On a recent sales presentation with a medium sized company, I was asked, by our then potential customer (and now our customer), “what is considered as confidential information?”
For context, this person does understand the need for data privacy and protection, perhaps more so than an average individual, as he is the company’s CFO. Our discussion was in relation to securitizing paper information versus using a general recycling program. Now, on the face of it, it was a straightforward and a simple question, it made me realize how little awareness (and perhaps misinformation) exists about data security and privacy, however.
So, here’s my humble attempt to provide some high-level information about the topic of privacy and the need for data security, hopefully without inundating you with technicalities.
PART 1: WHAT IS CONFIDENTIAL INFORMATION?
What is Privacy?
“You have zero privacy anyway,” Sun Microsystems chief executive Scott McNealy famously said in 1999. “Get over it.”
This grim view about privacy is strongly held by a lot of tech companies, largely because, as consumers of digital media, we share a vast amount of information, personal and otherwise, with these companies.
Personally, I prefer to view my privacy is my right and one that I defend vigorously. According to the Office of the Privacy Commissioner of Canada, “Privacy is not simply a precious and often irreplaceable human resource; respect for privacy is the acknowledgement of respect for human dignity and of the individuality of man.”
Privacy equals freedom: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/oped_190128/
The Privacy Act offers protections for personal information, which it defines as any recorded information “about an identifiable individual.” It can include your race or colour; national or ethnic origin; religion; age; marital status; blood type; fingerprints; medical, criminal or employment history; information on financial transactions; home address; and your Social Insurance Number (SIN), driver’s licence or any other identifying number assigned to you.
When you do business with a company, you do more than simply exchange money for a product or service, such as: your name, address, credit card number and spending habits are all information of great value to somebody, whether that’s a legitimate marketer or an identity thief.
In Alberta, the Personal Information Protection Act (PIPA), sets the ground rules for handling of personal information in course of commercial activities. It applies equally to small and big businesses, whether they operate out of an actual building or only online. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private enterprises across Canada.
What Is Confidential Information or Vital Record?
Broadly speaking, there are two types of vital records that an organization or an individual may possess that are considered confidential. Both require a different approach to retention and disposition.
- Retained/Controlled Record: A record that must be retained for a period of time on a non-discretionary basis, as determined by its usefulness, relevant regulatory requirements, or historical value. Some examples of vital records include birth, marriage, and death records, medical records, business records, employee records, tax records, condo documents, land titles, government/municipal records, historical records, deeds/wills, blueprints, patents, contracts or archival photographs.
- Incidental Record: A record created for temporary use (subject to no retention requirement), including but not limited to phone messages, notes, sketches, drafts, forms, drawings, memos, email, mail, electronically recorded voice mail, and photos, regardless of the media on which they are recorded or the method by which they are recorded.
For a comprehensive listing of vital records and regulations, refer to http://www.pulpshred.com/regulations.php
What Type of Confidential Information Needs Strict Data Protection?
Most businesses, regardless of size, collect sensitive information from both clients and employees, such as personal information, birth dates, addresses, social insurance numbers and much more. In the wrong hands, this information can cause a lot of problems with identity theft for both the individual and the company.
In general, there are four categories of information that need to be strictly protected to safeguard confidentiality:
- Personally Identifiable Information (PII)
Personally identifiable information (PII) is information that identifies, locate or contact a person in some way, such as name, address, birth date, phone number, and personal identification numbers. Identity thieves use this data to commit offenses or create new identities – and apply for loans or credit cards and file fraudulent tax returns, etc. PII is also sold to marketing firms or companies that specialize in spam campaigns.
- Data Protected by Privacy Laws
This includes data handled by governments, public or private organizations, and other individuals that store and use personal and confidential information of individuals. There are many privacy laws in place at different levels of government and by industry sector. Become aware of privacy laws and regulations. Non-compliance of privacy laws can lead to large fines.
- Corporate Information
Anything that may pose a risk to a company if a competitor or the general public gets a hold of it, needs to be protected. This information includes trade secrets, acquisition plans, financial data, and supplier and customer information; also, executive-level correspondence, contracts, and HR data like medical records, payroll information and performance appraisals.
- Financial Information
Data used by an individual or company in banking, billing, and insurance must be protected. It includes credit and debit card information and data that can be used to access accounts or process financial transactions.
- Personally Identifiable Information (PII)
What is Records & Information Management (RIM) Framework?
A carefully designed Records & Information Management (RIM) Framework provides guidelines related to the integrity, accuracy, compliance and overall governance of all records and information, regardless of media, including records retention (storage), document imaging (scanning), data backup and secure information destruction.
Organizations must resist the temptation to save everything, “just in case.” A much more prudent approach is to develop effective document management practices, typically dictated by a document retention and destruction policy.
One of the major components of the RIM framework is the Records Retention & Destruction Policy. A Records Retention & Destruction Policy determines how long specific classes and categories of records are to be retained and destroyed, as determined by their usefulness, regulatory requirements and historical significance.
Does Your Company Have A Records & Information Management (RIM) Framework?
In Part 2 of this series, we will delve into the concept of developing effective records management principles and procedures for safeguarding information and data in private companies.