Here’s something you might want to know about: the Federal Government has introduced a law to impose stricter obligations with respect to information and security breaches. The Safeguarding Canadians’ Personal Information Act (Bill C-29) would:
- Introduce new requirements for organizations to report material breaches of information security safeguards (data breaches) to the Privacy Commissioner of Canada and notify affected individuals and certain organizations when the breaches are deemed to pose a real risk of significant harm.
- Allow organizations to share information in order to prevent fraud and aid in investigations of contraventions.
The proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) have yet to pass second reading, and it’s hard to say when Bill C-29 might become law, if at all. There are good reasons organizations should take notice though, like the potential for the government to keep a closer eye on whether you’re keeping up with your obligation to destroy documents.
According to Workplace magazine and Shred-it, “As data leaks and security breaches hit the headlines, it’s inevitable that more stringent legislation will follow”.
If Bill C-29 does become law, its enhanced transparency requirements “will force organizations to improve the way they handle and store data, ensuring systematic procedures are in place for destroying confidential information”.
No one should be surprised that the people at Shred-it are interested in organizations destroying their documents that they no longer need. That’s their business. Nevertheless, those obligations are real, and the article offers the following tips to help prevent security breaches.
1. Identify security gaps
Conduct an audit of your business’s security practices while keeping these questions in mind:
- Are there current procedures in place to properly secure or destroy sensitive data? If so, what are they?
- If security gaps are present, where do they lie?
2. List security gaps
List all potential risks specific to your organization. Some questions you should consider include:
- Are sensitive HR documents, such as employee records, only accessed by authorized personnel?
- Are there discrepancies between the security procedures involving print versus electronic documents?
- Are employees currently trained to dispose of paper waste using appropriate receptacles?
When compiling the list, remember to include both paper-based and electronic information sources. Also be sure to consider every stage of the information cycle, from data generation to document destruction.
3. Working from home
When employees must work from home, they must limit the printing of hard copies and the transfer of sensitive information onto personal devices such as laptops or USB keys. Employees should also refrain from throwing information out in garbage cans, recycling bins and dumpsters.
4. Address security gaps
Create and develop a rigid security policy for your organization. Always remember to place sensitive information in secure areas and under password protection with limited access by employees. Delete or destroy all other data that are no longer required, and be sure to keep hard copies of confidential data under lock and key. Follow the document life cycle and implement company-wide policies that ensure all employees regularly destroy confidential documents using professional third-party services.
I couldn’t say it better myself.
It’s also a good idea to make sure you recycle any appropriate documents. It should take little to no effort, and your customers and employees will approve.
To see the text of Bill C-29, the Safeguarding Canadians’ Personal Information Act, or follow its status, visit LEGISinfo.
First Reference publishes Finance and Accounting PolicyPro to help small and medium-sized businesses manage their obligations and comply with the law with respect to document security in general and document destruction specifically.
Adam Gorley
First Reference Human Resources and Compliance Editor