SafeGuards for PII – From IPC

From Information and Privacy Commissioner of Ontario

Safeguarding and managing personal information

Safeguarding and managing personal information

Whether in paper, electronic or any other format, records of personal information must be safeguarded at all times.

As a service provider, you must take reasonable steps to protect personal information in your custody or control against theft, loss or unauthorized collection, use, disclosure, copying, modification or disposal.83There is no precise definition of a “reasonable step.” What is reasonable depends on the circumstances. It will change as you use new technologies, and as new threats or vulnerabilities emerge.

When determining how to protect personal information, you should assess the nature of the records, including:

  • the sensitivity and amount of personal information in the record
  • the number and nature of people with access to the information
  • any threats and risks associated with the manner in which the information is kept

Based on this assessment, you should put in place measures to safeguard privacy. These measures should be regularly reviewed to ensure they continue to be reasonable. In many cases, reasonable measures will include the following safeguards:

Administrative SafeguardsTechnical Safeguards
to Protect Electronic Data
Physical Safeguards
privacy and security policies and procedures
staff training on privacy and security
confidentiality agreements
privacy impact assessments
strong authentication and access controls
logging, auditing and monitoring
strong passwords and encryption
maintaining up-to-date software by applying the latest security patches
firewalls, hardened servers, intrusion detection and prevention, anti-virus, anti-spam, and/or anti-spyware software
protection against malicious and mobile code
threat risk assessments
controlled access to locations where personal information is stored
locked cabinets
access cards and keys
identification, screening and supervision of visitors 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.