PIPEDA is the federal law in Canada that sets ground rules for how private sector organizations may collect, use or disclose information about individuals during commercial activities. All organizations conducting commercial activities in Canada must comply with this law. The Office of the Privacy Commissioner’s role is to investigate complaints, conduct audits and take legal action when the laws are breached.

PIPEDA says:

Organizations should develop guidelines and implement procedures with respect to the retention or personal information.

These guidelines should include minimum and maximum retention periods.

Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.

Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.

Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

Obviously, there is a balance to be struck between respecting an individual’s right to access information about themselves and timely disposal, and every situation is different, so it would be impossible to for the law to dictate maximum or minimum retention times for personal information. This is a decision that is best made by the organizations that collect and hold the information. But clearly the legislation obliges companies to think about privacy issues and make some decisions.

When organizations collect information, they need to think beyond how they will use it. They need to ask themselves some key questions:

  • How can we limit the information we collect?
  • What should we keep?
  • How long should we keep it?
  • How can it be safely stored?
  • Are there back-ups?
  • Are they secure?
  • When should the information be destroyed?
  • How should information be deleted or destroyed?

Organizations need to have the policies, procedures and people in place to address the whole lifecycle of the personal information they hold.

Privacy cannot be an after-thought, it needs to be built into the way organizations do business.

Source: http://www.priv.gc.ca/speech/2008/sp-d_081110_ed_e.cfm