Guide to LA FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to LA FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 309 restrictions. Every organization has a ‘daily waste stream’ (or incidental records), usually paper, which is made of discarded records such as printing mistakes, notes and memos. This stream of records should be addressed in the secure destruction policy and should not be categorized as simple recycling if it may contain personal information. (b) Types of media Secure destruction policies must address all media that may be destroyed, including, but not limited to, paper, micro media (film media, such as microfilm and microfiche), magnetic tape media (reels, VCR, cassette), optical media (DVD, CD) and storage media (computers, hard drives, mobile phones, and portable memory devices). If office machines such as photocopiers, fax machines, scanners or printers contain storage devices, ensure that these devices are overwritten, erased, removed or destroyed when the machines are replaced. The policy should describe the specific methods for destroying each different type of media, the different internal authorizations for destruction, if any, and requirements for securing the media before destruction. If there are several accepted processes for destroying a type of media, the policy should identify the preferred process. For example, magnetic tape may be destroyed by degaussing, shredding or incineration, and the organization’s policy should specify which method is to be used. See also ‘Determine Best Methods of Destruction’ section below. (iii) Define roles and responsibilities An organization’s secure destruction policy should designate a policy compliance officer who will be the person ultimately responsible for organizational compliance, as well as compliance officers for each of the organization’s physical locations. Ensuring compliance need not be a full-time job and can be simply part of an individual’s job description to be responsible for the location complying with the organization’s destruction policy. In addition to naming compliance officers, the policy should state that the employees’ immediate supervisor is responsible for ensuring compliance with the policy daily. The policy should also name the individuals responsible for development of the policy, approval of the policy, employee orientation and training regarding the policy, contracting destruction services or equipment, performing internal audits, distributing updated policies and informing employees about updates. In addition, organizations should consider whether they wish to have someone witness the destruction. Note, some destruction companies offer the option for witnesses to view the destruction through a webcam over the Internet.

RkJQdWJsaXNoZXIy MTgwMjYzOA==