Privacy Risk Assessment Template (11295477-f7f3-4f4d-a992-2b3d8cbaeca0.xls)

Response key

YES: The answer to the question is either YES at present or, if a YES response cannot yet be given, there is a firm commitment to take whatever measures are necessary to provide a YES response once the project is complete. YES responses should be unequivocal, or nearly so.

NO: The answer to the question is either NO at present, or a NO response is likely once the project is complete.

DON'T KNOW: If the project is complete, the answer to the question is unknown. If the project is not complete, it is not yet known whether the response will be YES or NO when it is complete.

NOT APPLICABLE: Leave questions that are not applicable blank. There are few questions for which a "not applicable" response would be appropriate; they all begin with, or are preceded by, a phrase beginning with "If...". For all other questions, a blank response will be interpreted as "don't know".

Each question is answered in one of three columns: YES, NO or DON'T KNOW.

Principle 1: Accountability

Number   QUESTION   (YES / NO / DON'T KNOW)

P1-1   Does the responsible organization have a written privacy policy or statement of information practices?
P1-2   Have privacy policies or procedures been developed for the various aspects of the operations of the organization responsible for the project?
P1-3   Are there clearly defined responsibilities and accountabilities for safeguards to protect personal information?
P1-4   Does a reporting process exist to ensure that the management of the organization responsible for the project is informed of any privacy compliance issues?
P1-5   Are employees or agents with access to personal information in the organization responsible for the project provided with training related to privacy protection?
P1-6   Is there a person in the responsible organization who is accountable for privacy protection?
P1-7   Does the responsible organization have policies and procedures in place concerning the management of privacy breaches, including the notification of individuals when the confidentiality of their personal information has been breached?
P1-8   Has responsibility for the PIA been assigned to a specified individual or specified individuals?

       If the custody or control of personal information will be transferred to other public or private sector partners as part of the project:
P1-9      Where public and private sector partners are not subject to ATIPPA, have independent third-party audit mechanisms been incorporated into performance and partnership agreements, such that public accountability is assured?
P1-10     Will the responsible organization be provided with the results of regularly scheduled audits and compliance checks on the privacy practices of external partners?
P1-11  Does the organization have specific audit and enforcement mechanisms that oversee the collection, use and disclosure of personal information by public or private sector partners?
P1-12  Is there an inventory of personal information holdings associated with this project, or will one be created?

Comments (free text, max. 1000 characters)

Government of Ontario                                                                 11/30/2010                                                                                Page 1
Principle 2: Identify the Purposes of Collecting Personal Information

Number   QUESTION   (YES / NO / DON'T KNOW)

P2-1   Have options to minimize the routine collection of personal information been considered?
P2-2   Do application forms, questionnaires, survey forms, pamphlets, brochures, websites and other information collection and disclosure instruments associated with the project clearly state the purposes for the collection, use or disclosure of personal information?
P2-3   Does the notice of collection contain the specific purposes, the legal authorities for collection, and the contact information for the official designated to respond to queries regarding the purposes of collection?
P2-4   If there are secondary purposes that are not required to be included in the notice of collection (e.g. audit trail information, transaction validation, financial settlements), have these been documented?
P2-5   Is client consent sought for secondary uses of personal information, such as service monitoring?
P2-6   Is the notice of collection available to all persons affected, regardless of the medium or service channel they use?
P2-7   Does the notice of collection identify ALL of the following:
          a. a description of the personal information to be collected,
          b. the authority for its collection,
          c. the principal purpose(s) for which it is collected,
          d. the name, position, address and telephone number of a contact person?
P2-8   Does the notice of collection clearly distinguish between personal information collected for program purposes and personal information collected by partners for other purposes? Alternatively, are separate notices provided?

Comments (free text, max. 1000 characters)

Principle 3: Client’s Consent

Number   QUESTION   (YES / NO / DON'T KNOW)

P3-1   Where consent is required, do project staff know that the individual's consent must be obtained before or at the time they collect personal information?
P3-2   Where consent is required, do project staff know they must obtain an individual's consent before any new use or new disclosure of the information?
P3-3   Is express consent used whenever possible, and in all cases in which the individual would reasonably expect it?
P3-4   Are consent statements worded clearly, so that an individual can understand the purpose of the collection, use or disclosure?
P3-5   Does consent require a positive action by the customer?
P3-6   Have all feasible measures to avoid the indirect collection of personal information been taken?
P3-7      If not, is consent obtained from the individual to whom the information pertains?

