What Does PIPEDA Actually Say About Data Destruction?
PIPEDA's requirements around data destruction come from Principle 5: Limiting Use, Disclosure, and Retention.
"Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous."
--PIPEDA Schedule 1, clause 4.5.3
Clause 4.7.5 under Principle 7 (Safeguards) adds that organizations must protect personal information against loss or theft and "safeguard the information regardless of the format in which it is held."
In plain language, this means two things. First, you cannot hold onto personal information indefinitely — once you no longer need it for the purpose you collected it, you must get rid of it. Second, when you do get rid of it, you must do so in a way that prevents anyone from recovering it.
The Office of the Privacy Commissioner of Canada (OPC) has published detailed guidance on what "appropriate" disposal looks like. Their position is clear: the method you choose must match the sensitivity of the information. A factory reset on a laptop or dragging files to the recycle bin does not meet this standard for sensitive personal information.
What Counts as Personal Information?
Under PIPEDA, personal information is any information about an identifiable individual. This is deliberately broad and includes names and contact information, social insurance numbers, financial records and credit information, employment records and salary data, health information, customer purchase histories, and biometric data. If any of this resides on a hard drive, SSD, USB stick, or any other storage media, PIPEDA obligations apply when you dispose of that media.
What Can Go Wrong — Real-World Consequences
The risks of improper disposal are not theoretical. Canadian organizations have faced real consequences for failing to properly destroy personal information.
- Financial penalties: PIPEDA violations can result in fines of up to $100,000 per offence for organizations that knowingly breach the law. Provincial laws carry additional penalties — PHIPA in Ontario allows fines up to $500,000, and Quebec's Law 25 can impose penalties up to $25 million.
- Privacy Commissioner investigations: The OPC can launch investigations based on individual complaints. If someone discovers their personal data on a drive that should have been destroyed, your organization faces a formal investigation that may result in public findings and recommendations.
- Mandatory breach reporting: Under PIPEDA's mandatory breach notification provisions, if improperly disposed data results in a breach that poses a "real risk of significant harm," you are required to report it to the OPC and notify affected individuals. This creates exactly the kind of public attention no organization wants.
- Reputational damage: Beyond fines, a data breach caused by improper disposal can generate media coverage, erode client trust, and damage your organization's reputation in ways that far exceed any financial penalty.
The Three Methods That Meet PIPEDA Standards
The OPC guidance on disposal identifies several methods that, when properly executed, meet the standard of "appropriate" destruction for electronic media.
Software-Based Overwriting (Sanitization)
Overwriting uses software to write patterns of data across every sector of a hard drive, rendering the original data unrecoverable. The CSEC ITSG-06 protocol — Canada's standard for data overwriting — specifies a three-pass process with verification. This method is appropriate for HDDs you plan to reuse, but is unreliable for SSDs due to wear-leveling technology. U-Reach sanitizer-duplicators perform hardware-based secure erase that is faster and more reliable than software-based tools.
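An added illustration (not U-Reach's code and not a quotation of the standard) of the three-pass overwrite with verification described above, in Python against a file-backed image standing in for an HDD; the pass order (zeros, ones, pseudorandom), the sample record and the seed are this example's own assumptions.

```python
import os
import random
import tempfile

# Three-pass overwrite (zeros, ones, pseudorandom) with read-back verification,
# run on a file-backed image standing in for an HDD. Not for SSDs: wear-leveling
# means the overwritten logical sectors need not be the cells that held the data.

PASSES = (b"\x00", b"\xff", None)   # None marks the pseudorandom pass


def _fill(fh, size, pattern, rng, chunk):
    """Write `size` bytes of `pattern` (or rng output when pattern is None)."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(chunk, remaining)
        fh.write(pattern * n if pattern else rng.randbytes(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())   # force the pass through the OS cache onto the media


def sanitize_three_pass(path, chunk=1 << 20, seed=None):
    """Overwrite `path` in place; True only if the final pass reads back as written."""
    size = os.path.getsize(path)
    # PRNG seed is kept so the random pass can be regenerated for verification
    seed = seed if seed is not None else int.from_bytes(os.urandom(8), "big")
    with open(path, "r+b") as fh:
        for pattern in PASSES:
            _fill(fh, size, pattern, random.Random(seed), chunk)
        fh.seek(0)
        rng = random.Random(seed)
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            if fh.read(n) != rng.randbytes(n):
                return False
            remaining -= n
    return True


def demo():
    """Constructed sample image with a fake record; returns (verified, residue_found)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"name=Jane Doe;SIN=000-000-000;" * 2048)   # constructed, not real
        path = tmp.name
    ok = sanitize_three_pass(path, chunk=4096, seed=42)
    with open(path, "rb") as fh:
        residue = b"Jane Doe" in fh.read()
    os.unlink(path)
    return ok, residue
```

On a real drive the same loop would be pointed at the block device path; the verification step is what turns "we ran a wipe" into evidence you can put on a Certificate of Destruction.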
Degaussing
Degaussing applies a powerful magnetic field that erases all data on magnetic media. It is highly effective for hard disk drives and magnetic tapes. However, degaussing renders the drive permanently unusable, and it has absolutely no effect on SSDs or flash-based storage. If your organization stores data on SSDs, degaussing is not a viable option for those media types.
Physical Destruction
Shredding or crushing media into particles ensures that data cannot be reconstructed. This is the only reliable method for SSDs and flash storage. For highly sensitive data, physical destruction may be required even after sanitization or degaussing. The Canadian government's ITSP.40.006 standard recommends physical destruction for media that stored classified information.
Building a PIPEDA-Compliant Disposal Process
Compliance is not just about having the right equipment — it requires a documented process that you can demonstrate to auditors.
Create a Retention Schedule
Determine how long you need to keep each type of personal information, considering both your business needs and any legal requirements (tax records, employment records, healthcare records). Once the retention period expires, the data must be destroyed.
Assign Responsibility
Designate a specific person or team responsible for data destruction. PIPEDA Principle 1 (Accountability) requires every organization to designate someone accountable for privacy compliance. This person should oversee the destruction process and sign off on documentation.
Choose Your Equipment
Invest in equipment that matches your media types and volume. A U-Reach sanitizer-duplicator can handle both sanitization for reuse and verification that drives have been properly erased. For end-of-life media, physical destruction equipment ensures permanent data elimination. Having equipment in-house reduces the risk associated with sending sensitive media to a third-party facility.
Document Every Destruction Event
Generate a Certificate of Destruction for every batch of media you process. Record the date, media type and serial numbers, destruction method, operator name, and verification results. U-Reach duplicators with iSecureLog capability output detailed logs that can serve as the foundation for your compliance documentation.
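An added example, not U-Reach's iSecureLog format, of the destruction record the steps above call for: each entry carries the listed fields, the method is checked against the media/method matrix given in the three methods section (overwriting unreliable and degaussing ineffective on SSDs), and entries are SHA-256 chained so a later edit to any entry is detectable. The matrix, field names, chaining and any serial numbers are this example's own assumptions and constructed values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Minimal Certificate of Destruction log: the fields listed above, a check that
# the method fits the media (per the three methods described earlier), and a
# SHA-256 chain so a later edit to any entry is detectable by an auditor.

APPROPRIATE = {
    "hdd": {"overwrite", "degauss", "physical_destruction"},
    "tape": {"degauss", "physical_destruction"},
    "ssd": {"physical_destruction"},   # overwrite unreliable, degaussing ineffective
}
GENESIS = "0" * 64


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def record_destruction(log, media_type, serial, method, operator, verified, when=None):
    """Append one event to `log`; reject methods unsuitable for the media type."""
    if method not in APPROPRIATE.get(media_type, set()):
        raise ValueError(f"{method!r} is not an appropriate method for {media_type!r}")
    entry = {
        "date": when or datetime.now(timezone.utc).isoformat(),
        "media_type": media_type,
        "serial": serial,
        "method": method,
        "operator": operator,
        "verified": bool(verified),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)   # hash covers every field incl. the back-link
    log.append(entry)
    return entry


def verify_log(log):
    """True if every entry's hash matches its contents and links to its predecessor."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```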
Third-Party Contractors
If you use a third-party destruction service, PIPEDA makes clear that you remain responsible for the information until it is destroyed. The OPC recommends contractual privacy protection clauses, monitoring and auditing clauses, and verification of the contractor's credentials. Many Canadian organizations find that bringing destruction in-house with their own equipment reduces risk and provides better control over the process.
What About the Proposed CPPA?
Bill C-27 proposes the Consumer Privacy Protection Act (CPPA) as a replacement for PIPEDA. If enacted, the CPPA would strengthen disposal requirements significantly. The proposed law defines disposal as "the permanent and irreversible deletion of personal information" and would introduce penalties of up to $10 million or 3% of gross global revenue for non-compliance. Organizations that build strong disposal processes now will be well-positioned for the transition.
Take Action Now
Proper data destruction is not optional under Canadian law — it is a legal obligation. U-Reach Canada provides sanitization and destruction equipment that helps Canadian organizations meet PIPEDA, PHIPA, and ITSG-06 requirements. All pricing is in Canadian dollars, with Canadian warranty and support.
Browse our HDD/SSD Duplicators & Sanitizers, NVMe Duplicators & Sanitizers, or USB Duplicators & Sanitizers to find the right solution. For help building a compliant disposal process, call our Canadian team at 877-987-3224 or email sales@ureach-canada.com.