From Information and Privacy Commissioner of Ontario

Safeguarding and managing personal information

Safeguarding and managing personal information

Whether in paper, electronic or any other format, records of personal information must be safeguarded at all times.

As a service provider, you must take reasonable steps to protect personal information in your custody or control against theft, loss or unauthorized collection, use, disclosure, copying, modification or disposal.⁸³There is no precise definition of a “reasonable step.” What is reasonable depends on the circumstances. It will change as you use new technologies, and as new threats or vulnerabilities emerge.

When determining how to protect personal information, you should assess the nature of the records, including:

• the sensitivity and amount of personal information in the record
• the number and nature of people with access to the information
• any threats and risks associated with the manner in which the information is kept

Based on this assessment, you should put in place measures to safeguard privacy. These measures should be regularly reviewed to ensure they continue to be reasonable. In many cases, reasonable measures will include the following safeguards:

Administrative Safeguards	Technical Safeguards to Protect Electronic Data	Physical Safeguards
privacy and security policies and procedures staff training on privacy and security confidentiality agreements privacy impact assessments	strong authentication and access controls logging, auditing and monitoring strong passwords and encryption maintaining up-to-date software by applying the latest security patches firewalls, hardened servers, intrusion detection and prevention, anti-virus, anti-spam, and/or anti-spyware software protection against malicious and mobile code threat risk assessments	controlled access to locations where personal information is stored locked cabinets access cards and keys identification, screening and supervision of visitors