P3-8   Does the proposal envision possible secondary uses for the personal information collected?
P3-9      If yes, does the authority for those uses flow from:
P3-10        a. consent?
P3-11        b. the consistent purpose rationale?
P3-12        c. other statutory authority?
P3-13  Is consent sought for secondary uses of personal information, such as service enhancement, resource management or research?
P3-14  If necessary, are mechanisms in place to obtain consent for the use of personal information for purposes not previously identified?
P3-15  Can a client’s refusal to consent to the collection or use of personal information for a secondary purpose, unless required by law, be honoured without disrupting service?
P3-16  Does refusal to consent to secondary uses of personal information by any service delivery partners affect the level of service provided to an individual with regard to authorized governmental transactions?
       Are there procedures in place for administering consent requirements that address:
P3-17     a. determining whether the customer has the capacity to give consent, by reason of age or capacity; and
P3-18     b. recognition of substitute decision makers (persons authorized to make decisions on behalf of an incapable person or minor)?

Comments (free text, max. 1000 characters)

Principle 4: Limits for Collecting Personal Information

Number   QUESTION   (YES / NO / DON'T KNOW)

P4-1   Have all purposes for collecting personal information been identified and documented?
P4-2   Are these purposes identified to the subject at or before the time the information is collected?
P4-3   Is the collection of personal information limited to that which is needed for the identified purposes?
P4-4   Has the combination of personal information from more than one source into new records of personal information been avoided?
P4-5      If not, are the purposes for combining the information consistent with the original purposes for collecting it?
P4-6   Is the collection of personal information:
P4-7      a. authorized by a statute, or
P4-8      b. related to and necessary for the proper administration of a lawfully authorized activity?
P4-9   Is personal information collected directly from the individual?
P4-10     If no, is there indirect collection of personal information from third parties?
P4-11        o If so, has the individual to whom the information pertains consented to such collection?
P4-12        o Alternatively, is the collection authorized under applicable privacy legislation, or other legislation?
P4-13  Is personally identifiable information indirectly collected from other programs?
P4-14  Is information anonymized when used for planning, forecasting, or evaluation purposes?

P4-15  Is access to data strictly restricted to authorized and accountable personnel?
P4-16  Is the personal information used for any other purposes or disclosed to any other organizations or business units?

Comments (free text, max. 1000 characters)

Principle 5: Limits for Using, Disclosing and Keeping Personal Information

Number   QUESTION   (YES / NO / DON'T KNOW)

P5-1   Is personal information used only for the stated purposes, or for uses that are demonstrably consistent with those purposes?
P5-2   Has the linkage of personal information across multiple databases been avoided? (NEW)
P5-3      If not, is that linkage performed only with internal identifiers (as opposed to widely used identifiers such as the social insurance number or OHIP number)?
P5-4   Where data matching or profiling occurs, is it consistent with the stated purposes for which the personal information is collected?
P5-5   Is a record of use maintained for any use or disclosure not consistent with the original stated purposes?
P5-6   Is the record of use attached to the personal information record?
P5-7   Is there any data matching between the responsible organization and other organizations, governments, and/or private sector partners?
P5-8   Where personal information is disclosed to an authorized data mart or data warehouse, does the head of the responsible organization approve each new use, user and match?
P5-9   Is the individual to whom the information pertains informed of the disclosure?
P5-10  Do you use contracts to ensure the protection of personal information transferred to a third party for processing?
       If so:
P5-11     Does the contract limit the third party's use of the information to purposes necessary to fulfil the contract?
P5-12     Does the contract require the third party to refer any requests for access, or complaints about the transferred information, to you?
P5-13     Does the contract specify how and when the third party is to dispose of or return any personal information it receives?
P5-14  Is there a timetable for retaining and disposing of personal information?
P5-15  When personal information is no longer required for the identified purposes, or is no longer required by law, is it destroyed, erased or made anonymous?

Comments (free text, max. 1000 characters)

Principle 6: Keeping Personal Information Accurate

Number   QUESTION   (YES / NO / DON'T KNOW)

P6-1   Does the responsible organization document when and how personal information is updated, to ensure its accuracy?

