In part three of this four-part series of articles we delved into how companies can ensure materials meet privacy expectations for PIPEDA. The final part of this series will touch upon the remaining action items that need to get done before you are PIPEDA compliant.
7. Ensure Effective Security and Safeguards
It is not sufficient to have good informational privacy policies and procedures. They must be accompanied by good security. Safeguards should be appropriate to the sensitivity of the information.
The security safeguards that protect personal information must comprehend a range of potential events such as loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. It is important that entities protect personal information regardless of the format or the location in which it is held.
Obviously, the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, as well as the method of storage. More sensitive information should be safeguarded by a higher level of protection.
It is also important that entities make their employees aware of the entity’s policies regarding personal information and the importance of maintaining the confidentiality of personal information.
Various methods can be employed to ensure the safeguarding of personal information, including:
· Physical measures, for example, locking filing cabinets and restricting access to offices;
· Organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
· Technological measures, for example, the use of passwords and encryption.
Finally, when the personal information is no longer required for the purpose for which it was collected, care should be taken in the disposal or destruction of that information to prevent unauthorized access to the information.
8. Ensure the Accuracy of Personal Information
Using or releasing personal information, even when consent has been obtained, requires care to ensure that the information is accurate.
As a best practice, personal information should be as complete, accurate, and up-to-date as is necessary for the purposes for which it is to be used. Determining accuracy, given the rapid decay of personal information accuracy, is a matter of judgement.
However, as a general rule, personal information should be sufficiently accurate to minimize the possibility that inappropriate, inaccurate, incomplete or out of date information may be used to make a decision about the individual.
Accuracy of personal information raises another issue of whether to periodically update files containing personal information (this may be the most effective means to ensure that information in large databases is current), or to update them as required on a case-by-case basis. Many jurisdictions stipulate that personal information shall not be routinely updated unless such a process is necessary to fulfil the purposes for which the information was originally collected.
This may require changes to incorporate ad hoc updating and related changes to systems and procedures.
However, the converse situation also arises in that personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Clearly the accuracy principle may require changes to business practices.
9. Limit the Use, Disclosure and Retention of Personal Information
Associated with ensuring the accuracy of the information is the requirement to limit its use, disclosure and retention. Many countries require that personal information only be used or disclosed for the purpose for which it was collected. While there are exceptions, most require the data subject to give consent for additional use.
Retroactively obtaining consent is often time-consuming, expensive and sometimes impossible to obtain within a reasonable period.
Clearly, large databases, and the applications that access personal information stored on them, will have to change to reflect these realities. Having the personal information does not necessarily convey the right to use it as you will.
It also speaks volumes for having legal counsel involved in drafting the privacy clauses that address the original collection of that information. Further, some storage techniques such as CD-ROM, DVD, microfiche and microfilm do not allow the elimination of single records about a particular data subject.
Retention is another issue that must be addressed. Many countries have adopted privacy legislation requiring personal information to be retained only as long as necessary for the fulfilment of those purposes.
Again, legal counsel’s involvement early in the process can save thousands of dollars, or worse still, prevent the inability to use information already collected.
Best practices suggest that entities develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about a data subject should be retained long enough to allow the data subject access to the information after the decision has been made.
Clearly retention of personal information raises significant issues. “How long is sufficient?”
“Will the entity be able to adequately protect itself in employment equity litigation if they destroy the applications of unsuccessful candidates once the position has been filled?”
“What are the penalties for keeping the information?” “Is the entity’s purpose statement broad enough to allow it to address reasonable business uses?”
10. Train Personnel Involved in Customer Activities
The introduction of informational privacy initiatives requires that the entity’s personnel be adequately trained in the policies, procedures and implementation considerations.
They may also require training in dealing with difficult situations.
Personal information can be a very touchy subject. Individual feelings on the issues surrounding the collection, use and disclosure of personal information run high. Front line personnel are frequently required to enforce or explain what the data subject may interpret as unreasonable demands for information.
Adequate training will ensure the entity’s customers and clientele have trust in the way the information will be handled and confidence in its subsequent use or disclosure.
Informational privacy is not a new concept. It is, however, for some entities, a new way of conducting business. There will be fallout. Some businesses that survive by trading on personal information may have to change their modus operandi. However, change they must.
As we enter the 21st Century, we are entering a world with a new economic order, a global economy, and reliance on products and services born through digital evolution. New rules of the road are being written. Privacy is one of them.
In fact, informational privacy may be the price of entry to the global economy.
Robert Parker, a partner in the Toronto Office of Deloitte & Touche, is responsible for providing information security and control, data integrity and personal information privacy services to major clients. He served on the International Board of Directors of the Information Audit and Control Association and was International President in 1986-1987. Currently, he is on the Research Board, the Journal Editorial Board and is Liaison to the CICA’s Specialization Committee. He represented the Canadian Institute of Chartered Accountants on an ISO personal information privacy committee, and is currently assisting clients in assessing their readiness status and future strategy to deal with Canada’s new Personal Information Protection (and Electronic Documents) Act.