This article highlights how information collection continues to climb as businesses seek to analyze data sources to improve customer service and efficiency, yet neglect regulatory compliance. This leads to increased risk and damages to an organization. See here for how Blue-Pencil can help your team focus on developing guidelines, procedures, and ensuring compliance to Personal Information Protection and Electronic Documents Act(PIPEDA) with information destruction, leading your business to sustain its reputation and competitive positioning.
See here for a quick video summary from the Office of the Privacy Commissioner on protecting customer privacy.
Get started now by requesting Blue-Pencil’s Information Destruction Policy template to help you begin gearing up for PIPEDA compliance.
Implications for PIPEDA Compliance
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules on how private organizations can collect, use, disclose, and dispose of information as part of commercial activity. This act is applicable to all provinces and industries other than Quebec, British Columbia, Alberta, and the health-care sector in Ontario. The following excerpts from a government resource in document destruction require that organizations:
-Develop guidelines to manage the destruction of personal information
-Implement procedures to manage the destruction of personal information
-Ensure due diligence during disposal or destruction of personal information
These implications are a direct result of principle 5 of PIPEDA, which states that “personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” In addition, Paragraph 4.7.5 specifies that care shall be exercised in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
Collect only Crucial Personal Information for Organizational Use
EMC2 predicts that by 2020 the quantity of digital data will nearly rival the stars in the universe. Organizations represent a significant driver in the growing data footprint as each transaction or customer contact can generate data. Organizations must determine what information is necessary for collection and justify its use. Reducing the amount of personal information from being collected up front helps reduce the magnitude of data exposure downstream. Periodic reviews of essential personal information for organization activity are recommended, as managing and storing unused information increases operating costs.
Develop Guidelines and Procedures to Dispose of Information in a Timely Manner
Guidelines and procedures help organizations implement the right timing for information destruction in order to support organizational activity and regulatory requirements. The guidelines/procedures developed by your organization must address types of information collected and which ones must be managed via a process of due diligence. Knowing the requirements of both your organization and regulatory mandate helps identify time frames during which information should be available for use and when it is to be disposed of. The guideline and policy must address the safeguarding of private information throughout its lifecycle as there are vulnerabilities at each stage.
Business and institutional clients continue to make Blue-Pencil their go-to provider in information destruction. Here is what a recent customer had to say about Blue-Pencil:
Our company has utilized Blue-Pencil for the past 6 years for their secure shredding service.They are efficient, reliable and their teams from head office along with the service technicians are highly professional and a pleasure to communicate with. We would without hesitation, recommend their services: they will not disappoint. – Carolin
See here for more reviews.
The Privacy Commissioner offers a checklist for creating such organizational guidelines some of which include the following:
-“Is there a governance process in place to track personal information through its lifecycle?”
-“Are information holdings periodically being reviewed to determine whether the purpose of the collection has been fulfilled? How often?”
-“Is there a specific minimum retention period that is statutorily required?”
-“Is staff aware and knowledgeable about the proper handling and disposal of personal information?”
For a full list of the Commissioner’s checklist see here. Refer to the full PIPEDA for details on requirements for your specific industry.
Guidelines and Procedures Should Utilize Best Practices of Information Destruction and Varied Information Storage Media
An organization’s guidelines and procedures are most effective when it understands and applies the best practices to managing physical and electronic information. Both have their specific requirements for due diligence in complying with PIPEDA. The Privacy Commissioner offers these tips:
-“Rewriting data on electronic storage to circumvent data recovery methods”
-“Completely destroying media whether it is physical or electronic”
Ensure Due Diligence in Personal Information Destruction
Compliance to due diligence requires that an organization has done what is reasonably required to safeguard the privacy of personal information collected. An organization may elect and train designated staff to manage personal information destruction or contract third-parties. With the added cost of certification and disposal equipment and other logistics, it is recommended that businesses and institutions engage third-party services for secure information destruction.
Organizations partnering with a third-party are to be aware that they are still responsible for ensuring proper information disposal, though this function is managed by an external party. The Privacy Commissioner offers the following for working with the right partner:
-“Ensure privacy protection clauses in contracts”
-“Monitor and audit to ensure track record and quality control.”
Must-Have Qualities That Blue-Pencil Offers in Information Destruction Service
Blue-Pencil is an experienced service provider in helping clients remain compliant and competitive. Clients receive the best in class service through these areas of focus:
High standards in information destruction services with NAID AAA and Privacy+ certification
Expert recommendations in strategic information management and practical hands-on experience
Ability to deliver compliance while managing organizational efficiency
Proven system for managing information retention schedules
Training, resources, and support for your staff to become adept at information management
Personal Information Retention and Disposal: Principles and Best Practices
PIPEDA is available online
Top 5 Tips To Decrease The Risk Of A Confidential Information Leak