
[2019-07-01] Near Source IT becomes official Canadian distributor of the FUDO Network Security Appliance

PIPEDA Compliance

The "Personal Information Protection and Electronic Documents Act" (PIPEDA) sets out rules that private-sector organizations in Canada must follow when collecting, using, storing, and disclosing personal information in the course of commercial activity.

When a business collects personal information, it is responsible for safeguarding that information against loss, theft, and unauthorized access, disclosure, copying, use or modification, regardless of the format in which the information is held. The safeguards include: physical measures, such as locked filing cabinets and restricted access to sensitive storage areas and offices; organizational measures, such as limiting which personnel have access on a "need-to-know" basis; and technological measures, specifically strong authentication (passwords, multi-factor tokens, biometrics) and strong cryptography.

The business is also responsible for the proper disposal and destruction of personal information once it is no longer needed, which means preventing unauthorized parties from recovering the information from discarded media. Paper records must be shredded or otherwise properly destroyed. Removable media such as floppy disks, CDs, DVDs and tapes must be irretrievably destroyed, and storage devices (hard drives and flash devices) must be wiped using, at a minimum, the RCMP TSSIT OPS-II drive sanitization procedure. Note that overwrite-based procedures of this kind were designed for magnetic disks; on SSDs and other flash storage, wear levelling means an overwrite does not reliably reach every physical block, so the device's built-in secure-erase or cryptographic-erase function, or physical destruction, should be used instead. This is particularly important for computers that are leased, or which will otherwise be returned, sold or recycled; it is the business's responsibility to ensure that no usable data remains on the disk.

Our team can help you meet your legal obligations and show your customers that you take their privacy seriously. Proper encryption, authentication, and authorization controls ensure that your data is not disclosed, altered or misused. Authentication establishes the identity of the person accessing the data using one or more of the three authentication factors: possession, something the user has, such as a security token or ID card; knowledge, something the user knows, such as a passphrase or PIN; and inherence, something the user is, such as a fingerprint, retinal scan or signature. Authorization ensures that the authenticated person is permitted to perform the action they are requesting, whether that is reading the information (which enforces "need-to-know") or modifying it (which prevents accidental or malicious alteration or destruction of the data). Authorization can also be conditioned on time: denying access to sensitive information outside regular business hours helps prevent it from being misused or disclosed. Your business cannot afford to be without proper policies to protect the sensitive private information that has been entrusted to you. Call us today, before your business is the next headline.