In a tale of best intentions gone wrong, the Office of the
Information and Privacy Commissioner of Alberta
("Commissioner") recently found in
College (Re), 2013 CanLII 52666 (AB OIPC) that an
educational institution that recycled its servers without ensuring
the data on them had been wiped had not met privacy requirements.
The decision identifies some key considerations for corporations
decommissioning and disposing of technology.
Bow Valley College ("BVC") had 21
servers it was decommissioning. Mindful of environmental concerns,
it contacted a third party, the Electronic Recycling Association of
Alberta ("ERA"), a not-for-profit
society, to handle the data wiping and disposal of the hardware.
BVC was also alive to privacy concerns, and prior to obtaining a
membership in the ERA, made sure it toured ERA's facilities and
was satisfied with the ERA's processes.
BVC proceeded to decommission the servers. Four months later, a
purchaser of one of the decommissioned servers booted it up and
found personal information (including SIN numbers, credit card
numbers, and salaries) of 189,900 students and 3,500 employees of
BVC spanning almost 20 years. Over the next few months, the
Commissioner received complaints from 28 individuals affected.
Meanwhile, BVC went into crisis mode and conducted its own
investigation. BVC immediately ceased using a third party for
decommissioning servers. It tracked down the remaining 20 servers
and found that eight of them had personal information on them. It
reviewed all the information on the recovered servers to identify
the affected individuals and sent out letters to each of them. It
also sent emails, set up a telephone number and an email address
for information and in some cases, set up face-to-face meetings. It
advised affected individuals of their right to make a complaint to
the Commissioner and apologized. BVC estimated that its cost to
respond to this incident was over $247,000.
There was no question that the information constituted personal
information. The Commissioner's investigation focused on
whether BVC had taken sufficient steps to protect this personal information.
Despite BVC's diligence in determining ERA's capacities,
reviewing its processes, inspecting the company's premises, and
entering into a written agreement with the company, the
Commissioner found that BVC had not taken sufficient steps to
protect the personal information.
The Commissioner determined that BVC did have a written
agreement with ERA, but it was a membership agreement only. It
didn't include a contract for data wiping and destruction of
technology. The ERA offered these services, but it was not part of
the membership fees – it was a separate agreement. BVC had
failed to distinguish between the two agreements, and assumed it
had contracted with the ERA for data wiping and destruction.
The Commissioner was of the view that had BVC closed the loop
– examined the invoices it received from ERA to confirm the
services it had received – it would have been aware that it
had been charged for pickup services, and not data destruction and
The Commissioner declined to order any specific remedy as in her
view, the matter had been adequately addressed by BVC's actions
subsequent to the breach. BVC agreed to conduct an independent
audit of its information security practices implemented in response
to this incident.
This case sounds a cautionary note for companies that use third
parties for data wiping and hardware disposal. Beyond ensuring a
valid contract is in place, confirmation that the services were
actually completed may be required, both at an administrative level
(e.g. invoices reflecting data wiping and hardware disposal) and at
a technical level (e.g. written confirmation or certification by an
IT specialist that personal information has been deleted).
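As an added example (not from the decision, BVC or ERA), the following Python script shows the kind of technical confirmation the paragraph describes: an IT specialist runs it against a decommissioned drive or its image, it reads every byte, locates any residual data, and emits a record that can be signed and filed alongside the invoice. The asset tags, verifier name and sample images are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream the media in 1 MiB chunks; never load a whole drive into memory

def verify_wiped(path, fill=0x00):
    """Read every byte of a disk image or block device and confirm it holds only `fill`.
    Returns (ok, first_dirty_offset, bytes_read, sha256_hex). Reading everything is the
    evidence a specialist can sign off on; sampling a few sectors can miss a partial wipe."""
    expected = bytes([fill]) * CHUNK
    digest = hashlib.sha256()
    offset, dirty = 0, None
    with open(path, "rb") as media:
        while block := media.read(CHUNK):
            digest.update(block)
            if dirty is None and block != expected[: len(block)]:
                # note where residual data starts, but keep reading so the hash covers all media
                dirty = offset + next(i for i, b in enumerate(block) if b != fill)
            offset += len(block)
    return dirty is None, dirty, offset, digest.hexdigest()

def wipe_certificate(path, asset_tag, verified_by):
    """The written technical confirmation the decision calls for, as a JSON-able record."""
    ok, dirty, size, sha = verify_wiped(path)
    return {
        "asset_tag": asset_tag,  # hypothetical inventory identifier
        "verified_by": verified_by,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "bytes_verified": size,
        "media_sha256": sha,  # ties the record to exactly what was read
        "result": "WIPED" if ok else f"RESIDUAL DATA at byte offset {dirty}",
    }

def make_image(content):
    """Constructed sample media: write `content` to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path

if __name__ == "__main__":
    clean = make_image(b"\x00" * (3 * CHUNK + 17))              # fully zeroed drive
    leaky = make_image(b"\x00" * CHUNK + b"SIN=000000000\n")    # wipe stopped one chunk in
    for tag, img in (("SRV-01", clean), ("SRV-02", leaky)):
        print(json.dumps(wipe_certificate(img, tag, "it.specialist (constructed)"), indent=2))
```

On real hardware the path would be the raw block device (read-only access is sufficient); an SSD with remapped or over-provisioned blocks additionally needs the vendor's secure-erase status, since a host-visible read cannot reach those areas.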