Staples Business Depot has breached Canadian privacy law by not fully wiping customer data off laptops and storage devices returned by customers before reselling them, Canada's privacy commissioner has found.
Banking information, tax records, social insurance numbers, health card and passport numbers, as well as academic transcripts were among the information found on 54 of 149 tested data storage devices destined to be resold by Staples during an audit by the office of Privacy Commissioner Jennifer Stoddart.
"The position of our office is that if Staples is unable to remove all customer data from a particular manufacturer’s device, it is unacceptable to resell that device," said a summary of the findings.
The audit was part of Stoddart's 2010 report tabled in Parliament on Tuesday in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), meant to protect the private information that consumers give to companies in the course of doing business.
The privacy commissioner's office tested computers, laptops, USB hard drives and memory cards that had already undergone a "wipe and restore" process intended to delete data. The devices most likely to contain customer data were laptops, where it was found in 17 of 20 cases.
Customer data was found on devices from 15 of 17 stores audited in seven provinces: B.C., Alberta, Manitoba, Ontario, Quebec, Nova Scotia, and Newfoundland and Labrador. Staples has 300 stores across the country.
The privacy commissioner does not have the power to impose sanctions, but it recommended that Staples review its data-wiping process and implement controls to ensure personal data is not disclosed.
"Until our recommendation on wiping customer data is fully implemented, personal information will continue to remain at risk and Staples will not meet its obligations under PIPEDA," the report said.
In a statement Tuesday, Staples said it co-operated fully with the privacy commissioner's office and responded "positively" to all the recommendations.
"Further, Staples has implemented changes that exceed current industry practice to remove personal data from returned memory devices," the company said.
Contrary to what was in the report, the company said its practices "meet the level requested by the Privacy Commissioner."
Staples added that "many of the issues covered in the audit represent industry-wide challenges" and the company supports the development of industry-wide standards for privacy protection.
Staples told the privacy commissioner's office that it was actively testing several ways of wiping data from returned storage devices.
However, it said overwriting the data — the most reliable method and the one recommended by the privacy commissioner's office — was not an option because that could damage some of the devices.
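The difference between a "wipe and restore" that only resets the filesystem and a full overwrite is what the audit turned up. The following is an added illustration, not code from the report or from Staples: a constructed in-memory device image, the two wipe strategies simulated side by side, and a sector-level check of the kind an auditor would run before a device is resold. The sector size, the fake file table and the SIN-like regex are all assumptions made for the example.

```python
"""Post-wipe verification on a constructed device image (added example)."""
import re

SECTOR = 512  # assumed sector size for the simulated device


def make_device(num_sectors, payload):
    """Build a constructed image: a fake file table in sector 0, payload in sector 3."""
    dev = bytearray(SECTOR * num_sectors)
    dev[0:16] = b"FAKEFS-METADATA\x00"          # constructed 'filesystem table'
    dev[SECTOR * 3: SECTOR * 3 + len(payload)] = payload
    return dev


def wipe_restore(dev):
    """Simulates a 'wipe and restore': only the file table is reset.
    The data sectors are untouched, so the file is merely unlinked, not erased."""
    dev[0:SECTOR] = bytes(SECTOR)
    return dev


def wipe_overwrite(dev, pattern=b"\x00"):
    """Overwrite every sector (the method the commissioner's office recommends)."""
    for i in range(0, len(dev), SECTOR):
        dev[i:i + SECTOR] = pattern * SECTOR
    return dev


# Constructed heuristic: nine digits in three groups, the shape of a SIN.
SIN_LIKE = re.compile(rb"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b")


def verify_wiped(dev):
    """Scan every sector; report residual data and any SIN-shaped strings."""
    residual = [i // SECTOR for i in range(0, len(dev), SECTOR) if any(dev[i:i + SECTOR])]
    hits = [h.decode() for h in SIN_LIKE.findall(bytes(dev))]
    return {"sectors_total": len(dev) // SECTOR,
            "sectors_with_data": residual,
            "sin_like_strings": hits,
            "clean": not residual}


if __name__ == "__main__":
    payload = b"Tax return, constructed person, SIN 123-456-789"
    print(verify_wiped(wipe_restore(make_device(8, payload))))    # still dirty
    print(verify_wiped(wipe_overwrite(make_device(8, payload))))  # clean
```

Against a real device the same scan would read the raw block device rather than an in-memory image, and the "file table reset" is what the auditors' 54 recoverable devices suggest was actually happening.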
The company was also at odds with the privacy commissioner's recommendation that it only keep online print and copy orders as long as necessary for the client to check if there were issues related to print quality, in keeping with PIPEDA. Staples responded that it believes storing the submissions for one year is appropriate.
Stoddart said her findings were "particularly disappointing" given that her office had already investigated previous complaints involving returned storage devices, in 2004 and 2008, and Staples had committed to corrective action.
The report summarized a number of other investigations, including a complaint about eHarmony, a popular U.S.-based online dating website.
A Canadian customer complained that eHarmony had not complied with her request to have her account deleted.
The company told the privacy commissioner's office that was because 40 per cent of customers reactivate their accounts within a year.
However, following the investigation, it agreed to give customers a choice between deactivating and deleting their accounts.