Retaining and Disposing Information
Fair information practices suggest that personal information should only be retained for as long as necessary for the fulfilment of the purposes for which it is collected, but when information is used to make a decision about someone, it should be retained long enough for the individual to be able to access it, and appeal any denial of access. When personal information is no longer needed to fulfil those identified purposes, it should be destroyed, erased or anonymized according to established guidelines.
Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), together with their respective regulations, point to requirements for retention and disposal of personal information as well as general government records.
The Personal Health Information Protection Act (PHIPA) requires that health information custodians ensure records of personal health information are retained, transferred and disposed of in a secure manner, and that any personal health information that is the subject of a request for access be retained for as long as necessary to allow the individual to exhaust any recourse under the Act that he or she may have with respect to the request.
The Ontario government has developed guidelines and procedures for retention and disposal through its Recorded Information Management program under the auspices of the Archives of Ontario.
Personal information earmarked for disposal must be handled securely and permanently destroyed or erased in an irreversible manner that ensures that it cannot be reconstructed in any way.
Links of Interest:
Electronic Records: Maximizing Best Practices
Fact Sheet #1: Safeguarding Personal Health Information
Practices No. 26: Safe and Secure Disposal Procedures for Municipal Institutions
Fact Sheet #10: Secure Destruction of Personal Information
Archives of Ontario, Recorded Information Management