Information security and privacy protection aspects of electronic information management in the Belgian social sector

Information security and privacy protection aspects of electronic information management in the Belgian social sector. Frank Robben General manager Crossroads Bank for Social Security Sint-Pieterssteenweg 375 B-1040 Brussels E-mail: Frank.Robben@ksz.fgov.be Website CBSS: www.ksz.fgov.be




  1. Information security and privacy protection aspects of electronic information management in the Belgian social sector
     Frank Robben, General manager, Crossroads Bank for Social Security, Sint-Pieterssteenweg 375, B-1040 Brussels
     E-mail: Frank.Robben@ksz.fgov.be
     Website CBSS: www.ksz.fgov.be
     Personal website: www.law.kuleuven.be/icri/frobben

  2. Stakeholders of the Belgian social sector
     • > 10,000,000 citizens
     • > 220,000 employers
     • about 3,000 public and private institutions (actors) at several levels (federal, regional, local) dealing with
       • collection of social security contributions
       • delivery of social security benefits
         • child benefits
         • unemployment benefits
         • benefits in case of incapacity for work
         • benefits for the disabled
         • reimbursement of health care costs
         • holiday pay
         • old age pensions
         • guaranteed minimum income
       • delivery of supplementary social benefits
       • delivery of supplementary benefits based on the social security status of a person

  3. The problem
     • a lack of well-coordinated service delivery processes and of well-coordinated information management led to
       • suboptimal effectiveness of social protection
       • a huge avoidable administrative burden and related costs for
         • the citizens
         • the employers/companies
         • the actors in the social sector
       • service delivery that didn’t meet the expectations of the citizens and the companies
       • insufficient social inclusion
       • too many possibilities for fraud
       • suboptimal support of social policy

  4. Expectations of citizens and companies
     • effective social protection
     • integrated services
       • attuned to their concrete situation, and personalized when possible
       • delivered at the occasion of events that occur during their life cycle (birth, going to school, starting to work, move, illness, retirement, starting up a company, …)
       • across government levels, public services and private bodies
       • attuned to their own processes
     • with minimal costs and minimal administrative burden
       • if possible, granted automatically
       • with active participation of the user (self service)
     • well performing and user-friendly
     • reliable, secure and permanently available
     • accessible via a channel chosen by the user (direct contact, phone, PC, …)
     • sufficient privacy protection

  5. The solution
     • a network between all 3,000 social sector actors with a secure connection to the internet, the federal MAN, regional extranets, extranets between local authorities and the Belgian interbanking network
     • a unique identification key
       • for every citizen, electronically readable from an electronic social security card and an electronic identity card
       • for every company
       • for every establishment of a company
     • an agreed division of tasks between the actors within and outside the social sector with regard to collection, validation and management of information and with regard to electronic storage of information in authentic sources

  6. The solution
     • 210 electronic services for mutual information exchange amongst actors in the social sector, defined after process optimization
       • nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
       • in 2007, 656 million electronic messages were exchanged amongst actors in the social sector, which saved as many paper exchanges
     • electronic services for citizens
       • maximal automatic granting of benefits based on electronic information exchange between actors in the social sector
       • 8 electronic services via an integrated portal
         • 3 services to apply for social benefits
         • 5 services for consultation of social benefits
       • about 30 new electronic services are foreseen

  7. The solution
     • 41 electronic services for employers, either based on the electronic exchange of structured messages or via an integrated portal site
       • 50 social security declaration forms for employers have been abolished
       • in the remaining 30 (electronic) declaration forms the number of headings has on average been reduced to a third of the previous number
       • declarations are limited to 4 events
         • immediate declaration of recruitment (only electronically)
         • immediate declaration of discharge (only electronically)
         • quarterly declaration of salary and working time (only electronically)
         • occurrence of a social risk (electronically or on paper)
       • in 2007, 23 million electronic declarations were made by all 220,000 employers, 98 % of which from application to application

  8. The solution
     • an integrated portal site containing
       • electronic transactions for citizens, employers and professionals
       • simulation environments
       • information about the entire social security system
       • harmonized instructions and information model relating to all electronic transactions
       • a personal page for each citizen, each company and each professional
     • an integrated multimodal contact centre supported by a customer relationship management tool
     • a data warehouse containing statistical information with regard to the labour market and all branches of social security

  9. The solution
     • reference directory
       • directory of available services/information
         • which information/services are available at any actor depending on the capacity in which a person/company is registered at each actor
       • directory of authorized users and applications
         • list of users and applications
         • definition of authentication means and rules
         • definition of authorization profiles: which kind of information/service can be accessed, in what situation and for what period of time depending on in which capacity the person/company is registered with the actor that accesses the information/service
       • directory of data subjects
         • which persons/companies have personal files at which actors for which periods of time, and in which capacity they are registered
       • subscription table
         • which users/applications want to automatically receive what information/services in which situations for which persons/companies in which capacity

  10. CBSS as driving force
     • coordination by the Crossroads Bank for Social Security
       • Board of Directors consists of representatives of the companies, the citizens and the actors in the social sector
       • mission
         • definition of the vision and the strategy on eGovernment in the social sector
         • definition of the common principles related to information management, information security and privacy protection
         • definition, implementation and management of an interoperability framework
           • technical: secure messaging of several types of information (structured data, documents, images, metadata, …)
           • semantic: harmonization of concepts and co-ordination of necessary legal changes
           • business logic and orchestration support
         • coordination of business process reengineering
         • stimulation of service oriented applications
         • driving force of the necessary innovation and change
         • consultancy and coaching

  11. Co-operative governance
     • CBSS has an innovative model of governance, steering the business process re-engineering with complex interdependencies between all actors involved
     • Board of Directors of the CBSS
       • consists of representatives of the stakeholders (employers associations, trade unions, social security institutions, …)
       • approves the strategic, operational and financial plans of the CBSS
     • General Coordination Committee with representation of all users acts as debating platform for the elaboration and implementation of eGovernment initiatives within the social sector

  12. Co-operative governance
     • permanent or ad hoc working groups are instituted within the General Coordination Committee in order to co-ordinate the execution of programs and projects
     • the chairmen of the various working groups meet regularly as a Steering Committee
     • besides project planning and follow-up, proper measuring facilities are available to assure permanent monitoring and improvement after the implementation of the electronic services

  13. Adequate management and control techniques
     • annual priority plan debated with all users within the General Coordination Committee of the CBSS
     • cost accounting and zero-based budgeting resulting in financial transparency, an informed budget and a good evaluation of the management contract with the Belgian federal government
     • internal control based on the COSO methodology (see www.coso.org) in order to provide reasonable assurance regarding the achievement of objectives with regard to
       • effectiveness and efficiency of operations
       • reliability of financial reporting
       • compliance with applicable laws and regulations
     • external audit with regard to the correct functioning of the internal control system

  14. Adequate management and control techniques
     • program management through the whole social sector
     • issue management during the management of each program
     • use of a system of project management combined with a time keeping system to follow up projects that are realized by the CBSS and its partners
     • frequent reports to all users which describe the progress of the various projects and eventual adjustment measures
     • use of balanced scorecards and a dashboard to measure, follow-up and evaluate the performance of the electronic services and the CBSS
     • use of ITIL (see www.itil-itsm-world.com) for ICT service delivery
     • use of a coherent set of monitoring techniques to guarantee an optimal control and transparency of the electronic services

  15. Towards a network of service integrators
     [Diagram: three service integrators, each with its own services repository, connected over the Internet: the CBSS for the social sector extranet (actors ASS, FPS), FEDICT for the federal level via FEDMAN (FPS, RPS), and the regional or community integrators (Corve, Easi-Wal, CIRB, …) for the regional or community extranets; municipalities, cities and provinces connect via VPN, Publi-link, VERA, …]

  16. Advantages
     • gains in efficiency
       • in terms of cost: services are delivered at a lower total cost
         • due to
           • a unique information collection using a common information model and administrative instructions
           • less need to re-encode information, by stimulating electronic information exchange
           • a drastic reduction of the number of contacts between actors in the social sector on the one hand and companies or citizens on the other
           • a functional task sharing concerning information management, information validation and application development
       • a minimal administrative burden
         • according to a study of the Belgian Planning Bureau, rationalization of the information exchange processes between the employers and the social sector implies an annual saving of administrative costs of about 1.7 billion € a year for the companies

  17. Advantages
     • gains in efficiency
       • in terms of quantity: more services are delivered
         • services are available at any time, from anywhere and from several devices
         • services are delivered in an integrated way according to the logic of the customer
       • in terms of speed: the services are delivered in less time
         • benefits can be allocated quicker because information is available faster
         • waiting and travel time is reduced
         • companies and citizens can directly interact with the competent actors in the social sector with real time feedback

  18. Advantages
     • gains in effectiveness: better social protection
       • in terms of quality: same services at same total cost in same time, but to a higher quality standard
       • in terms of type of services: new types of services, e.g.
         • push system: automated granting of benefits
         • active search of non-take-up using data warehousing techniques
         • controlled management of own personal information
         • personalized simulation environments
         • better support of social policy
         • more efficient combating of fraud

  19. Critical success factors
     • common vision on electronic service delivery, information management and information security amongst all stakeholders
     • support of and access to policymakers at the highest level
     • trust of all stakeholders, especially partners and intermediaries, based on
       • mutual respect
       • real mutual agreement
       • transparency
       • respect for legal allocation of competences between actors
     • co-operation between all actors concerned based on distribution of tasks rather than centralization of tasks
     • focus on more effective and efficient service delivery and on cost control

  20. Critical success factors
     • reasoning in terms of added value for citizens and companies rather than in terms of legal competences
     • quick wins combined with long term vision
     • lateral thinking when needed
     • adaptability to an ever changing societal and legal environment
     • electronic service delivery as a structural reform process
       • process re-engineering within and across actors
       • back-office integration for unique information collection, re-use of information and automatic granting of benefits
       • integrated and personalized front-office service delivery

  21. Critical success factors
     • multidisciplinary approach
       • process optimization
       • legal coordination
       • ICT coordination
       • information security and privacy protection
       • change management
       • communication
       • coaching and training

  22. Critical success factors
     • appropriate balance between efficiency on the one hand and information security and privacy protection on the other
     • technical and semantic interoperability
     • legal framework
     • creation of an institution that stimulates, co-ordinates and assures a sound program and project management
     • availability of skills and knowledge => creation of an association that hires ICT specialists at normal market conditions and puts them at the disposal of the actors in the social sector
     • sufficient financial means for innovation: agreed possibility to re-invest efficiency gains in innovation
     • service oriented architecture (SOA)

  23. Critical success factors
     • need for radical cultural change within government, e.g.
       • from hierarchy to participation and team work
       • meeting the needs of the customer, not the government
       • empowering rather than serving
       • rewarding entrepreneurship within government
       • ex post evaluation on output, not ex ante control of every input

  24. Information security and privacy protection
     • security, availability, integrity and confidentiality of information is ensured by integrated security measures according to agreed policies:
       • structural
       • institutional
       • legal
       • organizational
       • HR-related
       • technical

  25. Structural and institutional measures
     • no central data storage
     • the access authorization to personal information is granted by a Sector Committee of the Privacy Commission, designated by Parliament, after having checked whether the access conditions are met
     • the access authorizations are public
     • every actual electronic exchange of personal information has to pass an independent trusted third party (basically the CBSS) and is preventively checked on compliance with the existing access authorizations by that trusted third party
     • every actual electronic exchange of personal information is logged, to be able to trace possible abuse afterwards
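The reference directory of slide 9 and the preventive check and logging of slide 25, as an added Python model that is not code from the CBSS: the Sector Committee's public authorizations, the directory of data subjects and the subscription table drive one check that every pull or push has to pass, and every decision is logged whether it was allowed or refused. All actor names, persons, information types and dates are constructed for illustration.

```python
"""Toy model of the reference directory (slide 9) and the preventive check and logging
by the trusted third party (slide 25). Added example, not CBSS code: every actor, person,
information type and date is constructed. Dates are ISO strings, so they compare as text."""
from dataclasses import dataclass, field
from typing import Optional

def _in_period(on: str, start: str, end: Optional[str]) -> bool:
    """True when `on` lies in [start, end]; end=None means open-ended."""
    return start <= on and (end is None or on <= end)

@dataclass(frozen=True)
class Authorization:
    """Public Sector Committee authorization: `actor` may receive `info_type` about persons in `capacity`."""
    actor: str
    info_type: str
    capacity: str
    start: str
    end: Optional[str] = None

@dataclass(frozen=True)
class SubjectEntry:
    """Directory of data subjects: `person` has a file at `actor` in `capacity`."""
    person: str
    actor: str
    capacity: str
    start: str
    end: Optional[str] = None

@dataclass(frozen=True)
class Subscription:
    """Subscription table: `actor` wants `info_type` pushed when `situation` occurs."""
    actor: str
    info_type: str
    capacity: str
    situation: str

@dataclass
class ReferenceDirectory:
    authorizations: list = field(default_factory=list)
    subjects: list = field(default_factory=list)
    subscriptions: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # every exchange, allowed or refused

    def holders(self, person, capacity, on):
        """Actors holding a file on `person` in `capacity` on date `on`."""
        return {s.actor for s in self.subjects if s.person == person
                and s.capacity == capacity and _in_period(on, s.start, s.end)}

    def is_authorized(self, actor, info_type, capacity, on):
        return any(a.actor == actor and a.info_type == info_type and a.capacity == capacity
                   and _in_period(on, a.start, a.end) for a in self.authorizations)

    def check_exchange(self, requester, source, person, capacity, info_type, on):
        """Preventive check of one exchange; the decision is logged either way."""
        if not self.is_authorized(requester, info_type, capacity, on):
            allowed, reason = False, "no Sector Committee authorization"
        elif source not in self.holders(person, capacity, on):
            allowed, reason = False, "person not registered at source in that capacity"
        else:
            allowed, reason = True, "ok"
        self.audit_log.append(dict(date=on, requester=requester, source=source, person=person,
                                   capacity=capacity, info_type=info_type, allowed=allowed))
        return allowed, reason

    def push_targets(self, situation, source, person, capacity, info_type, on):
        """Subscribers to notify: each must hold a file on the person and pass the same check."""
        targets = []
        for sub in self.subscriptions:
            if (sub.situation, sub.info_type, sub.capacity) != (situation, info_type, capacity):
                continue
            if sub.actor not in self.holders(person, capacity, on):
                continue
            if self.check_exchange(sub.actor, source, person, capacity, info_type, on)[0]:
                targets.append(sub.actor)
        return targets

def build_sample() -> ReferenceDirectory:
    """Constructed sample: HealthFund authorized from 2008; PensionOffice subscribed, not authorized."""
    d = ReferenceDirectory()
    d.authorizations.append(Authorization("HealthFund", "salary_data", "employee", "2008-01-01"))
    for actor in ("NSSO", "HealthFund", "PensionOffice"):
        d.subjects.append(SubjectEntry("P1", actor, "employee", "2007-06-01"))
    for actor in ("HealthFund", "PensionOffice"):
        d.subscriptions.append(Subscription(actor, "salary_data", "employee", "recruitment"))
    return d
```

A refused push from the subscription table still leaves an audit entry, which is what lets abuse or misconfiguration be traced afterwards.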

  26. Structural and institutional measures
     • every actor in the social sector disposes of an information security officer with an advisory, stimulating, documentary and control task
     • specialized information security service providers in the social sector have been recognized in order to support the information security officers
     • a working party on information security and privacy protection within the social sector has been established
     • minimal information security and privacy protection standards are proposed by the working party on information security and privacy protection and are established by the Sector Committee

  27. Structural and institutional measures
     • every year, every actor in the social sector has to report to the Sector Committee on compliance with the minimal information security and privacy protection standards
     • in case an actor in the social sector doesn’t meet the minimal information security and privacy protection standards, the actor can be prohibited by the Sector Committee to be connected to the CBSS

  28. Independent Sector Committee
     • established within the Privacy Commission
     • composed of
       • 2 members of the Privacy Commission
       • 3 independent social security specialists designated by Parliament
     • competences
       • supervision of information security
       • authorizing the information exchange
       • complaint handling
       • information security recommendations
       • extensive investigating powers
       • annual activity report

  29. Information security department
     • at each actor in the social sector
     • composition
       • information security officer
       • one or more assistants
     • control on independence and permanent education of the information security officers is performed by the Sector Committee
     • the Sector Committee can allow to commit the task of the information security department to a recognized specialized information security service provider

  30. Information security department: tasks
     • information security department
       • recommends
       • promotes
       • documents
       • controls
       • reports directly to the general management
       • formulates the blueprint of the security plan
       • elaborates the annual security report
     • general management
       • takes the decision
       • is finally responsible
       • gives motivated feedback
       • approves the security plan
       • supplies the resources

  31. Contents of the security report
     • general overview of the security situation
     • overview of the activities
       • recommendations and their effects
       • control
       • campaigns in order to promote information security
     • overview of the external recommendations and their effects
     • overview of the received trainings

  32. Specialized IS service providers
     • to be recognized by the Government
     • recognition conditions
       • non-profit association
       • having information security in the social sector as the one and only activity
       • respecting the tariff principles determined by the Government
     • control on independence is performed by the Sector Committee
     • tasks
       • keeping information security specialists at the disposal of the associated actors
       • recommending
       • organizing information security trainings
       • supporting campaigns promoting information security
       • external auditing on request of the actor or the Sector Committee
     • each actor can only associate with one specialized information security service provider

  33. Working party on information security
     • composition
       • information security officers of all branches of the social sector
     • task
       • coordination
       • communication
       • proposal of minimal information security and privacy protection standards
       • check list
       • recommendations to the Sector Committee

  34. Legal measures
     • obligations of the actors in the social sector as data controllers (i.e. the natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data)
     • rights of the data subjects (i.e. the natural persons the personal data relate to)
     • remedies, liability and sanctions

  35. Obligations of actors in the social sector
     • principles relating to fair and lawful processing and data quality
     • information to be given to the data subject
     • confidentiality and security of processing

  36. Fair and lawful processing and data quality
     • fair and lawful processing
     • collection only for specified, explicit and legitimate purposes
     • no further processing in a way incompatible with those purposes
     • personal data must be adequate, relevant and not excessive in relation to those purposes
     • personal data must be accurate and kept up to date
     • personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject

  37. Fair and lawful processing and data quality
     • respect of additional protection measures related to sensitive data, i.e. data revealing or concerning
       • racial or ethnic origin
       • political opinions
       • religious or philosophical beliefs
       • trade union membership
       • health
       • sexual life
       • offences, criminal convictions or security measures

  38. Informing the data subject
     • the controller or his representative must provide the data subject a minimum of information
       • when obtaining personal data from the data subject
       • when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject
     • exceptions:
       • the data subject already has the information
       • informing the data subject in case of processing of data obtained from another person
         • proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research, or
         • would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research, or
         • is not necessary because the recording or disclosure is expressly laid down by law

  39. Informing the data subject
     • information to be given
       • identity of the controller and his representative, if any
       • the purposes of the processing
       • any further information necessary to guarantee fair processing in respect of the data subject, such as
         • categories of processed data
         • (categories of) recipients
         • whether replies are obligatory or not, as well as the possible consequences of failure to reply
         • the existence of rights of access and rectification

  40. Confidentiality and security
     • no access to personal data is permitted except on instructions from the controller or if required by law
     • appropriate technical and organizational security measures
       • protection against
         • accidental or unlawful destruction
         • accidental loss
         • alteration
         • unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
         • all other forms of unlawful processing
       • measures have to be appropriate
         • to the risks represented by the processing
         • and the nature of the data to be protected
         • having regard to the state of the art
         • and the cost of their implementation

  41. Confidentiality and security
     • where processing is carried out by an external processor
       • the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
       • the controller must ensure compliance of the processing with the security measures
       • the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
         • the processor shall act only on instructions from the controller
         • the security obligations shall also be incumbent on the processor

  42. Recommendation Belgian Privacy Commission
     • see http://www.privacycommission.be/nl/static/pdf/referenciemaatregelen-vs-01.pdf
     • risk analysis taking into account
       • the nature of the processed data
       • the applicable legal requirements
       • the size of the organization
       • the importance and the complexity of the information systems
       • the extent of internal and external access to personal data
       • the probability and the impact of the several risks
       • the cost of the implementation of risk mitigating measures

  43. Recommendation Belgian Privacy Commission
     • 10 types of measures
       • information security policy
       • information security officer
       • minimal organizational measures and measures related to staff
       • physical security
       • network security
       • access control
       • logging and investigation of logging
       • supervision, audit and maintenance
       • management of security incidents and continuity
       • documentation

  44. Rights of the data subject
     • right of privacy protection
     • right of information
       • access to the public register
       • in case of collection of data
       • in case of the recording or disclosure of data obtained elsewhere
     • right of access
     • right of rectification, erasure or blocking
     • right not to be subject to fully automated individual decisions
     • right of a judicial remedy

  45. Right of access
     • the data subject has the right to obtain from the controller without constraint, at reasonable intervals and without excessive delay or expense
       • confirmation as to whether or not data relating to him are being processed
       • information at least about
         • the purposes of the processing
         • the categories of data
         • the (categories of) recipients
       • communication of the data and any available information as to their source
       • knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him
     • every time information is used to take a decision, the information used is communicated to the person concerned together with the decision

  46. Right of rectification, erasure or blocking
     • the data subject has the right to obtain from the controller the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
     • the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort

  47. Automated individual decisions
     • every person is granted the right not to be subject to a decision which produces legal effects for him or significantly affects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ...
     • derogations are possible
       • under certain circumstances, in the course of the entering into or the performance of a contract, or
       • by law providing measures to safeguard the data subject’s legitimate interests

  48. Remedies, liability and sanctions
     • remedies
       • administrative remedies, inter alia before the Sector Committee
       • judicial remedies
         • for any breach of the rights guaranteed by the national law applicable
     • liability
       • right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
     • sanctions
       • penal sanctions
       • interdiction to process personal data

  49. Organizational, HR-related & technical measures
     • risk assessment
     • security policies
     • governance and organization of information security
     • inventory and classification of information
     • human resources security
     • physical and environmental security
     • management of communication and service processes
     • processing of personal data
     • access control
     • acquisition, development and maintenance of information systems
     • information security incident management
     • business continuity management
     • compliance: internal and external control
     • communication to the public of the policies concerning security and the protection of privacy

  50. Security policies
     • an integrated set of security policies is being elaborated through step-by-step refinement
     • the policies always have the following structure
       • material field of application: what the policy is all about
       • personal field of application: to whom does the policy apply
       • definitions of the concepts used under the policy
       • general principles: setting rules and responsibilities
       • requirements and references to other policies
       • sanctions, arising among other things from regulations, if the policy is not complied with
       • references to directives, architecture, procedures, standards and techniques to comply with the policy
       • date of validation by the bodies concerned
       • note of the person responsible for policy maintenance
