Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 97 • No access to the server allowed except for domain administrators • Data masks • Built-in ability for process audits301 Electronic environments introduce several security risks. Below are some examples of technical safeguards that help eliminate and/or mitigate those risks: • Restrict and control access to electronic files, directories, applications, databases, networks, etc. Access privileges should be based on job function and need-to-know. Regularly review and update staff access privileges. • Ensure all users are assigned unique User IDs and passwords. Users should be authenticated every time they log on before access is granted. • Require staff to use strong passwords (e.g., a minimum of 8 characters, use of both upper- and lower-case letters, numbers, and symbols). Passwords should be unique, difficult to guess and should not display on screen when being entered. Require staff to keep passwords confidential. • Have computers log users out after a set period of inactivity. Implement screen savers and passwords when computers are left unattended. Ensure these features cannot be overridden by users. • Protect networks with firewalls and anti-virus software. Monitor firewall logs to detect potential intruders. Regularly update anti-virus software. • Initiate system audit capabilities so that access and use of electronic networks can be monitored. • Implement user identification and strong authentication, encryption, network connection and access controls for all external connections with remote users. • Regularly back-up electronic systems and develop and implement strict controls over back-up processes. Review backed-up information regularly to ensure it can be restored if necessary. Migrate information to new media as necessary. Provide secure off-site storage for back-ups. • Completely delete or wipe all personal information no longer required for legal or business purposes from computer storage devices (diskettes, tapes, CD-ROMs, hard drives). If wiping is not possible, physically destroy the devices. 301 SK OIPC Investigation Report H-2005-002 at pp. 106 to 107. Quoted again in SK OIPC Report H2013-001 at [207].