Privacy Principle 5: Security Safeguards Principle
Organizations must implement security safeguards and precautions to protect personal information from
unauthorized access, use, destruction, disclosure, and modification.
Question: Do you have a sensitivity classification for personal information that defines security safeguards to protect personal information in all forms (e.g., on paper, disk, online, people, etc.)?
Discussion:
The Security Safeguards Principle defines the intersection between the practices of information security and the protection of customer and employee privacy. A first critical step toward this protection is to classify and label personally identifiable information (PII) within the organization. A sensitivity classification defines the security controls that must be implemented to protect the data. These controls then follow the data throughout its "lifecycle" and into its various formats.
Organizations need to implement security safeguards for personal information in all forms, including, but not limited to, paper, electronic, CD, and even voice, when talking on the phone or in public. Recent privacy breaches in the news point to these common weaknesses. In early 2006, several thousand customer records were exposed by two Boston-based newspapers that had used improperly destroyed customer records as packing material for delivery boxes. Organizations continue to suffer as personal customer information flows onto personal laptops and other portable devices that are then lost or stolen.
Suggested Policy:
Company X must implement security mechanisms and procedures to protect personal information in all forms, including, but not limited to, electronic, paper, recorded voice, and personal conversations.
Note: Assessment and discussion from the Privacy Management Toolkit, Version 1. The Privacy Impact Assessment within the Toolkit contains a complete assessment.