Identity theft

Protect your business and customers

Effective ways for businesses to protect client confidentiality and information

Businesses and organizations are responsible for protecting their customers’ personal information.

Below are tips from Businesses and Identity Theft, a document released by the Office of the Privacy Commissioner of Canada. These tips will help protect your organization’s reputation and your customers’ personal information.

Steps for reducing the risk of identity theft

1. Limit the amount and type of information collected

  • collecting less information reduces the potential damage if there is a breach and also lowers the cost of collecting, storing and archiving data

2. Limit how long you keep the information

  • keep personal information only for as long as it’s needed and destroy information that is no longer needed for an identified purpose or legal requirement
  • develop guidelines and procedures for retaining and destroying personal information, including maximum and minimum retention periods (taking into account legal requirements, restrictions and redress mechanisms)
  • conduct regular reviews and establish a retention schedule to determine if information is still required
  • dispose of any information that’s no longer needed in a way that prevents improper access (such as shredding paper files with a cross-cut paper shredder, or securely deleting electronic records)

3. Protect personal information against loss or theft

  • develop, implement and regularly review a security policy to protect personal information from unauthorized access, disclosure, copying, use or modification
  • protect computers and paper files with physical security measures, such as locks, restricted-access areas and alarms
  • use organizational controls to prevent “inside jobs”, including employee and contractor security clearances, limiting access on a “need-to-know” basis and staff training
  • train employees on security safeguards and protecting personal information—everything from not leaving laptops in cars to more detailed information about technological safeguards
  • if there is personal information that has no relevance to the transaction, either remove it or block it out when providing copies of information
  • keep sensitive information files in a secure area or computer and limit access to individuals on a “need-to-know” basis only
  • when selecting appropriate safeguards, consider: 
    • sensitivity of information
    • amount of information
    • extent of distribution
    • format of information (electronic or physical)
    • type of storage

4. Safety at the check-out counter

  • ensure customers can enter their debit card PINs in a secure way by:
    • adding shields to key pads
    • regularly checking point-of-sale equipment to see if it’s been tampered with
    • having cashiers verify photo ID and signatures on credit cards, especially if signatures don’t match or the signature on the back of the card is smudged
    • using equipment that doesn’t print the entire debit or credit card number on a receipt
  • when selling online, use encryption software and other security technologies to protect against fraud, and update them regularly

5. Avoid collecting Social Insurance Numbers (SINs)

SINs are the key identity document used by identity thieves.

  • don’t ask for SINs as a piece of ID, unless required by law
  • only collect, use and disclose SINs for legislated purposes

6. Adopt good authentication processes

  • authenticate a customer’s identity, especially when the request relates to an account or to obtaining records relating to an account
  • authentication processes can help protect privacy by reducing the risk of unauthorized disclosures of personal information
  • design authentication processes to take into account the sensitivity of the information and the risks of sharing it
  • don’t ask for unnecessary authentication, since it can be seen as intrusive

7. What to do when there is a breach

  • Inform individuals as soon as possible that their personal information has been compromised, particularly when there is a risk of identity theft or some other harm. The following information and assistance needs to be given to the individual:
    • A list of the type of personal information disclosed;
    • An assessment of the risk of identity theft as a result of the breach;
    • A description of the measures taken or that will be taken to prevent further unauthorized access to personal information;
    • Contact information for affected individuals to obtain more information and assistance; and
    • Information and advice on what individuals can do to protect themselves against identity theft and fraud.
    • An organization responsible for a data breach should provide assistance, such as paying for credit monitoring, to the people whose information has been compromised.

OPC’s Guidelines for Identification and Authentication
