The uproar earlier this month about Canada’s domestic intelligence agency unlawfully keeping telecom metadata raises the issue of privacy officers ensuring data retention policies are well documented, says a privacy lawyer.
A Federal Court judge took the Canadian Security Intelligence Service (CSIS) to task not only for holding onto the data for years in violation of a CSIS Act requirement to only hold data “to the extent that it is strictly necessary,” but also for failing to tell the court – which deals with the agency’s search warrants – it was doing so.
The decision prompted a rare press conference from CSIS director Michel Coulombe, who told reporters, “I’ll be honest, we went through our records and we really can’t find a good explanation of why the court was not informed.” In a later statement he said his agency, in consultation with the Justice department, believed the law allowed for the retention of non-threat related associated data linked with third party communications that were collected while under a warrant. The court disagreed.
But Coulombe agreed not telling the court of its approach to data retention was “a significant omission.”
“I found it inexplicable how the head of CSIS could not find a good explanation for why they kept that information without judicial oversight,” said Imran Ahmad, a privacy lawyer with the Toronto firm Miller Thomson and a member of the advisory board of the Canadian Advanced Technologies Alliance’s cyber security council. “There’s absolutely no justification for that considering how sensitive that information was.
“If you (as a privacy officer) had a breach and it came to light that you collected information which went beyond the scope of what PIPEDA (the Personal Information Protection and Electronic Documents Act) allows you to do, and you went to the COO and said ‘I have no good explanation. Sorry.’, that would not be sufficient. And obviously the organization would be exposed to fines and potentially a class action (lawsuit).”
Privacy commissioner demands documented process for private data deletion
David Fraser, a privacy lawyer with the Halifax firm McInnes Cooper, isn’t surprised Coulombe couldn’t find documentation on the data retention issue. “Governments generally are really bad about keeping their records, about organizing their records, about making them searchable.”
But he does agree that under PIPEDA “any organization that hasn’t turned their mind to it and documented that … is vulnerable because if they are questioned on it by the privacy commissioner without a documented statement, then they’re essentially making it up as they go along.”
PIPEDA applies to federally regulated organizations and to businesses in provinces that have agreed to follow it. Section 5(3) says “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
Unlike the CSIS Act, which says the agency can only hold personal data “to the extent strictly necessary,” PIPEDA only encourages organizations not to hold onto data forever.
Schedule 1 of the act, which sets out data protection principles, says “The purposes for which personal information is collected shall be identified (to people) by the organization at or before the time the information is collected.” Part 4.5 of the principles also says “Personal information shall be retained only as long as necessary for the fulfillment of those purposes.” The principles further say that “Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.”
There is no “one size fits all” data retention period under the legislation, notes the office of the federal privacy commissioner. “For some organizations, there is a legislative requirement to keep information for a certain amount of time.”
But in theory, if the publicly stated reason for collecting data is broad enough, the information can be kept forever.
Delete now rather than breach later
However, Fraser cautions that the longer personally-identifiable information is kept the greater the risk to the organization if there is a data breach. “So you don’t want to keep information longer than you need it. If you don’t need it anymore it’s a liability, it’s no longer an asset.
“If you destroy documents according to a retention and destruction schedule you’re not going to find yourself with problems in connection with litigation if the documents are not there,” Fraser added.
Of course, personal information can be held for long periods if it is anonymized through techniques such as data masking.
The federal privacy commissioner’s website has resources on data retention and disposal.
Note also that the principles of Privacy by Design, created by Canadian privacy expert Ann Cavoukian, not only say privacy should be embedded into the design and architecture of IT systems and business practices, but also that personal data should be securely destroyed when no longer needed.