ClearBreach

Personal Information Retention and Destruction Under Canadian Privacy Law

By Yong Du

How long Canadian private-sector organizations must keep personal information, when they must destroy it, and what secure destruction means under PIPEDA, Alberta PIPA, and BC PIPA.

The retention principle — what it requires

PIPEDA Principle 5 states that personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected. Alberta PIPA s.35 and BC PIPA s.35 impose equivalent obligations.

This principle creates two distinct obligations:

Minimum retention: You must keep personal information long enough to allow individuals to access information used to make decisions about them, and long enough to meet any applicable legal minimum retention requirement.

Maximum retention: You must destroy personal information once it is no longer needed for the purpose it was collected for — and in no case longer than any applicable maximum under other law.

These obligations are separate. Meeting one does not satisfy the other. An organization that destroys records before a legal minimum is met violates the minimum. An organization that holds records indefinitely after the purpose is served violates the maximum. A functioning retention program addresses both.


Step 1 — Map what personal information you hold and why

Before you can build a retention schedule, you need to know what personal information your organization holds, where it is, and what purpose it was collected for. This inventory is the foundation of your retention program.

For each category of personal information, document:

  • What it is (customer names and contact information, employee payroll records, client financial files, etc.)
  • Where it is stored (CRM, accounting system, email, physical files, cloud storage)
  • Why it was collected (to deliver the service, to process payroll, to comply with a legal obligation)
  • Any legal minimum retention period that applies to it
  • Who is responsible for managing it

If you cannot answer these questions for a category of personal information your organization holds, that is a compliance gap — not a reason to defer the exercise.


Step 2 — Apply the retention framework

For each category of personal information, your retention period is determined by the longer of:

  1. The legal minimum — the minimum required by any applicable law (tax, employment, limitation period, sector-specific regulation)
  2. The operational necessity period — the time the information is actively needed for its original purpose

Once both of those periods have expired, destruction is required.

Record type                                                        | Minimum retention                                                   | Legal basis
-------------------------------------------------------------------|---------------------------------------------------------------------|------------------------------------------------------------
Tax records (income, GST/HST, payroll)                             | 6 years from end of tax year                                        | Income Tax Act s.230; Excise Tax Act s.286
Employment records (general)                                       | 2–3 years after employment ends                                     | Provincial employment standards — varies by province
Payroll records                                                    | 6 years                                                             | Income Tax Act
Breach of security safeguard records                               | 24 months from date of breach                                       | PIPEDA Breach of Security Safeguards Regulations s.9
Personal information used to make a decision about an individual   | Long enough to allow the individual to access it after the decision | PIPEDA Principle 5 guidance
Limitation period for contract/tort claims                         | 2 years (Alberta, BC — from discovery)                              | Limitations Act (AB); Limitation Act (BC)
Health records (health professionals)                              | 10 years minimum (common practice); varies by province and sector   | Provincial health legislation
Corporate/shareholder records                                      | Permanently                                                         | Business Corporations Act

Alberta employment records: Alberta Employment Standards require records to be kept for 3 years from the date the record was created or the date the employee ceased to be employed, whichever is later.

BC employment records: BC Employment Standards require records to be kept for 7 years after the record is created for active employees; after termination, records must be kept for 4 years from the date of the last entry.


Step 3 — Document your retention schedule

A retention schedule is a written document that specifies, for each category of personal information, how long it is kept and what triggers destruction. It does not need to be complex — it needs to be consistent and applied.

Minimum schedule structure:

Category                               | Retention period               | Trigger for destruction        | Storage location  | Owner
---------------------------------------|--------------------------------|--------------------------------|-------------------|------------
Customer contact information           | Duration of relationship + 2 years | 2 years after last transaction | CRM               | [Name/role]
Employee payroll records               | 6 years from end of tax year   | End of 6th calendar year       | Accounting system | [Name/role]
Job application records (unsuccessful) | 1 year from application date   | 1 year after rejection         | HR folder         | [Name/role]
Breach records                         | 24 months from discovery       | 24 months from discovery date  | Compliance folder | [Name/role]

A retention schedule should be reviewed annually and updated when new categories of personal information are introduced, when a legal minimum changes, or when a business process changes.


Step 4 — Implement a destruction process

Retention schedules only work if destruction actually happens. Assign a named person responsibility for executing destruction on schedule and document each destruction event.

Digital records

What counts as secure destruction:

  • Secure deletion software that overwrites data (e.g., DoD 5220.22-M standard or equivalent) — not standard file deletion or emptying the Recycle Bin. Note that overwriting is unreliable on SSDs and flash media because wear levelling can leave copies of the data in blocks the software never touches; for those drives use the manufacturer's built-in secure-erase or cryptographic-erase function, or physical destruction
  • Physical destruction of storage media (hard drives, SSDs, USB drives) — shredding, degaussing, or incineration
  • Verified destruction by a certified data destruction service with documentation

What does not count:

  • Moving files to Trash and emptying it — data remains on disk and is recoverable
  • Deleting a record from a database without purging backup copies that contain the same record
  • Deactivating an account without purging the underlying personal data

Cloud and SaaS platforms: When you close an account or terminate a subscription with a cloud vendor, confirm in writing whether the vendor deletes your data and on what timeline. Many platforms retain data for 30–90 days post-termination before deleting. Your retention obligation extends to vendor-held data.

Paper records

What counts as secure destruction:

  • Cross-cut shredding (confetti-sized fragments)
  • Micro-cut shredding
  • Incineration
  • Certified third-party document destruction with a certificate of destruction

What does not count:

  • Strip-cut shredding — strips can be reassembled; not adequate for sensitive personal information
  • Recycling unshredded documents
  • Placing documents in general trash

Certificates of destruction

If you use a third-party service for digital or physical destruction, obtain a certificate of destruction for each destruction event. The certificate should identify: the vendor, the date of destruction, the media or document categories destroyed, and the destruction method used. Retain certificates as part of your compliance records.

Legal holds

A legal hold is a suspension of your normal retention schedule for records relevant to actual or reasonably anticipated litigation, a regulatory investigation, or a formal legal proceeding. When a legal hold applies, you must preserve the relevant records even if your retention schedule would otherwise require destruction.

Legal holds are typically initiated by legal counsel. Once counsel notifies you that a hold applies, preserve the identified records until counsel confirms the hold is lifted.

Do not destroy records after you have reason to believe litigation is likely or after you receive a legal demand. Destruction after a hold attaches may constitute spoliation of evidence and creates significant legal risk beyond the privacy compliance issue.


Special cases

Anonymization as an alternative to destruction. If personal information has ongoing analytical value but the individual's identity is no longer needed, anonymization — removing all direct and indirect identifiers such that re-identification is not reasonably possible — is an alternative to destruction. Anonymized information is no longer personal information under PIPEDA or the provincial PIPAs and is no longer subject to the retention and destruction obligations. However, true anonymization is technically demanding; pseudonymization (replacing names with codes while keeping a key) is not anonymization and does not remove the obligation.

Archiving. Archiving personal information does not satisfy the destruction obligation. Archived records remain personal information subject to retention and access obligations. Archiving is a storage decision, not a compliance decision. If information is archived for longer than its retention period permits, it is being retained in violation of PIPEDA.

Data collected for multiple purposes. If personal information was collected for more than one purpose and one purpose has ended while another continues, you may retain the information for the continuing purpose — but not beyond that. Document the remaining active purpose and the new expected destruction date.
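As an added illustration (not part of this guide), the following Python snippet evaluates a retention schedule the way Steps 2 and 3, the legal-hold rule, and the multiple-purposes case above describe: the destruction date is the later of the legal minimum and the operational period, a still-active purpose or a legal hold blocks destruction, and a category with no documented purpose is flagged as the Step 1 gap rather than kept by default. Category names, periods and dates are constructed samples, not real records.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Purpose:
    name: str
    ended_on: Optional[date] = None   # None: purpose still active

@dataclass
class Category:
    name: str
    legal_minimum_years: int          # statutory minimum, 0 if none applies
    legal_clock_start: date           # e.g. end of tax year, date of breach
    purposes: list = field(default_factory=list)
    keep_after_end_years: int = 0     # operational tail ("relationship + 2 years")
    legal_hold: bool = False          # set by counsel; suspends the schedule

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                # 29 Feb rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)

def evaluate(cat: Category, today: date):
    """Return (status, destruction_due). undocumented: no purpose recorded;
    hold: legal hold attached; active: a purpose is still ongoing;
    retain / destroy: all purposes ended, due date not yet / already reached."""
    if not cat.purposes:
        return "undocumented", None
    if cat.legal_hold:
        return "hold", None
    if any(p.ended_on is None for p in cat.purposes):
        return "active", None
    legal_end = add_years(cat.legal_clock_start, cat.legal_minimum_years)
    purpose_end = add_years(max(p.ended_on for p in cat.purposes), cat.keep_after_end_years)
    due = max(legal_end, purpose_end)  # the longer of the two periods governs
    return ("destroy" if today >= due else "retain"), due

# Constructed sample schedule; names and dates are illustrative only.
SAMPLE = [
    Category("payroll records", 6, date(2018, 12, 31),
             [Purpose("process payroll", date(2019, 3, 1))]),
    Category("customer contact info", 0, date(2022, 1, 1),
             [Purpose("deliver service", date(2022, 6, 30)),
              Purpose("warranty support")], keep_after_end_years=2),
    Category("former client file", 2, date(2021, 5, 1),
             [Purpose("deliver service", date(2021, 5, 1))], legal_hold=True),
]
```

Run `evaluate(cat, date.today())` over each category on the review date; anything returning "destroy" is due for the Step 4 process, and anything returning "undocumented" goes back to Step 1.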


Common mistakes

No retention schedule at all. The most common gap in SMB privacy programs. Without a schedule, personal information accumulates indefinitely by default. The OPC expects to see a documented retention policy as part of a functioning privacy program.

Keeping information "just in case." Speculative future need is not a purpose under PIPEDA. If you cannot articulate what specific, current use you have for personal information you are holding, you likely should not be holding it.

Deleting database records without purging backups. A record deleted from a production database often still exists in backup copies. If your backup retention exceeds your data retention period for a category of personal information, your backups are retaining the data beyond its permitted period. Align backup retention periods with your data retention schedule, or implement a process to purge specific records from backups when required.

Failing to obtain certificates of destruction. If a third-party destruction service mishandles records, you need to demonstrate due diligence — that you engaged a reputable service and received confirmation of destruction. Certificates of destruction are that evidence.

Not reviewing the retention schedule after a system change. When you migrate to a new CRM, change payroll providers, or onboard a new SaaS platform, your existing retention schedule may not account for where data now lives. Review your schedule whenever your data landscape changes.

This guide covers retention and destruction obligations under PIPEDA, Alberta PIPA, and BC PIPA for private-sector organizations. Sector-specific legislation — the Health Information Act (AB), PHIPA (ON), the Income Tax Act, Employment Standards legislation — may impose additional minimum retention requirements. Quebec's Act respecting the protection of personal information in the private sector (Law 25) is not covered here.

Frequently asked questions

How long do I have to keep personal information under Canadian privacy law?

There is no single universal retention period. PIPEDA Principle 5 requires that personal information be kept only as long as necessary for the purpose for which it was collected. Other laws — the Income Tax Act, employment standards legislation, limitation periods — impose their own minimum retention periods that override PIPEDA's 'no longer than necessary' principle when they apply. You must hold personal information at least as long as any applicable legal minimum, and no longer than is necessary for your stated purpose, unless a legal hold or other obligation requires extended retention.

What does 'necessary for the purpose' mean in practice?

It means the personal information is still actively needed to deliver the service it was collected for, to fulfill a legal obligation, or to allow an individual to exercise their right of access to a decision made about them. Once a customer relationship ends, an employment relationship terminates, or a transaction is complete, the personal information collected for that purpose no longer has an active use — and the retention clock starts running toward destruction. 'We might need it someday' is not a purpose under PIPEDA.

Can I keep personal information indefinitely just in case?

No. Indefinite retention of personal information that is no longer needed for its original purpose is a PIPEDA violation. The OPC has found against organizations that retained personal information for years beyond the end of the relationship with no documented purpose. You must have a documented retention schedule and apply it consistently. If you identify a new legitimate purpose for information originally collected for a different purpose, the new purpose must be documented and consent re-obtained if required.

What does secure destruction mean?

Secure destruction means making personal information permanently unrecoverable. For digital records, this means secure deletion that overwrites data (not just moving files to the Recycle Bin), degaussing, or physical destruction of storage media. For paper records, this means cross-cut or micro-cut shredding or incineration — not strip-cut shredding, which can be reassembled, and not regular recycling. If you use a third-party destruction service, obtain a certificate of destruction. Secure deletion software, not standard file deletion, is required for digital media.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.