The Privacy Commissioner of Canada has an Interpretation Bulletin dealing with privacy safeguards that can serve as helpful guidance for organizations that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).
This post reviews the meaning of safeguards and explores the Interpretation Bulletin to help organizations create policies, practices and procedures and to address employee training.
What are safeguards?
Schedule 1 of PIPEDA contains Principle 4.7, which states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Security safeguards must protect information against loss or theft, and unauthorized access, disclosure, copying, use, or modification. Organizations that are subject to PIPEDA must protect personal information, regardless of the format.
The nature of the safeguards varies depending on: the sensitivity of the information that is collected; the amount, distribution, and format of the information; and the method of storage of the information. The more sensitive the information, the higher the level of protection required. Some information (for instance, medical records and income records) is almost always considered to be sensitive; that said, any information can be considered sensitive, depending on the context. The names and addresses of subscribers to a news magazine may generally not be considered sensitive information, whereas the names and addresses of subscribers to some special-interest magazines could be considered sensitive.
Typically, there are three kinds of protective measures: physical measures, organizational measures, and technological measures. An example of a physical measure is the use of locked filing cabinets. Organizational measures could include requiring security clearances so that only certain individuals can access certain information. Examples of technological measures include strong passwords and encryption.
From an employment point of view, this next rule is very important – organizations must make their employees aware of the importance of maintaining the confidentiality of personal information.
Moreover, personal information that is no longer required to meet the identified purposes must be destroyed, erased, or made anonymous; organizations must develop guidelines and procedures to govern this type of information destruction. In terms of safeguards, care must be taken in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
What does the Interpretation Bulletin say?
In the Interpretation Bulletin, the Privacy Commissioner of Canada provides examples to illustrate how the safeguard principle can apply in various contexts. With regard to policies, practices and procedures, the Privacy Commissioner discusses the following features with respect to how the safeguard principle has been interpreted and applied:
- Organizations must put in place security safeguards that are commensurate with the level of sensitivity of the personal information involved
- Safeguarding policies and practices must be diligently and consistently followed in practice in order to be effective
- Organizations must develop and implement procedures for the secure disposal of personal information
- One of the best safeguarding practices an organization can have is not to collect or retain more personal information than is necessary
- Organizations that inadvertently collect personal information must keep it secure until it can be properly (and legally) deleted
- Proper safeguarding of personal information includes diligent and accurate record-keeping practices that clearly document original authorizations and any irregular uses or disclosures
- Organizations that collect personal information about customers must collect and store the information in a manner that does not permit customers to view or hear the personal information of other customers
Concerning employee training, organizations must communicate their safeguard procedures to their employees and provide employees with training to ensure the procedures are implemented correctly.
Let us explore this concept of employee training with an example. In PIPEDA Decision 2012-009, the complainant, an employee of a hair salon, was thinking about leaving her employer and setting up her own home hair salon; to that end, she contacted an insurance company to inquire about obtaining business insurance. The insurance agent responded at a later time by calling her at her workplace, and left a recorded message on the employer’s general voicemail system asking for more details about the home business. This led to the complainant’s termination and ultimate complaint to the Privacy Commissioner.
In relation to the safeguards issue, the Privacy Commissioner found that the insurance company revealed more information than was necessary for the complainant to return the insurance representative’s call. In fact, in this context, the information in question was considered to be sensitive personal information.
It was clear from the safeguards principle set out in Schedule 1 (PIPEDA Principle 4.7) that personal information had to be protected by security safeguards appropriate to the sensitivity of the information. Further, organizations were required to make their employees aware of the importance of maintaining the confidentiality of personal information. In this situation, minimal safeguards were not provided to protect the complainant’s personal information. What is more, the complainant’s personal information appeared to be sensitive enough to lead to her termination of employment.
The Privacy Commissioner stated that these types of disclosures could be avoided when organizations took proper precautions to call back clients in accordance with policies that dictated to staff how to leave messages for clients. In fact, the Privacy Commissioner expressed concern that the insurance company had no policy communicating to its employees how messages were to be left for clients on telephone messaging systems in order to protect personal information. It was essential for organizations to train staff and communicate the importance of complying with the organization’s policies and practices.
Ultimately, the organization complied with the Privacy Commissioner’s recommendations to develop policies to reduce the risk of disclosing personal information of clients to unauthorized third parties when leaving messages for clients, and also to provide training to the privacy officers and employees of the organization.
Accordingly, the complaint was well-founded and resolved. What employers can learn from this case is that, to protect personal information, organizations must have proper procedures in place, communicate these procedures to their staff, and provide their staff with training to ensure that staff implement the procedures correctly. Furthermore, it is critical to take proper care and protect personal information by using safeguards appropriate to the sensitivity of the information.
What can employers do with this information?
As can be seen from the above, it is important for employers to have security safeguards in place that respond to the sensitivity levels of the personal information. It is important to have policies and procedures in place, and to properly dispose of personal information in accordance with established procedures. One strategy is to not collect or retain more personal information than is necessary; in cases where this is not possible and the organization inadvertently collects extra personal information, it is important to keep it secure until it can be properly destroyed. Not only do organizations need to use diligent and accurate record-keeping practices, but they also need to ensure that any information collected about customers is collected and stored in ways that do not allow other customers to view or hear this information.
It is critical for organizations to communicate safeguard procedures to their employees and provide employees with training to ensure that the procedures are implemented correctly. As can be seen from the above decision, organizations need to be careful and take proper precautions when calling back clients and leaving messages – and staff needs to be trained in these policies and procedures.