Blackbird is committed to protecting the privacy of its clients’ information. This policy is intended to serve as a guideline for any contract work or services provided by Blackbird employees to the Government of British Columbia. Security is the responsibility of all staff who have access to, use, or manage information and technology assets of Blackbird Security and its clients. Below are the security policies and procedures that all staff are expected to adhere to so that all client information is kept secure. In particular, this policy applies to all staff handling information managed (e.g., accessed, collected, used, shared, stored, disclosed, disposed of) by the Government of British Columbia.
- “Confidentiality Agreement”
means an agreement between the Contractor (i.e. Blackbird) and its Personnel requiring that Personnel comply with the requirements of FIPPA, and other applicable law, in a manner which is sufficient to ensure compliance by the Service Provider and its Personnel;
- “Contact information”
means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual;
- “Personal information”
means recorded information about an identifiable individual, other than contact information, collected or created by the Contractor as a result of the Agreement or any previous agreement between the Province and the Contractor;
means any device to manage, operate or provide the services or to connect to any Province system or network, or that is capable of storing any Protected Information, and includes any workstation or handheld device the Contractor uses in relation to the Agreement;
means the physical locations (excluding those of the Province) the Contractor uses to provide the Services, or to house Systems or records containing Protected Information;
means the Freedom of Information and Protection of Privacy Act, which provides authorization for the collection, use, disclosure, access, disposal and storage of personal information in the care of the Contractor;
- “Information security”
includes the protection of personal data, systems, documentation, computer-generated information and facilities from accidental or deliberate threats to confidentiality, integrity or availability;
- “Protected Information”
means any and all “personal information”; information and records of information the Contractor is required to treat as confidential under the Agreement; and records, the integrity or availability of which are to be preserved by the Contractor under the Agreement;
includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which Personal Information is recorded or stored by graphic, electronic, mechanical or other means which are collected or produced by the Service Provider in the course of delivering services or otherwise performing its obligations under the Agreement, but does not include computer programs or any other mechanism that produces records.
- Privacy and Information Sharing Awareness Training for Contractors and Service Providers:
We will ensure that each employee who will provide services under an agreement with the Province that involves the collection or creation of personal information completes Privacy and Information Sharing Training before providing those services, unless they have previously completed the course. This training is required for all contractors and service providers to the BC government who have access to sensitive information during their work. On completing the training, staff are expected to:
- Support a culture of responsible information sharing and compliance with legislation and government policy;
- Be aware of information sharing, privacy and security policy and processes;
- Understand Blackbird’s role and responsibilities as a contractor in information sharing and privacy; and
- Identify when an information incident, including a privacy breach, has occurred and know what actions to take.
- Appropriate Information Sharing:
Blackbird will apply the following six information sharing principles when handling personal or confidential information that is held by the Province. In addition to adopting these policies, all management staff are required to sign a Non-Disclosure Agreement (NDA) to ensure protection of our clients’ and stakeholders’ confidential information.
- Right Information: meets the needs of its users and the quality of the information is appropriate for its purpose in terms of accuracy, reliability, consistency, and comprehensiveness. Only required information shall be collected.
- Right Person: information is available and accessible unless there are valid reasons for it to be withheld. Access to information is appropriate to the employee’s function. If a Blackbird employee encounters confidential and sensitive information (i.e., from an arrest or interaction), this information is to be communicated directly to the Blackbird Manager, and to the policing authorities if required. Confidential and sensitive information will not be made available to internal staff or stakeholders unless it is directly related to their work and/or safety.
- Right Purpose: government business and personal information should only be accessed for a business-related purpose; not for private or personal interests.
- Right Time: information is available in a timely way to use appropriately when needed; and to support business and program goals, needs, and decisions. Periodic reviews will be undertaken to audit who has access to what information.
- Right Way: information is handled in a way that respects and protects the privacy and confidentiality of individuals with regard to their personal information held by the government. It must also respect the confidentiality of government program information that is not about individuals but is still sensitive.
- Right Storage: all personal information and records are securely segregated from any information owned by Blackbird Security or third parties. This practice will prevent unintended mixing of data or access by unauthorized parties, and enable personal information and records under the control of a client to be identified and separated from those of Blackbird Security or third parties.
- Preventing Information Incidents:
As a contractor to the Province, Blackbird will ensure confidential and personal information is administered as authorized by FOIPPA, PIPA and other related legislation as applicable.
In particular, Blackbird will:
- Verify the use of technology such as email meets the BC Public Sector’s data residency requirements, meaning contractors may not provide personal information in emails that could be stored or accessed outside of Canada;
- Adopt the following safeguards: employees must lock workstations when stepping away from their computer; lock and store away any files containing confidential or personal information in paper form; use, and never share, passwords that control access to information sources; and use paper shredders and secure bins to dispose of physical documents, CDs/DVDs, and other electronic media.
