Jon writes asking whether individuals have a right to request that personal information be deleted or destroyed under PIPEDA:
Question
Hey there,
I understand that at any time I can request that a company tell me what information about me they have on file. I also understand that I can get them to correct any errors in that information, and that I can file a complaint if I feel that my personal information has been inappropriately used or sold.
But what happens if I withdraw my consent? Can I ask/demand that my personal information that has been stored be destroyed? Do they need to destroy the info once I asked for it to be destroyed?
And if the information is destroyed, how can I verify that it HAS been indeed destroyed?
Thanks for your time,
Answer
Hi Jon,
On the surface, PIPEDA does not seem to give individuals the right to request that organizations delete their personal information upon command.
This doesn’t mean that the personal information an organization collects has to linger in a database forever. If we dig deeper into the legislation we find privacy principles at play that work harmoniously to achieve a similar objective.
Let’s see what PIPEDA says about consent, data retention, and personal information after an organization has collected it.
Withdrawing Consent under PIPEDA
According to the third privacy principle of PIPEDA — Consent — an individual has the right to withdraw his or her consent at any time subject to any legal or contractual restrictions.
The individual must give the organization reasonable notice and the organization must inform the individual about the implications of withdrawing consent, if any.
That doesn’t solve our problem though. An organization is still in possession of your personal information even if you withdraw consent from it being used or disclosed. Data retention periods determine how long personal information will be kept for.
Minimum and Maximum Retention Periods
The fifth privacy principle of PIPEDA — Limiting Use, Disclosure, and Retention — states that an organization should implement minimum and maximum retention periods for personal information and should only retain personal information for as long as it is required to fulfill its intended purposes.
An organization may choose to hold all personal information it collects for a minimum of one year after its intended use and disclosure. It should be long enough to allow an individual to request his or her personal information, especially if it has been used to make a decision about that individual (e.g. a pre-employment check).
An organization may also be subject to legislative requirements with respect to retention periods.
If an organization is subject to an access request it should retain that information for as long as is necessary to allow the individual to exhaust any recourse under PIPEDA.
Once an organization has retained personal information for a maximum period, it must destroy, erase (delete), or make the information anonymous.
Destroying, Deleting, and Anonymizing Personal Information
Clause 4.5.3 of PIPEDA’s Limiting Use, Disclosure, and Retention principle states:
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
Rather than deleting or erasing full records containing personal information, many organizations find benefit in “anonymizing” personal information instead. This allows organizations to retain statistics about records while at the same time removing all traces of personal information from a record.
The problem with this technique is that it is sometimes possible to reverse-engineer “anonymous” data sets by combining that information with other publicly available information.
For example, in 2006 Netflix published 10 million movie rankings by 500,000 customers. The data set was made anonymous by removing personal information descriptors from the set. Through reverse engineering, researchers at the University of Texas were able to de-anonymize some of the data by comparing rankings and timestamps with public information available from the Internet Movie Database (IMDb) (full story).
Ars Technica has news of another story where an anonymous data set was used to uniquely identify patients from hospital records.
Legal Recourse under PIPEDA
PIPEDA’s Openness principle states that organizations need to be open about their policies and practices with respect to how personal information is managed.
If you want to know how long your personal information is retained for or how it is disposed of after its retention, write a letter or email to the organization. The privacy officer or person responsible for privacy compliance should be able to explain what happens with your personal information.
If you think the organization retains your personal information for too long or does not dispose of it properly, try working it out with the organization. If that does not work or you are unsatisfied with the response, you may file a complaint with the Office of the Information and Privacy Commissioner of Canada. The routine is similar for organizations subject to privacy legislation in BC, Alberta, and Quebec.
Jon, I am unaware of any way you can guarantee that your personal information has been destroyed short of being able to inspect every database, record, and backup that an organization may have. If others have any input on this subject, I invite their comments below.
Hope this helps,
M.G.
Disclaimer
The information provided at PrivacySense is a labour of love and includes the author’s interpretation of privacy laws. Nothing is provided as legal advice — all information is provided as-is, with no warranty, neither stated, nor implied.
The laws that are applicable to you may vary by city, province/state and country. Please seek proper legal advice before making any decisions.

