Individual Personal Data Protection in Ontario
In Ontario, the privacy of personal information held by public institutions is governed by provincial legislation (the Freedom of Information and Protection of Privacy Act, FIPPA, and its municipal counterpart). Ontario also has separate legislation for health information custodians (the Personal Health Information Protection Act, PHIPA), but no general privacy statute of its own for private-sector organizations.
For private-sector organizations, the privacy of client, employee or patient information is instead governed by Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Why Your Organization Must Protect Personal Data
Besides setting standards for how information may be collected, and requiring an organization to disclose what information it collects and how it uses it, these acts also require the organization to safeguard that information.
Protecting personal data is important for three reasons:
- To prevent unauthorized access to data such as credit card numbers, social insurance numbers, birth dates, and medical or legal records.
- To ensure that an individual can access their own personal information on request, as the law requires.
- To protect the organization's investment in the data, and to preserve an audit trail that can be produced if a complaint is made or a data breach occurs.
Collected personal information may come in many forms, including paper, hard drives, removable digital storage media, and imprinted objects such as identification tags. Access to all such media must be restricted and tracked, which requires high-quality locks, fire-resistant cabinets, and access control devices, whether manual or electronic.
Guidelines to Protect Private Data within Your Organization
1. Physical files, disks and other digital media should be kept in a strong, fire-resistant cabinet fitted with high-security locks (no lock is truly pick-proof, so the cabinet should be one layer of several).
2. Self-closing, self-locking doors should be used to secure the room in which the media cabinets are placed.
3. Control access to the media room by electronic means, such as a card reader, so that each entry is logged to an identifiable person.
4. Do not allow personal data to be modified or copied without an audit trail recording who did it, when, and what was affected.
5. Use only a reputable, bonded firm for off-site or on-site shredding or wiping of media that are being disposed of, and obtain a certificate of destruction. If the destruction is on-site, an employee should witness the process.
6. All employees require training on privacy requirements and should sign a confidentiality agreement.
7. Hard drives containing personal information must be encrypted, with particular attention to laptops and removable media, since these are the devices most often lost or stolen.
8. The computer network must be configured to prevent unauthorized access from outside, and access to personal data from inside the network should be limited to the staff who need it.
Consequences of Carelessness in Handling Private Information
Should client, employee or patient information be compromised or misused, the organization may find itself unable to comply with an individual's legally required request to view their own information. Where private data have been improperly shared with third parties, the organization may face legal action.
In recent years there have been several high-profile privacy lawsuits. Netflix settled a class action for $9 million over retaining subscribers' viewing histories long after they had cancelled their subscriptions. Advocate Health in the U.S. was sued over a breach of roughly 4 million medical records that resulted from the theft of unsecured, unencrypted laptops.
The Finest Security Industry Expertise in Ontario
Our team helps you ensure that private client and employee records are stored and accessed securely by reviewing your current security setup and recommending improvements where needed. Call today for a free consultation to make certain your data safeguards are as strong as possible.