First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Christina Catenacci, BA, LLB, LLM, PhD | December 8, 2016

“Safeguarding” personal information clarified

You may be wondering what exactly “safeguarding” personal information means. Thankfully, the Office of the Privacy Commissioner of Canada has clarified how safeguarding can reduce the risk of privacy breaches.

The Privacy Commissioner states that businesses have an obligation to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use or modification. This obligation applies regardless of whether the information is held in electronic or paper form.

This is because safeguarding is one of the 10 principles set out in the Personal Information Protection and Electronic Documents Act (PIPEDA). Schedule 1 contains the 10 principles, and Safeguards is Principle 7.

Essentially, Principle 7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. In addition to requiring protection against loss, theft, or unauthorized access, disclosure, copying, use, or modification as mentioned above, Principle 7 acknowledges that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, as well as the method of storage. In fact, more sensitive information should be safeguarded by a higher level of protection.

Principle 7 sets out methods of protection that are to be used when safeguarding personal information, including physical measures (for example, locked filing cabinets and restricted access to offices), organizational measures (for example, using security clearances and limiting access on a “need-to-know” basis), and technological measures (such as using passwords and encryption). Further, care must be taken when disposing of or destroying personal information.

Employers should pay careful attention to the requirement in Principle 7 that organizations make their employees aware of the importance of maintaining the confidentiality of personal information.

Therefore, employers should not only have a privacy policy that protects personal information through safeguarding, but also train employees in that policy, taking care to explain to employees the importance of maintaining the confidentiality of personal information.

How exactly does an employer use these physical, organizational, and technological measures to protect the information? How does this work practically?

Employers should survey their particular workplace to determine the personal information at issue, the sensitivity of that information, and which physical, organizational, and technological measures can be used to protect it. There is no one right answer here, because the answer depends on the particular workplace, the personal information involved, and the measures that are practical there. What can be said is that any information identified as especially sensitive should be given a high level of protection.

We also know that the courts and the Privacy Commissioner have ruled on issues regarding the safeguarding of personal information, and those decisions can provide some assistance.

Just to pick a few examples, we know that the disclosure of personal information, in itself, cannot be taken as evidence of inadequate safeguards. In fact, there was a case in which a clerical error caused the applicant’s personal medical information to be mailed to an incorrect address and to an unauthorized advisor, yet this was found not to be the result of inadequate safeguards.

Furthermore, safeguarding policies and practices must be diligently and consistently followed in practice in order to be effective. Likewise, organizations must develop and implement procedures for the secure disposal of personal information. And this includes information that is inadvertently collected—the organizations must keep it secure until it can properly and legally be deleted.

What constitutes “sensitive information” that would require a higher level of protection? Payroll information, medical information, social insurance numbers, and information about an employee’s work performance are some examples of highly sensitive information.

In terms of technology, there are several cases highlighting the fact that organizations must ensure that only the appropriate personal information is delivered and that the proper destination address or fax number is used, to avoid unauthorized disclosure. Likewise, when emailing multiple recipients, it is important to ensure that individual email addresses are not disclosed to the other recipients. Fax cover sheets should not contain any sensitive personal information. Last but not least, any personal information that is electronically stored must be adequately protected through the use of passwords or encryption; what is more, portable electronic devices storing personal information must be secured at all times and backed up. It is up to organizations to keep up with technological advances in order to ensure that they have the appropriate safeguards in place.

When it comes to snail mail, organizations must ensure that no sensitive personal information is visible through the envelope window. There was a case concluding that safeguarding obligations are likely to be met when using first-class mail to deliver credit cards and other personal identification numbers. Also, hard copy documents with personal information must be stored in an appropriate location to prevent unauthorized access.

Do individuals have any responsibility to protect their own personal information? The answer is yes. Individuals have some responsibility to take appropriate precautions, such as using a properly labelled cover sheet and appropriate security settings.

About Christina Catenacci, BA, LLB, LLM, PhD

Christina Catenacci, BA, LLB, LLM, PhD, is a member of the Law Society of Ontario. Christina worked as an editor with First Reference between 2005 and 2015 working on publications including The Human Resources Advisor (Ontario, Western and Atlantic editions), HRinfodesk, and First Reference Talks blog discussing topics in Canadian Labour and Employment Law. She continues to contribute to First Reference Talks as a regular guest blogger, where she writes on privacy and surveillance topics. Christina has also appeared in the Montreal AI Ethics Institute's AI Brief, International Association of Privacy Professionals’ Privacy Advisor, Tech Policy Press, and Slaw - Canada's online legal magazine.
