Securing Personal Information: A Self-Assessment Tool for Organizations
How well is your organization protecting personal information? The personal information security requirements under the Personal Information Protection Act (British Columbia), Personal Information Protection Act (Alberta) and the Personal Information Protection and Electronic Documents Act [PIPEDA] (Canada) require organizations to take reasonable steps to safeguard the personal information in their custody or control from such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.
The first step in developing reasonable safeguards is to collect only the personal information that is needed for a particular purpose. If it is not needed, organizations should not collect it. But if they do, they need to take appropriate precautions.
Reasonable safeguards include several layers of security, including, but not limited to:
- risk management,
- security policies,
- human resources security,
- physical security,
- technical security,
- incident management, and
- business continuity planning.
The reasonableness of security arrangements adopted by an organization must be evaluated in light of a number of factors including:
- the sensitivity of the personal information,
- the foreseeable risks,
- the likelihood of damage occurring,
- the medium and format of the record containing the personal information,
- the potential harm that could be caused by an incident, and
- the cost of preventive measures.
Generally accepted or common practices in a particular sector or kind of activity may be relevant to the reasonableness of a security safeguard. However, generally accepted practices and technical standards must be complemented by elementary caution and common sense.
In creating this tool, we reviewed other standards (such as those produced by the ISO) and received feedback from various organizations in Alberta, British Columbia, and Atlantic Canada. The following links may be of particular relevance and value:
- Bring Your Own Device (BYOD) guidance from Federal, British Columbia and Alberta privacy commissioners
- Personal Information Retention and Disposal: Principles and Best Practices guidance from the Office of the Privacy Commissioner of Canada
- IT Security and Employee Privacy: Tips and Guidance from the Office of the Information and Privacy Commissioner for British Columbia
In the tables below, questions with shading concern the minimum security requirements for any organization, regardless of its size or the sensitivity of the personal information it holds. The remaining questions help organizations raise their security standards beyond those minimum levels. The tables should be used as a tool for organizations to evaluate their information protection readiness. The goal is to be able to answer “yes” to each question. At the end of the process, results for the minimum and higher levels of security are tabulated separately.