P6-2   Has the responsible organization ensured that personal information received from a third party is accurate and complete?
P6-3   Do records of personal information indicate the date of the last update?
P6-4   Is a record kept of the source of the information used to make changes to personal information (e.g., paper or transaction records)?
P6-5   Where applicable, is there a procedure, automatic or at the request of the individual, to provide notices of correction to third parties to whom personal information has been disclosed?
P6-6   Are records kept regarding requests for a review for accuracy, corrections, or decisions not to correct personal information?
P6-7   When an individual challenges the accuracy of a record, is he or she provided with information about the ministry contact person responsible for the records?
P6-8   When the individual and the ministry program representative cannot reach agreement regarding the accuracy of the record(s), is the individual advised of his or her right to file a statement of disagreement?
P6-9   Does the custodian of the record note the statement of disagreement on the record(s) in such a manner as to ensure that subsequent users who access the record(s) through any service channel are aware that the accuracy of the record(s) is disputed?

Comments (free text, max. 1000 characters)

Principle 7: Safeguarding Personal Information

Number   QUESTION   (YES / NO / DON'T KNOW)

P7-1   Have you reviewed your physical, technological and administrative security measures?
P7-2      If so, have these safeguards been selected on the basis of a Threat Risk Assessment, and
P7-3      have the recommended safeguards been approved and funded by the responsible management?
P7-4   Do they prevent improper access, modification, collection, use, disclosure and/or disposal of personal information?
P7-5   Is personal information protected by security safeguards that are appropriate to the:
          sensitivity of the information?
          scale of distribution?
          format of the information?
          method of storage?
P7-6   Has a "need-to-know" test been developed to limit access to personal information to what is necessary to perform assigned functions?
P7-7   Have project staff been trained in security practices to protect personal information?
P7-8   Are your staff aware that they should properly identify individuals and establish their right to access the personal information before disclosing it?
P7-9   Are there rules about who is permitted to add, change or delete personal information?
P7-10  Is there a user registration system that assigns user accounts, access rights and security authorizations?
P7-11  Are measures in place to ensure that no unauthorized parties may dispose of, obtain access to, modify or destroy personal information?

P7-12  Has there been an expert review of all the risks, and of the reasonableness or proportionality of the countermeasures taken to secure against unauthorized or improper access, collection, use, disclosure and disposal through all access channels, such as with a Threat Risk Assessment?
P7-13  Do written security policies and procedures exist to protect the confidentiality, integrity and availability of personal information, or will they exist before the project is completed?
P7-14  Have staff been trained in the requirements for protecting personal information, and are they aware of policies regarding breaches of security or confidentiality?
P7-15  Are there controls in place over the process to grant authorization to add, change or delete personal information from records?
P7-16  Is the system designed so that access and changes to personal information can be audited by date and user identification?
P7-17  Is user access to personal information limited to only that required to discharge the assigned functions?
P7-18  Are security measures commensurate with the sensitivity of the information recorded?
P7-19  Are there contingency plans and mechanisms in place to identify security breaches or disclosures of personal information in error?
P7-20     a. Are there mechanisms in place to communicate violations to stakeholders and to data subjects to mitigate collateral risks?
P7-21     b. Are there mechanisms in place to advise appropriate ministry, corporate or other law enforcement authorities of security breaches?
P7-22  Are there adequate ongoing resources budgeted for security upgrades, with specific measurable performance indicators in systems maintenance plans?

Comments (free text, max. 1000 characters)

Principle 8: Making Information about Policies and Procedures Available to Clients

Number   QUESTION   (YES / NO / DON'T KNOW)

P8-1   Do information management policies and/or records list all personal information banks collected under the control of the responsible organization or a contracted third party, including:
P8-2      a. where information is transferred to support indirect collection,
P8-3      b. the operation of shared or multi-program data systems,
P8-4      c. data marts or warehouses,
P8-5      d. data transferred to a third party for business processing (e.g., credit and debit settlements)?

Comments (free text, max. 1000 characters)

Principle 9: Providing Client Access to Personal Information

Number   QUESTION   (YES / NO / DON'T KNOW)

P9-1   Are project staff aware of the time limits the law allows to respond to access requests?
P9-2   Can project staff retrieve personal information to respond to individual access requests with minimal disruption to operations?
P9-3   Can personal information be made available to the individual at minimal or no cost?
P9-4   Are requesters advised of costs, if any, before personal information is retrieved?
P9-5   Is an individual's response to being notified of the cost of retrieving personal information recorded?
P9-6   Is personal information provided in a form that is generally understandable? (For example, are abbreviations, acronyms and technical terms explained?)
P9-7   Are procedures in place for responding to requests for personal information from persons with perceptual or physical limitations?
P9-8   Is the project designed to ensure that access to all of the subject’s data can be achieved with minimal disruption to operations?
P9-9   Are the data subject’s access rights assured for all the data sets of all the parties in the information life cycle, including private sector partners and subcontractors, and third parties provided with subject information through profiling/matching?
P9-10  Are all custodians aware of the right to access, the formal and informal request procedures, the mandatory advising of formal appeal procedures to data subjects, fees, and the limits of their decision-making authority?
P9-11  Does the data subject have access to his or her records of personal information and to records related to requests for review or correction?

