Author Archive for Fazila Nurani

Fazila Nurani is a privacy and information security consultant, attorney and lead trainer with PrivaTech Consulting. Fazila advises organizations on privacy best practices and compliance with data protection laws. For detailed templates of the documentation discussed in this article, order The Privacy Documentation Suite CD-ROM.

Avoiding Identity Theft: Critical Steps to Take

As consumers, on-line and off, we are constantly asked to disclose personal information to organizations. With each disclosure comes the risk that the information will be mismanaged, accessed without authorization or stolen. It is estimated that about one in 10 Canadians has been a victim of identity theft.

As personal information becomes an increasingly valuable asset, it is important for individuals to take their privacy seriously. By following a few key steps, you will be in a much better position to protect your information and identity.

1. Your On-line Presence

- The importance of choosing strong passwords cannot be overemphasized. When creating a password, avoid a commonly used nickname, a family member's or pet's name, or your on-line screen name: these are the first things an attacker (or an automated guessing tool) will try. Instead, use a phrase or a series of letters and/or numbers, at least 8 characters long and preferably longer, that you can easily remember but that would be hard for others to guess. Use a different password for each account, so that one compromised site does not expose the others.

- Look for privacy policies on the websites you visit, particularly if you will be entering your information on the site. You need to understand with whom your information will be shared, and how it will be secured before providing it.

- Be extremely cautious when providing credit card or other sensitive information on-line. Only provide such information on a secure site. Check for the lock symbol in your browser (in the address bar in current browsers, at the bottom of the window in older ones) and for "https" in front of the organization's Web site address; together these confirm the information is encrypted while it travels to the organization's server. Note that "https" only proves the connection is encrypted, not that the site is who it claims to be, so also check that the domain name in the address bar is the organization's own.

- If you are especially concerned about protecting your privacy on-line, there are an increasing number of services, such as Anonymizer, that route your traffic through a third party so that the sites you visit do not see your own address. Keep in mind that the third party then sees your traffic instead, so choose one you are prepared to trust.
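To make the password advice above concrete, here is an added example (not code from the original article) of a self-check that enforces it: it rejects passwords that are too short, too repetitive, or built from personal words an attacker could look up (nicknames, family and pet names, screen names), even when those words are disguised with common letter-for-number substitutions or padded with digits. The personal-word list and the sample passwords are constructed for illustration; the function name `check_password` is this example's own.

```python
"""Self-check for the password rules in the article: length, repetition,
and no guessable personal words (even disguised). Added example, not the
article's code; the word list and sample passwords are constructed."""

MIN_LENGTH = 8  # the article's minimum; longer passphrases are stronger

# Letter-for-number substitutions that attackers' wordlists already cover,
# so 'F1uffy' must be treated the same as 'fluffy'.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize(text: str) -> str:
    """Lower-case and undo common substitutions before comparing."""
    return text.lower().translate(LEET)


def check_password(password: str, personal_words: list) -> list:
    """Return the reasons a password is weak; an empty list means it passes.

    personal_words: names an attacker could learn about you (pets, family,
    nicknames, screen names). Both sides are normalized the same way, so
    'Fluffy' in the list catches 'F1uffy2019!' as a password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    core = normalize(password)
    for word in personal_words:
        w = normalize(word)
        if w and w in core:
            problems.append(f"contains guessable personal word '{word}'")

    # 'aaaaaaaa' or 'abababab' satisfy a length rule but are trivial to guess.
    if core and len(set(core)) <= 2:
        problems.append("too repetitive")
    return problems


if __name__ == "__main__":
    # Constructed sample: a pet name and a screen name the attacker could find.
    personal = ["Fluffy", "Maple", "gamer42"]
    for candidate in ["F1uffy2019!", "Sam", "aaaaaaaa",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, personal) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Substring matching is deliberate so that padding ("Fluffy123") and embedding ("ILoveFluffy") are both caught; the cost is that very short personal words ("Sam") will also match unrelated passwords containing those letters, which is acceptable for a self-check but would need a minimum word length in a shared policy.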

2. Understand and Manage E-Mail Risks

E-mail has become a preferred method of communicating, but every message that enters or leaves your mailbox carries information risk. Here are some things you can do to minimize these risks:

- E-mail is like an open postcard: unless it is encrypted end to end, anyone with access to the mail servers or the network path in between can read it with a simple sniffer, and it sits in plain text in every mailbox it passes through. Never send highly sensitive information like credit card details or medical information in an unencrypted e-mail.

- As soon as you see spam (bulk, unsolicited e-mail), delete it immediately. Don't click on any embedded links, don't buy anything, and don't even reply to ask to unsubscribe. Any response or activity confirms that your address is live and keeps spammers coming back.

- No matter how exciting or dreadful the news, be skeptical of e-mails requesting password updates or financial information; this is the classic "phishing" lure. A legitimate organization will not ask for your password by e-mail. If you think the request might be genuine, do not follow the link in the message: type the organization's address into your browser yourself, or call a number you already have for them.

- Never open an e-mail attachment unless you are expecting it from someone you trust. The sender's address is easily forged, so an unexpected attachment that appears to come from a friend or colleague deserves the same suspicion.

- Make sure to install and regularly update antivirus and anti-spam software, and keep your operating system and applications patched. An up-to-date firewall will also reduce the risk of an intrusion.

- Protect your e-mail address as best as possible by setting up one e-mail for your trusted personal and business contacts, and a separate one for other on-line usage.
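The phishing and "secure site" warnings in this section come down to a few checks a reader can make on a suspicious message: does the link text match where the link really goes, does it go to a raw IP address or an unencrypted http page, does the host merely contain the bank's name rather than being the bank's domain, and does the text ask for credentials. The following added example (not code from the original article) runs those checks over an HTML e-mail body. The sample e-mail, the bank name "mybank.ca" and the function names are constructed for illustration; the registrable-domain logic is a deliberate simplification that takes the last two labels and does not handle suffixes such as "co.uk".

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example, not the article's code. The sample message, the claimed
bank domain and all function names are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPICIOUS_PHRASES = ("password", "verify your account",
                      "confirm your identity", "update your billing")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no public-suffix list)."""
    if is_ip(host):
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(s: str):
    """Hostname from a URL, or from bare text that looks like a domain; else None."""
    s = s.strip()
    try:
        host = urlparse(s if "://" in s else "http://" + s).hostname
    except ValueError:
        return None
    if host and (is_ip(host) or DOMAIN_RE.fullmatch(host)):
        return host
    return None


def analyze_email(html: str, claimed_domain: str) -> list:
    """Return warnings for a message claiming to come from claimed_domain."""
    parser = LinkExtractor()
    parser.feed(html)
    warnings = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in text:
            warnings.append(f"asks for credentials: '{phrase}'")
    claimed = registrable_domain(claimed_domain)
    for href, visible in parser.links:
        target = host_of(href)
        if target is None:
            continue
        if urlparse(href).scheme == "http":          # no https: not encrypted
            warnings.append(f"unencrypted http link: {href}")
        if is_ip(target):                             # banks do not link to bare IPs
            warnings.append(f"link goes to a raw IP address: {target}")
        elif registrable_domain(target) != claimed:   # off the claimed domain
            decoy = " (decoy: claimed domain embedded in the host)" if claimed in target else ""
            warnings.append(f"link leaves {claimed}: {target}{decoy}")
        shown = host_of(visible)                      # text says one place, href another
        if shown and registrable_domain(shown) != registrable_domain(target):
            warnings.append(f"link text shows {shown} but goes to {target}")
    return warnings


# Constructed sample: a typical account-suspension lure. 192.0.2.10 is a
# documentation address and .example a reserved TLD, so nothing here is real.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, we detected unusual activity. Please verify your account
within 24 hours or it will be suspended.</p>
<p><a href="http://192.0.2.10/login">www.mybank.ca</a></p>
<p><a href="https://mybank.ca.secure-login.example">Secure sign-in</a></p>
<p>Regards, The MyBank Team</p>
</body></html>"""

if __name__ == "__main__":
    for warning in analyze_email(SAMPLE_EMAIL, "mybank.ca"):
        print("WARNING:", warning)
```

The second link shows why "https" and a familiar name are not enough on their own: the connection is encrypted and the host begins with "mybank.ca", but its registrable domain is "secure-login.example", which is exactly the decoy the check is built to catch.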

3. Be Diligent When Using a Fax Machine

In order to reduce the risks associated with faxing out personal information (such as dialling a wrong number, having your fax picked up by the wrong individual, or having your fax sit in an insecure location), try to adopt the following measures:

- Only fax personal information that needs to be sent out immediately, and call to confirm its receipt.

- If you wouldn’t feel comfortable discussing the information over the telephone, chances are it’s best not to fax it either.

- If it's sensitive information, check whether the recipient's fax machine has a password feature, so that only authorized recipients are able to retrieve what you've sent.

4. Limit the Personal Information You Provide

To place a limit on where your personal information ends up, you can do the following:

- When signing up for a reward points program or completing a sales agreement, understand how your information will be used. Carefully check to see if your contact information will be sent to a marketing list or “affiliated” companies. You may need to check a box in order to prevent the transfer of your information.

- Remember that you never need to provide information to an organization if it's not essential to providing the product or service to you. For example, a retail store cashier or a warranty card may ask for information that is collected only for marketing purposes; you don't need to provide it.

5. Safeguard Your Identity

There are a number of additional proactive steps consumers can take to ensure their personal data is protected:

- Never carry more personal information with you than is necessary. In particular, leave your SIN card and passport at home.

- Choose PINs that are hard to guess (not birthdays or repeated digits), memorize them, change them periodically and do not write them down anywhere easily accessible. Always shield the keypad when entering a PIN at a store or bank machine.

- Obtain an annual credit report from a credit reporting agency to ensure there are no suspicious activities.

- Consistently check your bank, credit and debit card statements to ensure all account activity is legitimate.

- Invest in a good quality cross-cut shredder. Shred documents containing personal information you no longer need.

- Always remove your mail promptly from your mailbox so as to prevent identity thieves from finding and recording any personal information.

With identity theft on the rise, safeguarding personal information is not just an organizational responsibility. In our day to day interactions, we as consumers must make a firm commitment to taking steps to protect our personal identity.

Effective Privacy Documentation to Empower your Organization

With privacy threats on the rise and identity theft among the fastest-growing crimes, your privacy documentation should clearly demonstrate your commitment to information protection. Putting well-designed privacy policies and procedures in place is not just good risk management; it lets you build a trusting relationship with your customers and guides your employees on how to handle information. Here's a quick summary of what you need to implement:

Corporate Privacy Policy: The Corporate Privacy Policy is the centerpiece of your privacy documentation - the document that should be available to the public and that provides a clear understanding of why you need to collect their personal information, how you safeguard it, and whom you share it with. This policy must clearly and succinctly outline how you comply with privacy best practices. You build rapport with prospective and current customers when you show them how your organization protects information, and when they know what control they have over how their information is used.

Employee Privacy Policy: When you respect your employees’ rights and interests, you command their loyalty. Your employee privacy policy sends a clear message that safeguarding employee information is a priority to you. The policy should outline exactly what information you collect, why you need it, and whom you share it with. It should also outline your employees’ right to access their personnel file, and how long you retain their information. Equally important, the policy should indicate the limitations on your employees’ privacy rights, e.g., the use of video surveillance and the monitoring of company resources (such as e-mail and Internet activity).

Web Site Privacy Policy: The Web Site Privacy Policy addresses the protection of personal information online and should clearly tell your Web site visitor how the information collected on the site will be used (including any marketing purposes). Compliance with laws in various jurisdictions must be considered, e.g., for a site directed at children under 13, the policy should outline the need for parental consent (due to the United States Children’s Online Privacy Protection Act), and a site with numerous links to other sites should specify that your organization is not responsible for the privacy practices or content of any sites it links to. This policy should also cover technical details such as the use of cookie files and server log files which will inform your user whether data collected is anonymous or whether such logs may be linked to personally identifiable information.

Privacy Breach Response Policy: This policy ensures a consistent approach when privacy is violated. A step-by-step guide helps your organization leap into action, minimize response time, and therefore mitigate the negative impact of the breach. The policy should address the following steps for responding to the breach:

- Breach containment and preliminary assessment;
- Evaluating the risks associated with the breach;
- Determining the cause and extent of the breach;
- Assessing the foreseeable harm from the breach to individuals and the company;
- Notifying individuals who may be potentially harmed and determining when and how to notify them, as well as the content of the notification. Guidance should also be provided on when to contact others such as regulators, police, insurers, or credit card companies; and
- Preventing future breaches. The prevention plan may include a security audit or employee training.

Employee Procedures for Safeguarding Personal Information: A formal internal procedure for safeguarding personal information guides your employees and contractors on how to manage privacy issues day to day. Among other safeguards, the procedure should address: securing one's unattended work environment (activating password-protected screen savers and not leaving confidential information in plain view); access controls; precautions to take when faxing or e-mailing sensitive information; secure disposal of records; escorting visitors; reporting lost security access cards; and laptop best practices.

Access to Personal Information Procedure: This procedure specifically applies to situations where customers or employees seek access to review their own files. The internal procedure for handling access requests should cover:

- Initiating an access request;
- Authenticating the requestor;
- When access must be provided, when it may be denied, and when part of the record must be released;
- How access should be provided (e.g., in person, couriered, or faxed);
- Fees that can be charged for access; and
- The time frame for responding to an access request.

Information Security Policies: Because security threats have grown sharply over the past decade, securing systems against internal and external threats has become a priority for many companies. A security policy establishes the importance of security within the organization and should carry the endorsement of upper management. The most important criterion of a good security policy is that it is usable. Its many sections can be grouped into three categories:

1. The parameters of the policy, including definitions of information security concepts;

2. A risk assessment to determine what threats exist for systems within an organization. The level of security needed for particular systems to provide the optimum protection should be outlined, using security classifications. Security measures can then be determined, based on these classifications.

3. The actual policies, including security planning and oversight; security education, training and awareness; backups and business continuity plans; physical security; access controls; authentication; network security; encryption; acceptable use policies; auditing and review, and enforcement of the security policies.

A good security policy is so much more than just a listing of rules. It dictates the scope, direction, and priority for security within an organization. Such a policy can mean the difference between a comprehensive security posture and a document that is neither regarded nor implemented with any conviction. A large security budget does not ensure success. What does ensure success is a security policy that is descriptive, disseminated, and enforced within a company.

Privacy Risk Assessment Questionnaire: When introducing a new product or service that involves the collection, use, or disclosure of customer or employee information, privacy should be considered early in the planning stages. Departments should be required to assess the impact of an initiative on privacy. For example: Will additional consent be required? Will information be transferred to another jurisdiction with different data privacy laws/expectations? By requiring a standard set of questions to be answered regarding the management of personal information, risks can be identified early and plans can be put in place to mitigate these risks.

Focus on the 3 Cs:

- Clear
- Concise
- Consistent

Your suite of privacy documentation should provide a detailed picture of your organization's perspective on privacy. It is imperative that the adopted policies and procedures be consistent with daily practice; if they are not, the resulting disconnect will undermine the program's chances of success. Regular review, at least annually, will keep your privacy program in lockstep with its documentation, resulting in greater organizational accountability while minimizing exposure to privacy risks.