The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s law governing data security and privacy, affecting any commercial organization. Certain provinces have adopted their own versions of substantially similar legislation. These laws are designed to protect consumers’ personal information from being exploited or mishandled by private businesses. Personal information can mean names, addresses, social statistics and demographics, financial details, medical information, and more. Proper consent is required to obtain this information, and how the information is used and stored is strictly regulated. Companies must destroy this information once the reason(s) it was collected for no longer exist; while businesses have the information on file, adequate security protocols must also be in place to prevent theft or exposure.
It’s vital for businesses to maintain openness and accountability, be transparent with their intentions, obtain clear consent, limit what and how much they collect, stick to the stated uses, be accurate, and institute proper security safeguards and checks. Consumers have the right to check their information and challenge a business’s compliance, as do governing bodies. A reported failure in compliance results in an investigation by the Office of the Privacy Commissioner of Canada, and if a company does not record and report a breach, it can be fined up to $100,000; individuals are then free to sue if they’d like.
It’s important to have tight security and proper maintenance of these safeguards. Companies with zero ill intent can still put consumers at risk by mishandling personal information. An important part of compliance is proper shredding and data destruction, because theft or improper disposal of materials can lead to identity theft and the exposure of consumer information. The experts at Absolute Destruction & Recycling Corp. know good practices for storing information and the subsequent document/electronic device destruction (including recycling):
- Don’t leave files lying around in boxes or unlocked cabinets
- Restrict employee access to sensitive information
- Conduct regular third-party security audits and hire IT professionals for set-up
- Don’t keep old devices such as phones, laptops, disks, and drives lying around
- Destroy redundant, out-of-date, or out-of-use records and information
- Regularly clean and maintain storage spaces
- Hire professionals to securely destroy and dispose of your materials
A mobile shredding truck can come to a business with secure, lockable consoles for shredding preparation, and offer visual verification that the job is done properly. It’s important to recycle shredded papers and crushed devices and disks because landfill and e-waste are a major environmental concern. Disreputable companies may attempt to resell old electronics for materials and not properly destroy the data contained on them. Be sure to hire a company certified by the National Association for Information Destruction, which conducts regular unannounced audits.
The Office of the Privacy Commissioner of Canada has provided a toolkit to assist businesses with PIPEDA compliance, which would also help with any similar provincial laws. The document notes that “[i]ndividuals will appreciate doing business with organizations that demonstrate a respect for their privacy rights, which can ultimately lead to a competitive advantage for businesses. Organizations can see this as an opportunity to review and improve their personal information handling practices.” Be sure you’re compliant, safely destroy consumers’ and employees’ personal data, and use these processes as an opportunity to enhance your reputation and relationships with your customers.