INFORMATION OVERLOAD

By Nicholas F. Cheung

With the amount of data businesses collect on a daily basis, record management is now the responsibility of every employee

With the amount of data businesses collect, organizations face the critical issue of information overload.

It has been said that “information is power,” but as with any valuable resource, it must be managed to maximize benefit and minimize cost. This includes ensuring that information of a personal, sensitive or confidential nature is protected from falling into the wrong hands. Unlike other information, personal information (PI) requires special attention due to its importance and value to customers and the growing incidence of identity theft. An organization must ensure that its records management program secures, protects and disposes of PI according to its privacy policy, industry standards and legislative requirements. Key questions about privacy concerns and records management include:

• What type of information is being collected? Knowing what type of information is being collected allows an organization to classify it properly and employ the appropriate means to protect it.

• Is there a need to collect, or is too much being collected? Collecting less helps to minimize the risk that information may be misused, lost or stolen, and minimizes the costs associated with storing it securely.

• To whom is information being disclosed? PI that has been collected remains the responsibility of the organization that collected it, regardless of whether that information has been disclosed to a third party. Organizations should ensure that contracts with third-party processors of such information incorporate privacy protections.

• What privacy laws and regulations apply? Organizations should seek legal advice to be informed about which laws and regulations apply to their operations, including cross-border transfers of PI.

• Is the organization disposing of or destroying PI properly and on a timely basis? Bob Johnson, executive director of the National Association of Information Destruction, says: “There are media reports literally every day about privacy breaches resulting from unsafe information destruction practices. While it certainly seems like common sense that discarded personal information should be destroyed, this is clearly not happening.” If the disposal and destruction of records containing PI is outsourced to third parties, the organization should obtain assurances that it has been done properly and on a timely basis.

Recently, a white paper was released by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) Privacy Task Force on how to integrate privacy into a records management program using Generally Accepted Privacy Principles (GAPP).

GAPP is a global privacy framework consisting of 10 principles supported by 70 criteria to help organizations address privacy risks and obligations. With respect to records management, GAPP recommends organizations consider the following:

• Conducting a PI inventory and classifying PI;

• Disclosing how long they will retain PI under their control, and ensuring records management policies properly reflect any provisions in the privacy policy pertaining to records management;

• Disposing of PI once its use or retention is no longer required for business or legal purposes. PI should also not be retained or used for purposes that have not been disclosed in the privacy policy;

• Destroying PI at the end of the information life cycle in a manner that is secure and does not allow that information to be recovered;

• Ensuring appropriate measures are used to secure PI being stored physically or electronically (e.g., on laptops and USB flash drives); and

• Establishing monitoring programs to ensure that records management policies and procedures are being followed, such as reconciling PI inventory records and monitoring access to PI.

Designing privacy into an organization’s records management policies and procedures is a critical component of a robust privacy program. Both records management personnel and privacy officers must work together to ensure that PI is properly and securely stored, retained and destroyed. GAPP provides a number of best practices that organizations should consider in their records management program to ensure privacy concerns have been addressed.

Nicholas F. Cheung, CA, CIPP/C (nicholas.cheung@cica.ca) is a principal with the CICA and the contributing author of The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises. The white paper “Records Management – Integrating Privacy Using GAPP” is available free of charge from www.cica.ca/privacy.

12 SECURITY MATTERS • MAY/JUNE 2010