Retaining only what is necessary for as long as necessary can reduce impact should a privacy breach occur
July 31, 2019
Office of the Privacy Commissioner of Canada Privacy Alerts are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
Issue:
Retention is an issue that comes up repeatedly when discussing Privacy Impact Assessments with institutions. Hanging on to personal information for long periods of time increases the risk of a data breach. So, how long should you hold on to personal information?
Advice for institutions:
- Limiting collection in the first place is key. Before collecting any personal information, pause and assess the objectives of your program. Is the collection necessary to fulfill those objectives?
- Do not retain information for longer than necessary.
- In assessing appropriate retention periods, consider the following points:
- Reviewing the purpose for having collected the personal information in the first place is generally helpful in assessing how long certain personal information should be retained.
- If personal information was used to make a decision about an individual, it must be retained for at least two years after the last time it was used for an administrative purpose. That legally required period gives an individual the opportunity to access that information in order to understand, and possibly challenge, the basis for the decision.
- Retaining information for longer than it is needed increases the risk that it may be used in ways that were not anticipated by the individual and may increase the risk of harm if there were a breach. Remember, information that doesn’t exist cannot be compromised.
- At the end of the retention period, ensure secure disposal of personal information.
Sign up for future Privacy Alerts by subscribing to our RSS feed. Privacy alerts are also posted on our website.
- Date modified: