Personal Information Retention and Disposal: Principles and Best Practices
Revised: August 13, 2021
Private sector organizations and federal institutions collect personal information about citizens, employees, clients and prospective clients. This information can be in physical or electronic forms. Once this information has been collected, organizations and institutions need to make informed choices about how long to keep it, and when and how to dispose of it.
As organizations and institutions get on the “Big Data” bandwagon, the push to amass enormous volumes of personal information for yet undetermined purposes has never been greater. The capacity and desirability to retain massive amounts of personal information indefinitely increases the risks and consequences of a potential data breach.
Principle 5 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states that “personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.”Footnote 1 Moreover, Paragraph 4.7.5 specifies that care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.Footnote 2
When it comes to federal institutions, Section 6 of the Privacy Act provides that “personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.” Moreover, an institution “shall dispose of personal information under the control of the institution in accordance with the regulations and in accordance with any directives or guidelines issued by the designated minister in relation to the disposal of that information.”
The Office of the Privacy Commissioner of Canada (OPC) has developed these guidelines to assist organizations in developing and implementing smart retention and disposal practices related to the handling of personal information.
Federal institutions are encouraged to adapt these guidelines with adjustments appropriate to their specific situationFootnote 3.
General collection principles
Before collecting any personal information, an organization should pause and assess the purpose for collecting this information and whether this information is necessary for such a purpose. That purpose must be appropriate in the circumstances.
The organization should refrain from collecting more personal information than is necessary to fulfill the identified purpose. Moreover, once the purpose for which the information was being collected has been fulfilled, the personal information should be disposed of, unless otherwise required to be retained by law.
These guidelines are intended to assist organizations in the responsible retention and disposal of personal information.
A specifically identified purpose is often a clear indicator of how long this information needs to be retained. There is no “one size fits all” retention period. For some organizations, there is a legislative requirement to keep information for a certain amount of time. In other instances, there may be no legislative requirement, and an organization needs to determine the appropriate retention period.
In assessing what is the appropriate retention period and whether it is time to dispose of personal information, an organization should consider the following points:
- Reviewing the purpose for having collected the personal information in the first place is generally helpful in assessing how long certain personal information should be retained.
- If personal information was used to make a decision about an individual, it should be retained for the legally required period of time thereafter – or other reasonable amount of time in the absence of legislative requirements – to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision.
- If retaining personal information any longer would result in a prejudice for the concerned individual, or increase the risk and exposure of potential data breaches, the organization should consider safely disposing of it.
Securely disposing of personal information
If an organization has personal information in its control, it cannot simply throw it away in the trash. The organization must find a way to securely dispose of it.
Similarly, in instances where an organization is planning a move, or is closing its doors, personal information should be securely safeguarded or safely disposed of, in conformity with applicable retention requirements.
There are a number of commonly accepted ways for organizations to properly dispose of personal information depending on the form in which it is being stored. The goal is to irreversibly destroy the media which stores personal information so that personal information cannot be reconstructed or recovered in any way. When going through the process of disposal, an organization should also destroy all associated copies and backup files.
Types of personal information media storage
Information is mainly stored on two kinds of media:
- Hard copy: physical representations of data, such as paper printouts and printer ribbons. This includes, among other things, notes, memos, messages, correspondence, transaction records and reports.
- Electronic copy: information stored on electronic media, such as computer hard drives, copier and printer hard drives, removable solid drives including memory, disks and USB flash drives, mobile phones and magnetic tapes.
There are several ways in which personal information can be securely destroyed or removed. For instance:
- by completely destroying the media, whether hard or electronic copy. It is a way to ensure that the information stored on it can never be recovered. This can be accomplished using a variety of methods including disintegration, incineration, pulverizing, shredding and melting.
- by deleting information using methods that resist simple recovery methods, such as data recovery utilities and keystroke recovery attempts. One method for clearing media is overwriting, which can be done using software and hardware products that overwrite the media with non-sensitive data.
