By Imran Ahmad and Eloïse Gagné
In our last article, we briefly addressed the obligations of non-profit organizations in relation to the collection and use of personal information. We also provided an overview of information safeguards, noting that you have a duty to keep your records secure and up to date. But what exactly does all this involve? We will see this by examining the principles set out in the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies at the federal level, to the storage and destruction of information.
Principle 4.7 in Schedule 1 of the Act is clear: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” This means that an entity that collects personal information must protect it from loss or theft and from unauthorized access, disclosure, copying, use or modification.
For example, principle 4.7.3 of Schedule 1 specifies that methods of protection should include:
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.
In addition to these mechanisms, it goes without saying that only authorized persons should have access to the personal information in an entity’s possession. Thus, it is particularly important to adopt and implement clear procedures. Entities should be able to answer the following questions at all times: If information is leaked, will we quickly be able to trace the source? What caused our failure to meet our obligations to protect privacy? Who is the person responsible for ensuring that information is protected?
The case of cloud computing
To meet these protection-related duties, it has become common to resort to cloud storage. This involves the use of software and equipment managed by third parties, in order, for example, to store files online or use webmail. Using this type of service entails storing data in far-away locations, sometimes even abroad, something that the law allows subject to certain conditions. As a result, it can be easy to lose control over the safekeeping of information, or even to be unable to guarantee that the data will not be shared for unauthorized purposes. However, an entity that uses these services remains responsible for protecting the personal information collected.
It is possible to contractually limit one’s liability by specifying that the service provider remains the one responsible for ensuring that information is protected. Confidentiality obligations should also be specified. However, it is important to read the terms of any contract carefully in order to guarantee that adequate measures are in place to ensure that these third parties’ systems are secure. This is especially true if these third parties or their servers are in a foreign country. In such a case, other privacy legislation may apply. Certain countries do not have legislation as stringent as Canada’s, so it is better to be cautious.
In addition, entities should choose what information they will store in the cloud. It might not be necessary to save everything on that platform. Depending on the quantity and sensitivity of the information to be managed, one should assess whether the information should be encrypted or depersonalized (i.e. stored so that there is no way to connect it to any individual), and whether there is a way to save the information in more than one place or on a variety of platforms.
In all cases, before resorting to cloud storage, it is essential to obtain the individual's consent to this type of storage because it involves disclosure to a third party. Make sure this is completely clear before transmitting the information to your service providers. Moreover, upon obtaining consent to collection, the fact that the information will be stored abroad should be disclosed.
Lastly—and we cannot repeat this enough—ensure you keep control over the information transmitted. You should have access to the data at all times so you can keep your records up to date, and potentially, destroy them. The service provider should use the information you transmitted only for limited purposes that comply with what you received consent from the individuals for. Third parties must not be able to disclose the information to other persons in a manner that has not been provided for.
At all times, you should be able to recover the information that you transmitted, and the third parties must take the appropriate measures to destroy the information in a way that complies with the law.
There is practically no limit to the quantity of information that can be stored. However, as we noted in our preceding article, the Act states that only the information pertinent to the intended use should be retained. For example, you might have procedures in place for the destruction of information related to accounts that have not been used for some time, or that are no longer up to date. If so, how do you destroy the information properly?
Principle 5 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states that “personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.”
It is therefore important to have clear procedures in place so the information is not destroyed in an improvised fashion.
This also requires the records of the business to be as up to date as possible, with all the resources that this entails.
At the time of destruction, it is insufficient, as the Office of the Privacy Commissioner (the “Office”) has specified, to throw the records into the trash or into a bin. Use shredding or other methods so the information is completely destroyed. The container in which the personal information is stored (e.g. labelled pouches) should also be completely destroyed.
In the case of data stored digitally, adequate methods include overwriting the content or degaussing (demagnetizing) the media, depending on the case. The Office recommends referring to the NIST Guidelines for Media Sanitization (NIST Special Publication 800-88) for more information about appropriate destruction methods. Moreover, all copies and duplicates, including backups, should be destroyed.
Third parties can also be used for destruction if you do not have the necessary resources. But you must do business with professionals that have the appropriate methods at their disposal. As with safeguarding, it is your responsibility to ensure that the third party is complying with its obligations and taking all measures to ensure the information is not disclosed and is adequately destroyed. You should also ensure that the information is transferred securely.
From the moment you begin collecting information, you have an obligation to ensure that the information held is protected so long as it is in your custody, or in the custody of third parties to whom you have disclosed the information. The information must also be destroyed securely if it is no longer necessary. Your obligations can be summarized as follows:
- Obtain consent to the storage of the information, and, at that time:
- describe how the information will be stored;
- disclose to whom the information will be transmitted for the purpose of storage; and
- if the third parties are abroad, disclose this and explain that the laws of other countries may apply.
- Carefully review the terms of any contracts with third parties.
- Whether you do business with third parties or store the information on your premises, put mechanisms in place to protect the information.
- Ensure that you can quickly limit information leaks.
- Establish appropriate procedures and mechanisms for destroying information that is no longer necessary.
- Use secure information destruction tools.
About the authors:
Imran Ahmad is a business law partner in Miller Thomson's Toronto office. This post was prepared with the assistance of Eloïse Gagné.