Safeguarding and managing personal information

Whether in paper, electronic or any other format, records of personal information must be safeguarded at all times.

As a service provider, you must take reasonable steps to protect personal information in your custody or control against theft, loss or unauthorized collection, use, disclosure, copying, modification or disposal.83There is no precise definition of a “reasonable step.” What is reasonable depends on the circumstances. It will change as you use new technologies, and as new threats or vulnerabilities emerge.

When determining how to protect personal information, you should assess the nature of the records, including:

  • the sensitivity and amount of personal information in the record
  • the number and nature of people with access to the information
  • any threats and risks associated with the manner in which the information is kept

Based on this assessment, you should put in place measures to safeguard privacy. These measures should be regularly reviewed to ensure they continue to be reasonable. In many cases, reasonable measures will include the following safeguards:

 

Administrative Safeguards Technical Safeguards
to Protect Electronic Data
Physical Safeguards
  • privacy and security policies and procedures
  • staff training on privacy and security
  • confidentiality agreements
  • privacy impact assessments
  • strong authentication and access controls
  • logging, auditing and monitoring
  • strong passwords and encryption
  • maintaining up-to-date software by applying the latest security patches
  • firewalls, hardened servers, intrusion detection and prevention, anti-virus, anti-spam, and/or anti-spyware software
  • protection against malicious and mobile code
  • threat risk assessments
  • controlled access to locations where personal information is stored
  • locked cabinets
  • access cards and keys
  • identification, screening and supervision of visitors

 

 

Under Ontario’s health privacy law, the IPC reviewed a privacy breach involving a hospital clerk who viewed hundreds of patients’ records without authorization. The hospital discovered the privacy breach during a proactive audit and reported it to the IPC.

In PHIPA Decision 64, the IPC reviewed and summarized the hospital’s privacy policies, confidentiality agreements, privacy warnings, staff training and auditing policies. The IPC concluded that although the employee’s use of information was unauthorized, in the circumstances of the breach and the hospital’s response to and investigation of it, the hospital had taken reasonable steps to protect the information.

 

83. CYFSA, ss. 307 and 308(1)