It is an unfortunate truism that we can often learn from the
misfortunes of others, and this is certainly true with respect to
Beyond the need for increasingly robust security safeguards,
recent media coverage of a number of high-profile privacy breaches
offer another ready lesson for corporations that collect and store
personal information: information that is not retained cannot be
the subject of a data breach.
In one recent breach, the victim of a possible data theft noted
that records provided to a vendor were apparently not destroyed,
although the outsourcing organization believed that they had
been. It was these records that were the subject of data theft
by an unknown hacker. In another recent breach case,
information was stolen from an internal database of customer
information that was no longer being used.
Any data breach is a matter of great concern, but situations
like these are particularly tragic as they are entirely
When outsourcing work that involves providing personal
information to a third party, most companies now include
requirements in the outsourcing contract that the third party
return or destroy the data in question once the work is completed
– but how many companies follow up at the conclusion of a
contract to ensure that this actually occurs? A range of
options are open to outsourcers to help ensure that vendors follow
through on these commitments, ranging from requests for
confirmation of destruction to audits of the vendor facilities.
However, retention of personal information that is no longer
required is not limited to third party vendors: many corporations
maintain stale and unused internal databases of personal
information. Sometimes this data is deliberately retained
"just in case" it may later prove useful for marketing
purposes; sometimes it is retained simply because no one bothered
to erase or destroy it. Moreover, since it is not being used,
such databases may not receive the same ongoing security scrutiny
of more active files. Retention of such data creates an
entirely avoidable data breach risk.
This is not to say that no data can be retained; to the
contrary, there are many legitimate reasons to retain personal
information, such as to avoid repudiation of purchases or service
orders, to provide convenience to repeat customers and to meet
legal requirements, such as statutorily-mandated retention of data
or compliance with limitation periods. The trick is to keep
only the data for which an organization has a real business or
All businesses that collect and retain such information should
develop – and implement - a comprehensive data retention
policy, setting out clearly justifiable retention periods for
various data elements and mandating destruction after the expiry of
these periods. Indeed, Canadian privacy laws require it.
Companies face enough challenges today in safeguarding personal
information; it only make sense to minimize potential exposure to
data breaches, or other misuse of personal information, by limiting
retention of data.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).