Legislative Requirements and Managing Personal Information

Managing personal information is a challenge and a responsibility in today’s advanced business environment. The rules are set out in the Personal Information Protection and Electronic Documents Act. This Act is often referred to as PIPEDA (2004) and it applies to private enterprises across Canada.

PIPEDA requires private-sector organizations to collect, use or disclose personal information by fair and lawful means, with consent, and only for purposes that are stated and reasonable. Companies are also obliged to protect personal information through appropriate security measures, and to destroy it when it is no longer needed for the original purposes. Employees or members have the right to access the personal information the organization holds about them and to ensure that it is accurate, complete and up to date.

Privacy Breaches – Documented Process Required: If your organization is affected by a security breach, you should immediately seek legal advice in order to receive appropriate guidance in light of the particular nature and circumstances of the breach. Privacy breaches may take place in numerous ways: data may be lost, improperly disposed of or improperly disclosed by the organization itself or by a subcontractor or service provider, or data may be stolen by an employee or third party. Privacy commissioners in Canada have recently provided some guidance on what steps should be considered in the event of a security breach involving personal information. The Ontario, British Columbia and Alberta privacy commissioners have each issued guidelines on this important subject, and the federal Commissioner is expected to follow suit.

Even before a privacy breach occurs, there are a number of proactive steps your organization might wish to implement:

  • Identifying the individual or team that should be assembled when there is a breach;
  • Drafting a policy/checklist tailored to your organization of steps to take in the event of a breach;
  • Ensuring that data retention policies are being followed (since, often, privacy breaches relate to information no longer used or relevant to your organization);
  • Ensuring that adequate security measures (including encryption, where appropriate) are in place in accordance with your organization’s applicable security policies;
  • Ensuring that front-line staff are adequately trained in privacy matters, including through clear guidelines.

In the event a privacy breach occurs, your organization should assess the situation and implement an appropriate action plan in a timely manner. The key objectives should be to contain the breach, assess and mitigate the risk to your organization’s employees, clients and customers, develop and implement a notification strategy that is timely and comprehensive (where appropriate), and review existing policies and procedures to ensure that the breach does not happen again.

One Response to “Legislative Requirements and Managing Personal Information”

  1. Wesley Culbertson September 24, 2012 at 1:48 am #

    Very informative post. Thanks for taking the time to share your view with us.