Private sector organizations and federal institutions collect personal information about citizens, employees, clients and prospective clients. This information can be in physical or electronic forms. Once this information has been collected, organizations and institutions need to make informed choices about how long to keep it, and when and how to dispose of it.
As organizations and institutions get on the “Big Data” bandwagon, the push to amass enormous volumes of personal information for yet undetermined purposes has never been greater. The capacity and desirability to retain massive amounts of personal information indefinitely increases the risks and consequences of a potential data breach.
Principle 5 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states that “personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” Footnote 1 Moreover, Paragraph 4.7.5 specifies that care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. Footnote 2
When it comes to federal institutions, Section 6 of the Privacy Act provides that “personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.” Moreover, an institution “shall dispose of personal information under the control of the institution in accordance with the regulations and in accordance with any directives or guidelines issued by the designated minister in relation to the disposal of that information.”
The Office of the Privacy Commissioner of Canada (OPC) has developed these guidelines to assist organizations in developing and implementing smart retention and disposal practices related to the handling of personal information.
Federal institutions are encouraged to adapt these guidelines with adjustments appropriate to their specific situation. Footnote 3
Before collecting any personal information, an organization should pause and assess the purpose for collecting this information and whether this information is necessary for such a purpose. That purpose must be appropriate in the circumstances.
The organization should refrain from collecting more personal information than is necessary to fulfill the identified purpose. Moreover, once the purpose for which the information was being collected has been fulfilled, the personal information should be disposed of, unless otherwise required to be retained by law.
These guidelines are intended to assist organizations in the responsible retention and disposal of personal information.
A specifically identified purpose is often a clear indicator of how long this information needs to be retained. There is no “one size fits all” retention period. For some organizations, there is a legislative requirement to keep information for a certain amount of time. In other instances, there may be no legislative requirement, and an organization needs to determine the appropriate retention period.
In assessing what is the appropriate retention period and whether it is time to dispose of personal information, an organization should consider the following points:
If an organization has personal information in its control, it cannot simply throw it away in the trash. The organization must find a way to securely dispose of it.
Similarly, in instances where an organization is planning a move, or is closing its doors, personal information should be securely safeguarded or safely disposed of, in conformity with applicable retention requirements.
There are a number of commonly accepted ways for organizations to properly dispose of personal information depending on the form in which it is being stored. The goal is to irreversibly destroy the media which stores personal information so that personal information cannot be reconstructed or recovered in any way. When going through the process of disposal, an organization should also destroy all associated copies and backup files.
Information is mainly stored on two kinds of media:
There are several ways in which personal information can be securely destroyed or removed. For instance:
While the chosen disposal method depends greatly on the type of media used to store the personal information, an organization must also consider the information’s sensitivity and the context. For example, is the personal information of a particularly sensitive nature? Is there a high probability that this information is of significant value, such that attackers would go to a great deal of trouble, using specialized tools to retrieve it?
Related to sensitivity is the question of whether the media will remain within the organization’s control. If the media will be leaving the organization’s control and potentially be reused by others, then a stronger disposal method should be selected. If the media will not be reused at all, then destruction is the best option.
If the organization has to dispose of electronics, it should have a designated person responsible for arranging appropriate data destruction and instruct employees to direct all electronic material and devices to that person.
For additional information on disposal methods, we invite private sector organizations to consult the NIST Guidelines for Media Sanitization, and federal public institutions should refer to the Communications Security Establishment’s IT Security Guidance document “Clearing and Declassifying Electronic Data Storage Devices”.
An organization should carefully assess the respective risks and benefits of destroying personal information on-site or off-site. If an organization does not have appropriate tools to safely destroy sensitive information on-site, it may consider the services of a third-party contractor. In some cases, the sheer volume of the information to be disposed of can tip the balance towards using companies specialized in data destruction.
When considering using a third party to dispose of personal information, an organization should take into account the sensitive nature of the personal information and take commensurate steps to manage the risks accordingly. Certain types of information will generally be considered sensitive because of the specific risks to individuals when said information is collected, used or disclosed. This would include information such as health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs.
An organization should ensure that the third party contractor has verifiable credentials and can guarantee both a secure transfer of records from the organization’s office to their own destruction facility, and a secure destruction method that matches the media and information sensitivity.
If an organization decides to contract out, it should keep in mind that it remains responsible for the information to be disposed of. Best practices when dealing with third parties include:
Developing plain language internal policies and procedures that set out clear retention and disposal schedules – including minimum and maximum retention periods for the various types of personal information that are being held – is key. Internal policies should address the whole lifecycle of the personal information held by the organization.
In setting up policies and procedures, an organization should consider the following checklist:
For additional information and guidance related to retention and disposal practices, please see:
Relevant findings and recommendations stemming from OPC audits, including:
Principle 5 – Limiting Use, Disclosure and Retention. Schedule 1, clause 4.5.3, Personal Information Protection and Electronic Documents Act, 2000, S.C. c. 5 [PIPEDA].
Principle 7 – Safeguards. Schedule 1, clause 4.7.5, PIPEDA, 2000, S.C. c. 5.
Federal institutions are required to abide by the relevant Treasury Board policy instruments and Communications Security Establishment Canada’s standards.