PIPEDA: Section 24 on retiring data-bearing media.
The Personal Data Protection Act 2012 obliges organisations to protect personal data with 'reasonable security'. When that data is held on retiring servers, drives, or laptops, 'reasonable security' has a specific shape. Here's what we deliver and how it maps to your evidence.
Reasonable security on disposal — what it means in practice.
Section 24 of PIPEDA requires organisations to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, modification, disposal, or similar risks. On disposal of data-bearing media, this typically means: documented destruction, chain of custody from pickup to destruction, and evidence that the destruction occurred.
The OPC (Personal Data Protection Commission of Canada) does not license or certify ITAD vendors. There is no PIPEDA-certification register for ITAD providers. What auditors look for is your evidence: did you choose a reasonable disposal method, did you document it, and can you produce the proof?
What's in your PIPEDA evidence pack
- Asset list pre-pickup with serial numbers, makes, models — proves what was disposed.
- Locked-transit log with GPS track and photo-confirmed transfers — proves chain of custody.
- NIST SP 800-88 + IEEE 2883-2022 method citation per device — proves the destruction was reasonable.
- Per-device wipe-log or shred batch ID — proves the destruction occurred.
- Two-operator destruction with witness sign-off — proves the destruction was supervised.
- Per-job Certificate of Destruction with PIPEDA Schedule 1, Principle 4.7 (Safeguards) alignment statement.
- Downstream recipient log: where any residual material went — proves no escape via the recycler chain.
Cross-border data flows on disposal.
If your retiring kit will be refurbished and remarketed across the North America region, Section 26 (Transfer Limitation) and the Cross-Border Privacy Rules conversation apply. The simple rule: data must be destroyed before the kit crosses any border. We do destruction Canada-side, by default, on every job. The hardware that crosses borders has had its data destroyed; the data does not cross.
Maxicom Canada — frequently asked
Does the OPC pre-approve ITAD vendors?
No. The Office of the Privacy Commissioner of Canada does not approve, license, or certify ITAD vendors. There is no register. What we offer is PIPEDA-aligned destruction documentation designed to support your PIPEDA Schedule 1, Principle 4.7 (Safeguards) evidence. If a vendor claims a regulator endorsement, ask to see the documentation.
How long should we retain the Certificate of Destruction?
PIPEDA itself does not set a fixed retention period for disposal evidence; in practice, retain it for as long as the underlying data was retained, typically 5–7 years. We retain a backup copy for the same period.