Questions & Answers

Do files that contain personal information need to be shredded or can an organization simply throw them away?

Under PIPA, organizations must use reasonable safeguards to protect personal information. This includes safeguards to ensure that records containing personal information are disposed of properly to prevent unauthorized parties from gaining access to the information. Shredding records containing personal information rather than placing them in a garbage can or recycling bin is considered the most effective method of destruction once the retention period is expired. Companies choosing to risk unauthorized access to customers’ personal information may find themselves in noncompliance with the Personal Information Protection Act.

Back