As a business owner in Canada, you have more to worry about than securing your premises against burglars in the middle of the night. You need to protect personal and identifiable information on the people you work with and work for.
In Canada, personal information that businesses obtain from both customers and employees is protected by law. PIPEDA, the Personal Information Protection and Electronic Documents Act, is the Canadian legislation that governs how businesses collect, use and disclose personal information.
PIPEDA is broken down into 10 governing principles:
1. Be accountable: you, as a business, are responsible for the personal information you collect and must assign someone to be accountable for your organization’s compliance with PIPEDA.
2. Identify purposes: you must identify the reasons you are collecting personal data when or before you collect the information.
3. Obtain consent: you must obtain consent from the person whose personal data you are collecting, using and disclosing.
4. Limit collection: you will only collect the minimal information required for the purposes that have been identified (Principle 2).
5. Limit use, disclosure and retention: you will not use or disclose the information for purposes other than those identified unless you have obtained additional consent, and information will only be retained for as long as is necessary to meet its purpose.
6. Be accurate: information must be accurate, complete and up to date.
7. Protect information: you must protect personal data appropriately.
8. Be open: you must make policies and practices relating to personal information accessible.
9. Give access: you must inform individuals of the existence, use and disclosure of their personal information, when requested. The individual may also challenge the accuracy of the information and amend it.
10. Provide recourse: individuals must be able to address a challenge of personal information with a designated person within your organization (Principle 1).
Last month, additional requirements were implemented that now compel private-sector businesses to report when there has been a privacy breach.
In other words, if personal information in your possession is lost, accessed without authorization or mistakenly shared, you must report it to the individual whose information was breached and to the Office of the Privacy Commissioner. Failure to do so could result in fines of up to $100,000 for each affected individual.
For a business that collects personal data, it is important, both in light of this revision and in consideration of Principle 7, to take the necessary measures to protect that data.
Specifically, organizations must implement safeguards to protect the data from being stolen, accessed without authorization, copied, used or modified, regardless of the format in which it is held (e.g. electronic or hard copy).
While the safeguard used is not specified, it must be appropriate to the sensitivity of the information collected – what it contains, how much there is, how it is distributed and its format.
To protect your personal data, consider these eight tips:
- Know what information you have, where and how it is stored and what is being done with it.
- Understand your vulnerabilities and determine how this personal information can be accessed – is it online? Do you store hard copies?
- Know what is happening in your industry – criminals will often use the same method of attack on organizations in the same industry.
- Protect data on laptops, hard drives and USBs with encryption, passwords and firewalls. Monitor your intrusion prevention systems to see if additional safeguards are required.
- Only collect and retain the most necessary information and dispose of it appropriately – you can’t lose what you don’t have.
- Create internal policies and procedures and ensure staff are trained to manage data.
- Limit access to personal information to employees who require access and monitor who is accessing it and when.
How managed access control can help
Whether protecting devices when not in use, safeguarding servers or securing hard copies of personal data, Sonitrol Western Canada’s access control solutions can help restrict and track access to personal information.
Managed access control, or keyless entry, is one of the easiest, most cost-effective ways for you to increase security.
Access control allows you to track and restrict who goes where and when, whether it is access to your business as a whole or to specific areas and rooms where data is stored. This limits the risk of internal theft and external threats. Controlled access gives you more oversight of your facility's activity while saving you money and time.
The Sonitrol access management system is integrated with our Sonitrol intrusion detection system so different employees can have different access levels. Employees who are authorized will be allowed access and be able to disarm the security system. Employees who are not authorized will not be allowed access to the facility when the security system is armed.
When an employee leaves, or is reassigned, our uniquely designed access control cards are easily deactivated and updated, or new cards can be issued whenever needed. No more lost keys. Eliminate the expense of installing new locks or re-keying.
For more information on Sonitrol Access Control and how it can help you protect personal information, contact us today.