The Personal Information and Electronic Documents Act (PIPEDA) is a privacy law that imposes rules on the collection, use, and disclosure of the Personally Identifiable Information of Canadians. This law requires certain websites to have a compliant Privacy Policy, to honor consumer requests to exercise their privacy rights and to follow the ten PIPEDA Fair Information Principles. In this article, we will discuss the PIPEDA Fair Information Principle: Safeguards and its requirements for securing PII.
What is the PIPEDA Fair Information Principle: Safeguards?
The safeguards principle states that you must protect the PII that you collect by implementing security measures appropriate relative to the sensitivity of that PII. You must protect all PII against loss, theft, or any unauthorized access, disclosure, copying, use or modification. Due to the rapid evolution of technology and its associated risks and threats, the law does not provide a specific list of security safeguards that you must implement, but instead provides guidance on how to determine the safeguards that are appropriate to your organization.
How to select the right safeguards
The PIPEDA Fair Information Principle: Safeguards states that the following factors should be taken into account when choosing what safeguards to implement:
- The sensitivity of the PII and the risk of harm to the individual;
- The amount of PII that you store;
- The extent of distribution;
- The format of the PII;
- The type of storage; and
- The types and levels of potential risk that your organization faces.
The above factors should be reviewed frequently as your practices and the technology that you use change as these changes will affect the safeguards that are appropriate for your organization.
Examples of measures under PIPEDA Fair Information Principle: Safeguards
Once you perform an assessment of the factors above, you will need to choose the safeguards for the PII that you control. Safeguards can include physical measures, up-to-date technological tools and organizational controls. The following is a list of examples of safeguards that you may want to consider:
- Using SSL or other secure connection technologies;
- Destroying the PII that you no longer need;
- Performing regular risk assessments;
- Screening all employees with access to PII;
- Training all employees;
- Encrypting laptops, USBs and other portable media;
- Maintaining up to date software; and
- Performing due diligence of vendors.
Finally, once you determine the appropriate safeguards and implement them, your Privacy Policy must state how you protect the PII under your control. Use Termageddon’s Privacy Policy generator to help create your PIPEDA ready Privacy Policy and avoid privacy-related fines.
