Information Protection: Bridging Physical and Digital Security in Digitization

In the digitization industry, where businesses specialize in converting physical documents and materials into digital formats, protecting information requires a comprehensive security approach. This chapter explores how physical and digital security measures work together to protect sensitive information throughout the conversion process, emphasizing the crucial role you’ll play in safeguarding both original materials and their digital counterparts.

When handling client materials – from business documents and personnel files to historical records – each item requires specific security protocols and careful handling procedures. Some materials might need special handling or environmental conditions to prevent damage during the digitization process. Think of your role as a guardian of information, where each document needs particular care and documentation. Materials must be tracked from the moment they arrive until they’re returned to the client, with secure storage protocols when they’re not actively being processed.

The digital side of digitization brings its own security challenges. As you convert physical documents into digital assets, you’ll need to ensure the security of these new files. This involves maintaining strong passwords, saving files in designated secure locations, and following proper digital handling procedures. These practices work alongside physical security measures like ID badges and restricted access areas, ensuring only authorized personnel handle client materials throughout the conversion process.

Privacy laws and confidentiality agreements are fundamental to the digitization business. You’ll need to understand how regulations like PIPEDA govern the handling of personal information, and how NDAs protect client confidentiality. Security awareness isn’t about memorizing rules – it’s about developing good habits that protect client information at every stage of the digitization process. Remember, in this industry, your role in protecting information is central to maintaining client trust and your organization’s reputation.

Let’s explore how the digitization industry protects client information through comprehensive security measures, privacy compliance, and confidentiality practices.

---

Cybersecurity Fundamentals

In today’s rapidly evolving digital landscape, cybersecurity has become an essential skill, particularly for those working in digitization projects where nearly all work exists in digital form. As technology advances, so do the sophisticated methods employed by cybercriminals, making it crucial to stay informed about current threats and defense strategies.

Understanding Email-Based Threats

Email remains one of the primary vectors for cyberattacks, making it essential to understand and defend against various email-based threats. The most common of these is phishing, where attackers attempt to deceive recipients into revealing sensitive information or taking harmful actions.

When handling emails, always verify the sender’s true identity by examining the email address carefully, not just the display name. Pay attention to red flags such as poor grammar and spelling, which often indicate fraudulent attempts. Before clicking any links, hover your mouse over them to preview the actual URL destination. If an email claims to be from a legitimate company, it’s safer to visit their website directly through your browser rather than clicking email links. When in doubt, consult your IT security team.

Spam presents another persistent challenge. While most email providers offer spam filtering, you might need additional third-party protection in some cases. Never engage with spam emails by clicking, opening, or responding to them. When posting your email address online, use formats like “username (at) domain.com” to prevent spam bots from harvesting your address.

Email attachments require particular caution. Never open attachments from unknown senders, and remain skeptical even of attachments from familiar addresses, as accounts can be compromised. If an email seems suspicious, even slightly, avoid opening any attachments and alert your IT department.

Password Security and Management

Password security forms the foundation of your digital defense. Many users still make the critical mistake of incorporating personal information into their passwords or reusing passwords across multiple accounts. Both practices significantly increase vulnerability to cyberattacks.

Effective password management involves creating unique, complex passwords for every account and enabling two-factor authentication whenever possible. When choosing security questions, avoid using true personal information that others might easily discover. In the event of a data breach, change your affected passwords completely rather than making minor modifications.

Understanding and Preventing Malware

Malware encompasses various malicious software types designed to compromise digital systems. Protection requires a multi-layered approach: install reliable endpoint security software on all devices, exercise caution with external devices and downloads, and stay vigilant about clicking links or downloading files. Regular cybersecurity awareness training for yourself and others who use your systems is invaluable.

Internet Safety Practices

The internet presents numerous security challenges, particularly when using public Wi-Fi networks. Always verify network names with business owners before connecting, and treat all public Wi-Fi as potentially compromised. Use anti-malware protection and avoid accessing sensitive information over public networks.

