Legislation Leader | COMPLIANCE TOOLKIT CANADA
We protect what matters.
Posted on 19-Jun-2020


Table of Contents

3 Overview
4 Canadian Legislation
  » Privacy Act
  » Personal Information Protection and Electronic Documents Act (PIPEDA)
8 Infographic
9 Best Practices & Tips
10 Special Handling


Overview

Extensive legislation governing privacy in Canada makes it challenging for organizations to ensure their information security policies and procedures are fully compliant with the current law.

As new threats to data security emerge, legislation consistently changes to protect personal information. Organizations can struggle to meet information security requirements, and failing to do so can result in significant fines and other serious consequences.

The first step in mitigating this risk is understanding the role information security policies and procedures play in remaining compliant with legislation related to the storage and disposal of confidential information.

This Legislation Leader Compliance Toolkit is designed to help you navigate your legal requirements concerning the storage and destruction of confidential data.


Canadian Legislation

There are Canadian Federal and Provincial regulations that apply to any and all information about an identifiable individual in any form.

When an organization is found to have violated the law, the Federal Privacy Commission is authorized to publicize the findings, identify businesses found to be non-compliant and refer complaints to the Federal Court for enforcement.

Fines and even industry or regulatory sanctions may be imposed, and there is no ceiling on the monetary damages that the court may award.


Privacy Act

What is it?

The Federal Privacy Act imposes privacy obligations on the collection, use and disclosure of private information by government institutions and Crown corporations. The Federal Privacy Commission oversees and enforces the Act. While this Act sets out rules for the collection, handling, disclosure and use of any information about an identifiable individual, each province and territory has its own public sector legislation similar to the federal Privacy Act.

Who is affected?

All federal government departments, government agencies and crown corporations.

You must:

» Review the rules as set out by the federal Privacy Act

» Review the rules as set out by provincial/territorial legislation

» Apply the rules appropriate for your jurisdiction

Provincial and Territorial Legislation Direct Links:

» Alberta

» British Columbia

» Manitoba

» New Brunswick

» Newfoundland and Labrador

» Nova Scotia

» Northwest Territories

» Nunavut

» Ontario

» Prince Edward Island

» Quebec

» Saskatchewan

» Yukon


Personal Information Protection and Electronic Documents Act (PIPEDA)

What is it?

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private sector organizations handle private and confidential information that is collected or used during the course of commercial activities. It applies even when there are overlapping provincial or sector-specific privacy laws.

Who is affected?

All federally and provincially regulated organizations, including banks, airlines, telecommunications companies, retail stores, publishing companies, the service industry and manufacturers.

You must:

» Have procedures in place to protect personal information in your possession from unauthorized access

» Employ document retention policies to safeguard confidential data while it is being used or stored

» Have destruction procedures that ensure all personal information that is no longer needed for the purposes it was collected is securely and permanently destroyed

Infographic (image not included in the extracted text)

Best Practices and Tips

» Understand your legal obligations
» Conduct a comprehensive assessment
» Conduct regular audits to monitor effectiveness and compliance
» Establish detailed policies and procedures for confidential information
» Include document security in crisis management plans

In order to better secure physical assets, businesses should:
» Provide employees with filing cabinets that can be locked
» Eliminate unsecure recycling bins and provide secure shredding containers for the secure destruction of documents
» Securely destroy old hard drives once they are no longer needed
» Use laptop locks that prevent physical theft

In order to better secure digital information, businesses should:
» Encrypt employee smartphones so that data is secure if phones are lost or stolen
» Regularly update software to ensure security holes are patched
» Limit access to network folders with sensitive information
» Install anti-malware software on all computers and block access to risky sites

In order to instill a culture of security, businesses should:
» Develop rules for proper document management that include storage and disposal
» Implement policies that describe the equipment, data and documents that employees are not permitted to remove from the office
» Train all new employees on information security policies and procedures
» Tie adherence to information security policies to the performance review process

Special Handling

Almost every department within your organization has information that should be securely stored and destroyed once it is no longer needed, both for privacy protection and for corporate competitiveness. The table below contains a quick summary of typical departments and some of the document types that require special attention.

Department: Human Resources
What needs to be handled:
» Job applications
» Health and safety documents
» Medical records
» Payroll information
» Performance appraisals
» Training information and manuals
Why: Most of the documents within this department contain the confidential and personal information of your employees and/or potential employees.

Department: Sales / Marketing
What needs to be handled:
» Customer lists and contracts
» Financial information
» Application forms
» Strategic plans
» Product samples
» Launch calendars
» Budgets and forecasts
Why: The documents within this department often contain the private and confidential information of your clients and customers. Additionally, they may contain business strategy and the “big ideas” which you do not want exposed.

Department: Accounting
What needs to be handled:
» Contracts
» Invoices
» Customer lists
» Internal reports
» Payroll statements
» Supplier information
» Financial applications
Why: These documents contain your organization’s financial information. If compromised, they have the potential to cause significant monetary damages to your organization.

Department: IT
What needs to be handled:
» Hard drives
» Memory sticks
» CDs
» Zip disks
» Access codes
» Network configuration details
Why: Your digital assets contain as much confidential information about your organization as your paper documents. They are also easier to disseminate.

Department: Procurement
What needs to be handled:
» Corporate records
» Supplier purchase orders
» Supplier records
» Supplier specification documents
» Credit card information
» Financial applications
Why: Similar to accounting, your procurement department holds financial and historical records of not only your organization, but of your suppliers as well.

Department: Research & Development
What needs to be handled:
» Appraisals
» Product test results
» Formulas
» Product plans
» New product information
» Reports
» Specification drawings
» Prototypes
Why: This department holds on to information that makes your organization more competitive. Losing these documents can eliminate your company’s competitive edge.

Department: Management
What needs to be handled:
» Budgets
» Correspondence
» Customer lists
» Legal contracts
» Forecasts
» Strategic plans
Why: Your management team may have information that is confidential not only to external audiences, but also to your own employees.

How Shred-it® Can Help

Shred-it is the global leader in information security, providing information destruction services to over 300,000 customers worldwide.

Shred-it Secure Document and Hard Drive Destruction
» Secure end-to-end chain of custody
» Certificate of Destruction after every service
» Tailored solutions to your organization’s needs

Advice and Expertise
» Trained experts in information security
» Provide a Security Risk Assessment at your organization
» Helpful resources available at shredit.com/resource-center

Call Shred-it today at 800-697-4733 or visit us at shredit.com

Shred-it® is a Stericycle solution. © 2017 Shred-it International. All rights reserved.