When an organization collects any type of personal information, it is responsible for safeguarding the data from loss, misuse, modification, unnecessary disclosure and unauthorized access. When gathering data, keep in mind that some types of information may not be considered “personal information” on their own. However, when combined with other types of information, they might need to be safeguarded. By understanding the dynamic nature of the information kept within your organization and knowing how to protect personal information, you ensure the security of those who trust the services the organization provides and ensure compliance with privacy laws.
How to Protect Personal Information in Documents
1. Know about the types of personal information kept within the organization and their locations.
Assess the types of information your organization keeps, their locations in physical and computer files, and the individuals who have access to it. Have a good understanding of how the organization uses this information and how it moves. Other steps to take include:
- Identifying the risks that different types of information pose.
- Inventorying all electronic devices that store personal information, including devices that employees can remove from the building, such as smartphones and tablets.
- Knowing the types of information collected at each entry point and where it’s stored.
- Knowing about the types of sensitive information that each employee is privy to.
2. Only keep the sensitive information that your business needs.
Make a policy to collect only the types of information that your organization legitimately needs. Then keep the information only for as long as necessary.
In addition to knowing about the type of information collected, be aware of how the organization passes it along to third parties for processing, storage or destruction.
3. Keep the information physically and electronically secure.
The best way to secure personal information depends on the data collected and applicable laws. Good security plans include:
- Physical security: Paper documents, CDs, flash drives, external hard drives and several types of electronic equipment are vulnerable to becoming lost or stolen. Keep documents and electronic devices in locked rooms or file cabinets. Then limit who has access to them and when.
- Electronic security: Understand all the vulnerabilities within the organization’s network, firewalls, software programs, operating systems, email system and antivirus programs. Implement password management policies, as well as policies regarding encryption, the use of portable electronic devices, remote access to sensitive information, digital copies and web applications.
An important element in document security is periodically training employees on how to protect personal information, as the best data security plans are only as strong as the people who use them. In addition, ensure that the contractors and service providers the organization uses have security protocols and practices that align with yours.
4. Create a destruction policy.
All personal information has a lifecycle. Make sure the life of the protected information at your organization ends successfully with its proper destruction. For instance, with paper documents, this may mean shredding files from accounts that have been inactive for a certain number of years.
Destroying electronic documents and data takes more than merely deleting files. To destroy digital data, organizations should use special programs that completely erase, or wipe, data.
5. Know how to respond to security incidents.
Just as you have a disaster preparedness and recovery plan for your business, create one for the physical and electronic documents based on the types of incidents to which they are vulnerable. Having a response plan allows the organization to reduce the impact on its business operations, employees and customers.
A security breach that compromises personal information in the wake of a disaster can be just as devastating and costly as the physical damages. Start protecting your documents with Polygon’s Code Blue Program. The no-cost program helps an organization inventory and learn more about the documents that it maintains so Polygon can execute a custom recovery plan in the event of a physical disaster, saving time and ensuring quicker business continuity. Talk to a Polygon representative today to sign up for Code Blue and to get started on a document recovery plan for your organization.
[Photo from DaveBleasdale via CC License 2.0]