The Internet of Things (IoT) introduces additional security considerations. Many IoT devices come with default passwords that hackers can easily exploit. For example, there are websites that display live feeds from security cameras worldwide simply because their owners never changed the default credentials. To protect your IoT devices:

• Change default usernames and passwords immediately
• Disable unnecessary web features
• Keep firmware updated on all devices, including routers

When browsing the internet, look for HTTPS encryption before entering sensitive information, but remember this alone doesn’t guarantee legitimacy. Research websites thoroughly before sharing personal or financial information. Consider implementing web content filtering to increase productivity and reduce exposure to malware, especially on devices used by children.

Defending Against Personalized Threats

Modern cybercriminals often employ social engineering tactics, using personal information to make their attacks more convincing. Protect yourself by:

• Being cautious about sharing personal information
• Verifying credentials of anyone requesting sensitive data
• Contacting companies directly through official channels when in doubt

Organizations must also address insider threats through comprehensive security policies. This includes:

• Regular employee cybersecurity training
• Clear data usage policies
• Implementation of security tools for prevention and response
• Integration of physical security measures with digital protection strategies

Remember that cybersecurity is an ongoing process rather than a one-time implementation. Stay informed about emerging threats and regularly update your security practices to maintain effective protection for your digital assets.

---

Physical Security in a Digitization Business

Physical security refers to the measures taken to protect a company’s physical assets and ensure the safety of its employees. It includes security systems, access controls, and employee training. Physical security protects tangible assets through surveillance systems, access controls, and structural safeguards. These measures guard against theft, vandalism, and environmental damage through tools like security cameras, key card systems, and reinforced infrastructure. Digital security defends information assets through network monitoring, encryption, and access management. While distinct from physical security, the two domains increasingly overlap – for example, when protecting server rooms or managing access control databases. Effective security requires integrating both physical and digital protections. Organizations need coordinated strategies that account for how these systems interact and support each other.  And they need clear policies and procedures in place to ensure that everyone in the organization is aware of their responsibilities and knows how to respond to security incidents. This unified approach helps ensure comprehensive protection against modern security threats.

Case Studies of Physical Security Breaches

Here are several case studies highlighting physical security breaches in digitization businesses and their consequences.

These cases underscore the importance of integrating physical security with cybersecurity measures. Organizations must adopt a holistic approach that includes employee training, robust access controls, encryption, regular audits, and secure configurations for all connected devices.

---

Protection of Privacy – PIPEDA and Digitization Responsibilities

As a future digitization professional, you’ll be responsible for converting physical documents into digital formats while protecting people’s private information. This role goes beyond simple conversion—it requires carefully safeguarding sensitive personal information contained within documents. Understanding the Personal Information Protection and Electronic Documents Act (PIPEDA) is therefore crucial, as violations could result in fines up to $100,000 per incident and potentially impact your career.

While PIPEDA is often associated with personal information protection, many overlook its broader scope. The Act also allows for electronic alternatives when conducting business with government agencies, facilitates the use of electronic documents in judicial proceedings, and gives legal recognition to electronic versions of official Parliamentary publications. This legal recognition gives companies confidence whether digitizing documents internally or outsourcing the process.

In the following video “Understanding Canada’s Privacy Law (PIPEDA),” you’ll explore the fundamental principles governing how businesses must handle personal data in Canada. The video examines critical practices including consent requirements, data collection limitations, accuracy standards, and information protection protocols—all essential knowledge for professionals in digitization. You’ll learn about individual rights under PIPEDA, including how citizens can access, correct, and request deletion of their personal information. Understanding these privacy regulations is foundational for managing digital data in today’s interconnected business environment.

Reference: 10Fundamentals. (2023, March). Understanding Canada’s Privacy Law (PIPEDA) | 10Fundamentals Video Lesson [Video]. YouTube. https://youtube.com/watch?v=8_MaDSnBNJM (2:10min)

PIPEDA Key Responsibilities & Best Practices

Document Handling and Privacy:

Screening: Meticulously check all materials for personal information (names, addresses, financial and health data).

