Archived - Privacy and Data Protection Guidelines - Retention and Disposal of Personal Information
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Legal requirements
In accordance with subsection 6(1) of the Act and subsection 4(1) of the Regulations, personal information that has been used by a government institution for an administrative purpose shall be retained by that government institution for at least two years following the last use of the information unless the subject individual consents to its earlier disposal. Where a request for access to personal information has been received, the institution shall retain that information until such time as the individual has had the opportunity to exercise all of their rights under the Privacy Act. Notwithstanding these requirements, where an emergency exists at a Canadian post abroad, the head of the post or the senior officer in charge may order the destruction of personal information in order to prevent the removal of the information from the control of the institution.
Scheduling for disposal
The National Archives Act and the policy on the Management of Government Information Holdings require that institutions schedule all of their information holdings for retention and disposal. All personal information must be scheduled for retention and disposal in conformity with the legal requirements outlined in the previous paragraph. In addition, government institutions should schedule personal information for retention and disposal in accordance with the following principles:
- where personal information was collected prior to the coming into force of the Privacy Act and is not relevant to an operating program or activity of the institution, the information shall be disposed of;
- where further retention of personal information might unfairly prejudice the interests of the individual to whom the information relates, it shall be disposed of; and
- subject to the legal requirements, when personal information is no longer required for the purpose for which it was obtained or compiled by the institution, the information shall be disposed of.
When personal information has surpassed its scheduled retention period and has been designated by the National Archivist as having archival or historical value, it shall be transferred to the control of the National Archives; otherwise it shall be destroyed in a manner consistent with its security classification.
Minimum two year retention
Disposal of personal information prior to the expiration of the two year minimum is allowed with the consent of the individual. This may occur if, for example, within the two year period it is determined that the information on hand is incorrect and the most appropriate means of correction is disposal, or if the information is no longer required. Consent of the individual to dispose of the information must be obtained in writing.
The requirement to retain information until the individual has had the opportunity to exercise all of their rights under the Act means that where a request for access to personal information has been received from the subject, information must be retained for at least two years after the last action taken under the Privacy Act. For example, the information must be retained for at least two years after the institution responded to the request. If the requestor complains to the Privacy Commissioner, the information must be retained for at least two years following the Commissioner's finding on the complaint. If the finding is reviewed by the Federal Court, then the information must be retained for at least two years after the review is completed, and so on.
Where personal information is contained in personnel records of former employees of government institutions or of former members of the Canadian Armed Forces, the information is to be retained by the institution concerned for one year after termination of employment. It is then to be transferred to the control of the National Archives for the second year of the two year minimum retention period.
In accordance with subsection 9(1) of the Privacy Act, institutions must retain a record of any use or disclosure of personal information which is not included in the description of the personal information bank contained in Info Source, and must attach a record of the use or disclosure to the personal information.
In accordance with section 7 of the Privacy Regulations, a request for disclosure of personal information pursuant to paragraph 8(2)(e) of the Privacy Act and any information disclosed in response to such a request must be retained for at least two years following the date the request was received by the institution.