Staples Business Depot stores failed to fully wipe personal data — including passport numbers and tax records — from laptop computers and hard drives they resold, says the federal privacy watchdog.
Jennifer Stoddart said Tuesday the “long-standing problem” put customers’ personal information at risk.
Details of Stoddart’s audit findings were included in her annual report to Parliament on the federal privacy law for private-sector enterprises.
The audit involved tests on data storage devices — such as computers, laptops, USB hard drives and memory cards — that had undergone a “wipe and restore” process in preparation for resale by Staples.
Of the 149 data storage devices tested, over one-third, or 54 devices, still contained customer data — in some cases, highly sensitive personal information such as social insurance numbers, health card and passport numbers, academic transcripts, banking information and tax records.
Stoddart said that although Staples generally had good privacy practices, it did not meet its legal obligations.
“Our findings are particularly disappointing given we had already investigated two complaints against Staples involving returned data storage devices and the company had committed to taking corrective action,” Stoddart said in a statement.
“While Staples did improve procedures and control mechanisms after our investigations, the audit showed those procedures and controls were not consistently applied, nor were they always effective — leaving customers’ personal information at serious risk.”
The privacy commissioner recommended Staples review its procedures and processes for wiping data storage devices and implement better controls. “If Staples is unable to remove all customer data from a particular manufacturer’s device, it should not be reselling that device,” Stoddart said.
In response, Staples said it was testing means of fully removing data from returned products without damaging or destroying hard drives or operating systems.
Stoddart has asked Staples to provide an independent report by June 30 next year confirming how the company has fulfilled the audit recommendations.
In the last year, Stoddart also investigated a complaint against U.S.-based eHarmony, a major Internet dating site.
She expressed concern that eHarmony was not offering users the clear option of permanently deleting their profile information from the site.
The company has agreed to offer users this option and will keep personal information held in inactive accounts for just two years.