We want to extend a huge THANK YOU to everyone who registered for and attended the webinar we sponsored with the help of our partners OECM and NAID. It was incredibly successful, and we hope to continue to do more in the future. For those of you who registered but did not attend or missed out entirely, we thought we would put together a short recap post for you.
Data security and compliance are critical topics for every organization to consider, and we want to ensure you have the information and tools you need to begin putting the proper processes in place now.
PIPEDA & PHIPA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the overarching federal privacy law for private-sector organizations in Canada. It sets out the ground rules for how businesses/institutions must handle personal information in the course of commercial activity.
Step one in making sure your business and your people are on the way to being compliant: awareness. Share this link to information from the Office of the Privacy Commissioner of Canada about PIPEDA and its significance with everyone in your office to help increase awareness. For those in the Ontario health care sector, the Personal Health Information Protection Act (PHIPA) is your data security guide.
Data Breach Notification Responsibility
Data breaches do happen. Even if your company or organization is being careful and following processes, there is always risk involved when dealing with sensitive data. Knowing your responsibility when/if it does happen is key to demonstrating awareness and compliance. Here are the data breach notification steps you need to follow:
- Determine if the breach poses a real risk of significant harm to the individual whose personal data was compromised.
- Notify the individual(s) involved as soon as possible.
- Report the breach to the Privacy Commissioner as soon as possible.
- Notify any third party that may be able to help mitigate the risk of harm.
- Maintain a record of the breach and make it available to the Privacy Commissioner.
If your company or organization does not already have processes in place around data security, it can seem daunting and scary to think about where to start. We'd like to make it a little less scary - here's what you need to know:
- Organizational Accountability: have a specific employee in charge of compliance.
- Employee Training: have a guide book or document available to staff that explains the steps that need to be taken when a breach happens.
- Contract Elements: have a comprehensive and legally binding contract in place with the vendor you choose that can be shown to auditors.
- Vendor Qualifications & Selection Process: have a specific list of criteria to evaluate, select, and hire the data destruction/electronics recycling vendor. Price and location are NOT good enough reasons to hire a team.
Helpful hint - look for a vendor team that doesn't shy away from helping you write your policies, procedures, and a proper contract. NAID certified companies will have all of the information available to them to be able to support you in these efforts.
Plotting a Course
In a data breach situation, auditors are not looking to throw the book at you and can, in fact, be very understanding if you show that reasonable measures have been taken to be compliant. If you have followed the list of procedures above, you have begun to plot your course to compliance and are showing that you have taken the time to understand what is expected of you.
We hope the information in this post has helped you to better understand your responsibilities as an organization when it comes to data security. It does not have to be a difficult or unpleasant experience to be compliant. Remember, just being able to demonstrate compliance is in fact compliance.