Our concern here is with Section 4.5.3 of Schedule 1 of PIPEDA, which states:
Personal information that is no longer required to fulfill the
identified purposes should be destroyed, erased or made
anonymous. Organizations shall develop guidelines and implement
procedures to govern the destruction of personal information.
There are two problems with the above. First is the use of the word
“should” in Section 4.5.3. As stated in Clause 5.(2) above, the use
of “should” indicates a recommendation and does not impose an
obligation. NAID-Canada believes that safe destruction of personal
information must be an obligation. It is not something to be left to
organizations to decide on their own.
Second, the use of the terms “destroyed, erased or made
anonymous” is too vague. We have discussed this matter in the past
with Innovation, Science and Economic Development and they have
agreed that Section 4.5.3 is open to interpretation.
Therefore, amending Clause 5 as per the recommendation above
would make it clear that organizations must destroy personal
information when it is no longer needed. They would then have
to do so in a manner that meets the criteria spelled out in the
proposed definition of destruction.
Restoring Public Confidence
NAID-Canada believes clearly defining destruction is imperative for
more than just human rights reasons. It is also a practical necessity.
Violating the rights of others by casually discarding their personal
information provides much of the feedstock for what has become a
global epidemic of identity theft and fraud.
For example, a U.S. study found that the vast majority of identity
theft results from low tech access to personal information, such
as dumpster diving or binning. Indeed, law enforcement officials
in the U.S. have exposed elaborate rings of organized criminals,
capitalizing on this ready source of personal information. These
rings were found to have divisions of labour, where lower ranks
start by harvesting the information from dumpsters, which is then
handed over to others of higher rank who have been trained to best
That has led to a new generation of legislation in the U.S.,
exemplified by the Fair and Accurate Credit Transactions Act
(FACTA) and a host of state laws, which are designed not only to
protect privacy rights, but also to stem the tide of identity theft and
fraud. As a result, there is a marked difference in the regulatory
language regarding information disposal and the penalties for non-compliance.
Where in the past a regulatory reference to information disposal
would require limiting unauthorized access, improved regulations
now require that steps be taken to destroy personal information
prior to its disposal. Further to the point, the newer generation of
legislation requires that such security measures be documented in
the organization’s policies.
Recommendation: Require organizations to have a destruction
Building on this point, a January 2016 report of the Information
and Privacy Commissioner of Alberta into allegations of improper
shredding of documents within the Ministry of Environment
and Sustainable Resource Development led to a number of
recommendations around information retention and destruction.
NAID-Canada wishes to highlight one in particular, namely that the
Government “make all operational records schedules available for
public review online, which would promote clarity, consistency and
full accountability about decision-making for assigning retention
policy to government records.”
There are potential parallels here for the private sector. For
example, if the recommendation above were adopted, it would then
be logical to require organizations to publicly post their destruction
policy. That would provide an added impetus for organizations
to comply while also empowering consumers to identify those
businesses that offer the best privacy protection.
Recommendation: Require organizations to publicly post their
information destruction policy.
Enforcement and Compliance
Privacy legislation is only as effective as the degree to which
organizations comply with it. Closely linked to that is the need to
ensure that employees understand and abide by the law. NAID-Canada has found that just having a policy does not necessarily
translate into compliance if an organization’s employees are not
aware of it and/or do not adhere to it.
The keys to the latter are awareness, proper and ongoing training
and, where necessary, penalties for violations of the law. Many
jurisdictions around the world are moving in this direction,
recognizing that certain privacy violations warrant a punitive
For example, a medical group in Massachusetts was fined
US$140,000 for disposing of 67,000 patient records in a dump
without any redacting or shredding.[1] In another case the U.S.
Department of Health and Human Services reached an $800,000
settlement with an Ohio company that left 5,000-8,000 patient
records in the driveway of a physician.[2] Also in the U.S., the Federal