Principle 7: Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
The methods of protection should include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.
Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.
Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).