A recent privacy breach case in Canada offers practical guidance for organizations anywhere to avoid the over-retention of personal data.
A May 2017 Order from the Office of the Information and Privacy Commissioner of Alberta provides new insight into the requirement under section 35 of the Personal Information Protection Act to retain personal information only as long as reasonably required. To manage risk, organizations retaining personal information should be prepared to clearly articulate the purpose of their retention and demonstrate detailed policies and procedures. A vital component of information governance is the adoption of detailed retention and destruction schedules.
The privacy breach occurred when a human resource employee's laptop containing the personal data of past and present employees was stolen. The information included names, addresses, birthdates, email, social insurance numbers, employee IDs, new hire and attendance tracking documents; employee benefits, merit increase, beneficiary, resignation and pension plan application forms; performance management reviews; retirement plan information; and internal promotion memos. The organization claimed to be unaware of any specific retention requirements for personal information and its retention policy at the time of the loss was to retain employees' personal information for a minimum of 7 years. The organization could not prove a reasonable legal or business purpose for retaining the information, and was found non-compliant at the time of the theft. However, the adjudicator approved the organization's new policies for the retention of personal information, giving guidance on how organizations can demonstrate retention compliance.
When retaining personal information, a compliant organization will have:
• a clearly articulated legal or business purpose
Because the organization was not prepared to properly explain why it retained the personal information of past employees, it could not prove that keeping the personal information was reasonable. The organization claimed to routinely retain employee information as a means to source candidates and evaluate applications of past employees. However, the organization did not provide evidence of the frequency with which it used the information for this purpose or the probability of it accessing an individual's information. Unable to balance the purpose of the retention against the privacy interest, the adjudicator could not ascertain whether the retention was reasonable.
• detailed policies and procedures
An organization should be able to demonstrate detailed policies and procedures, with concrete examples. The organization's claim that it had plemented various policies and procedures was not sufficient. The adjudicator sought proof that demonstrated that the organization gave thought to the risks of unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of personal information. By preparing policies and procedures that address each risk, an organization can demonstrate that it is prepared to properly retain personal information.
• a retention and destruction schedule
The organization revised its retention schedule and the adjudicator found that it now met the statutory requirements. A records retentions plan should include a process for the destruction of paper and electronic records. Through its revised retention schedule, the organization showed that it carefully considered the appropriate retention period for the various categories of employee information. The organization also adopted a quarterly basis for purging records and demonstrated that it would destroy information once the retention period elapsed.