The Personal Information Protection and Electronic Documents Act
The requirements set forth:
An organization is responsible for the personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Organizations shall implement policies and practices to give effect to the principles, including implementing procedures to protect personal information.
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Organizations should develop guidelines and implement procedures with respect to the retention of personal information.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
The methods of protection should include, among others, technological measures, for example, the use of passwords and encryption.