Safeguards for PII – From IPC
From the Information and Privacy Commissioner of Ontario
Safeguarding and managing personal information
Whether in paper, electronic or any other format, records of personal information must be safeguarded at all times.
As a service provider, you must take reasonable steps to protect personal information in your custody or control against theft, loss or unauthorized collection, use, disclosure, copying, modification or disposal. There is no precise definition of a “reasonable step.” What is reasonable depends on the circumstances, and it will change as you adopt new technologies and as new threats or vulnerabilities emerge.
When determining how to protect personal information, you should assess the nature of the records, including:
- the sensitivity and amount of personal information in the record
- the number and nature of people with access to the information
- any threats and risks associated with the manner in which the information is kept
Based on this assessment, you should put in place measures to safeguard privacy. These measures should be regularly reviewed to ensure they continue to be reasonable. In many cases, reasonable measures will include the following safeguards:
| Administrative Safeguards | Technical Safeguards to Protect Electronic Data | Physical Safeguards |
|---|---|---|
| privacy and security policies and procedures | strong authentication and access controls | controlled access to locations where personal information is stored |
| staff training on privacy and security | logging, auditing and monitoring | locked cabinets |
| confidentiality agreements | strong passwords and encryption | access cards and keys |
| privacy impact assessments | maintaining up-to-date software by applying the latest security patches | identification, screening and supervision of visitors |
| | firewalls, hardened servers, intrusion detection and prevention, anti-virus, anti-spam, and/or anti-spyware software | |
| | protection against malicious and mobile code | |
| | threat risk assessments | |