PIPEDA Fair Information Principle 5 – Limiting Use, Disclosure, and Retention
Your responsibilities as a business
- Comply with all 10 of the principles of Schedule 1.
- Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
- Keep personal information only as long as necessary to satisfy the purposes.
- Put guidelines and procedures in place for retaining and destroying personal information.
- Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
- Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.
How to fulfill these responsibilities
- Document any new purpose for the use of personal information.
- Institute maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms.
- Dispose of information that does not have a specific purpose or no longer fulfills its intended purpose.
- Dispose of personal information in a way that prevents a privacy breach. Shredding paper files or deleting electronic records are ideal.
- Before disposing of electronic devices such as computers, photocopiers and cellphones, ensure that all personal information is fully deleted.
- Establish policies setting out the types of information that need to be updated. An organization can reasonably expect an individual to provide updated information in certain circumstances (e.g. change of address for a magazine subscription).
- It may be easier and less complicated to destroy or erase information than to make personal information anonymous.
- Conduct regular reviews to help determine whether information is still required. Establish a retention schedule to make this easier.