Nicholas Cheung

Nancy Cohen

Protecting Personal Information

It has been said that “information is power.” But as with any valuable resource, it must be managed to maximize benefit and minimize cost.

October 18, 2010
by Nicholas Cheung, CA, CIPP/C and Nancy Cohen, CPA, CITP


Unlike other information, personal information (PI) requires special attention because of its importance and value to customers and the growing incidence of identity theft. An organization must ensure that its records management program secures, protects and disposes of PI according to its privacy policy, industry standards and legislative requirements. The terms are not interchangeable: for some firms "secures" can mean putting documents in a locked drawer, while "protects" means putting the file in a waterproof container.

Key questions about privacy concerns and records management include:

  • What type of information is being collected? Different types of information require different levels of protection. Knowing what type of information is being collected allows an organization to classify it properly and employ the appropriate means to protect it.
  • Is there a need to collect, or is too much being collected? Collecting unrequired personal information may be prohibited under privacy legislation. In addition, an organization must take appropriate measures to protect whatever it holds, so collecting less minimizes the risk that information may be misused, lost or stolen and reduces the cost of storing it securely.
  • To whom is information being disclosed? PI that has been collected remains the responsibility of the organization that collected it, regardless of whether that information has been disclosed to a third party. Organizations should ensure that contracts with third-party processors of such information incorporate privacy protections.
  • What privacy laws and regulations apply? Organizations may be subject to a number of laws and regulations governing the protection of personal information, depending on the state, province or country. Such organizations should seek legal advice to learn which laws and regulations apply to their operations, including cross-border transfers of PI.
  • Is the organization disposing of or destroying PI properly and on a timely basis? Disposing of records containing PI in garbage or recycling bins without secure and proper shredding has led to many privacy breaches. If the disposal and destruction of such records is outsourced to third parties, the organization should obtain assurances that it has been done properly and on a timely basis. Security Engineered Machinery is a company that CPA firms can use to destroy tapes and hard drives and watch the process in person. Other firms offering similar services include IntelliShred and Safe Shredding LLC.
  • Are employees given the appropriate level of access to personal information? Access to personal information should be restricted to the minimum number of employees, and only to those whose job responsibilities require it. Organizations should have controls, procedures and mechanisms in place to maintain and monitor these authorized-access lists, so that each employee has the access needed to carry out their job responsibilities and no more.

With respect to records management, Generally Accepted Privacy Principles (GAPP, a global privacy framework to help organizations address privacy risks and obligations) recommends that organizations consider the following:

  • Conducting a PI inventory and classifying PI. A PI inventory determines what PI is being collected and by whom, so the organization can decide whether the PI being collected is necessary and whether proper measures are in place to store and dispose of it securely. Classifying PI by type (for example, public, business confidential or secret) enables the monitoring of its use, disclosure and retention.
  • Disclosing how long they will retain PI under their control, and ensuring records management policies properly reflect any provisions in the privacy policy pertaining to records management.
  • Disposing of PI once its use or retention is no longer required for business or legal purposes. PI should also not be retained or used for purposes that have not been disclosed in the privacy policy.
  • Destroying PI at the end of the information life cycle in a manner that is secure and does not allow that information to be recovered.
  • Ensuring appropriate measures are used to secure PI wherever it is stored, physically or electronically (including on laptops and USB flash drives).
  • Establishing monitoring programs to ensure that records-management policies and procedures are being followed, such as reconciling PI inventory records and monitoring access to PI.

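The retention, disposal and monitoring points above can be checked mechanically once the PI inventory and the authorized-access list are recorded in a structured form. The following script is an added illustration and is not code from the article or from GAPP; the inventory, the authorized-access list, the access log entries and the retention periods in it are all constructed for the example. It flags records whose disclosed retention period has elapsed, accesses by users who are not on the authorized-access list, accesses to records that were never inventoried (an inventory reconciliation failure), and accesses to records that should already have been disposed of.

```python
"""Retention and access checks over a PI inventory (constructed sample data, added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PIRecord:
    record_id: str
    classification: str      # e.g. public / business confidential / secret
    collected: date
    retention_days: int      # retention period disclosed in the privacy policy


# Constructed inventory: ids, classes, dates and periods are assumptions for illustration.
INVENTORY = [
    PIRecord("CUST-001", "business confidential", date(2008, 1, 15), 730),
    PIRecord("CUST-002", "secret", date(2010, 6, 1), 365),
    PIRecord("HR-014", "secret", date(2005, 3, 3), 1825),
]

# Constructed authorized-access list: record id -> user ids permitted to access it.
AUTHORIZED = {
    "CUST-001": {"alice", "bob"},
    "CUST-002": {"alice"},
    "HR-014": {"carol"},
}

# Constructed access log entries: (date of access, user id, record id).
ACCESS_LOG = [
    (date(2010, 10, 1), "alice", "CUST-001"),
    (date(2010, 10, 2), "bob", "CUST-002"),     # bob is not authorized for CUST-002
    (date(2010, 10, 3), "carol", "HR-014"),
    (date(2010, 10, 4), "dave", "CUST-099"),    # CUST-099 is not in the inventory
]


def _expiry(inventory):
    """Map each record id to the date its disclosed retention period ends."""
    return {r.record_id: r.collected + timedelta(days=r.retention_days) for r in inventory}


def due_for_disposal(inventory, today):
    """Record ids whose retention period has elapsed as of `today`."""
    return sorted(rid for rid, end in _expiry(inventory).items() if end < today)


def unauthorized_access(access_log, authorized):
    """(user, record id) pairs in the log that are not on the authorized-access list."""
    return [(user, rid) for _, user, rid in access_log
            if user not in authorized.get(rid, set())]


def undocumented_records(access_log, inventory):
    """Record ids that were accessed but are absent from the inventory."""
    known = {r.record_id for r in inventory}
    return sorted({rid for _, _, rid in access_log if rid not in known})


def use_after_retention(access_log, inventory):
    """Accesses that happened after the record's retention period ended."""
    expiry = _expiry(inventory)
    return [(user, rid) for when, user, rid in access_log
            if rid in expiry and when > expiry[rid]]


def run_checks(today=date(2010, 10, 18)):
    """Run all four checks and return their findings keyed by check name."""
    return {
        "due_for_disposal": due_for_disposal(INVENTORY, today),
        "unauthorized_access": unauthorized_access(ACCESS_LOG, AUTHORIZED),
        "undocumented_records": undocumented_records(ACCESS_LOG, INVENTORY),
        "use_after_retention": use_after_retention(ACCESS_LOG, INVENTORY),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Each finding maps to one of the questions above: "due_for_disposal" and "use_after_retention" to timely disposal and not using PI beyond its disclosed retention, "unauthorized_access" to the authorized-access list, and "undocumented_records" to reconciling the inventory. In practice the inventory and log would be read from the organization's systems rather than embedded, but the checks themselves stay the same.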
Records management personnel and privacy officers must work together to ensure that PI is properly and securely stored, retained and destroyed. There is a subtle difference between "store" and "retain": storing tends to be a casual or informal way of keeping records, while retention is more formal and generally subject to some type of policy. GAPP provides a number of best practices that organizations should consider in their records management program to ensure privacy concerns have been addressed. More information is available in the free white paper, Records Management — Integrating Privacy Using GAPP.

Nicholas F. Cheung, CA, CIPP/C is a principal with the Canadian Institute of Chartered Accountants. He is a staff liaison of the AICPA/CICA Privacy Task Force and a member of the Advisory Board for IAPP Canada. Nancy A. Cohen, CPA, CITP, CIPP is a senior technical manager principal with the American Institute of Certified Public Accountants. She is a staff liaison of the AICPA/CICA Privacy Task Force.