Investigation Report P2006-IR-01

January 25, 2006

The Commissioner authorized an investigation into a complaint that a Staples Business Depot store in Calgary sold a computer that contained a previous customer’s personal information. That previous customer alleged that the organization disclosed her information without her knowledge and consent and failed to safeguard her information, contravening the Personal Information Protection Act (“PIPA”).

The complaint involved the protection of personal information on a computer hard drive. Resumes, tax return information, social insurance numbers and family photographs were discovered on a computer purchased by another customer. The investigator found that Staples personnel did not attempt to remove or purge the initial customer's personal information before the computer was resold. Although Staples usually reformats the hard drives of computers that are returned or defective, it had no written policies, procedures or employee training on what actions must be taken to protect personal information before computers are resold.

In this case, Staples contravened PIPA by failing to safeguard personal information. As a result of the investigation, Staples was required to:

  • Ensure that full wiping of hard drives is completed on all returned computers
  • Track components by serial number to corroborate computer hard drives with erasure procedures
  • Provide a credit watch service for the complainant and her family members
  • Develop policies, procedures and training for all store personnel

Staples agreed to implement the investigator’s recommendations in all of its retail stores across Canada.