Secure Handling: Ensure sensitive documents are handled securely throughout the scanning process, with temporary files deleted appropriately.

Clean Desk Policy: Maintain a clean desk policy to prevent unauthorised access to sensitive information. Privacy screens may also be helpful.

 

Digital Security in Workflow:

Secure Logins: Always log in and out of scanning systems securely.

Organised Filing: Name and organise files meticulously to prevent unauthorised access.

Protocol Adherence: Follow established procedures for file transfer and storage. This can include implementing a tracking system for all documents.

Breach Reporting: Immediately report any potential security breaches.

 

Best Practices for Following PIPEDA in Digitization Work

Scenario 1: Bulk Document Scanning: When dealing with large volumes of personal records, obtain necessary authorisation forms, track each document’s chain of custody, utilise secure scanning protocols, and ensure both physical and digital versions are stored securely.

Scenario 2: Quality Control: During quality checks, work in private areas, lock workstations when unattended, report any mishandling of personal information, and follow procedures for error correction.

Remember…. As a digitisation professional, you’re not just converting documents – you’re protecting people’s private information. Every document you handle contains someone’s personal story that you’re responsible for protecting. You have a significant role in upholding privacy rights under PIPEDA. By adhering to your company’s outlined guidelines, you can contribute to secure and ethical handling of personal information within your organisation.

Bill C-27 is on the Horizon

Bill C-27, also known as the Digital Charter Implementation Act, proposes to significantly update and replace parts of PIPEDA. Specifically, it introduces the Consumer Privacy Protection Act (CPPA), which would replace Part 1 of PIPEDA, modernizing how personal information is protected in Canada’s private sector. The CPPA will introduce stricter rules for how organizations collect, use, and disclose personal information, while also enhancing individual rights, such as data portability and the right to request deletion of personal data. As of November, 2024, Bill C-27 has not been passed into law.

---

What is an NDA?

An NDA, or Non-Disclosure Agreement, is a crucial tool that companies use to protect their valuable assets. Commonly known as a Confidentiality Agreement, it helps safeguard commercial secrets during transactions or collaborations.  It’s a legal contract that establishes confidentiality obligations between parties. It also protects sensitive information from unauthorised disclosure and 

it’s crucial for safeguarding a company’s valuable assets and commercial secrets during various business interactions. The NDA serves to maintain secrecy around vital information. It might be used for trade secrets, business strategies, and proprietary data. In essence, it ensures that the receiving party handles the shared information responsibly. It also ensures they don’t reveal to third par

ties or use the information for unauthorised purposes.

In the following video “What Is An NDA? Non-Disclosure Agreement (NDA) Explained,” Rob Tetrault examines the fundamental role of NDAs in protecting confidential information across business and professional contexts. The presentation covers both mutual and non-mutual NDAs, exploring their effectiveness in safeguarding trade secrets while acknowledging potential challenges in relationship dynamics. Tetrault offers practical insights into NDA development, addressing cost considerations and essential components such as temporal scope and confidentiality parameters. Understanding these legal instruments is particularly relevant for digitization professionals who must navigate the protection of sensitive digital assets in contemporary business environments.

Reference: Tetrault, R. (2023). What Is An NDA? Non Disclosure Agreement (NDA) Explained [Video]. YouTube. https://youtube.com/watch?v=GrW6_yCBw6M (5:19min)

Why is a NDA Important?

Non-Disclosure Agreements (NDAs) play a crucial role in safeguarding businesses and their assets in various situations. Here are some reasons why NDAs are vital for both individuals and organisations:

• Protection of Intellectual Property: NDAs help protect valuable intellectual property, including trade secrets, inventions, and business strategies, ensuring they aren’t leaked or misused by competitors.
• Facilitating Trust in Collaborations: In partnerships, mergers, or acquisitions, MNDA agreements promote trust between parties. They do this by preserving confidentiality of shared information.
• Attracting Investors: NDAs enable businesses to confidently share sensitive information with potential investors, showcasing their capabilities without risking the exposure of proprietary data.
• Legal Recourse: Strong NDAs offer a legal enforcement structure. They enable businesses to pursue remedies like injunctions or damages in case of breach.
• Boosting Employee Loyalty: NDAs can emphasise the importance of protecting company information, promoting a culture of loyalty and confidentiality among employees.

Real Examples of NDA

Waymo vs. Uber

In 2017, Waymo, Google’s self-driving car division, accused Uber of stealing trade secrets related to autonomous vehicle technology. Waymo claimed that a former Google engineer who joined Uber had taken confidential information, including thousands of files, with him.

An NDA between Waymo and the engineer might have averted the problem. However, a poorly drafted NDA or its violation resulted in a lawsuit. The case was settled in 2018 when Uber agreed to pay Waymo a significant equity sum. They also ensured Waymo’s confidential data wouldn’t be used in Uber’s technology.

Microsoft vs. Google

In 2005, Microsoft sued Google after Kai-Fu Lee, a former Microsoft executive, joined Google to lead its China operations. Microsoft argued that Lee had violated his non-compete agreement and would inevitably use Microsoft’s confidential information in his new role. This case emphasises the need for well-defined NDAs and non-compete agreements, clarifying confidentiality scope and employee mobility restrictions. The case was settled out of court, with Lee agreeing to certain limitations on his work at Google.

Employer-Employee NDAs in Canada

In the following video “Everything to Know Before Signing or Creating an NDA,” eForms provides a comprehensive examination of non-disclosure agreements and their role in protecting sensitive information across professional environments. The presentation distinguishes between unilateral and mutual NDAs, highlighting their particular significance in technology sectors where intellectual property protection is paramount. The content explores essential NDA components, including enforcement periods, breach consequences, and the distinct differences from non-compete agreements. Understanding these legal frameworks is crucial for digitization professionals who must manage and protect confidential digital assets.

Reference: eForms. (2021). Everything to Know Before Signing or Creating an NDA [Video]. YouTube. https://youtube.com/watch?v=fpQKW4pQq6o (3:35min)

Every company has some confidential information that it must protect to ensure its profits. It can be anywhere from a simple marketing list or a food/product recipe to complex technological designs.  For this purpose, employee non-disclosure agreements or NDAs are frequently required by most employers. But what does Canadian law say about employee NDAs? Are they even legal in Canada? And can employees get away with it even if they signed an employee NDA?  

An employee NDA, also called a confidentiality agreement, is a legally binding agreement or contract. It prohibits a person from disclosing another person’s sensitive or confidential information to third parties. An employee NDA can be a clause in an employment contract signed by the employer and employee at the start of employment. It may also be a separate document agreed by parties during an employer-employee relationship. In either case, there’s no hard rule on the specific form that NDAs in Canada should conform with.

In the field of labour and employment, an employee NDA prevents a former or current employee from divulging the employer’s:

• commercial information
• information on intellectual properties
• trade secrets
• or other sensitive data

Employers require an employee NDA to prevent employees from disclosing their precious trade secrets and confidential information to competitors and third parties. For continued security, employee NDAs do not only cover current employees but also those who have left the company. Former employees are still under an employee NDA if it says so, or if it extends up to a certain period after the employment has ended.

Trade Secrets

Watch this video to know more about trade secrets, which are the usual subject matter of employee NDAs, and other ways to protect them. In the following video, “Understanding Trade Secrets,” Federallabs examines the protocols for protecting intellectual property when federal laboratories engage in business partnerships. The presentation explores how confidential business assets—including formulas, processes, and proprietary designs—are secured through various protective measures, including non-disclosure agreements, distinguishing them from formally registered intellectual property like patents. The content demonstrates how federal laboratories implement legal frameworks to maintain information security during collaborative ventures. This understanding of trade secret protection is particularly relevant for digitization professionals who must navigate the complexities of securing sensitive digital assets in collaborative environments.

