How safe is your personal information?
What steps can you take to protect your personal information?
Start by developing a ‘personal information inventory’ – a list of all the personal information that you give or collect. This inventory should help you to keep track of where your information is going and how much information you are providing. Consider how much you trust a business to manage your information before you freely give it. Remember, the more sensitive the information, the more careful you need to be. For example, the type and amount of personal information that you are willing to give to your school, doctor, gym, eBay, or a door prize entry form should be very different.
From a business perspective, you need to consider the risks to personal information each time you prepare for a new (or modified) project or process in order to be accountable to your clients.
So, what does it take to be truly accountable?
Consider putting a privacy management program in place. In the document “Getting Accountability Right”, the Federal, British Columbian and Alberta Privacy Commissioners state that, at a minimum, private sector organizations require the following internal policies:
- Collection, use, and disclosure of personal information
- Access to and correction of personal information
- Retention and disposal
- Responsible use (including safeguards)
- Challenging compliance
Businesses might need to complete a threat risk assessment (TRA) or a privacy impact assessment (PIA). These are tools to help you review the risks and identify administrative, technical, or physical safeguards or strategies to limit them. “Securing Personal Information: A Self-Assessment Tool for Organizations” is a checklist that you can use to start your TRA.
Do you have vendors or contractors who work for you and have access to personally identifying or sensitive information? You need to ensure that the vendor has policies, procedures and safeguards to protect your information. You may also need an Information Manager Agreement (IMA) or Business Associate Agreement (BA).
Do your staff work alone?
You might have an employee who works alone for part of their shift in your practice. Maybe employees work at the same time but at opposite ends of the office. If an employee cannot be seen or heard by co-workers who can offer assistance, they are considered ‘working alone’. The employer is required to conduct a hazard assessment and must establish an effective strategy to reduce the risk of harm. Here are some resources to help you assess your risk.
- Information Manager Agreements – watch the video from Information Managers.
- Cyber risk assessment and management – from BENS and NCSA.
- Workplace Security Risk Calculator from EMC2/RSA – play the game to find out how some of the things many of us do every day could be exposing your organization to risk. Just answer 12 questions to calculate your workplace security risk score.
- Carefully consider if you should share your personal information each time you're asked for it.
- Does your organization have a listing of personal information that you collect, use, and disclose? When was this last reviewed? If it has been more than two years, it is time to review it again.
- Does your organization have a risk assessment or privacy impact assessment? When was this last reviewed? If it has been more than two years, it might be time to review it again.