On November 6, 2011, the online edition of the Globe & Mail (Toronto) reported that the confidential tax files of 2,700 Canadians had been downloaded to 16 CDs and taken home by an employee, and that at least one of the CDs had been uploaded to a friend’s laptop. This happened in 2006 and was not reported to the Privacy Commissioner of Canada.
Both federal and provincial laws require private organizations to protect personal information and personal health information with appropriate security safeguards, including physical, organizational and technical measures.
The federal government of Canada has two privacy laws. The Privacy Act imposes obligations on federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information, and provides individuals with the right to access that information. Unless an organization is exempted by the federal government, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private-sector organizations that collect, use or disclose personal information in the course of commercial activities, and likewise provides individuals with the right to access that information.
In Ontario, the Freedom of Information and Protection of Privacy Act and the Personal Health Information Protection Act (PHIPA) apply. PHIPA has been recognized as substantially similar to PIPEDA and therefore governs the collection and disclosure of personal health information obtained in the course of commercial activities in Ontario.
Data Protection Requirements
Most companies and organizations are aware of the general requirement to protect the privacy of personal information and personal health information. The real issue is: in this era of mobile devices and remote access, are you doing this? Consider the following:
- Password protection is the bare minimum and is insufficient on its own. A company that relies on this as its only means of protection may be held responsible if a privacy violation occurs.
- Encrypt all mobile devices, including laptops, notebooks, smartphones, flash drives and any other mobile device to which information may be downloaded. The federal Privacy Commissioner has accepted encryption as a safeguard as long as it uses well-recognized software, is effective and accords with accepted industry standards.
- Do you have clear policies in place AND are your employees, agents and subcontractors aware of the importance of maintaining confidentiality of private information?
- Do you have educational sessions with your people on a regular basis?
- Have your employees, agents and subcontractors signed confidentiality agreements related to maintaining not only the company information confidential, but also personal information that they access as part of their duties and services?
- Do you monitor your systems regularly (for hacking, for example)?
- Do you block the ability to download to portable storage devices?
- Or, do you allow remote access only through a virtual desktop?
In this era of increased connectivity, with technology becoming ever more sophisticated and our faces and personal information easily accessible (witness this photo), it is up to each of us to ensure we are complying with the law and taking the steps required to honour and respect the personal information of others.