Privacy Revisited

Michael Anderson IT Security

I recently visited a local business, where I noticed that their handwritten appointment book was full of client credit card numbers and expiry dates.  I immediately pointed this out to management, but it made me wonder: are small businesses taking security and privacy seriously?

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) became law in April 2000.  The Act has several implications for any business that collects and retains customer information.  Under the law, organizations are required to:

  • Obtain consent when they collect, use or disclose an individual’s personal information;
  • Supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction;
  • Collect information by fair and lawful means; and
  • Have personal information policies that are clear, understandable and readily available.

PIPEDA also stipulates that personal information be protected by safeguards appropriate to its sensitivity, whether it is held on paper or in computer systems.  The Act’s safeguards principle calls for physical measures (locked filing cabinets, restricted access to offices), organizational measures (need-to-know access) and technological measures, giving passwords and encryption as examples; firewalls and similar controls are the usual technological measures in practice.  An appointment book full of card numbers fails on the first and simplest of these.
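The practical first step behind the safeguards principle is knowing where sensitive data is sitting.  As an added example (not part of the original post), the Python script below scans a text export of customer records, such as a digitized appointment book or a spreadsheet dump, for anything shaped like a payment card number, confirms each candidate with the Luhn checksum so that phone and invoice numbers are left alone, and rewrites each confirmed card number as a masked string plus a keyed HMAC token.  The token lets the business recognise a repeat customer without the card number being stored at all.  The sample records and the key are constructed for illustration; in real use the key would come from a secrets store, not from the script.

```python
import hashlib
import hmac
import re
import secrets

# Candidate card numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes (the way people write them in a book).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a receipt or lookup needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_token(digits: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the card number, truncated to 16 hex chars.

    Same card + same key gives the same token, so repeat customers can be
    matched; without the key the token cannot be turned back into a PAN.
    """
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def redact_record(text: str, key: bytes):
    """Replace every Luhn-valid card number in `text`; return (new_text, count)."""
    count = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw              # not a card number: leave it untouched
        count += 1
        return f"{mask_pan(digits)} (token {pan_token(digits, key)})"

    return CARD_RE.sub(repl, text), count


if __name__ == "__main__":
    # Constructed sample "appointment book" export; 4111... and 5500... are
    # the standard Visa/MasterCard test numbers, the invoice number is not
    # Luhn-valid and the phone number is too short to be a PAN.
    records = [
        "Jane Doe, 613-555-0100, card 4111 1111 1111 1111 exp 04/12",
        "Acme Ltd, invoice 1234567890123456, card 5500-0000-0000-0004",
        "Bob Roe, cash, no card on file",
    ]
    key = secrets.token_bytes(32)   # illustration only; load from a secrets store in practice
    for line in records:
        cleaned, n = redact_record(line, key)
        print(f"[{n} card(s) redacted] {cleaned}")
```

Run against a real export, the count per record tells you where card data has leaked into places it was never meant to live; the masked output is what should remain once the original has been securely deleted.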

Ten years have passed since PIPEDA came into force, but the requirements on businesses remain the same.  Perhaps now is an ideal time for businesses to revisit their practices around the collection, storage and use of customer data.

Here’s a Privacy Guide for Small Businesses (PDF) to get you started, along with a quick privacy policy quiz:

  1. What personal information does your organization or branch collect and why do you collect it?
  2. How does your organization safeguard customers’ personal information?
  3. Who is the point of contact in your organization for more information about your privacy policy, to clarify the policy, or to register a privacy complaint?
  4. Under what circumstances does your organization disclose personal information, such as to credit agencies or collection agencies?

If your company could benefit from some expert advice in securing your customer data and meeting applicable regulations, ask us. We’d be happy to conduct a Network Security Assessment and identify areas where your current security practices can be improved.