PRIVACY MATTERS with Meaghan McCluskey
PRIVACY IN THE PRAIRIES
Amendments to Alberta’s privacy law place new and stricter obligations on companies to safeguard information in their possession
Among the major changes in the privacy landscape in 2009 were amendments to Alberta’s Personal Information Privacy Act (PIPA), which came into effect on May 1. There are two amendments to PIPA worth highlighting: 1) the need to destroy personal information, and 2) that breaches of personal information may trigger notification obligations. Companies across the country should be aware of these changes as many jurisdictions, including federally, are contemplating enacting privacy legislation that contains these types of obligations.

Previously, PIPA only required organizations to retain information for as long as is reasonable for legal and business purposes. The amendments now create a positive obligation on organizations to destroy personal information where it is no longer reasonable to retain it for legal or business purposes. As an alternative, the organization could alter the personal information such that it can no longer be used to identify the individual. This obligation to destroy or “anonymize” must be fulfilled within a reasonable timeframe once it is no longer required.

Where organizations have retained personal information and that information is lost, accessed or disclosed without authorization, the amendments create an obligation to notify the Alberta Privacy Commissioner when the breach could pose a real risk of significant harm to an individual. Once notified, the Commissioner may conduct an investigation that could result in requirements for the organization to notify affected individuals or fulfill additional steps. It is an offence under PIPA to fail to notify the commissioner of a serious security breach or obstruct the commissioner’s subsequent investigation.

Strict retention policies should be the first line of defence in information security, retaining only the minimum amount of information required for legal and business purposes, anonymizing information where possible and securely destroying information once the purposes for which it was retained have expired. Secure destruction techniques, according to the United States National Institute of Standards and Technology special publication 800-88, include shredding, disintegrating,

14 SECURITY MATTERS • MAY/JUNE 2010