- Ensure documents are appropriately and consistently labelled to communicate when they are confidential. This process will be standardized by indicating the confidential nature of documents on a cover page, in a footer or header, or with a “CONFIDENTIAL” watermark on each page. Documents deemed confidential must not be posted publicly in the office or left unattended.
- Assess risk when employees work outside the workplace (i.e., remotely from a home office, in the field, or during work travel). Employees who remove confidential and personal information from the workplace must ensure that confidential information is encrypted and must verify the physical security of the information. This includes never downloading or saving confidential information to the local hard drive, and never printing confidential information through desktop terminal services, remote desktop connections over VPN, or Outlook Web Access (doing so would create copies that could be accessed by unauthorized persons). Further, employees must remove only the minimum information necessary to complete work outside the workplace. When done, digital confidential information should be copied back to the network drive and deleted from any USB device.
- Dispose of transitory information or information no longer required by having employees return it to the workplace for shredding and proper storage. Paper-based confidential information needs to be disposed of using paper shredders and secure bins. Electronic media such as CDs/DVDs must also be shredded once they are no longer needed.
- Train employees on best practices for cybersecurity protection and prevention. This includes, but is not limited to, recognizing cybersecurity threats such as phishing emails and vishing calls that seek to obtain access to confidential or personal information. Moreover, Blackbird workplaces will encourage all staff to connect only to secure Wi-Fi, avoiding public networks and using VPNs where possible, and to report, and never respond to, any kind of suspicious behaviour.
- Handling Information Incidents:
We recognize that information incidents can be actual or suspected, accidental or deliberate. In any of these cases, Blackbird will report all information incidents following the below guidelines:
Information Incident Management Process (3RP)
- Report: Incidents will be reported immediately to the contract manager, who will then make a report of the information incident by calling 1-866-660-0811 or 250-387-7000 (option 3). This will be followed by reporting to any additional designated ministry contacts. The contract manager and the employee who becomes aware of the incident will make detailed notes to recall any particulars of the incident.
- Recover: Blackbird will proceed with recovering the information in question where possible. This will be done within the scope of influence and responsibility of Blackbird employees who must prioritize their own safety first.
- Remediate: Notification to impacted individuals may be required if they are at risk of identity theft or fraud; risk of physical harm; risk of hurt, humiliation or damage to reputation; or risk to employment or business opportunities.
- Prevent: In cases where more confidential information is handled by Blackbird employees, more prevention measures will need to be put in place. This includes identifying and managing risks for the information in our care, recognizing potential measures that will help prevent information incidents, and ensuring that our employees understand their roles and responsibilities in handling information incidents when working with Provincial bodies.
- Access to Protected Information and to Facilities, Systems and Devices
Regulating access and authentication processes is a vital part of information security. Blackbird will employ the following mechanisms to define identity verification processes and password-based authentication guidelines.
Blackbird will implement a formal user registration process for all personnel. All individuals will undergo thorough identity verification procedures before being assigned a unique identifier that gives them access to Blackbird facilities, systems or devices. Access will be managed by enforcing a limit on consecutive invalid logon attempts by a user within a predetermined time period; automatically locking the applicable account and systems after repeated failed logon attempts; limiting the number of concurrent sessions; and providing the capability to disconnect or disable remote access to the systems.
All systems will require complex passwords or personal identification numbers (PINs) that are encrypted (not displayed) when entered, and/or other logical or access controls, or combinations of them, to control access to protected information and to systems and devices. For all password-based authentication we will establish a minimum password complexity, including requiring passwords to be case sensitive, contain a minimum of eight characters and a combination of upper-case letters, lower-case letters, numbers, and/or special characters. Authentication passwords shall be regularly changed at a minimum semi-annual interval.
- Records Management and Storage Protocols
Blackbird Security will commit to safeguarding all records (and their copies) containing confidential information during and after all services performed as a contractor by:
- Maintaining and storing the records at an authorized site in Canada. We will ensure that there are reasonable physical and electronic security measures in place at such site to protect against any unauthorized access to, theft, loss or disclosure of the records.
- Retaining all personal information and records under the control of the Province until we receive its written direction regarding their return or destruction. If personal information is collected and used to make a decision directly affecting an individual, the records will be made accessible to that individual for at least one year.
- Guaranteeing that, when required, destruction of records is always accomplished by software erasure or by physical destruction. Software erasure and physical destruction will meet, at a minimum, the NIST 800-88 standard, as updated, amended or replaced from time to time. Physical destruction will occur by burning, cross-cut shredding, or pulping.
- Additional Resources:
- Course Manual: Privacy and Information Sharing - Awareness Training for Contractors and Service Providers
- Assessing Your Information Exposure Risks
- Preventing Information Incidents – Action Plan
- Working Outside the Workplace Policy
- Contractor's Guide to the Freedom of Information & Protection of Privacy Act