Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

Best Practices for the Secure Destruction of Personal Information [834]

A. Develop and Implement a Secure Destruction Policy

(i) Take a team approach

Organizations developing secure destruction policies should use a team approach by consulting internally with the organization’s records management, risk management, information technology, security, privacy, facilities management, and auditing departments. Secure destruction policies should be part of a complete Corporate Policy Manual that addresses all aspects of FOIP. Organizations may wish to also consult with legal counsel and potential service providers.

(ii) Determine in advance what records should be destroyed

An organization may choose to destroy records confirmed to have personal information only if the organization has very well-controlled and well-organized documentation regarding its information holdings. Alternatively, an organization may choose to securely destroy:

1) all records,
2) records where there is an absence of information about whether personal information is contained in the record(s), or
3) only those records where there is likelihood that personal information is contained, but it is impractical to confirm that fact (i.e., it would cost the same or more to confirm rather than securely destroy).

These decisions should be made taking into consideration the types of records and the nature of the medium that may contain personal information.

(a) Types of records

The secure destruction policy should outline which types of records the policy applies to, such as stored records, duplicate records, incidental records, and electronic media, as well as email and voice mail.
Policies should refer to the organization’s records retention and information classification policy in defining what information is to be considered confidential and should also require document labeling or access

[834] The following sections are adapted from ON IPC resource, Get rid of it Securely to keep it Private: Best Practices for the Secure Destruction of Personal Health Information, October 2009, at p. 3. Available at naid.pdf (ipc.on.ca). Accessed on December 17, 2022.
