Mitigating privacy risks to streamline modernization

The need

Halifax Water required Privacy Impact Assessments (PIA) to identify privacy risks associated with large IT projects fundamental to their five-year plan. The 12+ PIAs involved migrating to Office 365, updating the customer contact center’s telephony solution (CCMS), and implementing a new internal payroll system.

The solution

Each project was assessed by our multi-disciplinary team to identify if a PIA or an exemption letter was needed. Both PIAs and exemption letters identified privacy related risks to Halifax Water, appropriate legislation, and recommendations for mitigations to minimize or eliminate privacy risk. PIAs were also analyzed for privacy risks across multiple vendors and data sources. All PIAs were reviewed by our Legal Analyst, the Halifax Water project teams, the Halifax Water Executive, and Nova Scotia’s Office of the Information Privacy Commissioner (OIPC).

Barrington’s Privacy team:

• Performed a gap analysis to identify any risks in the contract between Halifax Water and third-party vendors as well as in the physical, technical, and administrative safeguards;
• Researched information flows, third-party service provider processes, internal processes, and risks associated with each technical solution;
• Assessed the solutions, identifying gaps, and making risk, policy, and process recommendations for mitigation and improvements; and,
• Drafted the PIAs, reviewed Executive feedback and met with investigators from the Provincial Office of the Information and Privacy Commissioner

The results

All PIAs were approved by the Halifax Water executive team and OIPC and were recognized as being valuable in mitigating any future risk for Halifax Water, setting each modernization project up for long-term success.