Data Protection and Confidentiality Training Course

Data Protection is a legal requirement for every business and organization which must be able to demonstrate measures have been taken to ensure confidentiality and the safe handling of information. This is a legal duty on all sectors who collect and store any kind of information.

This online guide will help you to learn how to deal with confidentiality issues in the workplace.

At the end of this course, you will be able to:

Agenda

Module 1: Introduction to Privacy

Module 2: Protecting PII

Module 3: Threats to PII and Reporting

Module One: Introduction to Privacy

Objectives

At the end of this module, you will be able to:

  1. Define privacy and understand the importance of privacy to the mission of SBE Canada.
  2. Understand your role in protecting privacy and the consequences of a privacy violation.
  3. Identify privacy-related laws, guidance, and policies.
  4. Understand how privacy is put into practice.

What is Privacy?

Privacy is a set of fair information practices to ensure:

  • Personal information is accurate, relevant, and current.
  • All uses of information are known and appropriate.
  • Personal information is protected.

Privacy also:

  1. Allows individuals a choice in how their information is used or disclosed.
  2. Assures that personal data will be used and viewed for business purposes only.
  3. Enables trust between SBE Canada's employees, customers and clients.

Key Privacy Laws

Law(s):

PIPEDA: The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation passed in 2001 and fully implemented on January 1, 2004. While some provinces have passed their own privacy legislation, Ontario has not, so the federal legislation applies here.

The purpose of PIPEDA is to balance individuals' privacy rights with the need of organizations to collect, use or disclose personal information for reasonable and appropriate purposes.

Fair Information Practice Principles

  1. Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
  2. Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection, and the information can only be used for those purposes;
  3. Consent: organizations must obtain an individual's express or implied consent when they collect, use, or disclose the individual's personal information;
  4. Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
  5. Limiting Use, Disclosure, and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the individual consents to the alternative use or disclosure;
  6. Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;
  7. Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure;
  8. Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;
  9. Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if necessary; and
  10. Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or a complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.

Roles and Responsibilities

As a member of SBE Canada's workforce, you are responsible for following privacy policies and procedures.

Privacy policies and procedures require you to:

  • Collect, access, use, and disclose personal information only for reasons that are for a legitimate job function, support the mission of SBE Canada, and are allowed by law.
  • Safeguard personal information in your possession, whether it be in paper or electronic format.
  • Properly dispose of documents containing PII. Shred papers; NEVER place them in the trash. Contact the IT Department for proper disposal of equipment like copy machines and computers.
  • Report suspected privacy violations or incidents.

Privacy Framework in Action

Every day, SBE Canada employees should endeavour to support these principles and the commitment they represent.

Framework: Example(s)

Authority and Purpose
  • Privacy Act Statements
Accountability
  • Privacy Impact Assessments
  • Privacy training and awareness
Accuracy
  • PII records are updated and clarification is sought from individuals (as needed)
Limiting Use, Disclosure, and Retention
  • Collecting minimum data on forms
  • Redacting records
  • Truncating data elements
  • Records are maintained and destroyed as required
  • PII collected for determination of benefits is not used for marketing
Individual Access
  • Individuals can request to review information about them maintained on record
  • Individuals can request that errors be corrected
Security
  • Encryption
  • Shredding
  • User names and passwords
  • Locks
Openness
  • Privacy Act Statements
  • Privacy policy on websites

Possible Consequences of Privacy Violations

Privacy violations have several possible consequences:

  • Employee discipline.
  • Fines.
  • Criminal charges.

Which one of the following shows respect for confidentiality of information?

  • Discussing confidential information over the telephone.
  • Disclosing confidential information only to authorised individuals.
  • Uploading confidential information to a shared web site.
  • Emailing confidential information to a colleague.
  • None of the above

How should confidential information be sent using an unsecured network?

  • In an encrypted format.
  • In a compressed format.
  • In an attachment.
  • FedEx

Which one of the following is not a consequence of privacy violation?

  • Criminal Charges
  • Employee Discipline
  • Fines
  • Paid Suspension

Which of the following is not a part of the Privacy Framework?

  • Limiting Use and Disclosure
  • Consent
  • Accuracy
  • Monitoring and Controlling

Which privacy policy/law does SBE Canada comply with?

  • SIPEDA
  • PIPEDA
  • PIPHA
  • SBE Confidentiality Law

Mark the following statements as true or false.

  • Because you work in a secure building, you can discuss confidential information in an open work area.
  • PIPEDA and related policies only apply to electronic and hard-copy records and do not apply to verbal discussions.
  • You should always lock your computer when you are away from your desk.

Match the correct term with the correct definition.

  • Limiting Collection
    the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
  • Safeguards
    organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure.
  • Accountability
    organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
  • Identifying Purposes
    organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;

How to Keep Your Password Safe

How can you keep your password secure?

  • Write it in your notebook.
  • Memorise it.
  • Tell a person who you know you can trust.

What is an example of a strong password?

  • 1234567890
  • G*rbea8$e
  • qwerty123
  • johndoe

Mark the following statements as true or false.

  • Your password should be changed regularly.
  • Whenever possible avoid using password managers.
  • It is OK to share your password with your colleagues.

Module Two: Protecting PII

Objectives

At the end of this module, you will be able to:

  • Define PII and identify common examples of PII in the workplace.
  • Identify privacy considerations throughout the information life cycle.
  • Know how to protect PII in different contexts and formats.

What is Personally Identifiable Information (PII)?

“…information which can be used to distinguish or trace an individual's identity, such as their name, Social Insurance Number (SIN), biometric records, etc., alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. …”

Common Examples of PII we collect

  • Names of clients/customers/employees
  • Age, gender, ID numbers, health card numbers, SIN
  • Business and emergency contact information
  • Home/Cell contact information
  • Date of Birth
  • Dates on which pertinent information was sent out
  • Opinions, evaluations including performance evaluations, comments, disciplinary records, criminal records
  • Credit Card information
  • Banking Information
  • Employee files, stated intentions to change jobs
  • Videotape, machine-readable record, sound recordings, photographs
  • Opinions Expressed
  • Website Cookies

PII Considerations for the Information Life Cycle

The Information Life Cycle defines how to handle data from inception to disposition. Protecting PII is important during each stage of the information lifecycle: 

Data Collection or Creation: Gathering PII for use. 

Data Storage: Maintaining or storing PII.

Data Usage: Using PII to accomplish a job function.

Data Sharing: Disclosing or transferring PII.

Disposition: Disposing of PII when no longer needed in accordance with record management requirements and organizational disposal policies.

Protect PII: Lock-It-Up

Personnel are required to protect PII in their possession. The following will help you keep PII safe from unintended use or disclosure.

Physical Protection

  • Lock your computer workstation (CTRL + ALT + DELETE).
  • Lock up portable devices (e.g., laptops, cell phones).
  • Lock up documents and files that contain PII.

Protect PII: Protections in Transit

Protect PII during transit.

  • Encrypt emails that contain PII.
  • Use an authorized mobile device with encryption to store PII.
  • Don’t forward work emails with PII to personal accounts (e.g., Yahoo, Gmail).
  • Don’t upload PII to unauthorized Websites (e.g., Wikis).

Protect PII: Protections During Travel

When traveling, keep equipment and papers that contain PII in your possession.

  • Do not place it in checked baggage or leave it in the trunk of a car.
  • Avoid leaving it in a hotel room unsupervised (e.g., use hotel safe).
  • Remember to pick up your laptop after the TSA security check at the airport.

Protect PII: Clean-It-Up

Maintain a clean work environment.

  • Don’t leave documents that contain PII on printers and fax machines.
  • Don’t leave files or documents containing PII unsecured on your desk when you are not there.

Protect PII: Faxing

Before faxing:

  • Verify the recipient's fax number prior to sending PII.
  • Make sure someone authorized to receive the PII is there to receive the fax.
  • Use a fax transmittal sheet. 

Receiving faxes:

  • Quickly retrieve faxes transmitted to you.
  • Secure faxes that have not been retrieved.
  • If you are expecting a fax and have not received it, follow up to ensure the sender has the correct fax number.

Protect PII: Mail

Interoffice mail:

  • Send in a confidential envelope.
  • Follow up to verify that the recipient received the information.

Postal mail (“snail mail”):

  • When possible, use a traceable delivery service (like FedEx).
  • Package in an opaque envelope or container.

Email:

  • Double-check the recipient’s address before sending.
  • Encrypt email.

Protect PII: Telework

There are special responsibilities for protecting PII during telework. 

  • You must follow standard security procedures when removing official records from the office, and have permission from your manager to transport, transmit, remotely access or download sensitive or classified information during telework.
  • Store sensitive information on authorized mobile devices or remote systems with appropriate safeguards (e.g., HHS encryption).
  • Remotely access sensitive information by using authorized methods (e.g., a Virtual Private Network (VPN)).

Work with your manager for approval and to ensure that your equipment has safeguards in place to protect sensitive information during telework.

Protect PII: SIN Protections

Employees that handle SINs need to take extra precautions. Misuse of SINs can put individuals at risk of identity theft.

Employees should:

  • Use the SIN only when it is required.
  • Truncate or mask the SIN in systems or on paper printouts whenever possible.
  • Disclose SINs only to those that have a need to know and are authorized to receive the information.
  • Lock up and put away documents containing SINs so they are not left out when you are away from your desk.
  • Identify and implement ways to eliminate the use of SINs, when possible (e.g., removal from forms, assigning a randomly generated identifier).
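The two SIN controls above (truncate or mask on printouts, and replace the SIN with a randomly generated identifier) are shown below in a short added example written for this course; it is not SBE Canada's own code. It assumes the Luhn checksum that Canadian SINs carry (used only so that ordinary nine-digit numbers are not masked by mistake), a constructed test SIN that satisfies that checksum, and a hypothetical "CL-" prefix for the generated identifiers; the pseudonym table is kept in memory here and would live in an access-controlled store in practice.

```python
import re
import secrets

# Constructed sample data: a made-up test number that passes the SIN checksum.
SAMPLE_SIN = "046 454 286"

# Nine digits, optionally grouped as 3-3-3 with spaces or hyphens.
SIN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by Canadian SINs (assumption stated in the lead-in)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_sin(sin: str) -> str:
    """Keep only the last three digits: '046 454 286' -> '*** *** 286'."""
    digits = re.sub(r"\D", "", sin)
    if len(digits) != 9:
        raise ValueError("a SIN has exactly nine digits")
    return "*** *** " + digits[-3:]


def redact_sins(text: str) -> str:
    """Mask every checksum-valid SIN in free text before it is printed, logged or faxed."""
    def _replace(match):
        digits = "".join(match.groups())
        return mask_sin(digits) if luhn_valid(digits) else match.group(0)
    return SIN_PATTERN.sub(_replace, text)


class Pseudonymizer:
    """Replace a SIN with a random identifier so downstream systems never hold the SIN.

    The SIN-to-token mapping is the only sensitive artefact and is the one thing
    that must be locked down; everything else can work with the token.
    """

    def __init__(self):
        self._sin_to_token = {}
        self._token_to_sin = {}

    def token_for(self, sin: str) -> str:
        digits = re.sub(r"\D", "", sin)
        if len(digits) != 9 or not luhn_valid(digits):
            raise ValueError("not a valid SIN")
        if digits not in self._sin_to_token:
            token = "CL-" + secrets.token_hex(6).upper()   # hypothetical prefix
            self._sin_to_token[digits] = token
            self._token_to_sin[token] = digits
        return self._sin_to_token[digits]

    def resolve(self, token: str) -> str:
        """Look up the SIN behind a token; only the privacy function should call this."""
        return self._token_to_sin[token]


if __name__ == "__main__":
    note = f"Client SIN {SAMPLE_SIN}, invoice ref 123 456 789"
    print(redact_sins(note))            # the invoice number is left alone
    p = Pseudonymizer()
    tok = p.token_for(SAMPLE_SIN)
    print(tok, "->", p.resolve(tok))
```

The same redaction can run over a report before it goes to a printer or a shared folder, which is the point of the "truncate or mask" rule: the last three digits are enough for a clerk to confirm a match with the person in front of them, and nothing else leaves the system of record.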

Protect PII: Disposition

  • Review records retention requirements prior to destroying information.
  • Shred papers containing PII.
  • Dispose of equipment by returning to the IT Department.

Protect PII: Beware of Phishing

Phishing is an attempt to steal personal information. Most times it involves an e-mail, although other forms of communication can be used, which claims to be from a legitimate business or person in an attempt to scam you into surrendering PII or downloading malicious software.

Be suspicious of any email that:

  • You were not expecting to receive.
  • Requests your PII (account numbers, SSN, username, passwords, birth date, etc.).
  • Requires you to urgently take action (e.g., verify your account or log in to prevent your account from being closed).
  • Does not look like a legitimate business website (e.g., logos look odd, spelling errors).
  • Has a different URL than the one you are familiar with.
  • Contains a document that shuts down and re-launches after you open it.
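Several of the red flags above can be checked mechanically, which is how a mail gateway or a help-desk triage script applies the same list. The following is an added example written for this course, not SBE Canada's tooling: it scores a message for an unfamiliar sender domain, urgent wording, a request for credentials or PII, and a link whose visible text names a different site than the address it actually opens. The organization's domain (`sbecanada.example`), the message format (a plain dict), and both sample messages are constructed for the example; the "logos look odd" and "document re-launches" flags need a human or a sandbox and are not scored here.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organization's own mail domain; replace with the real one.
TRUSTED_SENDER_DOMAINS = {"sbecanada.example"}

URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours",
    "account will be closed", "verify your account",
)
# Word-bounded so that "sin" does not match "since" or "single".
PII_REQUEST_RE = re.compile(
    r"\b(password|username|account number|sin|social insurance number|date of birth)\b",
    re.IGNORECASE,
)


def _host(url: str) -> str:
    """Hostname of a URL, lower-cased; '' if the string is not a URL."""
    return (urlsplit(url).hostname or "").lower()


def phishing_flags(msg: dict) -> list:
    """Return the red flags found in one message.

    msg is a constructed format for this example:
    {"from": addr, "subject": str, "body": str, "links": [(visible_text, href), ...]}
    """
    flags = []

    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in TRUSTED_SENDER_DOMAINS:
        flags.append(f"sender domain {sender_domain} is not a known domain")

    text = f"{msg['subject']} {msg['body']}".lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        flags.append("demands urgent action")
    if PII_REQUEST_RE.search(text):
        flags.append("asks for credentials or PII")

    for visible, href in msg["links"]:
        shown = _host(visible) if "://" in visible else visible.lower()
        target = _host(href)
        # What the reader sees must be the site the link really opens (or a host under it).
        if shown and target != shown and not target.endswith("." + shown):
            flags.append(f"link shows {shown} but goes to {target}")

    return flags


def is_suspicious(msg: dict) -> bool:
    """Two or more red flags: do not click, do not reply, report it to the Help Desk."""
    return len(phishing_flags(msg)) >= 2


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = {
    "from": "it-support@sbecanada-login.example",
    "subject": "URGENT: verify your account",
    "body": ("Your account will be closed within 24 hours unless you confirm "
             "your username and password at the link below."),
    "links": [("https://portal.sbecanada.example/login",
               "http://sbecanada-login.example/verify")],
}
LEGITIMATE_SAMPLE = {
    "from": "payroll@sbecanada.example",
    "subject": "T4 slips are now available",
    "body": "Your T4 slip can be downloaded from the HR portal.",
    "links": [("hr.sbecanada.example", "https://hr.sbecanada.example/t4")],
}

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, "->", phishing_flags(sample) or "no flags")
```

The link check is the one worth remembering when reading mail by hand: hover over the link and compare the address shown in the status bar with the text of the link, exactly as the code compares `shown` with `target`.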

On the right are some examples of phishing emails. Take the following actions if you believe you have received an e-mail that is a phishing attempt:

  • Do not respond to phishing emails.
  • Delete suspected phishing emails.
  • Do not open attachments in phishing emails.
  • Do not click hyperlinks in a phishing email.
  • Contact the Help Desk if you think you have responded to a phishing email.

Module Three: Threats to PII and Reporting

Objectives

At the end of this module, you will be able to:

  • Recognize a privacy incident and identify common scenarios.
  • Understand the effect of a privacy compromise.
  • Report suspected incidents.

What is a Privacy Incident?

“the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar terms referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.”

Common Scenarios

Privacy incidents most often occur from:

  • Loss, damage, theft, or improper disposal of equipment, media, or papers containing PII.
  • Accidentally sending a report containing PII to a person not authorized to view the report, or sending it in an unprotected manner (e.g., unencrypted).
  • Allowing an unauthorized person to use your computer or credentials to access PII. 
  • Discussing work related information, such as a person’s medical health records, in a public area. 
  • Accessing the private records of friends, neighbors, celebrities, or any other person when not authorized to do so.
  • Any security situation that could compromise PII (e.g., virus, phishing email, social engineering attack).

Effects of Compromised Privacy

Loss of privacy threatens people and SBE Canada. It can result in:

  • Exploitation of an individual
  • Embarrassment or other harms to individuals.
  • Damage to the reputation of SBE Canada.
  • Loss of trust between SBE Canada and the public.

How to Report

  • Do not investigate the incident on your own - immediately report suspected incidents that could compromise PII in any format (electronic, paper, or oral communications).
  • Any employee can report an incident. You are not required to speak to your Manager before reporting an incident but should keep management informed when incidents occur.
  • Report incidents to your Privacy Officer. Contact information for SBE Canada's Privacy Officer can be found at: http://
  • You can also report directly to the SBE Canada Privacy Officer by email [email protected]

Wrap Up

Breaches of workplace confidentiality can result in a range of problems. Customers tend not to work with companies they think are untrustworthy, and consumers may specifically warn people away from companies that have mishandled private information.

This course has been produced so that employees are aware of the ways of dealing with confidential information and keeping company data safe.