24 NAIDnews Summer 2017
Read NAID-Canada’s Submission on PIPEDA and Safe Information Destruction
Putting an end to careless data breaches
NAID-Canada believes that information is only as secure as the
weakest link in its lifecycle. In too many cases, little attention is
paid to the end of a document’s lifecycle and its safe destruction
and disposal. As evidence of that, there are almost daily reports
of personal information being found in dumpsters, recycling bins,
abandoned buildings, or stored on discarded computers and other
electronic devices. All measures taken to protect that personal
information during its useful life are negated if it is not destroyed
As evidence of this problem, in October 2010 NAID-Canada released
the results of an audit into information destruction practices in
the Greater Toronto Area (GTA). That audit found that 14% of
commercial dumpsters in the GTA contained confidential personal
information – a shockingly high number. The results for some
specific sectors were damning. Of the doctors’ offices examined,
75% had left personal information in their publicly accessible
dumpsters. For car dealerships, it was 100%.
A new NAID study on recycled electronics will be released shortly.
NAID-Canada has long been advocating for privacy legislation to
include a specific destruction requirement, along with a definition
of destruction. This is lacking in Canada, but can easily be added
through amendments to the Personal Information Protection and
Electronic Documents Act (PIPEDA). That may be the only way to
get organizations to give this often overlooked aspect of privacy
protection the attention it is due.
Required Amendments to the Personal
Information Protection and Electronic Documents
NAID-Canada recommends PIPEDA be amended to:
• Define destruction as “the physical obliteration of records in order
to render them useless or ineffective and to ensure reconstruction
of the information (or parts thereof) is not practical.”
• Add a new clause stating “an organization must destroy personal
information when it is no longer needed.”
The House of Commons Access to Information, Privacy and Ethics
Committee endorsed adding a definition of destruction in PIPEDA
when it last reviewed the legislation in 2007. Additional information
on how this could be accomplished is detailed below.
Add a definition of destruction
Presently, no definition of destruction is found anywhere in PIPEDA.
Therefore, NAID-Canada recommends adding the following to the
definitions section of the legislation:
“Destruction” means the physical obliteration of records in order to
render them useless or ineffective and to ensure reconstruction of
the information (or parts thereof) is not practical. “Destroy” means
the act of destruction.
This definition applies to both paper and electronic records.
Variations of it have been incorporated into privacy legislation in a
number of jurisdictions in Canada, the United States and around the
Amending Clause 3 of PIPEDA
Clause 3 of PIPEDA spells out the purpose of the legislation. NAID-Canada recommends amending this Clause as per the underlined
The purpose of this Part is to establish, in an era in which technology
increasingly facilitates the circulation and exchange of information, rules to
govern the collection, use, disclosure and destruction of personal information
in a manner that recognizes the right of privacy of individuals with respect
to their personal information and the need of organizations to collect, use or
disclose personal information for purposes that a reasonable person would
consider appropriate in the circumstances.
This amendment would reinforce the fact that organizations need
to include a plan for safely destroying personal information in their
Amending Clause 5 of PIPEDA
Clause 5 of PIPEDA should be amended to add a specific
destruction requirement. Clause 5 of PIPEDA would then read as
follows, with the new section underlined:
5. (1) Subject to sections 6 to 9, every organization shall comply
with the obligations set out in Schedule 1.
(2) The word “should”, when used in Schedule 1, indicates a
recommendation and does not impose an obligation.
(3) An organization may collect, use or disclose personal
information only for purposes that a reasonable person would
consider are appropriate in the circumstances.
(4) An organization must destroy personal information when it is no