You may be wondering, what exactly is “safeguarding” personal information? Thankfully, the Office of the Privacy Commissioner of Canada has clarified how safeguarding can reduce the risk of privacy breaches.
The Privacy Commissioner states that businesses have an obligation to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use or modification. This protection must be in place whether the information is in electronic or paper form.
This is because safeguarding is one of the 10 principles set out in the Personal Information Protection and Electronic Documents Act (PIPEDA). Schedule 1 contains the 10 principles, and Safeguards is Principle 7.
Essentially, Principle 7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. In addition to requiring protection against loss, theft, or unauthorized access, disclosure, copying, use, or modification as mentioned above, Principle 7 acknowledges that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, as well as the method of storage. In fact, more sensitive information should be safeguarded by a higher level of protection.
Principle 7 sets out methods of protection that are to be used when safeguarding personal information, including physical measures (for example, locked filing cabinets and restricted access to offices), organizational measures (for example, using security clearances and limiting access on a “need-to-know” basis), and technological measures (such as using passwords and encryption). Further, care must be used when disposing of or destroying personal information.
Employers are recommended to pay careful attention to the requirement contained in Principle 7 stating that organizations must make their employees aware of the importance of maintaining the confidentiality of personal information.
Therefore, not only are employers recommended to have a privacy policy that protects personal information through safeguarding, but they are also recommended to train employees in the policy—taking care to explain to employees the importance of maintaining the confidentiality of personal information.
How exactly does an employer use these physical, organizational, and technological measures to protect the information? How does this work practically?
Employers are recommended to survey their particular workplace in order to determine the particular personal information at issue, the sensitivity of that information, and what possible measures can be used in terms of physical measures, organizational measures, and technological measures. There is no one right answer here, because the answer depends on the particular workplace, personal information, and applicable measures. What can be said is, any information that has been identified as extra sensitive is recommended to be given high levels of protection.
We also know that the courts and the Privacy Commissioner have interpreted issues regarding the safeguarding of personal information that can provide some assistance.
Just to pick a few examples, we know that the disclosure of personal information, in itself, cannot be taken as evidence of inadequate safeguards. In fact, in one case a clerical error caused the applicant’s personal medical information to be mailed to an incorrect address and to an unauthorized advisor, but this was not because of inadequate safeguards.
Furthermore, safeguarding policies and practices must be diligently and consistently followed in practice in order to be effective. Likewise, organizations must develop and implement procedures for the secure disposal of personal information. And this includes information that is inadvertently collected—the organizations must keep it secure until it can properly and legally be deleted.
What constitutes “sensitive information” that would require a higher level of protection? Payroll information, medical information, social insurance numbers, and information about an employee’s work performance are some examples of highly sensitive information.
In terms of technology, there are several cases highlighting the fact that organizations must ensure that only the appropriate personal information is delivered and that the proper destination address or fax number is being used, to avoid unauthorized disclosure. Likewise, when emailing multiple recipients, it is important to ensure that individual email addresses are not disclosed. Fax cover sheets should not have any sensitive personal information. Last but not least, any personal information that is electronically stored must be adequately protected through the use of passwords or encryption; what is more, portable electronic devices storing personal information must be secured at all times and backed up. It is up to organizations to keep up with technological advances in order to ensure that they have the appropriate safeguards in place.
When it comes to snail mail, organizations must ensure that no sensitive personal information is visible through the envelope window. There was a case concluding that safeguarding obligations are likely to be met when using first-class mail to deliver credit cards and other personal identification numbers. Also, hard copy documents with personal information must be stored in an appropriate location to prevent unauthorized access.
Do individuals have any responsibility to protect their own personal information? The answer is yes. Individuals have some responsibility to take appropriate precautions, such as using a properly labeled coversheet and security settings.