BC’s Personal Information Protection Act only makes general reference to technical safeguard standards for the proper storage and securing of personal data.
Here is a great guide to PIPA prepared by the Office of the Information and Privacy Commissioner of BC, explaining obligations in plain terms and providing best-practices:
Of note is how broad the technical safeguard standards are:
• Positioning computer monitors so that personal information displayed on them cannot be seen by unauthorized personnel or by visitors.
• Using password-protected computer screensavers so unauthorized personnel or visitors cannot see personal information.
• Ensuring your computers and network are secure from intrusion by using firewalls, intrusion detection software, antivirus software, and by encrypting personal information .
• Using strong and secure passwords to make sure that only authorized employees have access to computer storage devices or to the network. Changing those passwords on a regular basis.
• Encrypting personal information stored on mobile electronic devices such as laptops and USB flash drives.
• Securely wiping all personal information from hard drives before you discard them, sell them or donate them. Deleted files can be recovered while wiped files cannot. Wiping may require specialized software. If you are unsure, the most secure method is to physically destroy hard drives.
• Modifying equipment and software so credit card or debit numbers are removed or truncated from receipts.
No specific standards are set out, only general best practices.
This likely means it is up to the organization to adopt at least industry standard safeguards and show at least some due diligence was at play in its handling of personal information. But, is that enough?
To discuss this and other issues drop me a line: [email protected]