Reference: Federallabs. (2019). Understanding Trade Secrets [Video]. YouTube. https://youtube.com/watch?v=Wka2Bkiq3Qk (1:49min)

Laws in Canada that Govern Employee NDAs

The validity and enforceability of employee NDAs are governed by the different Canadian federal statutes. This is in addition to common law and the Québec Civil Code covering topics related to contracts and agreements.

Here are some of the laws that cover employee NDAs in Canada:

• Contract law: because an employee NDA is a contract, it must follow Canadian laws on contracts, such as the basic requirements to make it legally valid and enforceable
• IP (intellectual property) laws: each type of IP falls under a specific federal IP law (e.g. patents in Canada are under the federal Patent Act) which provides for the definition of IPs, its registration, ways it can be infringed, and penalties for its infringement. (Source: https://www.canadianlawyermag.com/practice-areas/intellectual-property/new-patent-test-will-make-process-simpler-more-friendly-to-computer-implemented-inventions-lawyers/368170)
• Criminal Code: when an employee NDA is violated or breached and it involves infringement of IP rights, the provisions of the Criminal Code will apply when filing criminal charges against the violating party

 

How long can an NDA last in Canada?

Since an employee NDA is contractual in nature, its term depends on the agreement and the consent of both parties. This means that, while the period is initially offered by the employer (as the one who usually prepares the NDA), the employee may still negotiate against it or leave the offer. Since NDAs do not last forever, the most reasonable term or period must be considered, in consideration of the factors mentioned above.

 

What happens if an employee breaks an NDA?

Just like any other contracts, an employee NDA is a legally binding document. As such, breaking an NDA would have adverse legal consequences against the employee.

First, the NDA’s terms and conditions on violations will apply. Every employee NDA would have its own terms if it’s violated, and each would differ on these terms’ gravity.

Next, and in relation to the employee NDA’s terms and conditions, is a possible lawsuit against the former employee.

This lawsuit may also include an injunction. This is to restrict the former employee from continuing the acts that are violating the NDA.

It may also include damages against the former employee. These damages may include:

• compensatory damages: the actual losses that the employer suffered because the confidential information was already divulged
• liquidated damages: a pre-determined amount specified in the NDA that the employee will pay due to a breach or failure to comply

 

Exceptions to employee NDAs

There are circumstances when an employee NDA may be “legally violated” by a former or current employee, such as the following:

• when required by law: when government or law enforcement agencies require that an employee divulge information (e.g. in a legal or court proceeding, or in response to a court order or subpoena)
• whistleblowing: criminal activities cannot be covered by an employee NDA. A former or current employee may disclose information related to criminal acts of the employer or other employees in the same company. (Source: https://www.canadianlawyermag.com/news/general/use-of-non-disclosure-agreements-to-silence-victims-and-whistleblowers-up-for-debate-at-cba-meeting/373512)
• to fulfill current employee’s duties: persons who are also bound by the same NDA, or are under different NDAs but within the same employer, may disclose information with each other especially to fulfill the current employee’s duties

In these circumstances, the NDA becomes unenforceable. This means that the current or former employee will not be penalized for “violating” the NDA.

Canada’s laws limiting NDAs

Prince Edward Island (PEI) passed a recent law that limits the use of NDAs in specific cases.  Bill No. 118 or the Non-disclosure Agreements Act, was passed by PEI on November 16, 2021, and received royal assent on November 17, 2021. It came into force on May 17, 2022. This recent law restricts the use of NDAs in a settlement agreement in cases of harassment or sexual misconduct. Here, the NDA can be part of the settlement only if the victim wants it to be included in the agreement.

