Wednesday, June 07, 2006

Incident: Info on 300K+ CPAs goes missing along with hard-drive

If you don't need (really, really need) a particular type of personal information and it is at all sensitive, do not collect it. Do not keep it. If you have it, securely destroy it.

Privacy best practices world wide are pretty clear that you should only collect and retain personal information that is necessary for a clearly articulated purpose. In the CSA Model Code for the Protection of Personal Information, it is articulated thusly:

4.4 Principle 4 - Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

This goes hand-in-hand with the principle that you should only keep information for as long as is reasonably necessary to fulfil those clearly articulated purposes. Take it away, CSA Code:

4.5 Principle 5 - Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

The Generally Accepted Privacy Principles, produced by the Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants, include variations on these general rules:

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

So I guess you can draw from these examples that you should not collect or keep someone's social security number or social insurance number unless you really need it.

Interestingly and ironically, this lesson has just been learned the hard way by the American Institute of Certified Public Accountants. The AICPA has just reached the conclusion that it should apply at least a portion of its own Generally Accepted Privacy Principles with respect to the personal information about its members that it collects and retains. It appears that a hard-drive containing personal information on 330,000 members, including social security numbers, has gone missing while in the custody of an overnight courier. While it is very easy to blame the courier, it is clear that the AICPA has no compelling reason to collect SSNs. In fact, there's no reason that even roughly corresponds to the risk associated with keeping such data around, let alone couriering it to a service provider.

To read more, check out: CPA group says hard drive with data on 330,000 members missing.
