
PIPEDA Canada Compliance – What It Means For Your Document Destruction

This article highlights how information collection continues to climb as businesses analyze ever more data sources to improve customer service and efficiency, yet neglect regulatory compliance. That neglect increases risk and the potential for damage to an organization. See here for how Blue-Pencil can help your team develop guidelines and procedures and ensure compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) through secure information destruction, helping your business sustain its reputation and competitive position.

See here for a quick video summary from the Office of the Privacy Commissioner on protecting customer privacy.

Get started now by requesting Blue-Pencil’s Information Destruction Policy template to help you begin gearing up for PIPEDA compliance.

Implications for PIPEDA Compliance

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules on how private organizations can collect, use, disclose, and dispose of personal information in the course of commercial activity. The act applies to all provinces and industries other than Quebec, British Columbia, Alberta, and the health-care sector in Ontario. The following excerpts from a government resource on document destruction require that organizations:

- Develop guidelines to manage the destruction of personal information
- Implement procedures to manage the destruction of personal information
- Ensure due diligence during disposal or destruction of personal information

These implications are a direct result of principle 5 of PIPEDA, which states that “personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” In addition, Paragraph 4.7.5 specifies that care shall be exercised in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.

Collect only Crucial Personal Information for Organizational Use

EMC2 predicts that by 2020 the quantity of digital data will nearly rival the number of stars in the universe. Organizations are a significant driver of the growing data footprint, as each transaction or customer contact can generate data. Organizations must determine what information is necessary to collect and justify its use. Reducing the amount of personal information collected up front reduces the magnitude of data exposure downstream. Periodic reviews of which personal information is essential to organizational activity are recommended, as managing and storing unused information increases operating costs.

Develop Guidelines and Procedures to Dispose of Information in a Timely Manner

Guidelines and procedures help organizations set the right timing for information destruction in order to support both organizational activity and regulatory requirements. The guidelines and procedures your organization develops must address the types of information collected and which of them must be managed through a due-diligence process. Knowing the requirements of both your organization and the regulatory mandate helps identify the time frames during which information should be available for use and when it is to be disposed of. The guidelines and policy must address the safeguarding of private information throughout its lifecycle, as there are vulnerabilities at each stage.


Business and institutional clients continue to make Blue-Pencil their go-to provider in information destruction. Here is what a recent customer had to say about Blue-Pencil:

Our company has utilized Blue-Pencil for the past 6 years for their secure shredding service. They are efficient, reliable and their teams from head office along with the service technicians are highly professional and a pleasure to communicate with. We would, without hesitation, recommend their services: they will not disappoint. – Carolin

See here for more reviews.

The Privacy Commissioner offers a checklist for creating such organizational guidelines, some of which includes the following questions:

- “Is there a governance process in place to track personal information through its lifecycle?”
- “Are information holdings periodically being reviewed to determine whether the purpose of the collection has been fulfilled? How often?”
- “Is there a specific minimum retention period that is statutorily required?”
- “Is staff aware and knowledgeable about the proper handling and disposal of personal information?”

For the full Commissioner’s checklist see here. Refer to the full PIPEDA for details on requirements for your specific industry.

Guidelines and Procedures Should Utilize Best Practices of Information Destruction and Varied Information Storage Media

An organization’s guidelines and procedures are most effective when it understands and applies the best practices for managing physical and electronic information. Both have their specific requirements for due diligence in complying with PIPEDA. The Privacy Commissioner offers these tips:

- “Rewriting data on electronic storage to circumvent data recovery methods”
- “Completely destroying media whether it is physical or electronic”

Ensure Due Diligence in Personal Information Destruction

Compliance with the due-diligence requirement means that an organization has done what is reasonably required to safeguard the privacy of the personal information it has collected. An organization may designate and train staff to manage personal information destruction, or contract third parties. Given the added cost of certification, disposal equipment and other logistics, it is recommended that businesses and institutions engage third-party services for secure information destruction.

Organizations partnering with a third party must be aware that they remain responsible for ensuring proper information disposal, even though this function is managed by an external party. The Privacy Commissioner offers the following advice for working with the right partner:

- “Ensure privacy protection clauses in contracts”
- “Monitor and audit to ensure track record and quality control.”

Must-Have Qualities That Blue-Pencil Offers in Information Destruction Service

Blue-Pencil is an experienced service provider in helping clients remain compliant and competitive. Clients receive best-in-class service through these areas of focus:

- High standards in information destruction services with NAID AAA and Privacy+ certification
- Expert recommendations in strategic information management and practical hands-on experience
- Ability to deliver compliance while managing organizational efficiency
- Proven system for managing information retention schedules
- Training, resources, and support for your staff to become adept at information management

Sources:
- Personal Information Retention and Disposal: Principles and Best Practices
- Self-Assessment Tool for Organizations
- PIPEDA is available online
- Top 5 Tips To Decrease The Risk Of A Confidential Information Leak