Retention, transfer and disposal

You must have safeguards in place to ensure you are retaining, transferring and disposing of personal information appropriately and securely.86

Part X requires that you take reasonable steps to ensure records of personal information in your custody or control are retained, transferred and disposed of in a secure manner. In addition, you must comply with the requirements in the CYFSA and its regulations, as described below.

You must have a retention policy that sets out the types and classifications of records of personal information you hold, how long you will retain them, and how you will dispose of or transfer them. Part X does not dictate how long you must retain records, but it does require you to consider certain factors in deciding your retention periods.87 For example, you must consider whether another service provider has custody or control of the record or requires it to provide services. You must also consider whether the CYFSA or another law includes requirements for retention of the record.88

Regardless of your retention periods, if an individual requests access to a record, you must retain it for as long as it takes to fulfil the request and allow for any recourse the individual has (including complaints to the IPC and any subsequent appeals or reviews).

To securely dispose of records, you must protect against their theft, loss, and unauthorized use or disclosure.89 You must also ensure that the personal information in the record cannot be reconstructed or retrieved after disposal. For this reason, recycling records of personal information or leaving intact documents for garbage pick-up are unacceptable methods of disposal.

To securely dispose of records, you should:

  • Develop a secure destruction policy to complement your retention policy that determines what records should be destroyed, by whom, and when.
  • Ensure that any agreement you enter into with an external service provider, such as a shredding company, to dispose of records addresses the issue of secure disposal.
  • When disposing of electronic records, either physically destroy the storage media or overwrite the information stored on the media. The best method will vary depending on the type of media.90

You must also document which records you have disposed of — in a way that does not include the personal information contained in the record.

 

86. CYFSA, s. 309(1); O. Reg. 191/18. s. 10
87. These requirements are found in O. Reg. 191/18. s. 10.  In developing retention policies, service providers should familiarize themselves with the requirements of subsections 10 (5-7) of this regulation.
88. For example, O. Reg. 156/18 under the CYFSA, s. 93(2), includes retention requirements for certain records maintained by licensees who operate children’s residences.
89. O. Reg. 191/18, s. 10(3)
90. The IPC offers guidance on the topic of secure disposal of records, including electronic records, available at www.ipc.on.ca.