Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

• If the organization prints receipts for customer transactions, employ equipment that truncates or otherwise obscures credit card and debit card numbers on printouts.[302]

There is extensive information available on the appropriate management of user access privileges as they relate to personal information. One leading authority is the International Organization for Standardization (ISO). The ISO recommends the following concerning managing user access privileges:

    Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

    Formal procedures should be in place to control the allocation of access rights to information systems and services. The procedures should cover all stages in the life cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

    …

    Implementation guidance

    The access control procedure for user registration and de-registration should include:

    …c) checking the level of access granted is appropriate to the business purpose (see 11.1) and is consistent with organizational security policy, e.g., it does not compromise segregation of duties (see 10.1.3);

    …i) periodically checking for, and removing or blocking, redundant user IDs and accounts (see 11.2.4).[303]

For some additional information on technical safeguarding, see the following SK OIPC resources:

[302] AB IPC resource, Personal Information Protection Act (PIPA), PIPA Advisory #8: Implementing Reasonable Safeguards at pp. 10 to 11.
[303] ISO Standards, Information Technology – Security Techniques – Code of practice for information security management, International Standard ISO/IEC 17799, (2005) at p. 61. See also SK OIPC Investigation Report F-2012-005 at [92].
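The two ISO items quoted above, (c) access consistent with segregation of duties and (i) periodic removal of redundant accounts, expressed as a small periodic access-review check. This is an added illustration, not text or code from the Guide or from ISO/IEC 17799; the role names, the 90-day dormancy threshold, the review date and the sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    user_id: str
    roles: FrozenSet[str]
    last_login: Optional[date]     # None = the account has never been used
    still_employed: bool           # False = holder has left or changed duties

# Assumed segregation-of-duties rule: no single user may hold both roles of a pair.
SOD_CONFLICTS = [
    frozenset({"ap_create_vendor", "ap_approve_payment"}),
    frozenset({"records_read", "records_audit"}),
]
# Assumed threshold after which an unused account is treated as redundant.
DORMANT_AFTER = timedelta(days=90)

def sod_violations(accounts: List[Account]) -> List[Tuple[str, Tuple[str, str]]]:
    """ISO item (c): flag users whose combined roles break a segregation-of-duties rule."""
    found = []
    for acct in accounts:
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:        # user holds every role in the conflicting pair
                found.append((acct.user_id, tuple(sorted(pair))))
    return found

def redundant_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """ISO item (i): flag accounts to block or remove, with the reason for each."""
    found = []
    for acct in accounts:
        if not acct.still_employed:
            found.append((acct.user_id, "holder no longer requires access"))
        elif acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            found.append((acct.user_id, "dormant"))
    return found

# Constructed sample data for one review run (not real users or roles).
REVIEW_DATE = date(2023, 2, 27)
SAMPLE = [
    Account("alice", frozenset({"ap_create_vendor"}), date(2023, 2, 20), True),
    Account("bob", frozenset({"ap_create_vendor", "ap_approve_payment"}), date(2023, 2, 25), True),
    Account("carol", frozenset({"records_read"}), date(2022, 9, 1), True),
    Account("dave", frozenset({"records_read"}), date(2023, 2, 26), False),
    Account("erin", frozenset({"records_audit"}), None, True),
]
if __name__ == "__main__":
    print("SoD conflicts:", sod_violations(SAMPLE))
    print("Block/remove:", redundant_accounts(SAMPLE, REVIEW_DATE))
```

Run against a real export of accounts, roles and last-login dates, the two lists are the evidence a reviewer signs off on: the SoD list drives role changes, the redundant list drives de-registration.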