- by degaussing, in which magnetic media are exposed to a strong magnetic field to make data unrecoverable. This can be used to protect against more robust data recovery attempts, such as a laboratory attack using specialized tools (for example, signal processing equipment). Degaussing cannot be used to purge nonmagnetic media, such as CDs or DVDs.
Choosing a Disposal Method
While the chosen disposal method depends greatly on the type of media used to store the personal information, an organization must also consider the information’s sensitivity and the context. For example, is the personal information of a particularly sensitive nature? Is there a high probability that this information is of significant value, such that attackers would go to a great deal of trouble, using specialized tools to retrieve it?
Related to sensitivity is the question of whether the media will remain within the organization’s control. If the media will be leaving the organization’s control and potentially be reused by others, then a stronger disposal method should be selected. If the media will not be reused at all, then destruction is the best option.
If the organization has to dispose of electronics, it should have a designated person responsible for arranging appropriate data destruction and instruct employees to direct all electronic material and devices to that person.
For additional information on disposal methods, we invite private sector organizations to consult NIST Guidelines for Media Sanitization, and federal public institutions should refer to Community Security Establishment’s IT Security Guidance document “Clearing and Declassifying Electronic Data Storage Devices”.
Use of third parties
An organization should carefully assess the respective risks and benefits of destroying personal information on-site or off-site. If an organization does not have appropriate tools to safely destroy sensitive information on-site, it may consider the services of a third-party contractor. In some cases, the sheer volume of the information to be disposed of can tip the balance towards using companies specialized in data destruction.
When considering using a third party to dispose of personal information, an organization should take into account the sensitive nature of the personal information and take commensurate steps to manage the risks accordingly. Certain types of information will generally be considered sensitive because of the specific risks to individuals when said information is collected, used or disclosed. This would include information such as health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs.
An organization should ensure that the third party contractor has verifiable credentials and can guarantee both a secure transfer of records from the organization’s office to their own destruction facility, and a secure destruction method that matches the media and information sensitivity.
If an organization decides to contract out, it should keep in mind that it remains responsible for the information to be disposed of. Best practices when dealing with third parties include:
- Privacy protection clauses in contracts to ensure that third parties to which personal information is transferred for processing (and any possible subcontractors) provide the same level of protection under the law as your organization does; and,
- Monitoring and auditing clauses to ensure track record and quality control.
Putting it all together: Developing internal policies and procedures
Developing plain language internal policies and procedures that set out clear retention and disposal schedules – including minimum and maximum retention periods for the various types of personal information that are being held – is key. Internal policies should address the whole lifecycle of the personal information held by the organization.
In setting up policies and procedures, an organization should consider the following checklist:
- Are information holdings periodically being reviewed to determine whether the purpose of the collection has been fulfilled? How often?
- Is there an inventory of what personal information is being retained, for which purpose and for how long?
- Does personal information exist in multiple copies? Are there back-ups? If so, where are the copies and back-ups stored?
- Is there a specific minimum retention period that is statutorily required?
- When should the organization dispose of the personal information?
- How should the organization dispose of personal information, copies and backups?
- What measures should be taken to ensure the equipment or devices used for storing the personal information are properly disposed of, or sanitized?
- Who is the designated person for setting up a policy on retention and disposal?
- Is there a governance process in place to track personal information through its life cycle?
- Is staff aware and knowledgeable about the proper handling and disposal of personal information?
- Is there a designated secure area for destroying documents?
- Is personal information being segregated and stored in a secure area with restricted access while awaiting disposal?
- If a third party or any subcontractors has been contracted for disposal services:
- Is there a mechanism in place to monitor the removal and/or disposal by the third party?
- Has a document disposal procedure been agreed upon with the third party?
- Is there a process in place to conduct (or have conducted) periodic audits or spot-checks?
For additional information and guidance related to retention and disposal practices, please see:
Relevant findings and recommendation stemming from OPC Audits, including:
- Date modified: