Chapter 12: Records Security and Information Privacy
http://web.archive.org/web/20050301010413/http://xnet.rrc.mb.ca/recmgmt/chapter12.htm
One library tech's insight into the world of libraries - working the way up from top to bottom - on the way to take over the world!
Monday, May 25, 2015
Monday, May 18, 2015
Records security and information privacy
Content security
- Provision for the protection against intentional destruction, disclosure, modification, or breach of confidentiality of information
- Based on principal people have right to decide what personal information they wish to divulge, to whom and for what purpose. People have right to expect the information will be kept private and used only for purposes for which it was obtained.
- Growing proliferation of electronic databases containing personal information
- Government: health, income tax, census, military, etc.
- Private sector: credit cards, affinity cards, etc.
- Information highway: integrated computer, communication, and cable/satellite TV networks
- Need to balance need for access with protection from unauthorized users
- Officer of the Privacy Commissioner of Canada http://www.priv.gc.ca/index_e.asp
- Access to Information and Privacy Homepage
https://www.tbs-sct.gc.ca/atip-aiprp/index-eng.asp - In order to help requestors find government records and determine where to send their requests, the Access to Information Act and the Privacy Act require each government institution subject to the two Acts to describe the nature of their records in Infosource http://infosource.gc.ca
- Personal Information Protection and Electronic Documents Act
- All Canadian Provinces were to pass like legislation by January 1, 2004 or fall under the Federal Legislation
- Electronic and paper documents are equivalent
- Freedom of Information and Protection of Privacy Act (FIPPA) http://www.gov.mb.ca/chc/fippa/index.html
- Personal Health Information Act (PHIA) https://www.gov.mb.ca/health/phia/index.html
- Voluntary programs by businesses are emerging in the private sector
- Altruistic motives
- Voluntary compliance to head off legislated compliance
- Self protection from law suits for the breach of confidentiality and invasion of privacy
- Voluntary Privacy Codes http://web.archive.org/web/20100211204326/http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca01361.html
- The following Associations are examples of Canadian organizations which have developed important voluntary codes dealing with privacy:
- Canadian Association of Internet Providers
- Canadian Bankers Association
- Canadian Marketing Association
- Canadian Medical Association
- Insurance Bureau of Canada
- Establish objectives
- Define responsibilities
- Assess risk
- Establish into security policies and procedures
- Audit, monitor, and evaluate security management
- Security measures vary from organization to organization
- System of controlled access must be established to maintain safeguards against unauthorized invasion of equipment and records
- Primary criterion for entrance: admit only those whose work requires access
- Keys
- Easily duplicated and lost
- Anyone can use
- Lock itself vulnerable
- Electric, electronic, or mechanical entry (keypad systems)
- People forget the code or record it where others may find it and use it
- Combination can be shared easily
- Vulnerable to electronic lock picking
- Plastic cards with coded strips
- Card can be lost (should carry no ID which allows finder to know what it unlocks)
- More difficult to duplicate
- Biometric and physical attributes
- Match individual characteristics electronically
- Biometric devices: fingerprints, voice, chromosomes in strand of hair, retinal eye patterns
- Combination systems
- Ability to record an audit trail of all access attempts can be built into many of the area and facility access systems
- Printouts showing who has had access, date and time of entry, unauthorized entry attempts, etc.
- Useful in monitoring access system
- Procedures for controlling theft and unauthorized access must be provided
- Keep current inventory including date of purchase, serial no., cost
- Tag with ID no. both inside and out
- If employees can borrow have sign out system with due dates for return
- Supervise and monitor equipment use during breaks, lunch, after hours
- Train building security guard to check for computer equipment, etc.
- Need to balance security with employee privacy rights
- Cables
- Locking cabinets
- Computer alarms
- Anchoring pads
- Desirable to have central source with one person responsible for compliance with company guidelines
- Guidelines to be written, disseminated and enforced
- Review of personal record
- 2 pieces of ID, completion of authorization form
- Copy of personal record
- 2 pieces of ID, completion of authorization form, plus signature for receipt of copy
- Company employee
- Signature on receipt for copy, or signature on a log identifying record logged out
- Request by mail
- Verify legitimacy; obtain written permission for release when necessary
- Highly confidential records
- Check requestor’s name against “authorized to see” list
- All other requests
- Records manager or designee must grant authorization on case-by-case basis
- Signature on log or request form
- The bigger you get and the more private information that you maintain online, the more of a target you become to hackers. Hackers may be after your private information, but they may also be after the notoriety that comes with cracking your site.
- Security breaches can be caused by problems with the technological systems that you use, but they can also be caused by negligent staff
- Firewalls
- hardware and/or software that controls information entering your computer system or network
- Intrusion detection software
- detects unauthorized intrusions into your computer systems
- Encryption
- a security method that transforms information into random streams of bits to create a secret code. There is software-based encryption such as Public Key Infrastructure (PKI) and Secure Sockets Layer (SSL). Hardware-based encryption, such as smart cards, is another type of encryption.
- PKI
- the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet.
