Every business in Canada has a seemingly endless stream of documents to deal with. Knowing how long to keep them – and when to get rid of them – can seem daunting, but here are some basic tips.
For this blog post, we’ll focus on three types of documents: information technology (IT), privacy and intellectual property (IP). At minimum, you should retain all documents discussed in this blog post for the length of time prescribed by applicable federal and provincial laws and regulations.
Your IT records will typically include contractual agreements with third-party vendors, IT policies, incident response plans, application development and documentation, records of system tests and audits, network access records and technical support requests, among other documents.
How long you retain these records will depend on various factors and we recommend consulting with your legal counsel to determine how long you should keep each type of record.
Any records you have containing personal information may be subject to Canadian privacy laws (for example, the Personal Information Protection and Electronic Documents Act (PIPEDA)), which include provisions on how long to retain personal information and what to do in the event of a data breach.
Here are some basic guidelines on managing privacy-related records:
- Personal information should be retained only for as long as is reasonably required for business or legal purposes. Data breaches have been made worse when organizations retain personal information for longer than reasonably required.
- Breach records should be kept for two years after the date you determined a breach occurred. PIPEDA requires you to maintain records of a data breach, and you may be required to report a breach to the Privacy Commissioner of Canada if it represents a real risk of significant harm.
- Privacy policies and related documents such as breach response plans, training manuals and third-party contracts should also be retained. Your legal counsel can advise you on the recommended retention periods for each of these documents.
There are five main types of IP: copyright, trademarks, patents, industrial designs and trade secrets. IP-related documents include application and registration forms, contracts and agreements with employees and third parties, and IP policies. Any records/documents/materials containing information related to one of the types of IP (or any other applicable IP) should generally be considered as a record falling within the category of IP or IP records.
Your legal counsel can advise you on the recommended retention periods for each type of IP record your organization possesses.
Why you need a retention policy
The retention periods described above are only a guide – how long you retain documents and how you go about destroying them requires a tailored approach. You may consider implementing a litigation hold as part of your retention policy to help you manage the risk of destroying records prematurely.
The lawyers at MLT Aikins have wide-ranging experience advising clients throughout Western Canada on their document retention and destruction policies. Failure to retain records for prescribed periods – and failure to destroy documents that are no longer needed – can have serious consequences for your business. Contact us to learn how we can help.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.