Comments (free text, max. 1000 characters)

Principle 10: Challenging Compliance

Number   QUESTION   (YES / NO / DON'T KNOW)

P10-1  Can an individual easily find out how to file a privacy complaint related to the project?
P10-2  Are privacy complaints dealt with in a timely fashion?
P10-3  Are all privacy complaints investigated?
P10-4  Are customer assistance and other front-line staff able to distinguish a privacy complaint under the law from a general inquiry?
P10-5     If unsure, do they discuss this with the individual?
P10-6  Are individuals advised about all available avenues of complaint, including the responsible Privacy Commissioner?
P10-7  Are staff responses to public inquiries, requests and complaints reviewed to ensure they are handled fairly, accurately and quickly?
P10-8  Have measures been developed to ensure that, when a complaint is found to be justified, the necessary changes are made to policies, procedures and staff awareness?
P10-9  Are complaint procedures established, including links to partnership agreements and staff role assignments?
P10-10 Has a procedure been established to log and periodically review complaints and their resolution, with a view to establishing improved information management practices and standards?

P10-11 Are oversight and review mechanisms, comparable to those ensuring the accountability of public sector bodies covered by ATIPPA, being implemented?
P10-12 Have regular compliance audits of partner information practices and privacy requirements been established as contract deliverables?

Comments (free text, max. 1000 characters)

                                                                                                    RISK ANALYSIS
     Definitions for Severity ratings:
              3 HIGH         Could reasonable be expected to cause severe personal injury, such as irrecoverable financial loss, loss of life, health or safety, lasting social hardship, or other severe and/or lasting
3                            detrimental impact.
4             2 MEDIUM       Could reasonably be expected to cause significant personal injury, such as recoverable financial loss, or short-term problems for relationships or reputation.
              1 LOW          At the most, might result in minor injury to the individual, such as minor inconvenience or other recoverable effects on privacy from which the individual would suffer no more than
5                            minimal and very temporary detrimental effects.
Question  Risk Item?  Description of Risk           Before*     Mitigation Measures           After*

* Severity before / after mitigation: 3=High, 2=Medium, 1=Low.
Description of Risk: briefly describe the nature of the risk associated with the identified response. Max 1000 characters. Cross reference separate attachments if necessary.
Mitigation Measures: briefly describe measures to be taken and their expected effect. Max 1000 characters. Cross reference separate attachments if necessary.

