Canada PIPEDA Principle 7 Safeguarding Personal Information

Canada’s Personal Information Protection and Electronic Documents Act sets out 10 Principles governing the collection, use, safeguarding and disclosure of personal information.

It’s the CIOs and CTOs of our clients who usually motivate conversations around data protection. The concern about properly handling personal information should be an organization-wide concern, and that culture should be established by all directors and managers of a company.

Companies that are subject to PIPEDA need to take their obligations under the Act seriously. The government has proven it has an appetite to take action against non-compliant companies, enforce provisions of the Act and levy material fines.

The Office of the Privacy Commissioner of Canada and Canadian security has published a practical guide to PIPEDA, which includes actionable advice and best practices. You can check it out here: https://www.priv.gc.ca/information/pub/ar-vr/pipeda_sa_tool_200807_e.pdf

For those interested in the technical how-to of complying with PIPEDA, we are pasting Principle 7 Safeguard standards from page 23 of the guide below, for your ease of reference.

If you have any questions about collection, use, safeguarding and disclosure of personal information please contact me directly: [email protected] or visit us at our Vancouver office.

PRINCIPLE 7 – SAFEGUARDS

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Your Organization’s Privacy Responsibilities
Under the “Safeguards” principle, your organization must:
• Protect personal information by security safeguards appropriate to the sensitivity of the information;
• Institute security safeguards that will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification;
• Protect personal information regardless of the format in which it is held;
• Make employees aware of the importance of maintaining the confidentiality of personal information; and
• Use care to prevent unauthorized access when destroying or disposing of personal information.
Under the “Safeguards” principle, your organization should:
• Safeguard more sensitive information with a higher level of protection;
• Include among its methods of protection:
– physical measures such as locked filing cabinets and restricted access to offices;
– organizational measures such as security clearances and limiting access on a “need to know” basis; and
– technological measures such as use of passwords and encryption.
Under the “Safeguards” principle, your organization may:
• Use a variety of safeguards, depending on the information’s sensitivity, amount, distribution, format, and method of storage.
How to Meet These Objectives
Establishing an Informational Security Policy
• Review your present information security practices, policies, and systems to determine whether your organization is currently meeting its responsibilities outlined above. Take appropriate measures as recommended below to address any deficiencies; and
• Develop and implement a policy, or update your existing procedures, consolidating your information security practices and procedures in accordance with the “Safeguards” principle. Include a requirement and procedures for documenting and following up on security breaches and informing the individuals affected. Ensure that your policy addresses the following responsibilities as applicable.
OFFICE OF THE PRIVACY COMMISSIONER OF CANADA PIPEDA SELF-ASSESSMENT TOOL 23

Physical Safeguards
• Implement physical measures as necessary to ensure the security of personal information holdings, including:
– locked filing cabinets;
– clean-desk policy;
– restricted access to personal information;
– secured premises; and
– alarm systems.
• Ensure that physical safeguards are appropriate to:
– the sensitivity of the personal information (e.g., higher level of protection for information such as medical or financial records);
– the amounts and types of information held;
– the manner and extent of distribution or transmission;
– format(s) (e.g., paper or electronic files);
– method(s) of storage.
• Ensure that physical safeguards are sufficient to protect against loss or theft, and against unauthorized access, disclosure, copying, use, and modification.
Organizational Safeguards
• Implement organizational measures as necessary to ensure the security of personal information holdings, including:
– authorization and limiting access on a “need-to-know” basis;
– security clearances and classifications;
– confidentiality agreements;
– specific security procedures;
– information security training;
– regular internal monitoring of information security systems; and
– regular independent monitoring and audit of information security systems.
• Ensure your organizational safeguards are appropriate to:
– the sensitivity of the personal information (e.g., higher level of protection for information such as medical or financial records);
– the amount of information held;
– the manner and extent of distribution or transmission;
– format(s) (e.g., paper or electronic files); and
– method(s) of storage.
• Make certain that your organizational safeguards are sufficient to protect against loss or theft, and against unauthorized access, disclosure, copying, use, and modification.

Technological Safeguards
• Implement the technological measures necessary to ensure the security of personal information holdings including:
– identification requirements (especially for online transactions) to establish legitimate identity for accessing personal information;
– authentication (i.e., passwords or other unique identifiers for ensuring authorized access to personal information). See the OPC’s Guidelines for Identification and Authentication, available at http://www.privcom.gc.ca/ ;
– system access controls;
– secure channels for transmissions of personal information;
– encryption of sensitive data for storage and transmission;
– firewalls and intrusion detection systems and procedures;
– automatic audit trails for personal information processing systems;
– system security maintenance controls including logs; and
– security incident procedures and logs.
• Ensure that technological safeguards are appropriate to the:
– sensitivity of the personal information (e.g., higher level of protection for information such as medical or financial records);
– amounts and types of information held; and
– manner and extent of distribution or transmission.
• Ensure that technological safeguards (regardless of whether wired or wireless technology is used) are sufficient to protect against loss or theft, unauthorized access, disclosure, copying, use, and modification; and
• When disclosing personal information, take measures appropriate to the sensitivity of the information and the method of disclosure to authenticate the identity of the individual.
Employee Awareness
• Set appropriate limits to employees’ access to, and use of, personal information held by your organization. As a general rule, grant authorization for access to personal information on a “need to know” basis (i.e., information required to perform defined job functions);
• Specify who is authorized to access and handle personal information held by the organization;
• Make employees aware of the importance of maintaining security and privacy of personal information. Where personal information is sensitive or where the potential consequences of improper disclosures are significant, use confidentiality agreements with employees;
• Train your staff on your organization’s policies and procedures for maintaining the security and confidentiality of personal information; and
• Conduct regular education and training to ensure continuing awareness and secure information handling on the part of employees.

Secure Disposal
• Institute procedures for secure disposal or destruction of personal information or the equipment or devices used for storing personal information;
• When disposing of or destroying personal information, take appropriate measures to prevent unauthorized parties from gaining access; and
• When disposing of equipment or devices used for storing personal information (such as filing cabinets, computers, diskettes, and audio tapes), take appropriate measures to remove or delete any stored information or otherwise to prevent access by unauthorized parties.
Telework & Working outside the Office
• Develop formal procedures for employees removing personal information outside the company, including the use of PDAs and laptops, working offsite or teleworking. Analyze the particular security risks which these situations create and develop solutions to limit the risks.
Securing Transmissions by Fax
• When transmitting personal information by fax, take security precautions as recommended in the OPC fact sheet, Faxing Personal Information, available at http://www.privcom.gc.ca/ ; and
• If you must send sensitive personal information, consider more secure alternatives to transmission by fax.