The Privacy Commissioner of Canada today has tabled her annual report to Parliament on the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Canada'a private sector privacy law.
A large portion of the report is a description of an audit her office carried out of Staples following two complaints that the company had resold electronics without ensuring that personal data from the previous owner had been securely removed. Generally, she found they followed her guidance but she identified some remaining shortcomings.
The main lesson is that the Commissioner is getting more proactive and businesses need to be more vigilant. This is, to my recollection, the first time that her office has audited a business and it sounds like it was an extensive investigation. This, coupled with her request from Google that an independent, third party audit be undertaken suggests a stronger position than she has taken before. To top this off, she continues the discussion about whether she should be given order-making powers and the power to levy penalties. I think we're seeing a significant change from the Office of the Privacy Commissioner. The full report is here: Annual Report to Parliament 2010 - Report on the Personal Information Protection and Electronic Documents Act.