Recently, the office of the Information and Privacy Commissioner of Ontario released a “Fact Sheet” concerning the secure destruction of personal information.

BY RICK BENSON
Over the last six months I have been writing about the document destruction industry and some of the do's and don’ts when it comes to the destruction of records that contain personal information. Recently, the office of the Information and Privacy Commissioner of Ontario released a “Fact Sheet” concerning the secure destruction of personal information. This fact sheet contains not only some goodrecommendations that I thought I would comment on and include for you, but a sample contract that you could use with a document destruction service provider if they don’t provide one for you.

This fact sheet follows on the Commissioners first order (HO-001) under the Personal Health Information Protection Act-2004 (PHIPA) that was directed at all health information custodians (HIC’s) in Ontario. HIC’s are any organization that collects or uses personal information in the health or a health related field. This fact sheet demonstrates that the Province is taking on a greater role in actively promoting and educating the public on the best practices for the destruction of personal information. The fact sheet is useful for everyone that collects and uses personal information.

I recently wrote an article for Business Link entitled “We are all responsible”. This article focused on the role each of us (legislators, businesses, employers and individuals) plays in being responsible for secure information collection, handling and destruction for the prevention of identity loss or theft. Dr Ann Cavoukian goes one step further stating “it’s not just a matter of being responsible, protecting one’s reputation, or preventing identity theft – it’s the law. In Ontario, four pieces of legislation require that personal information be “disposed of in a secure manner, whether it be in paper or electronic format”. The Province is regulated by the Freedom of Information and Protection of Privacy Act, Municipalities by the Municipal Freedom of Information and Protection of Privacy Act, health information custodians by PHIPA, and the private sector by the Federal Personal Information Protection and Electronic Documents Act.

The Fact sheet focuses on two key areas. Firstly, match the destruction method to the media, and secondly, select and engage your service provider with due diligence. The IPC says “For paper records destruction means cross-cut shredding, not simply continuous (single strip) shredding, which can be reconstructed”. Also noted is that not only “official files” but duplicate files need shredding and that all documents should carry “shred after” dates or “do not copy” warnings. For electronic and wireless media (disks, CD’s, USB keys, PDA’s, hard drives) destruction means “either physically damaging the item (rendering it unusable) and discarding it, or if for reuse, within the organization, employing wiping utilities provided by various software companies”.

The IPC says “If you are engaging an external business to destroy records be selective”. The fact sheet further states, “Look for a provider accredited by an industrial trade association, such as the National Association for Information Destruction (see my last month’s article“NAID…working for you”), or willing to commit to upholding its principles (www.naidonline.org), including undergoing independent audits. Check references, and insist on a signed contract spelling out the terms of the relationship”.

Few document destruction firms will offer you a contract up-front. When they do, most of the contacts are for the provision of services that require you to utilize their services on a regular basis and at a specific cost. Ask your service provider upfront if they provide a contract that meets the requirements of the IPC. If not, they probably do not offer the protection that you require.

All businesses and organizations should have a copy of the fact sheet as reference for understanding the basics of secure destruction of personal information. The fact sheet can be obtained at www.ipc.on.ca.

Download the full atricle in PDF format.