- SSL
- a program layer created by Netscape for managing the security of message transmissions in a network
- Smart card
- a plastic card resembling a credit card that contains a computer chip, which enables the holder to perform various operations, including limiting access to individual computers to legitimate users
- To prevent access to data stored on hard disks must control access to equipment
- Assigned numeric code for each person, a password or combination of the two
- Key and lock for disks
- Deny access to employees who resign, then immediately change access codes
- Encrypt (scramble) sensitive and confidential files
- Mutilate or erase disks before disposal
- Turn off modems when not in use
- Turn off computers when not in use so unauthorized users cannot access files
- Use and update antivirus software
- For further information on computer security see:
- NIH Computer Security Awareness Training Course http://irtsectraining.nih.gov/
Monday, May 11, 2015
Records classification
Class | Definition | Example | Recommended Protection |
Class 1 - Vitals | Records essential to the continued life of the business. These records are irreplaceable because they give evidence of legal status, ownership, and financial status. Vital records are generally housed in active records storage. | Accounts receivable Inventory Contracts Creative materials Research records | Fire resistant vaults Dispersal Fire resistant safes/cabinets |
Class 2 -Important | Records necessary to the continued life of the business. While these records can be replaced or reproduced, this can be done only at considerable time and money. Important records can be housed in either active or inactive storage. | Accounts payable Directives Payroll records | Safes Vaults |
Class 3 - Useful | Records useful to the uninterrupted operation of the business. These records are replaceable although their loss could cause temporary inconvenience. | Bank statements Correspondence | File cabinets |
Class 4 - Nonessential | Records having no present value and should be destroyed. | Requests answered Advertisements Announcements | Use, then destroy |
Source: Gordon P. McKinnon, editor. Fire Protection Handbook, 15th ed. (Boston : National Fire Protection Association, 1981).
Monday, May 4, 2015
Recovery priority by types of records media
Recovery Priority by Type of Records Media from http://www.arma-gla.org/presentation/2001-02/armafeb20workshop2.pdf
Salvage techniques
| ||||||
Media
|
Recovery priority
|
Initial action
|
Initial purpose
|
Follow-up action
|
Follow-up purpose
|
Comments
|
Magnetic media
Magnetic tapes Disc packs Floppy diskettes and disks Flexible disks Audio and video tape cassettes CD-ROM Computer Output Laser Disk& | Immediately | Contact vendor | To obtain professional advice | May include freeze or vacuum drying, special cleaning techniques professional assistance in retrieving data | To remove all moisture and other contaminants from the media, to access data in case of damaged media | Such advice
should be sought well in advance of a disaster. Contingency plans for data and word processing groups may be advisable. Heat and water damage to media may result in subsequent damage to hardware or irretrievability of data. Proper backup and salvage procedures are essential. It is worth noting that such records are among the easiest to duplicate and share off-site. |
Photographic materials Colour film and photographs | Immediately | Once wet, keep wet | To avoid further damage and image toss | Colour dyes are inherently unstable and should be handled immediately to prevent loss of colour and other damage | ||
Within 48 hours | Obtain professional advice and/or assistance with cleaning, drying and restoring | Freeze if professional help must be delayed longer than 48 hours | To stabilize color dyes | |||
Silver or emulsion films and photographs | Immediately within 48 hours | Immerse totally in water. Formaldehyde to a 1% solution, may be added to cool, clean water. One tablespoon of salt may be added to hard water. | To avoid further damage. To avoid softening or filling of gelatin or emulsion layer. If materials are allowed to dry out, they tend to stick to adjacent surfaces, with image loss and other damage. | Seek professional advice and help with cleaning and drying. Freeze only if necessary. | To restore films to original state. Freezing may lead to image damage, but less damage is likely to be caused by freezing than by delayed treatment. | |
Diazo or vesicular (duplicate) films | Last | If time and staff are available, rinse off and lay out to dry, otherwise, leave until last. | To prevent water sooting and curting of films and fiche. | Wash with liquid detergent and rinse and lay out on absorbent paper to dry. | To remove water spots and other contaminants and to restore film. | Diazo and vesicular films are nearly impervious to water damage and should clean-up easily. Diazo films sometimes fade with age. Fading or other damage discovered after the disaster can be related to poor quality control rather than to the disaster. |
Paper Bond, rag, duplicating other | Within 48 hours (depending on temperature and humidity levels at disaster site and on extent of damage). In fires, paper is least vulnerable media. | Air dry in well ventilated area: if volume of wet records is large, consider freeze or vacuum drying. | To prevent further deterioration of paper materials and eruption of mold and fungus. | May include freeze or vacuum drying. If mold erupts, treat with fungicides. May place paper towels or newspaper print between wet pages. | To remove moisture from materials and to reduce humidity levels in damaged materials: to eradicate mold. | In high humidity levels, deterioration of wet paper records can begin within 2-3 hours. |
Coated or clay paper | Immediately | Freeze | To hold damaged materials until freeze or vacuum drying can be arranged. | Freeze or vacuum drying. | To remove all moisture from paper, without damaged or removing coated surface. | Freeze or vacuum drying is the only successful recovery technique for this medium. |