Safeguards

June 2015

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. The Commissioner’s findings will depend on the facts of each case and will be informed by evolving jurisprudence. Over time, findings on certain key issues crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretation Bulletins on certain key concepts in PIPEDA. These Interpretation Bulletins are not binding legal interpretations, but rather, they are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretation Bulletins may evolve and be further refined over time.

I. Relevant Statutory Provisions of PIPEDA

Principle 4.7: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”

Principle 4.7.1: “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”

Principle 4.7.2:  “The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.  More sensitive information should be safeguarded by a higher level of protection.  The concept of sensitivity is discussed in Clause 4.3.4.”

Principle 4.7.3:“The methods of protection must include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.”

Principle 4.7.4:  “Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.”

Principle 4.7.5:  “Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).”

II. General Interpretations by the Courts

  1. “Video recordings kept in a locked location that are only accessed by responsible managers or corporate police officers following a reported incident are considered to be adequately safeguarded.  Video recordings that do not capture incidents should be destroyed within an appropriate time frame. (Eastmond v Canadian Pacific Railway 2004 FC 852, [2004] FCJ No 1043)
  2. The appropriateness of a security safeguard is to be evaluated based on existing circumstances, not hypothetical new uses of existing technologies or new technologies that have yet to be developed. (Turner v TELUS Communications, 2005 FC 1601,[2005] FCJ No 1981)
  3. An organization can implement safeguarding measures that involve employee biometrics as long as that information is properly safeguarded. In this case, the information was sufficiently safeguarded by converting a vocal tract into a matrix of numbers that are stored under substantial security. (Turner v TELUS Communications, 2005 FC 1601,[2005] FCJ No 1981)
  4. Disclosure of personal information, in itself, cannot be taken as evidence of inadequate safeguards.  In this case, a clerical error caused the applicant’s personal medical information to be mailed to an incorrect address and to an unauthorized advisor. (Townsend v Sun Life Financial 2012 FC 550, [2012] FCJ No 777)

III. Application by the OPC in Different Contexts

Whether an organization can be said to meet its safeguard obligations under PIPEDA will vary depending on the facts of each complaint and investigation. The following examples illustrate how the safeguard principle has been interpreted and applied by the OPC and some of its general findings derived from different contexts.

Policies, Practices, and Procedures

More Sensitive Information Requires Higher Level of Protection

Employee Training

Third Party Organizations

Client Identification and Authorization

Mail, E-Mail, and Fax

Internet and Technology

When Breaches do Occur

Storage of Personal Information

Individual Accountability

Date modified: