Canada's Data Retention Laws: What You Need To Know


Canada has a complex set of laws and guidelines surrounding data retention and disposal, particularly concerning personal information. The Privacy Act and the National Archives Act require government institutions to schedule and retain all information holdings, including personal information, for a minimum of two years. The Copyright Modernization Act, or Bill C-11, passed in 2012, has been criticised for imposing on Canadians' right to privacy. Other bills such as Bill C-12 and Bill C-56 have also faced backlash for their potential impact on data retention and internet freedom. In terms of record retention, the Canada Revenue Agency (CRA) mandates a six-year retention period for tax-related records and documents essential for audits. Additionally, some records, such as those related to property acquisitions and disposals, must be retained indefinitely.

| Characteristics | Values |
| --- | --- |
| Privacy and data protection guidelines | Retention and disposal of personal information |
| Privacy Act | Requires institutions to retain a record of any use or disclosure of personal information |
| National Archives Act | Requires institutions to schedule information holdings for retention and disposal |
| Management of Government Information Holdings | Requires institutions to schedule information holdings for retention and disposal |
| Personal Information Protection and Electronic Documents Act, 2000 | Contains principles on limiting use, disclosure, and retention |
| Treasury Board's policy instruments | Federal institutions are required to abide by these |
| Communications Security Establishment Canada's standards | Federal institutions are required to abide by these |
| Tax records | Must be retained for a period of six years from the end of the last tax year to which they relate |
| Data retention laws | Politicians and corporations have sought to pass legislation that imposes on Canadians' right to privacy and controls how they use the internet |
| Bill C-11 | Passed in 2012 and contains two controversial provisions |
| Bill C-12 | A successor to Bill C-30, which was killed due to public backlash; has only received a first reading in parliament |
| Bill C-56 | Aims to make Canada compliant with the Anti-Counterfeiting Trade Agreement (ACTA) |
| Canada-EU Trade Agreement (CETA) | Could allow criminal penalties for copyright violations and the government to block access to or shut down websites |


Privacy and data protection guidelines

Canada has a number of laws and guidelines in place to protect the privacy of its citizens and their personal data. The Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) are key pieces of legislation that outline the legal requirements, scheduling, and minimum time frames for the retention and disposal of personal information.

The Privacy Act states that government institutions must retain personal information for at least two years after it was last used for an administrative purpose, unless the individual concerned consents to its earlier disposal. Additionally, the Act requires institutions to retain a record of any use or disclosure of personal information that is not included in the description of the personal information bank contained in Info Source. This record must be attached to the personal information in question. The Act also outlines that personal information collected prior to the Act coming into force, which is not relevant to the institution's current operations, should be disposed of. Furthermore, if retaining personal information could potentially prejudice an individual or increase the risk of data breaches, institutions are required to dispose of it.

PIPEDA includes principles such as limiting the use, disclosure, and retention of personal information, as well as safeguarding it. Federal institutions are mandated to adhere to the Treasury Board's policy instruments and the Communications Security Establishment Canada's standards.

The National Archives Act and the Management of Government Information Holdings policy require institutions to schedule all their information holdings for retention and disposal in compliance with legal requirements. This includes personal information, which must be retained and disposed of according to the Privacy Act and PIPEDA.

In terms of best practices, the Office of the Privacy Commissioner of Canada offers guidance. Organizations should develop clear and plain language internal policies and procedures for data retention and disposal, including minimum and maximum retention periods for different types of personal information. These policies should address the entire lifecycle of the personal information held. When disposing of electronics, organizations should assign a designated person to arrange for appropriate data destruction and instruct employees to direct all electronic materials and devices to that person.

Additionally, organizations should periodically review the purpose for collecting personal information to assess the appropriate retention period. If personal information was used to make a decision about an individual, it should be retained for the legally required period to allow the individual to access and, if necessary, challenge the basis for the decision.

In the context of tax records, the Canada Revenue Agency (CRA) mandates that taxpayers retain all records and supporting documents required to determine tax obligations and entitlements for six years from the end of the last tax year to which they relate. This is in accordance with the Income Tax Act.

In recent years, there has been a push by politicians and corporations in Canada to pass legislation that may impact Canadians' right to privacy and their internet usage. Bills such as C-11, C-12, C-56, and C-30 have been introduced, often under the guise of trade deals or national security. These bills have faced criticism for potentially imposing criminal penalties for copyright violations, enabling website censorship, and allowing border agents to seize personal electronic devices.


Retention and disposal of personal information

In Canada, the National Archives Act and the policy on the Management of Government Information Holdings require that institutions schedule all their information holdings for retention and disposal. All personal information must be scheduled for retention and disposal in conformity with legal requirements.

The Office of the Privacy Commissioner of Canada (OPC) has developed guidelines to assist organizations in developing and implementing smart retention and disposal practices related to the handling of personal information. These guidelines are intended to assist organizations in the responsible retention and disposal of personal information.

In assessing what is the appropriate retention period and whether it is time to dispose of personal information, an organization should consider the following points: reviewing the purpose for having collected the personal information in the first place is generally helpful in assessing how long certain personal information should be retained. If personal information was used to make a decision about an individual, it should be retained for the legally required period of time thereafter – or another reasonable amount of time in the absence of legislative requirements – to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision. If retaining personal information any longer would result in a prejudice for the concerned individual or increase the risk and exposure of potential data breaches, the organization should consider safely disposing of it.

In addition, government institutions should schedule personal information for retention and disposal in accordance with the following principles: where personal information was collected prior to the coming into force of the Privacy Act and is not relevant to an operating program or activity of the institution, the information shall be disposed of; where further retention of personal information might unfairly prejudice the interests of the individual to whom the information relates, it shall be disposed of; and, subject to the legal requirements, when personal information is no longer required for the purpose for which it was obtained or compiled by the institution, the information shall be disposed of.

When disposing of electronics, an organization should have a designated person responsible for arranging appropriate data destruction and instruct employees to direct all electronic material and devices to that person.


Controversial bills and laws

Canada has introduced several controversial bills and laws in recent years that affect Canadians' internet usage and privacy rights. These include:

Bill C-11 (Copyright Modernization Act): Passed in 2012, this act contains two controversial provisions. The first deals with "digital locks", resembling the US Digital Millennium Copyright Act's approach to digital rights management (DRM). The second provision concerns the "notice-and-notice" system, which requires internet service providers (ISPs) in Canada to forward infringement notices from copyright owners to customers. ISPs must retain customer information for six months, or up to 12 months if court proceedings are launched.

Bill C-56: This bill aims to make Canada compliant with the Anti-Counterfeiting Trade Agreement (ACTA). Critics argue that ACTA was created without public input and that it conflates piracy with counterfeiting. Bill C-56 is seen as an attempt to ratify ACTA in Canada under the table.

Canada-EU Trade Agreement (CETA): Critics argue that this agreement, like Bill C-56, would bring Canada into compliance with ACTA. CETA has been crafted without public input and includes controversial provisions such as DRM, criminal penalties for copyright violations, and censorship of websites.

Bill C-51: Became law in January 2015, broadening the Canadian government's authority to conduct surveillance on citizens and foreigners. It allows for increased information sharing between government agencies and has been criticized for granting spying agencies powers similar to the US National Security Agency (NSA). Critics argue that it will be used to target non-terrorists, particularly protesters and activists, with little legal oversight.

Bill C-12: Critics have called this bill the successor to Bill C-30, which was abandoned due to public backlash. As of 2013, Bill C-12 has only received a first reading in parliament and has not resurfaced since 2011.


Record retention policy best practices

While there is no one-size-fits-all approach to data retention, there are some best practices to follow when creating a data retention policy. These practices are particularly important given the large volume of data that businesses collect and the number of laws and regulations that exist to protect that data.

Firstly, do your research. Understand the regulations and legal obligations that apply to your business. Identify your business needs and how these can be met in a way that promotes efficiency. Perform a data audit and take inventory of the information you have on hand, including databases, documents, videos, images, and emails.

Secondly, invest in an archiving solution. Archiving platforms can automate the data retention process and help you organize data according to your business requirements. Consistently back up your data to protect yourself from a compliance standpoint and to reduce the risk of data loss.

Thirdly, be mindful of how long you retain data. While it may seem cautious to retain data indefinitely, this leaves your business vulnerable in the event of a data breach. Only keep data as long as it's useful and be aware of the specific requirements for different types of data. For example, business federal tax returns should be kept for three to seven years, whereas permits, licenses, and insurance policy documents can be disposed of once they are replaced by newer versions.

Finally, have a clear process for data disposal. Outline instructions for safe disposal and archiving and ensure employees understand how to dispose of documents properly. If disposing of electronics, have a designated person responsible for arranging appropriate data destruction.


Retention and disposal practices

In Canada, the National Archives Act and the Management of Government Information Holdings policy require institutions to schedule their information holdings for retention and disposal. The Office of the Privacy Commissioner of Canada (OPC) has developed guidelines to assist organizations in developing and implementing smart retention and disposal practices related to the handling of personal information.

Before collecting any personal information, an organization should pause and assess the purpose for collecting this information and whether this information is necessary for such a purpose. That purpose must be appropriate in the circumstances. The organization should refrain from collecting more personal information than is necessary to fulfill the identified purpose.

In assessing what is the appropriate retention period and whether it is time to dispose of personal information, an organization should consider the following points: reviewing the purpose for having collected the personal information in the first place is generally helpful in assessing how long certain personal information should be retained. If personal information was used to make a decision about an individual, it should be retained for the legally required period of time thereafter – or another reasonable amount of time in the absence of legislative requirements – to allow the individual to access that information in order to understand and possibly challenge the basis for the decision. If retaining personal information any longer would result in a prejudice for the concerned individual or increase the risk and exposure of potential data breaches, the organization should consider safely disposing of it.

In addition, government institutions should schedule personal information for retention and disposal in accordance with the following principles: where personal information was collected prior to the coming into force of the Privacy Act and is not relevant to an operating program or activity of the institution, the information shall be disposed of; where further retention of personal information might unfairly prejudice the interests of the individual to whom the information relates, it shall be disposed of; and subject to the legal requirements, when personal information is no longer required for the purpose for which it was obtained or compiled by the institution, the information shall be disposed of. When personal information has surpassed its scheduled retention period and has been designated by the National Archivist as having archival or historical value, it shall be transferred to the control of the National Archives; otherwise, it shall be destroyed in a manner consistent with the Privacy Act.

If the organization has to dispose of electronics, it should have a designated person responsible for arranging appropriate data destruction and instruct employees to direct all electronic material and devices to that person. For additional information on disposal methods, private sector organizations can consult NIST Guidelines for Media Sanitization, and federal public institutions should refer to Communications Security Establishment's IT Security Guidance document "Clearing and Declassifying Electronic Data Storage Devices". An organization should carefully assess the respective risks and benefits of destroying personal information on-site or off-site. If an organization does not have the appropriate tools to safely destroy sensitive information on-site, it may consider the services of a third-party contractor. In some cases, the sheer volume of the information to be disposed of can tip the balance towards using companies specialized in data destruction.

Frequently asked questions

Yes, Canada has data retention laws. The National Archives Act and the policy on the Management of Government Information Holdings require that institutions schedule all their information holdings for retention and disposal.

The retention period for personal information in Canada is dependent on the context. For example, personal information used to make a decision about an individual should be retained for a legally required period of time to allow the individual to access that information. In the case of government institutions, personal information must be retained for at least two years following its last use unless the individual consents to its earlier disposal.

Some of the laws and bills in Canada that have impacted or sought to impact data retention include Bill C-11 (Copyright Modernization Act), Bill C-12, Bill C-30, and Bill C-56 (which aims to make Canada compliant with the Anti-Counterfeiting Trade Agreement).
