Most businesses, regardless of size, collect sensitive information from both clients and employees. We may not be aware, but all of us possess vital records/personal information, some more so than others.
Such vital records/documents could be permanent (e.g., birth records), archival (e.g., tax records), or incidental or temporary (e.g., bank statements) in nature. If confidential data does get lost or disclosed, the consequences can be embarrassment or reputational damage at best and serious legal liability at worst. Non-compliance with federal and provincial regulations may expose you or your company to hefty fines.
PULP SHRED provides assured destruction of your confidential documents in compliance with the relevant federal and provincial data privacy and information security regulations. As a NAID member organization, PULP SHRED adheres to the stringent security practices and procedures established by the National Association for Information Destruction.
Federal Legislative Acts
Personal Information and Electronic Act (PIPEDA)
The Act addresses the issue of electronic storage of information in Canada. Businesses in Canada must comply with the Personal Information and Electronic Act (PIPEDA) and all applicable provincial privacy laws. PIPEDA requires that confidential documents containing private information be disposed of in a manner that prevents the disclosure of personal information.
Provincial Legislative Acts – Alberta
Freedom of Information and Protection of Privacy Act (FOIP)
The FOIP Act provides governing principles about protecting the privacy of personal information held by public bodies. The FOIP Act has two major parts:
- Part 1, which deals with access to records held by public bodies as defined under the Act.
- Part 2, which deals with rules concerning protection of the privacy of personal information about individuals that is held by public bodies.
Personal Information Protection Act (PIPA)
The FOIP Act does not apply to private businesses, non-profit organizations or professional regulatory organizations operating in Alberta. In these cases, Alberta’s Personal Information Protection Act (PIPA) may apply.
Health Information Act (HIA)
The details concerning a person’s health status have long been considered the most sensitive type of information. The HIA sets out rules governing the collection, use and disclosure of health information. These rules apply to all custodians, including health services providers who have been designated as custodians in the regulations.
General Data Protection Regulation (GDPR)
Europe’s new data protection law came into effect on May 25, 2018. The GDPR has important global implications that affect many Canadian firms. Any Canadian business that collects personal information about residents of the European Union – whether they are tourists, students, or online customers – risks maximum fines of $30 million or more if they violate the EU privacy law. The GDPR may become the model for forthcoming PIPEDA amendments.
If you operate a business in Canada, including a home business, you’re required by the Canada Revenue Agency (CRA) to retain financial documents for specific periods of time. For GST/HST, income taxes, source deductions (EI, CPP), business income and expenses, property and motor vehicle use, you must keep all records and supporting documents (including electronic records) for a minimum of 6 years from the end of the last tax year they relate to.
Employee Pay Records
There is no harmonized triggering event across Canada. For Alberta, the triggering event is when the record was made. Alberta requires employers to retain employment records for at least 3 years from the date each record is made. The triggering event that starts the retention period depends on the province. The employment record includes leaves and vacations.
The Alberta College of Physicians and Surgeons Retention Schedule states that chart destruction may occur 10 years for adults and 20 years for minors after the end of the year in which the last visit was recorded.
The Condominium Property Act does not specify how long boards need to keep the condominium corporation’s documents and records.
This information includes trade secrets, acquisition plans, financial data, and supplier and customer information. It also includes executive-level correspondence, contracts, and other HR data such as employee medical records and performance appraisals.
Even if you have a high risk-tolerance threshold, protecting the information on your discarded paper documents should be a top priority. Always shred the following documents when they become obsolete:
- Personal information
- Business & Personal Financial Records
- Government/Municipal records
- Land titles
- Medical Records
- Utility Bills
- Credit Card Receipts
- Bank Statements
- Pay Stubs
- Tax, Mortgage and Insurance Documents