The Commissioner authorized an investigation into a complaint that a Staples Business Depot store in Calgary sold a computer that contained a previous customer’s personal information. That previous customer alleged that the organization disclosed her information without her knowledge and consent and failed to safeguard her information, contravening the Personal Information Protection Act (“PIPA”).
The complaint involved the protection of personal information on a computer hard drive. Resumes, tax return information, social insurance numbers and family photographs were discovered on a computer purchased by another customer. The investigator found that Staples personnel did not attempt to remove or purge personal information of the initial customer before it was re-sold. Although Staples usually reformats hard drives of computers that are returned or defective, they had no written policies, procedures or employee training on what actions must be taken to protect personal information before computers are resold.
In this case, Staples contravened PIPA by failing to safeguard personal information. As a result of the investigation, Staples was required to:
- Ensure that full wiping of hard drives is completed on all returned computers
- Track components by serial number to corroborate computer hard drives with erasure procedures
- Provide a credit watch service for the complainant and her family members
- Develop policies, procedures and training for all store personnel
Staples agreed to implement the investigator’s recommendations in all of its retail stores across Canada.