Create a comprehensive Canadian Data Retention Policy compliant with PIPEDA Principle 5, provincial privacy laws (PIPA BC, ATIPPA NL), CRA retention requirements, and the Canada Business Corporations Act. Covers retention schedules for employee, financial, customer, and health records, secure destruction, legal holds, and individual data rights.

What Is a Data Retention Policy (Canada)?

A Canadian Data Retention Policy is a formal document that establishes an organization's procedures for retaining, managing, and securely destroying personal information and business records in compliance with federal and provincial Canadian law. The policy specifies how long different categories of data will be kept, the legal basis for each retention period, the methods of secure destruction, and the responsibilities of personnel involved in data management.

In Canada, data retention is governed primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), which applies to organizations engaged in commercial activities across Canada. PIPEDA's Schedule 1 establishes ten fair information principles, of which Principle 5 (Limiting Use, Disclosure, and Retention) directly addresses data retention. This principle states that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected, and that personal information no longer needed should be destroyed, erased, or made anonymous.

The Income Tax Act (R.S.C. 1985, c. 1 (5th Supp.)), section 230, requires every person carrying on a business in Canada to keep records for at least 6 years from the end of the last tax year to which they relate. The Canada Revenue Agency (CRA) enforces this requirement and may extend it in specific circumstances. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) also imposes record-keeping obligations on federally incorporated companies.

At the provincial level, British Columbia (PIPA, S.B.C. 2003, c. 63), Alberta (PIPA, S.A. 2003, c. P-6.5), and Quebec (Act Respecting the Protection of Personal Information in the Private Sector) have enacted their own private-sector privacy legislation with similar retention and disposal obligations. Provincial health privacy laws, such as Ontario's PHIPA and Alberta's HIA, impose specific retention periods for personal health information.

When Do You Need a Data Retention Policy (Canada)?

A Data Retention Policy is needed by every Canadian organization that collects, stores, or processes personal information or business records. This includes businesses of all sizes operating in any sector across Canada.

Under PIPEDA Principle 1 (Accountability), organizations are required to designate an individual who is accountable for the organization's compliance with the privacy principles. Establishing a documented data retention policy is a fundamental component of this accountability obligation. The Office of the Privacy Commissioner of Canada (OPC) has repeatedly emphasized the importance of documented retention schedules in its guidance and investigation reports.

Organizations handling personal health information must comply with additional provincial requirements. Ontario's PHIPA requires health information custodians to retain records of personal health information for at least 10 years after the last entry. Similar requirements exist in Alberta, British Columbia, and other provinces.

The CRA requires all businesses to retain tax and financial records for at least 6 years from the end of the last tax year to which they relate. Destruction of these records before the 6-year period has run requires written permission from the CRA. Failure to maintain adequate records can result in penalties and in adverse assumptions being made against the business when the CRA assesses it.

A Data Retention Policy should be established when the organization commences operations and should be reviewed at least annually. It must be updated whenever there is a material change in applicable law, the organization's data processing activities, or its business operations. Quebec's Law 25 amendments, which took effect in stages from 2022 to 2024, have introduced additional retention and disposal requirements that organizations operating in Quebec must address.

What to Include in Your Data Retention Policy (Canada)

A comprehensive Canadian Data Retention Policy must address several essential elements to comply with the framework of federal and provincial data retention requirements.

The legal framework section should identify all applicable federal laws (PIPEDA, Income Tax Act, Canada Labour Code, Canada Business Corporations Act) and provincial privacy, employment standards, and limitations legislation. The scope should define what data and records are covered and who is subject to the policy.

The retention schedule is the core of the policy. It must specify maximum retention periods for each category of data, including employee records, financial and accounting records, customer and consumer data, and health information where applicable. Each retention period should reference the specific legal basis, including CRA requirements, provincial limitation periods, and PIPEDA Principle 5.

Secure destruction procedures must comply with PIPEDA requirements and OPC guidance. NIST SP 800-88 guidelines provide a recognized standard for electronic media sanitization. The policy should specify methods for destroying paper records, electronic records, and storage media, and should require a destruction log.

Legal hold procedures are essential. The policy must establish a process for suspending routine destruction when litigation, government investigation, OPC complaint, or access request is anticipated or pending. PIPEDA access requests under Principle 9 require the organization to retain relevant records until the request is resolved.
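The retention schedule, legal hold and destruction-log procedures described in the preceding paragraphs can be enforced mechanically. The following is an added example written for this page, not code from the policy template or from any product it describes. The six-year financial period (from the end of the last tax year) and the ten-year health period (after the last entry) are the periods stated on this page; the customer and employee periods, the record identifiers, dates, hold reference and approver name are constructed placeholders. The example goes slightly beyond the text by showing that a legal hold overrides the schedule and that early destruction of financial records is allowed only when CRA written permission is recorded.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple

# Retention periods in years by record category. "financial" (6 years from the end
# of the last tax year, ITA s. 230 / CRA) and "health" (10 years after the last
# entry, Ontario PHIPA) are the periods stated on this page. "customer" and
# "employee" are constructed placeholders: an organization sets and justifies
# those itself under PIPEDA Principle 5.
RETENTION_YEARS: Dict[str, int] = {"financial": 6, "health": 10, "customer": 2, "employee": 3}

# Sanitization methods the policy may reference: Clear, Purge and Destroy are the
# categories defined in NIST SP 800-88; "shred" is listed here for paper records.
SANITIZATION_METHODS = {"clear", "purge", "destroy", "shred"}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                      # day the retention clock starts
    legal_holds: Set[str] = field(default_factory=set)
    cra_written_permission: bool = False    # CRA consent to early destruction (financial only)


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February trigger falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record) -> date:
    """First day on which the record may be destroyed under the schedule."""
    return add_years(record.trigger_date, RETENTION_YEARS[record.category])


def evaluate(record: Record, today: date) -> str:
    """Return 'hold', 'retain' or 'eligible'. A legal hold always overrides the schedule."""
    if record.legal_holds:
        return "hold"
    if today >= retention_end(record):
        return "eligible"
    if record.category == "financial" and record.cra_written_permission:
        return "eligible"  # early destruction only with CRA's written permission
    return "retain"


def place_hold(record: Record, hold_id: str) -> None:
    """Suspend destruction for litigation, investigation, OPC complaint or access request."""
    record.legal_holds.add(hold_id)


def release_hold(record: Record, hold_id: str) -> None:
    record.legal_holds.discard(hold_id)


def destroy(record: Record, method: str, today: date, approved_by: str, log: List[dict]) -> dict:
    """Destroy a record only if eligible, and write the destruction-log entry the policy requires."""
    status = evaluate(record, today)
    if status != "eligible":
        raise PermissionError(f"{record.record_id}: status is {status!r}, destruction refused")
    if method not in SANITIZATION_METHODS:
        raise ValueError(f"unknown sanitization method {method!r}")
    entry = {
        "record_id": record.record_id,
        "category": record.category,
        "retention_end": retention_end(record).isoformat(),
        "destroyed_on": today.isoformat(),
        "method": method,
        "approved_by": approved_by,
        "cra_permission": record.cra_written_permission,
    }
    log.append(entry)
    return entry


def run_demo(today: date = date(2024, 1, 15)) -> Tuple[Dict[str, str], List[dict]]:
    """Evaluate a constructed set of records and destroy the eligible ones."""
    records = [
        Record("FIN-2017", "financial", date(2017, 12, 31)),    # 6 years elapsed
        Record("HLT-0042", "health", date(2016, 3, 15)),        # 10 years not yet elapsed
        Record("CUS-1001", "customer", date(2021, 6, 30)),      # past schedule, but held below
        Record("FIN-2020", "financial", date(2020, 12, 31), cra_written_permission=True),
        Record("EMP-0007", "employee", date(2022, 1, 1)),
    ]
    place_hold(records[2], "HOLD-PLACEHOLDER-001")  # constructed hold reference
    log: List[dict] = []
    statuses = {r.record_id: evaluate(r, today) for r in records}
    for r in records:
        if statuses[r.record_id] == "eligible":
            destroy(r, "purge", today, "privacy-officer", log)
    return statuses, log


if __name__ == "__main__":
    statuses, log = run_demo()
    print(statuses)
    for entry in log:
        print(entry)
```

The design point is that `destroy()` never trusts its caller: it re-evaluates the record at the moment of destruction, so a hold placed after a batch was scheduled still blocks the record, and every destruction produces a log entry carrying the retention basis, date, method and approver that an auditor or the OPC would ask for.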

Individual data rights must be addressed, including the right of access under PIPEDA Principle 9 and the right to challenge accuracy under Principle 6. The policy should describe the 30-day response timeline and the process for handling requests.

Responsibilities should be assigned to the privacy officer, department heads, and all employees. The policy review schedule, audit process, and consequences for non-compliance should be clearly stated. Breach notification obligations under the Breach of Security Safeguards Regulations (SOR/2018-64) should be referenced.

Frequently Asked Questions