(Source: https://docs.assembly.pe.ca/download/dms?objectId=9e65eec9-3f80-479b-acf2-c5a00b121d44&fileName=bill-118.pdf )

These types of laws are also emerging in the other provinces to protect survivors of harassment and sexual misconduct. It also protects the public because they will now know that these persons or entities are perpetrators of these crimes.

NDA Summary

The digitization process and protection of sensitive information are interconnected aspects of modern information management. Physical assets undergo a careful journey from receipt and preparation through scanning and digital conversion, ultimately becoming searchable digital assets stored in Digital Asset Management Systems (DAMs). Throughout this process, Non-Disclosure Agreements (NDAs) play a crucial role in protecting sensitive information and intellectual property.

NDAs, whether unilateral or bilateral, establish legally binding confidentiality obligations between parties. These agreements are essential for safeguarding trade secrets, business strategies, and proprietary data during both the digitization process and broader business operations. In Canada, NDAs are governed by federal statutes, contract law, and intellectual property laws, requiring clear identification of parties, defined confidential information, specific obligations, and enforcement periods.

The integration of proper digitization procedures and well-structured NDAs creates a comprehensive system for managing and protecting valuable information assets in our digital age. This dual approach ensures that organizations can preserve and access their content while maintaining appropriate security and confidentiality measures, essential for success in today’s information-driven business environment.

<add sample of an NDA from folder for the Appedix of the book> Here is a link to a sample NDA from  Georgian College: https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://content.georgiancollege.ca/wp-content/uploads/Mutual-NDA1.doc&ved=2ahUKEwi74eOpl_mKAxU4JDQIHXytFMwQFnoECBYQAQ&usg=AOvVaw3PCMYQuYblxO5VfzFIypMW

Copyright as it Relates to Digital Preservation

Definition

In copyright law, copying is known as “reproduction,” and it’s one of the exclusive rights of the copyright owner. The right to publicly display a work is also an exclusive right of the copyright owner, as is the right to make an adaptation, known as a “derivative work.” Our desire to keep digital information around for the future runs smack into the exclusive rights of the copyright owner.

Adapted from: fairusealpha.justia.com

Copyright and Digital Preservation

Fortunately, while there is no general exemption for preservation activities in copyright law, there are exemptions that can help individuals and especially libraries and archives legally preserve expressive works for the future. There are some specific exemptions for certain types of actions and for certain actors. Furthermore, in the absence of a specific exemption, one can always consider fair use as a defense when making a preservation copy.

Good preservation practice has often existed in a legal gray area. Libraries usually made three copies when microfilming long before the law gave explicit permission for the practice, and many radio programs have been saved only because individuals systematically taped them from the air, without the permission of the copyright owner. Digital preservation resides in an even murkier legal gray area because of the fundamental need to copy digital information (one of the exclusive rights of the copyright owner) in order to preserve it. In addition, there is greater interest in preserving works that you may not own, particularly web pages. The lack of legal certainty, however, should not prevent individuals and libraries from undertaking the socially beneficial task of preserving digital information. The law explicitly authorizes some preservation actions (especially if the materials are not made digitally available to others), and a strong fair use defense can be built outside the library or archives.

Read the article below for a deeper understanding of digital preservation and copyright:

Digital Preservation and Copyright by Peter Hirtle

---

Chapter Conclusion

This chapter explored how physical and digital security measures work together to protect sensitive information throughout the digitization process. We learned that security isn’t compartmentalized but rather an integrated system spanning cybersecurity, physical safeguards, and legal frameworks like NDAs and PIPEDA. Key concepts like email threat prevention, access control protocols, and data privacy requirements demonstrated why a comprehensive security approach is crucial. Through real-world examples of security breaches and NDA case studies, we’ve seen how digitization professionals must balance technical security measures with legal compliance to protect both physical and digital assets. This integrated approach to information protection forms the foundation for maintaining client trust and organizational integrity in today’s digitization industry.