

PIPEDA Fair Information Principle 5 – Limiting Use, Disclosure, and Retention

Reviewed: August 2020

Your responsibilities

  • Unless someone consents otherwise—or unless doing so is required by law—your organization may use or disclose personal information only for the identified purposes for which it was collected. Keep personal information only as long as it is needed to serve those purposes.
  • Know what personal information you have, where it is, and what you are doing with it.
  • Obtain fresh consent if you intend to use or disclose personal information for a new purpose.
  • Collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
  • Put guidelines and procedures in place for retaining and destroying personal information.

How to fulfill these responsibilities

  • Document any new purpose for the use of personal information.
  • Limit and monitor employee access to personal information, and take appropriate action when information is accessed without authorization.
  • Institute maximum and minimum retention periods that take into account any legal requirements or restrictions as well as appeal mechanisms.
  • Dispose of personal information that does not have a specific purpose or no longer fulfills its intended purpose. Dispose of information in a way that prevents a privacy breach, such as by securely shredding paper files or effectively deleting electronic records. If information is to be retained purely for statistical purposes, employ effective techniques that would render it anonymous.
  • Ensure all personal information is fully deleted before disposing of electronic devices such as computers, photocopiers and cellphones.
  • Ensure your employees receive appropriate training on their roles and responsibilities in protecting personal information.

