Last updated on January 30, 2016
The fifth principle of the 10 Privacy Principles of PIPEDA is Limiting Use, Disclosure, and Retention.
Limiting Use, Disclosure, and Retention
The principle of Limiting Use, Disclosure, and Retention states that an organization shall limit the ways it uses, discloses and retains personal information.
This means that an organization should not use or disclose personal information for purposes other than those it has identified and for which it has received consent. The organization should only retain personal information for as long as is necessary to fulfill those purposes.
There are some exceptions to this principle. For example, an organization may have legal obligations to comply with, such as providing personal information to authorities for investigating fraud. Refer to PIPEDA for specific exceptions.
New Purposes for Personal Information
If an organization wants to use personal information for a purpose other than the one for which it originally collected it, it must obtain consent from the affected individuals. In addition, the organization should document the new use of personal information in order to be compliant with the principles of Openness and Individual Access.
Develop Guidelines and Implement Procedures
An organization must develop guidelines and implement procedures for the retention of personal information and should only retain personal information for as long as it is required to fulfill its intended purposes. The organization should also allow a reasonable amount of time for an individual to request his/her personal information before it is destroyed, erased, or made anonymous.
Minimum and Maximum Retention Periods
An organization should implement a minimum and maximum retention period for personal information.
A recommended minimum retention period for an organization is at least one year. It should allow the organization sufficient time to use the personal information, satisfy any legal or contractual requirements, and allow time for the individual to exercise his or her rights to request personal information under PIPEDA.
If an organization requires ongoing use of personal information, it should increase the minimum retention period.
The maximum retention period will need to be determined by the organization. Some organizations such as Facebook have been frowned upon for having no definable maximum retention period.
Destroying Personal Information
After the maximum retention period, an organization should destroy, erase, or otherwise make anonymous the personal information it has collected. The organization’s privacy officer should develop guidelines and implement procedures to support this process.
Personal Information is a Liability
While many organizations see personal information as an asset, it is rather a large, unnecessary liability that grows the longer it is held.
No system is completely secure; the more personal information an organization collects, the more it has to lose. Nothing can destroy a company’s image and business quicker than suffering a privacy breach and losing customers’ and clients’ sensitive personal information.
Organizations that collect personal information from their customers and clients often see data mining as a valuable tool to discover relationships and patterns in data that may give their business a competitive edge.
In order to be compliant with the principle of Limiting Use, Disclosure, and Retention, an organization should make information anonymous before accumulating and using it for statistical analysis.
This way, organizations can reap the benefits of using their data to find important patterns while satisfying their requirements under privacy legislation.