What is PIPEDA and how is it relevant to your organization?
All companies conducting “commercial activity” in the Province of Ontario are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle clients’ and employees’ personal information in the course of commercial activity, including how that information must be protected from unauthorized access.
Failure to comply with PIPEDA can have serious consequences for your organization.
In November 2013, Human Resources and Skills Development Canada employees misplaced an external hard drive containing the personal information (names, social insurance numbers, birth dates, loan and contact information) of more than 500 000 Canadians, as well as the personal contact information of 250 employees. Less than a month later, they reported having lost a USB drive that included personal information on 5000 Canadians. Had this data been used by identity thieves, it could have led to serious legal consequences for all parties involved and compromised the financial security of over half a million Canadians.
Does your data security plan include IT Asset Disposition?
Information Technology Asset Disposition (ITAD) is a relatively new concept. It is important to discuss it with your company’s IT leadership: having a formal plan for safe electronic asset disposal will ensure that none of your company’s sensitive data is released to the public.
Here are a few pointers on what to consider:
Make an inventory of all devices containing data
Computers, laptops, phones and tablets are not the only devices holding data. USB sticks, external hard drives, SD cards, floppy disks, CDs and DVDs are also data storage devices, and they can retain data fragments even after being formatted up to three times.
There are also devices you may not expect to retain data, such as printers, photocopiers/scanners and fax machines.
Keeping a regularly updated list of every device in your facility that contains data will help you manage your data security.
Have a plan for how to safely dispose of end-of-life IT equipment
Creating a plan that formalizes how to deal with end-of-life IT equipment will reduce the risk of those devices endangering your company’s reputation. Guidelines can include:
- How to safely store your devices awaiting disposal
- How to securely transport your devices
- Whether you need the assets rendered inoperable at your location prior to transport to your data destruction provider’s facility
- Whether you will require certificates of destruction or witnessed destruction
- Your recycling and environmental legal responsibilities and/or best practices