Privacy Principles

You might be asking, what principles can I use to make sure I'm acting in good faith with respect to the personally identifying data of my employees, customers, and partners? The Canadian Personal Information Protection and Electronic Documents Act described in Table 4-1 contains 10 principles that, if modified slightly, can serve as a guide:

Accountability

Your organization is responsible for the personal information under its control and must designate someone who is accountable for complying with these principles.

Identifying purposes

Any project must specify why it is collecting personal information at or before the time it does so.

Consent

The subject's consent is required for the collection, use, or disclosure of personal information. Exceptions should be documented.

Limiting collection

Projects may collect only the personal information that's necessary for the purpose they've identified, and must collect it by fair and lawful means.

Limiting use, disclosure, and retention

Unless a project has the consent of the subject, or is legally required to do otherwise, it may use or disclose personal information only for the purposes for which it collected it, and it may retain that information only as long as necessary for those purposes.

Accuracy

The subject's personal information must be accurate, complete, and up to date.

Safeguards

Security safeguards must be employed to protect personal information.

Openness

The project must make its personal information policies and practices known to the people from whom it collects information.

Individual access

Subjects must be able to access personal information about them, and be able to challenge the accuracy and completeness of it. Exceptions should be documented.

Challenging compliance

Subjects must be able to present a challenge about the project's compliance with the privacy policy to the person whom the organization has designated as accountable.

Even though these principles are not the law in the U.S., or even for most industries in Canada, they provide good guidance for how an organization can protect personally identifying information and be fair about the information it collects. If your organization ignores any of these principles, you should ensure that it does so by choice rather than by accident, and that the risks have been thoroughly explored.