Data Retention in Canada
Another in my series on CBC Radio’s Ottawa Morning. In this segment, host Robyn Bresnahan and I discuss the legal obligations of data holders in Canada.
Read about the situation that sparked this conversation on CBC News.
Bad Robot Transcript
[00:00:00] Robyn: Greg Patterson is a commercial landlord in Ottawa.
He used to rent office space to a tech company that did IT work for other businesses.
But a little while back, the company ran into money problems.
It defaulted on its rent and then suddenly moved out.
When Greg Patterson inspected the abandoned office, he was greeted by items he did not expect to see.
Boxes filled with employee files, social insurance numbers and banking information.
Also dozens of hard drives and servers.
Patterson says he wasn’t sure what to do with the gear, so he recently gave them to an IT specialist, and he was shocked by what that specialist discovered.
So they did a quick revision on the drives and found a staggering number of files in the 10 million range on approximately 30 hard drives, which is baffling to me.
How could anybody leave these drives behind?
I don’t understand.
There’s a significant quantity of information on those drives that would be considered personal private.
A couple of different options, including providing them their information back.
Well, it turns out the hard drives and servers contain sensitive information belonging to the companies that had outsourced their IT to the now defunct company.
So how common is the scenario, and who’s responsible for safeguarding the digital data that we give businesses?
Mark Nunnikhoven is the vice president of Cloud Research at Trend Micro, which is an Ottawa data security firm. He’s also our technology columnist here on Ottawa Morning.
[00:01:48] Mark: Morning.
[00:01:49] Robyn: How common is a scenario? A business outsourcing its IT to another company?
[00:01:50] Mark: That’s very, very common because a lot of businesses realize that they’re not in the business of running computers.
They’re in the business of selling clothes or making widgets or whatever the case is, so it’s often seen as a cost center that can easily push off to somebody else.
So this is why you see outsourcers at all scales, whether smaller, large are very, very common.
[00:02:09] Robyn: What do you make of this case in particular?
[00:02:12] Mark: It’s an interesting one, especially because, you know, it’s the landlord who’s coming forward and trying to do what’s right.
But it does highlight a risk is that when you outsource your IT,
you’re taking the data that you’re entrusted with as a business and relying on another company’s practices.
So that’s a challenge, because it’s still your responsibility.
Even though you’re outsourcing your IT operations, you’re still on the hook for it as a business.
[00:02:38] Robyn: You know, very personal data from employees in that kind of thing.
Ultimately, it’s your responsibility, but…but who could come back? That you know your name is on there.
Your social insurance number.
Um, and you’re thinking, Well, hang on.
Why was this left in an abandoned place?
You could go back then and sue the company that has this information in the first place.
[00:03:13] Mark: Yeah, it’s challenging.
So, you know, the normal disclaimer comes around is that I’m not a lawyer, but the way I can walk you through it is it’s a chain of relationship, so if I entrust my information as a person to a company.
So in this case there was political parties.
There were non profits.
So they’re gathering personal information.
We’ll say we were a donor to that nonprofit and we have our financial information with them.
They are responsible under Canadian legislation for the security and safety of that data from the time they have it to the time that they no longer require it.
So that’s called data retention.
And at the time when they no longer require it anymore, whether they have legal obligation to keep records for a while, they have to properly dispose of it.
So what happened in this case is that the outsourcer was managing the data.
But now there’s a new relationship created between the original company who we’ve entrusted our data to.
That company and the outsourcer, but from us as the data, the data subject.
It’s our relationship with the original collector.
[00:04:17] Robyn: So what can organizations do to ensure that companies they’re outsourcing their IT to are treating this data responsibly?
[00:04:24] Mark: So if that’s all part of the contract negotiation.
A part of your research when you’re going to these organizations and the challenge you have is a lot of the time
outsourcing is seen as that cost center, so it’s lowest bid wins.
And that might not be the best thing and in fact, the most efficient spend for the original business who’s looking to outsource.
So you want to do your due diligence.
You want to research, you want to talk to existing customers.
You want to look at the track record, and you want to see the policies and procedures they have for managing the data that you’re going to be entrusting them with.
Because as a business, you need to take that ownership of people’s data very, very seriously, not just because of the legal implications in Canada, but also there’s a very real threat of identity fraud.
So in 2018 Canadians lost $21.2 million to identity fraud, and that was almost double from the previous year.
We’re expecting to see almost the same for 2019 statistics.
It’s a real problem.
[00:05:16] Robyn: What about the public themselves?
Is there anything that they can do
to protect themselves from this? Because, as you say, lots of people, for instance.
I like your example of donating to a charity or something like that.
I don’t want to stop donating, necessarily because they fear where their information may end up.
Is there anything that people can do to take this into their own hands at all?
[00:05:36] Mark: I think the easiest thing to do is question the information you’re giving over.
A lot of the time, organizations will ask for more information than they necessarily need, so
the best way to protect your information is not to be giving it out
left, right and centre.
Now, in general, that’s pretty reasonable
in Canada. If you look at the U.S., they’re much worse
as far as asking for Social Security numbers left, right and center. In Canada, we tend to protect our SIN, which is a really hard thing to change.
So question the information you’re giving over.
That’s a requirement under Canadian legislation to be able to talk to somebody, to see what information is stored about you and how it’s being managed, and then just keeping track of that sort of, in general.
So being aware that okay, I’ve told certain people about this information and then monitoring your own accounts of looking, you know, for indicators of fraud which aren’t actually big changes to your finance.
It’s the little stuff we see.
Criminals will make minor transactions, like under $5 to see if they’ve got a valid account, and then go up from there.
[00:06:34] Robyn: I’ve had that happen to me before.
Somebody in Salt Lake City buying a lot of fried chicken on my British credit card.
Have you been a victim of identity theft?
[00:06:42] Mark: I have. I travel quite a bit globally, and I’ve probably five or six times,
my credit card over the last five years has been compromised mainly because of where I’m at.
I don’t have the normal protections. In Canada we’re quite advanced.
First chimp in a lot of really great anti-fraud, which is why I actually have a secondary credit card I use when I’m traveling.
So if that one gets burned, it’s a pain.
But it’s not the end of the world.
[00:07:05] Robyn: Interesting. Well, lots of people, I’m sure in those shoes as well. Thank you, Mark.
[00:07:08] Mark: Thank you.
[00:07:10] Robyn: That’s Mark Nunnikhoven. He’s the vice president of Cloud Research at Trend Micro, an Ottawa data security firm, and he’s also our technology columnist.