The federal privacy watchdog discovered that Staples Canada failed to completely erase personal data from returned laptops that were subsequently resold. According to the Office of the Privacy Commissioner of Canada, an examination of laptops returned by customers to four Staples stores in Ontario revealed that 23% of the devices contained personal information such as names, email addresses, account details, email snippets, and partial facial images.
As a result of the findings, Staples has been given a nine-month deadline to establish clear guidelines for data erasure, enhance employee training, and engage an independent third party for annual random checks on returned devices. The investigation was initiated following allegations by a former sales associate that laptops were not consistently wiped after being returned.
The complainant reported instances where computers retained the previous owner’s username and password, and in one case, a resold laptop still contained personal information from a previous user. Interestingly, the privacy commissioner noted that similar issues identified during a previous audit of Staples in 2011 persisted even after 15 years.
