PIPEDA Fair Information Principle 5 – Limiting Use, Disclosure, and Retention
More about Limiting Use, Disclosure, and Retention
Reviewed: May 2019
- Unless someone consents otherwise—or unless doing so is required by law—your organization may use or disclose personal information only for the identified purposes for which it was collected. Keep personal information only as long as it is needed to serve those purposes.
- Know what personal information you have, where it is, and what you are doing with it.
- Obtain fresh consent if you intend to use or disclose personal information for a new purpose.
- Collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
- Put guidelines and procedures in place for retaining and destroying personal information.
- Keep personal information used to make a decision about a person for a reasonable time period. This may be useful in the event an individual seeks access to the information in order to pursue redress.
- Destroy, erase or anonymize any personal information that your organization no longer needs.
How to fulfill these responsibilities
- Document any new purpose for the use of personal information.
- Limit and monitor employee access to personal information, and take appropriate action when information is accessed without authorization.
- Institute maximum and minimum retention periods that take into account any legal requirements or restrictions as well as appeal mechanisms.
- Dispose of personal information that does not have a specific purpose or no longer fulfills its intended purpose. Dispose of information in a way that prevents a privacy breach, such as by securely shredding paper files or effectively deleting electronic records. If information is to be retained purely for statistical purposes, employ effective techniques that would render it anonymous.
- Ensure all personal information is fully deleted before disposing of electronic devices such as computers, photocopiers and cellphones.
- Ensure your employees receive appropriate training on their roles and responsibilities in protecting personal information.
- Use effective processes for destroying, erasing or anonymizing personal information.
- Develop guidelines and implement procedures on the retention of personal information.
- Conduct regular reviews to determine whether information is still required.
- Establish a retention schedule to make this easier.
Report a problem or mistake on this page
- Date modified: