security and privacy expertise
- In-depth knowledge of personal information protection legislative requirements and how they apply to developing and maintaining systems containing personal information
- Experience providing privacy training and awareness in the I&IT sector