Organizations collect more and more personal data these days—from customers and employees. Usually—hopefully—the organization has a legitimate purpose to collect, use and disclose such information. However, with all of this new data in their hands, organizations may be tempted to hold onto it without an express purpose, or they may be unsure what to do with it once it has served its original purpose.
Disposal of personal information is a key aspect of privacy law, and the Office of the Privacy Commissioner of Canada has released a guidance document that outlines best practices for retaining and destroying information.
According to the office:
Principle 5 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states that ‘personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.’ Moreover, Paragraph 4.7.5 specifies that care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
If you haven’t already got a policy and procedures in place to dispose of data, now’s a good time to start. If you do have procedures in place, now might be a good time to review them.
Organizations should store personal information only as long as necessary to fulfil the purpose for which the information was originally collected. If you are unsure whether you should hold onto a certain set of personal information, reviewing the original purpose should help. If you no longer need the information for that purpose, it’s time to destroy it (unless a law mandates a specific retention period).
So how should you dispose of the information when it’s time?
The office notes:
The goal is to irreversibly destroy the media which stores personal information so that personal information cannot be reconstructed or recovered in any way. When going through the process of disposal, an organization should also destroy all associated copies and backup files.
In general, organizations can destroy information by:
- Completely destroying the media, whether hard or electronic copy, so that the information stored on it can never be recovered. This can be accomplished using a variety of methods including disintegration, incineration, pulverizing, shredding and melting.
- Deleting information using methods that resist simple recovery methods, such as data recovery utilities and keystroke recovery attempts. One method for clearing media is overwriting, which can be done using software and hardware products that overwrite the media with non-sensitive data.
- Degaussing, in which magnetic media are exposed to a strong magnetic field to make data unrecoverable. This can be used to protect against more robust data recovery attempts, such as a laboratory attack using specialized tools (for example, signal processing equipment). Degaussing cannot be used to purge non-magnetic media, such as CDs or DVDs.
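As an added example (not code from the Commissioner's guide or from the original post), the following Python script carries out the overwriting method described above on a single file and then reads the file back to confirm the original bytes are no longer present before the file is unlinked. It assumes a filesystem that writes in place on a magnetic disk; on SSDs and on copy-on-write or journaling filesystems an in-place overwrite is not guaranteed to reach the blocks that held the original data, which is why the guide's other options (device-level purge or physical destruction) exist. The sample record and the function names are constructed for the example.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk_size: int = 1024 * 1024) -> int:
    """Overwrite every byte of `path` with random data `passes` times.

    Each pass is flushed and fsync'd so the writes reach the device instead of
    sitting in the page cache. Returns the total number of bytes written.
    Assumption: in-place writes land on the same blocks as the original data
    (typical for HDD + ext4 without data journaling; not guaranteed on SSDs,
    btrfs, ZFS or other copy-on-write filesystems).
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return written


def still_contains(path: str, marker: bytes) -> bool:
    """Read the file back from disk and report whether `marker` is still present."""
    with open(path, "rb") as f:
        return marker in f.read()


def dispose_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. Unlinking alone only removes the directory entry,
    which is exactly the 'simple recovery' case a data recovery utility exploits."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo() -> dict:
    """Constructed walk-through: write a fake customer record, overwrite it,
    verify the marker is gone, then remove the file."""
    record = b"customer_id=1042;name=Jane Example;sin=000-000-000\n" * 200  # constructed data
    fd, path = tempfile.mkstemp(prefix="pii-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(record)
    found_before = still_contains(path, b"Jane Example")   # original bytes readable
    written = overwrite_file(path, passes=1)
    found_after = still_contains(path, b"Jane Example")    # gone after one pass
    os.remove(path)
    return {
        "found_before": found_before,
        "found_after": found_after,
        "bytes_written": written,
        "record_len": len(record),
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The verification step is the part worth keeping in any real procedure: a disposal record should state not only that an overwrite was run but that the result was checked, and for media where in-place overwrite cannot be trusted the check will fail and point you at the purge or destroy options instead.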
Some organizations choose to have a third party perform the destruction of sensitive information, but:
An organization should ensure that the third party contractor has verifiable credentials and can guarantee both a secure transfer of records from the organization’s office to their own destruction facility, and a secure destruction method that matches the media and information sensitivity.
The office recommends organizations consider these questions when developing and implementing a privacy policy and procedures:
- How often do you review information holdings to determine whether the purpose of the collection has been fulfilled?
- Do you have an inventory of the personal information you retain, its purposes and how long you’ve held it?
- Do you store multiple copies of personal information? Are there backups? If so, where are the copies and backups stored?
- Is there a specific minimum retention period that is statutorily required?
- When and how should you dispose of the personal information, copies and backups?
- Who is the designated person for setting up a policy on retention and disposal?
- Do you have a governance process in place to track personal information through its life cycle?
- Is your staff aware and knowledgeable about the proper handling and disposal of personal information?
- Is there a designated secure area for destroying documents?
- Do you segregate and store personal information in a secure area with restricted access while it is awaiting disposal?
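An added example (not from the guide or the original post) of the inventory, retention-period and copies/backups questions above, in Python: a small inventory of personal-information holdings, each tagged with its purpose, collection date, whether the purpose has been fulfilled, any statutory minimum retention period, and where its copies and backups live. The review function applies the rule stated earlier in the post: dispose once the purpose is fulfilled and no statutory minimum still applies, and list every copy and backup that must be destroyed along with the primary. The field names and sample holdings are constructed.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Holding:
    """One entry in the personal-information inventory (constructed schema)."""
    name: str
    purpose: str
    collected_on: date
    purpose_fulfilled: bool
    statutory_min_days: int = 0                  # 0 means no statutory minimum applies
    copies: list = field(default_factory=list)   # backups, exports, offsite tapes, etc.


def assess(h: Holding, today: date) -> dict:
    """Decide retain vs. dispose for one holding and name every copy that goes with it."""
    held_days = (today - h.collected_on).days
    if not h.purpose_fulfilled:
        return {"name": h.name, "action": "retain",
                "reason": "purpose still active", "targets": []}
    if held_days < h.statutory_min_days:
        remaining = h.statutory_min_days - held_days
        return {"name": h.name, "action": "retain",
                "reason": f"statutory minimum: {remaining} days remaining", "targets": []}
    # Purpose fulfilled and no legal hold: primary plus all copies and backups.
    return {"name": h.name, "action": "dispose",
            "reason": "purpose fulfilled, no retention requirement",
            "targets": [h.name] + list(h.copies)}


def review_inventory(holdings: list, today: date) -> list:
    return [assess(h, today) for h in holdings]


# Constructed sample inventory and review date.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE = [
    Holding("crm-export-2019.csv", "2019 marketing campaign", date(2019, 3, 1), True,
            copies=["s3://example-backup/crm-2019.csv.gz", "tape-0417"]),
    Holding("payroll-2022", "payroll records", date(2022, 12, 31), True,
            statutory_min_days=7 * 365),
    Holding("support-tickets-open", "open customer support cases", date(2024, 1, 15), False,
            copies=["nightly-db-snapshot"]),
]


def run_review() -> list:
    """Run the review over the constructed sample so the result can be checked."""
    return review_inventory(SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    for r in run_review():
        print(f"{r['name']:<24} {r['action']:<8} {r['reason']}")
        for t in r["targets"]:
            print(f"    -> destroy: {t}")
```

Running this on the sample schedules the 2019 CRM export and both of its backups for destruction, holds the payroll records because the statutory period has not run out, and leaves the open support cases alone. The point of listing `targets` explicitly is the guide's reminder that associated copies and backup files must be destroyed along with the original.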
For more information, read the Privacy Commissioner’s guide, “Personal Information Retention and Disposal: Principles and Best Practices.”