Watchdog: Staples Canada Breached Privacy Rules

June 22, 2011

Staples Canada Inc. has breached the country’s privacy law after repeatedly failing to wipe sensitive personal information from computers returned by customers and put back on shelves for resale.

In an annual report released Tuesday, Canada’s privacy watchdog released the results of an audit it conducted on the Canadian unit of the office supply retail chain.

“Customers’ personal information left on returned electronic devices was at risk at the end of our audit,” said Valerie Lawton, a spokeswoman for the Office of the Privacy Commissioner of Canada.

Seventeen out of 20 computers and laptops tested by the commissioner contained customer data. In total, the commissioner tested 149 devices — including hard drives and memory sticks — and found customer data on 54 of them. It detected faulty procedures for protecting private data at 15 out of 17 stores checked.

Banking information, credit card statements, social insurance numbers and passport numbers were among the personal information found, exposing people to potential identity theft and fraud, it said.

“Our position is that if Staples and other retailers can’t remove all customer data from a particular type of device, they should not be reselling that device,” Lawton said.

Lawton said Staples informed the privacy commissioner on Tuesday it had created and implemented a more effective method of wiping laptops and other computers of all customer data.

“Clearly, we haven’t had the opportunity to examine their new process,” she said.

In a statement, Staples said it had responded positively to all of the privacy commissioner’s recommendations well before the release of the audit and that it has adopted new practices as technology has evolved, exceeding the industry standard.

“Many of the issues covered in the audit represent industry-wide challenges. That is why Staples Canada supports the development of industry-wide standards for information protection,” it said.

As of the end of December, when the audit was completed, Staples had not yet found a method of wiping data that satisfied the privacy commissioner.

The commissioner decided to audit Staples for compliance with privacy laws after complaints led it to investigate the company’s practices in 2004 and 2008. There were reports of another incident involving the company in March 2009. The audit did not compare Staples with competitors in the industry.

Last year the privacy commissioner investigated a total of 249 complaints related to privacy concerns in the private sector, including complaints against major online players Facebook and Google.