How to Store Personal Information
The following checklist may be helpful for storing personal information. It is intended to be helpful, but it is not legal advice.
It is written at a high level of generality to give the new or busy privacy officer a quick and useful overview of the requirements under PIPEDA. Many people have invested much thought in creating other helpful guidance documents with lower levels of generality and additional detail. Several very helpful ones are listed below the checklist.
Checklist
Determine whether the Personal Information is sensitive.
Store it sufficiently securely for its sensitivity.
Store it with a key linking it to evidence of consent to the disclosed purposes of use or disclosure.
Store it so that it is retrievable for updating accuracy, destruction, rendering anonymous, or response to a request for access to the Personal Information.
Ensure sufficient:
1) Physical security (locked doors, locked vaults, in locations not accessed by unauthorized people).
2) Personnel access security within the organization (restrict access to personnel who have an organizational need to access the information, who have contracted to comply with your privacy policies, and who have been trained regarding your privacy policies).
3) Technological security (firewalls, passwords, physical security of the back-ups).
You collected and stored it to use it or disclose it. Now you need to think about How to Use or Disclose Personal Information.
Compliance Guides with lower levels of generality
- Canada's Privacy Commissioner's "Guide for Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act" is helpful.
- Canadian Institute of Chartered Accountants' Privacy Package contains a link to their free downloadable AICPA/CICA Privacy Framework. The AICPA/CICA Privacy Framework is the best and most helpful single document we have reviewed. It has a low level of generality and the detail may be daunting for some. However, the benefits available through the additional effort required to review and understand it are, in our opinion, well worth the time and concentration investment required.
- Industry Canada's Privacy for Business
- Industry Canada's Online E-security and Privacy Guide
- Treasury Board of Canada Secretariat's Privacy Impact Assessment (PIA) E-learning tool
- The Information and Privacy Commissioner of Ontario's Privacy Diagnostic Tool (PDT) Workbook. They describe it as a self-assessment program used to help businesses gauge their privacy readiness.




