Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. Page 347.

to be destroyed. This will ensure that all parties fully understand their respective roles and responsibilities.

An organization’s secure destruction policy should specify the required elements of a service provider contract, and may include for example:

• The requirement that the service provider has written policies and procedures, which the organization should keep on file, and appended to the contract.
• That the service provider accepts fiduciary responsibility to protect and destroy the organization’s materials in accordance with the service provider’s written policies and procedures.
• That the service provider can demonstrate that it maintains indemnification coverage for any contractual liability it accepts.
• How the destruction will be accomplished, under what conditions and by whom.
• The time within which records collected from the organization will be destroyed and require secure storage pending such destruction.
• That a Certificate of Destruction be issued upon completion of the destruction.
• A provision that would allow the organization to witness the destruction, wherever it occurs, and to visit the service provider’s facility.
• That there may be announced and unannounced audits of the service provider’s processes to verify adherence to the service provider’s written policies and procedures.
• That employees must be trained in and understand the importance of secure destruction of personal information.
• That the service provider must ensure the particles are disposed of in a secure manner and will not be placed at risk of unauthorized access.
• That the service provider must notify the organization ahead of time if any of the work is subcontracted to a third party, and that a written contractual agreement with the third party be consistent with the service provider’s obligation to the organization.

F. Disposal of Securely Destroyed Materials

An organization’s secure destruction policy should include a requirement to discard securely destroyed materials such as paper particles after destruction. Materials should be restricted from public access, and a record should be created documenting the destination and disposal of the media particles. Following degaussing or sanitization, access to the media must also be restricted and further distribution delayed until an internal audit of a percentage
