Best Practices for Mayors, Reeves, et al.

Office of the Saskatchewan Information and Privacy Commissioner. Best Practices for Mayors, Reeves, Councillors and School Board Members. Effective 27 Dec. 2017. Updated 02 Oct. 2023.

When considering using a third party to dispose of personal information, an Elected Official should consider the sensitivity of the personal information and take steps to manage the risks accordingly. An Elected Official should ensure that the third party contractor has verifiable credentials and can guarantee both a secure transfer of records from the Elected Official’s office to their own destruction facility, and a secure destruction method that matches the media and the sensitivity of personal information. If an Elected Official decides to contract out, he or she should keep in mind that he or she remains responsible for the information to be disposed of.

Best practices when dealing with third parties include:

• Entering into a written contract with the contractor.
• Including privacy protection clauses in the contract to ensure the third party provides an appropriate level of protection.
• Including monitoring and auditing clauses in the contract to ensure tracking of the personal information and quality control.

Putting it All Together: Developing Internal Policies & Procedures

In setting up policies and procedures, an Elected Official should consider the following checklist:

• Is information in the Elected Official’s office periodically being reviewed to determine whether the purpose of the collection has been fulfilled? How often?
• Is there an inventory of what personal information is being retained, for which purpose and for how long, and is it related to the local authorities’ business or its own?
• Are security measures (password protection, role-based access) in place to ensure only those with a ‘need to know’ have access to the personal information?
• Are audit functions built into electronic systems to ensure unauthorized access is traceable?
• Is personal information being segregated and stored in a secure area with restricted access?
• Have you developed a records retention and disposal schedule?
• Does personal information exist in multiple copies? Are there back-ups? If so, where and how are the copies and back-ups stored?