PIPEDA gives individuals numerous privacy rights, including the ability to request their personal information from organizations, have them correct any errors, and also file a complaint if they feel their personal information has been inappropriately used or sold.
But can an individual request that personal information be deleted under PIPEDA?
And if so, how can that individual verify that personal information has indeed been destroyed?
On the surface, PIPEDA does not seem to give individuals the right to request that organizations delete their personal information upon command.
This doesn’t mean that the personal information an organization collects has to linger in a database forever. If we dig deeper into the legislation we find privacy principles at play that work harmoniously to achieve a similar objective.
Let’s see what PIPEDA says about consent, data retention, and personal information after an organization has collected it.
Withdrawing Consent under PIPEDA
According to the third privacy principle of PIPEDA — Consent — an individual has the right to withdraw his or her consent at any time subject to any legal or contractual restrictions.
The individual must give the organization reasonable notice and the organization must inform the individual about the implications of withdrawing consent, if any.
That doesn’t solve our problem though. An organization is still in possession of your personal information even if you withdraw your consent to its use or disclosure. Data retention periods determine how long personal information will be kept.
Minimum and Maximum Retention Periods
The fifth privacy principle of PIPEDA — Limiting Use, Disclosure, and Retention — states that an organization should implement minimum and maximum retention periods for personal information and should only retain personal information for as long as it is required to fulfill its intended purposes.
An organization may choose to hold all personal information it collects for a minimum of one year after its intended use and disclosure. It should be long enough to allow an individual to request his or her personal information, especially if it has been used to make a decision about that individual (e.g. a pre-employment check).
An organization may also be subject to legislative requirements with respect to retention periods.
If an organization is subject to an access request it should retain that information for as long as is necessary to allow the individual to exhaust any recourse under PIPEDA.
Once an organization has retained personal information for a maximum period, it must destroy, erase (delete), or make the information anonymous.
Destroying, Deleting, and Anonymizing Personal Information
Clause 4.5.3 of PIPEDA’s Limiting Use, Disclosure, and Retention principle states:
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
Rather than deleting or erasing full records containing personal information, many organizations find benefit in “anonymizing” personal information instead. This allows organizations to retain statistics about records while at the same time removing all traces of personal information from a record.
The problem with this technique is that it is sometimes possible to reverse-engineer “anonymous” data sets by combining that information with other publicly available information.
For example, in 2006 Netflix published 10 million movie rankings by 500,000 customers. The data set was made anonymous by removing personal information descriptors from the set. Through reverse engineering, researchers at the University of Texas were able to de-anonymize some of the data by comparing rankings and timestamps with public information available from the Internet Movie Database (IMDb).
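One way an organization can check for this risk before releasing an "anonymized" data set, shown as an added example that is not part of the original article. The sample rows, the field layout and the function names are constructed for illustration. The check counts how many pseudonymous customers are still unique on their (movie, rating, date) records, and shows the effect of coarsening dates from day to month.

```python
from collections import Counter, defaultdict

# Constructed sample release: names already removed and replaced by pseudonyms.
# Row layout (an assumption for this example): (pseudonym, movie, rating, ISO date)
RELEASE = [
    ("u1", "Film A", 5, "2005-03-14"),
    ("u1", "Film B", 2, "2005-03-20"),
    ("u2", "Film A", 5, "2005-03-02"),
    ("u2", "Film B", 2, "2005-03-27"),
    ("u3", "Film A", 4, "2005-06-01"),
    ("u3", "Film C", 3, "2005-06-09"),
    ("u4", "Film A", 4, "2005-06-18"),
    ("u4", "Film C", 3, "2005-06-30"),
]


def fingerprint(rows, date_chars):
    """All (movie, rating, truncated date) triples belonging to one pseudonym."""
    return frozenset((movie, rating, date[:date_chars])
                     for _, movie, rating, date in rows)


def group_sizes(records, date_chars=10):
    """Map each pseudonym to the number of pseudonyms sharing its fingerprint.

    date_chars=10 keeps the full day, 7 keeps year-month, 4 keeps the year.
    A size of 1 means the retained fields single that person out.
    """
    by_user = defaultdict(list)
    for row in records:
        by_user[row[0]].append(row)
    prints = {user: fingerprint(rows, date_chars)
              for user, rows in by_user.items()}
    counts = Counter(prints.values())
    return {user: counts[fp] for user, fp in prints.items()}


def unique_fraction(records, date_chars=10):
    """Share of pseudonyms whose retained records match nobody else's."""
    sizes = group_sizes(records, date_chars)
    return sum(1 for size in sizes.values() if size == 1) / len(sizes)


if __name__ == "__main__":
    print("unique with day-level dates:  ", unique_fraction(RELEASE, 10))
    print("unique with month-level dates:", unique_fraction(RELEASE, 7))
```

A low unique fraction is a necessary check, not proof of anonymity: records can still be matched by someone who knows only part of a customer's history.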
Legal Recourse under PIPEDA
PIPEDA’s Openness principle states that organizations need to be open about their policies and practices with respect to how personal information is managed.
If you want to know how long your personal information is retained for or how it is disposed of after its retention, write a letter or email to the organization. The privacy officer or person responsible for privacy compliance should be able to explain what happens with your personal information.
If you think the organization retains your personal information for too long or does not dispose of it properly, try working it out with the organization. If that does not work or you are unsatisfied with the response, you may file a complaint with the Office of the Information and Privacy Commissioner of Canada. The routine is similar for organizations subject to privacy legislation in BC, Alberta, and Quebec.