PIPEDA Fair Information Principle 7 – Safeguards
More about Safeguards
Reviewed: May 2019
Protect personal information in a way that is appropriate to how sensitive it is.
Protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use or modification.
NOTE: PIPEDA does not specify particular security safeguards that must be used. Your organization must continually ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.
How to fulfill these responsibilities
- Develop and implement a security policy to protect personal information.
- Use appropriate security safeguards to provide necessary protection. These can include:
- physical measures (e.g., locked filing cabinets, restricting access to offices, and alarm systems);
- up-to-date technological tools (e.g., passwords, encryption, firewalls and security patches);
- organizational controls (e.g., security clearances, limiting access, staff training and agreements).
- Consider the following factors when selecting the right safeguard:
- the sensitivity of the information and the risk of harm to the individual. For instance, health and financial information would be considered highly sensitive;
- the amount of information;
- the extent of distribution;
- the format of the information (e.g., electronic or paper);
- the type of storage; and
- the types and levels of potential risk your organization faces.
- Review security safeguards regularly to ensure they are up to date, and that you have addressed any known vulnerabilities through regular security audits and/or testing.
- Make your employees aware of the importance of maintaining the security and confidentiality of personal information, and hold regular staff training on security safeguards.
- Make sure personal information that has no relevance to the transaction is either removed or blocked out when providing copies of information to others.
- Keep files that contain sensitive information in a secure area or on a secure computer system, and limit employee access to a "need-to-know" basis.
Note: For information on breaches, see the section on this topic.
Report a problem or mistake on this page
- Date modified: