Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 348

random sampling of the media demonstrates that the degaussing and sanitization process was effective. It is up to the organization to determine the appropriate percentage for random sampling.

G. Auditing and Ensuring Compliance

Secure destruction policies and procedures must be applied consistently to be effective. Organizations should document violations of their secure destruction policy by employees and service providers, including a description of the violation, the nature of the media, and any remedial action taken. The report of a violation can be given to the individual responsible for corporate security or human resources, or the supervisor responsible for the area where the violation occurred.

Where the violation is a criminal act, a violation of contract or employment agreement, or involves the release of personal information, the organization should determine whether law enforcement, legal counsel or the Information and Privacy Commissioner of Saskatchewan should be contacted.

(i) Employee Compliance

Policies should detail how employee acceptance and championing of the secure destruction program will be obtained. Options for employee orientation and training may include a training class, completion of internet-based orientation training or self-study.

Organizations should obtain from employees an acknowledgement to verify their understanding and agreement to comply with the secure destruction policy prior to handling any personal information. It should also be acknowledged by the employee that complying with the policy is a basis for continued employment, and that failure to adhere to the policy could result in disciplinary action or dismissal.

The organization may wish to perform employee compliance audits where a designated individual, such as the employee’s immediate supervisor, records findings such as whether collection containers are deployed and compliant, and whether unused electronic equipment is secured.

(ii) Service provider compliance

When developing a secure destruction policy, consideration should be given to how a contracted secure destruction service provider could be audited, including the frequency of audits.

When performing an announced or unannounced audit of a service provider, the organization should check that criminal history screening or police background checks are performed, only authorized employees have access to records to be destroyed and the processing area, each employee signs a confidentiality agreement, and there are
