Good afternoon, and thank you for the opportunity to be here today.
My name is Kristjan Backman. I chair the National Association for Information Destruction in Canada. This is a voluntary position. In my day job I run a small company called Phoenix Recycling. We're a Winnipeg-based company that does information destruction services.
NAID-Canada is a non-profit association representing companies that specialize in the secure destruction of information, with members in every province across Canada. Our mission is to raise awareness and understanding of the importance of secure information destruction, and in doing so we want to ensure that private, personal, and business information is not used for purposes other than those for which it was originally intended.
NAID-Canada also plays an active role in the development and implementation of industry standards and certification. We provide a range of member services, which include advocacy, communication, education, and professional development. It's worth noting that NAID certification is often mandated contractually by clients who use information destruction services to ensure that service providers meet regulatory and security requirements.
The issue I'm here to address today is often overlooked, yet is a critical aspect of privacy protection, namely the secure destruction and disposal of records that are no longer needed. Our mantra in NAID is that information is only as secure as the weakest link in its life cycle, and far too often little attention is paid to the end of a document's life cycle. We see evidence of this on almost a daily basis in the media, with reports of information being left intact and publicly accessible in dumpsters, recycling bins, and discarded electronic devices sent for reuse and recycling.
It's difficult to measure how pervasive this problem is, but NAID-Canada and our sister associations around the world have conducted investigations into unsafe destruction practices. Our first such investigation was in Toronto, in the GTA, in 2010, when NAID hired a private investigator to go dumpster diving and look for personal information. In that survey, 14% of the commercial dumpsters that we examined had personal information intact and easily accessible to the public. That exercise has since been repeated in Australia and Spain and has sparked national conversations in those countries around the failure to securely destroy information that's no longer needed.
As the world becomes increasingly paperless, the threat of unsafe destruction of information has become more complex. All the electronic devices that we store information on, and wiping those devices of that information when disposed of, has become a major privacy issue. As evidence of that, in April our U.S. association released the results of the largest-ever study looking for the presence of personally identifiable information on electronic devices sold in the second-hand market. It found an astonishing 40% of the devices sold through publicly available channels contained personally identifiable information. These are tablets, cellphones, PDAs, and hard drives.
I know the committee is interested in youth privacy protection, and there is perhaps no demographic more impacted by a failure to securely destroy information stored on electronic devices. The implications for anyone having their entire private life exposed if personal electronic records are breached are severe, but for youth more so. We recently received a letter from the Privacy Commissioner about a recycled devices study, and we agree with his assessment in this area, where much more education is needed, particularly with youth.
With destruction more generally, we've had many cases in Canada of sensitive personal files, including those related to youth, being breached through a failure to destroy personal information. This has included medical records and client files from the Children's Aid Society. Again such breaches are potentially devastating for all ages, but more so for youth.
This is just a snapshot of the problem. Let me turn to some solutions, which are detailed in our written submission that we made to the committee.
NAID-Canada believes that PIPEDA should include specific requirements that information must be destroyed when it's no longer needed, and that destruction should be defined in the legislation. Currently destruction is only a recommendation in PIPEDA, not an obligation. We believe that making it an obligation would force organizations to treat destruction more seriously. As for a definition, NAID-Canada defines “destruction” as “the physical obliteration of records in order to render them useless or ineffective and to ensure reconstruction of the information, or parts thereof, is not practical”. This definition applies both to paper and to electronic records as we believe the specificity of the definition is required in the legislation to ensure “destruction” is not left to interpretation.
Recycling, for example, is not destruction as records may remain intact and vulnerable to a privacy breach for extended periods of time.
Putting a destruction obligation into PIPEDA and defining the term are our two primary recommendations, and I should note that they were endorsed by this committee the last time it reviewed PIPEDA. The government, instead, felt the issue could be addressed with guidelines, and those guidelines have been developed. However, we still believe destruction should have legal weight behind it.
Building on that point, I would note that other jurisdictions impose significant fines for failing to properly destroy information. For example, a Missouri medical company was fined $1.5 million for leaving medical records in a public dumpster. In Canada, we have an epidemic of cases involving medical records in dumpsters. Perhaps we wouldn't if we had proper fines like those in the United States.
NAID-Canada supports fining and order-making powers for the Privacy Commissioner. Likewise, we support breach notification laws and look forward to their implementation here.
Finally, please let me close with a general comment about Canada's global standing in privacy protection. As our organization has branches around the world, we have considerable insight into that, albeit from our fairly limited perspective of information destruction. That said, Canada is falling behind. Other countries have been far more decisive in mandating safe information destruction, and the fines in the U.S. are punitive. The long delays in getting breach notification law into effect in Canada put us well behind many of our peers, though we are pleased to have seen the draft legislation to implement this law finally published earlier this month.
Also, we have noted the considerable attention paid during these hearings to the more aggressive general data protection regulation in the EU that will go into effect this year. European policy-makers have learned what all regulators eventually do—that clear, unambiguous direction and strong enforcement provisions are the only way to ensure the protection of personal information.
As we remind the committee, we service providers are subject to the same stronger penalties. Even so, we are willing to confront this increased liability because we realize it's better for everyone, and it's really the only solution.
In closing, let me state that we are sensitive to those who are concerned about compliance costs, and our members are businesses, so we get that. However, any smart business should already be securely destroying the information that's no longer needed since the financial and reputational risks of a breach are far greater than the costs of securely destroying the information.
That said, incidents related to a failure to safely destroy information keep happening, and it has been almost a decade since the last PIPEDA review. We think it's time to amend this legislation to include a secure destruction obligation and a definition of what that entails.
Thank you for your time, and I look forward to your questions.