The 10 Privacy Principles of PIPEDA – Safeguards
The seventh principle of the 10 Privacy Principles of PIPEDA is Safeguards.
Safeguards
The principle of Safeguards states that your organization should protect personal information with security safeguards that are appropriate for the sensitivity of personal information held.
Personal information should be protected against loss or theft, unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is stored (paper, electronic, etc.).
What Type of Safeguards Should My Business Use?
If you own a small business and collect customers’ email addresses for an online newsletter, for example, you might store the addresses in a spreadsheet. It may then be reasonable to password-protect and/or encrypt the spreadsheet so that, if it were stolen, it would be difficult to decrypt and retrieve the email addresses.
If your organization were to collect more sensitive personal information, such as credit card numbers, your organization would be expected to have much stronger safeguards in place to protect that information.
Your organization should determine how sensitive the personal information it holds is and implement safeguards to protect it accordingly. It is always good business sense to adopt safeguards that provide better-than-average protection for the personal information you hold; after all, the last thing your organization wants is to suffer a privacy breach.
Methods of Protection
Organizations should use physical, organizational, and technological methods to protect personal information.
Physical Methods
Your organization should use physical methods to protect personal information whenever possible. Lock cabinets, safes, doors, and offices when they are not in use. Restrict access whenever possible.
When printing or receiving faxes, retrieve the documents immediately. Some office printers hold print jobs and release them only once the employee walks to the printer and keys in a personal code.
Ensure that sensitive and confidential personal information is not visible to the public.
Organizational Measures
Many organizations give employees RFID badges that open doors according to the holder’s security access level. Limit access to personal information to a need-to-know basis.
Some organizations wisely choose to pre-screen their employees for criminal records and bad credit histories before giving them access to sensitive information.
Implement and enforce a “clear desk policy”. Employees should have their desks clear and free of any papers containing sensitive personal information or confidential company information. Employees should lock this information in a private filing cabinet.
Technological Measures
Enforce strong passwords and have employees change them on a scheduled basis.
Implement encryption whenever possible, especially when dealing with sensitive personal information such as credit card numbers. Consider encryption at all stages of transit.
Train Your Employees
Your organization’s privacy officer should ensure that all employees are aware of the importance of maintaining the confidentiality of personal information. This can be done during initial training, through routine “refresher” sessions, and through documentation.
Be Careful When Destroying Personal Information
Organizations should exercise great care when disposing of or destroying personal information.
News headlines increasingly report businesses that carelessly dispose of sensitive personal information, often by throwing unshredded papers into the trash, where they become public property.