How to manage your clients’ personal information

What are your obligations for a client’s personal information, and for what purpose can you use it?

A basic principle of privacy law is that personal information must only be used or disclosed for a specific purpose, and only with the permission of the person it concerns.

Protect personal information

For as long as you hold a client’s personal information, you are required by law to protect it by taking reasonable measures to prevent other people from accessing it without permission. You can ensure your client’s information is protected by:

  • never revealing, verbally or otherwise, any personal details about your clients or customers
  • restricting access to files and databases as appropriate
  • using highly secure passwords and firewalls
  • locking filing cabinets
  • never leaving laptops and other mobile devices unattended
  • monitoring and investigating if you have reasonable grounds to believe that personal information is being collected, used or disclosed inappropriately

Defining personal information

Legally speaking, personal information comprises the unique identifiers of an individual such as their race, age, marital status, education, medical, criminal, employment or financial history, personal address and telephone number, and details about real and personal property ownership. This information is presumed to be private and unique to the person.

On the other hand, a person’s name, title, business address and telephone number, and email are not considered personal information if such information is publicly available.

Destroying personal information

You must take due care even when getting rid of personal information so that you prevent unauthorized access to clients’ personal information. Don’t simply toss documents or disks in your waste bin or throw them in a dumpster where someone could access them. And remember that the trash and recycle bins on your computer must be emptied; otherwise, the information inside can be recovered.

Digital security

Confidentiality and security are not guaranteed when personal information is transmitted through e-mail or other wireless communication. The most effective prevention is to secure your computer data, email and other digital accounts with secure passwords.

  1. Always keep your password secret.
  2. Create passwords that are nearly impossible for someone to guess, or for a hacker’s software to crack, but which you can remember without writing them down.
  3. Use “two-factor authentication” (2FA) so that, in addition to a username and password, you have a second level of security such as a PIN, a code or a second password.
  4. Download and install anti-malware software from a reputable source.
  5. Make sure your firewall and anti-virus software are the most up-to-date versions available.
  6. Never conduct confidential business over unsecured wifi services in a coffee shop or other public spaces.

So, if you suspect you’ve made the mistake of sending a client’s personal information, such as account numbers or passwords, through an email, call immediately to warn the client and the banks and credit card companies involved.

If a criminal has hacked into your email and used your identity and email address to send a phishing scam to a client, you should contact everyone with whom you are dealing in a large transaction and alert them to the potential fraud.

Remember, when you protect your client’s personal information, you are also protecting yourself.