P1-1      FALSE       -                                         -
P1-2      FALSE       -                                         -
P1-3      FALSE       -                                         -
P1-4      FALSE       -                                         -
P1-5      FALSE       -                                         -
P1-6      FALSE       -                                         -
P1-7      FALSE       -                                         -
P1-8      FALSE       -                                         -
P1-9      FALSE       -                                         -
P1-10     FALSE       -                                         -
P1-11     FALSE       -                                         -
P1-12     FALSE       -                                         -
P2-1      FALSE       -                                         -
P2-2      FALSE       -                                         -
P2-3      FALSE       -                                         -
P2-4      FALSE       -                                         -
P2-5      FALSE       -                                         -
P2-6      FALSE       -                                         -
P2-7      FALSE       -                                         -
P2-8      FALSE       -                                         -
P3-1      FALSE       -                                         -
P3-2      FALSE       -                                         -
P3-3      FALSE       -                                         -
P3-4      FALSE       -                                         -
P3-5      FALSE       -                                         -
P3-6      FALSE       -                                         -
P3-7      FALSE       -                                         -
P3-8      FALSE       -                                         -
P3-9      FALSE       -                                         -
P3-10     FALSE       -                                         -
P3-11     FALSE       -                                         -
P3-12     FALSE       -                                         -
P3-13     FALSE       -                                         -
P3-14     FALSE       -                                         -
P3-15     FALSE       -                                         -
P3-16     FALSE       -                                         -
P3-17     FALSE       -                                         -
P3-18     FALSE       -                                         -
P4-1      FALSE       -                                         -
P4-2      FALSE       -                                         -
P4-3      FALSE       -                                         -
P4-4      FALSE       -                                         -
P4-5      FALSE       -                                         -
P4-6      FALSE       -                                         -
P4-7      FALSE       -                                         -
P4-8      FALSE       -                                         -
P4-9      FALSE       -                                         -
P4-10     FALSE       -                                         -
P4-11     FALSE       -                                         -
P4-12     FALSE       -                                         -
P4-13     FALSE       -                                         -
P4-14     FALSE       -                                         -
P4-15     FALSE       -                                         -
P4-16     FALSE       -                                         -
P5-1      FALSE       -                                         -
P5-2      FALSE       -                                         -
P5-3      FALSE       -                                         -
P5-4      FALSE       -                                         -
P5-5      FALSE       -                                         -
P5-6      FALSE       -                                         -
P5-7      FALSE       -                                         -
P5-8      FALSE       -                                         -
P5-9      FALSE       -                                         -
P5-10     FALSE       -                                         -
P5-11     FALSE       -                                         -
P5-12     FALSE       -                                         -
P5-13     FALSE       -                                         -
P5-14     FALSE       -                                         -
P5-15     FALSE       -                                         -
P6-1      FALSE       -                                         -
P6-2      FALSE       -                                         -
P6-3      FALSE       -                                         -
P6-4      FALSE       -                                         -
P6-5      FALSE       -                                         -
P6-6      FALSE       -                                         -
P6-7      FALSE       -                                         -
P6-8      FALSE       -                                         -
P6-9      FALSE       -                                         -
P7-1      FALSE       -                                         -
P7-2      FALSE       -                                         -
P7-3      FALSE       -                                         -
P7-4      FALSE       -                                         -
P7-5      FALSE       -                                         -
P7-6      FALSE       -                                         -
P7-7      FALSE       -                                         -
P7-8      FALSE       -                                         -
P7-9      FALSE       -                                         -
P7-10     FALSE       -                                         -
P7-11     FALSE       -                                         -
P7-12     FALSE       -                                         -
P7-13     FALSE       -                                         -
P7-14     FALSE       -                                         -
P7-15     FALSE       -                                         -
P7-16     FALSE       -                                         -
P7-17     FALSE       -                                         -
P7-18     FALSE       -                                         -
P7-19     FALSE       -                                         -
P7-20     FALSE       -                                         -
P7-21     FALSE       -                                         -
P7-22     FALSE       -                                         -
P8-1      FALSE       -                                         -
P8-2      FALSE       -                                         -
P8-3      FALSE       -                                         -
P8-4      FALSE       -                                         -
P8-5      FALSE       -                                         -
P9-1      FALSE       -                                         -
P9-2      FALSE       -                                         -
P9-3      FALSE       -                                         -
P9-4      FALSE       -                                         -
P9-5      FALSE       -                                         -
P9-6      FALSE       -                                         -
P9-7      FALSE       -                                         -
P9-8      FALSE       -                                         -
P9-9      FALSE       -                                         -
P9-10     FALSE       -                                         -
P9-11     FALSE       -                                         -
P10-1     FALSE       -                                         -
P10-2     FALSE       -                                         -
P10-3     FALSE       -                                         -
P10-4     FALSE       -                                         -
P10-5     FALSE       -                                         -
P10-6     FALSE       -                                         -
P10-7     FALSE       -                                         -
P10-8     FALSE       -                                         -
P10-9     FALSE       -                                         -
P10-10    FALSE       -                                         -
P10-11    FALSE       -                                         -
P10-12    FALSE       -                                         -
RISK SCORING SHEET

MESSAGES:  -

METRIC                                   VALUE   RECOMMENDATION
Number of Privacy Principle Risk Items   0

Severity, Unmitigated
  HIGH:                                  0       Implement mitigation measures for these items as a matter of the highest priority.
  MEDIUM:                                0       Implement mitigation measures for these items before project goes operational.
  LOW:                                   0       Implement mitigation measures for these items as the opportunity arises.
Severity Score, Unmitigated:             0

Severity, Mitigated
  HIGH:                                  0       OK
  MEDIUM:                                0       OK
  LOW:                                   0
Severity Score, Mitigated:               0

Risk Reduction Value:                    0
Avg. Reduction per Item:                 0.00
Adjusted Percentage Risk Reduction:      0%      This is the percentage severity reduction achieved by the mitigation measures, adjusted to account for the fact that the severity of any one risk item can never be zero.

PII count threshold                      2
PII score threshold                      2
Principles response count
Cell: B26
Comment: Alec Campbell: adjusted to account for the fact that the workbook does not allow risk to be reduced to zero, even though in some cases a reduction to near zero may be possible. The risk reduction value is increased by adding half the difference between the number of mitigated and unmitigated LOW items, to a maximum percentage value of 99%.
