
Regulatory Obligations Concerning the Disposal of Outdated Hard Drives and Servers

October 12, 2022

Written By Ruth Promislow

Disposing of hardware in the wrong manner can leave an organization offside its regulatory obligations under privacy legislation. Depending on where the individuals or entities whose personal data the organization stores reside, improper disposal of hardware storage devices may be offside regulatory obligations in several countries.

Morgan Stanley recently agreed to pay US$35 million to the U.S. Securities and Exchange Commission (SEC) further to an inquiry by the SEC regarding the alleged improper removal of computer devices from the Morgan Stanley offices. The SEC alleged that the company hired a moving and storage company with no expertise in data protection to decommission thousands of servers and hard drives. The SEC further alleged that the moving company sold those devices, which included the personal identifying information of millions of customers. Morgan Stanley has not admitted the allegations.

This case raises an important risk which is often overlooked. Hardware used by an organization typically contains substantial amounts of personal and confidential information. If not wiped properly, that information can be subject to unauthorized access. If an organization outsources the task of removal and destruction without taking the appropriate steps, that organization is exposed.

Typically the manner in which hardware is disposed of by an organization is left to the IT department. However, the risks inherent in this exercise call for management oversight on how this task will be carried out, including for example the vetting of third-party suppliers who may be retained to dispose of the equipment, contractual obligations and indemnity terms in the agreement with those suppliers, and limitations on the supplier's ability to outsource its obligations.

The Office of the Privacy Commissioner of Canada (OPC) recommends the following (among other things) in its guidance document entitled Personal Information Retention and Disposal: Principles and Best Practices:

  • Personal information must be securely destroyed or removed before disposing of hardware that contains such information.
  • If the organization has to dispose of electronics, it should have a designated person responsible for arranging appropriate data destruction and instruct employees to direct all electronic material and devices to that person.
  • An organization should carefully assess the respective risks and benefits of destroying personal information on-site or off-site.
  • When considering using a third party to dispose of personal information, an organization should take into account the sensitive nature of the personal information and take commensurate steps to manage the risks accordingly.
  • An organization should ensure that the third-party contractor has verifiable credentials and can guarantee both a secure transfer of records from the organization's office to their own destruction facility, and a secure destruction method that matches the media and information security.
  • If an organization decides to contract out, it should keep in mind that it remains responsible for the information to be disposed of. Best practices when dealing with third parties include:
    • privacy protection clauses in contracts to ensure that third parties to which personal information is transferred for processing (and any possible subcontractors) provide the same level of protection under the law as your organization does; and
    • monitoring and auditing clauses to ensure track record and quality control.

Privacy and confidentiality issues require careful planning and consideration at every step of the data life cycle, from collection to disposal. The consequences of failing to do so can be significant.

The Bennett Jones Privacy and Data Protection group would be pleased to assist you with any questions you may have.


Author

  • Ruth E. Promislow, Partner
