The Privacy Commissioner of Canada has determined that Staples Canada failed to completely erase personal data from returned laptops that were resold. Following an analysis of laptops returned to four Staples stores in Ontario, it was discovered that 23 percent of the devices contained personal information such as names, email addresses, account details, email fragments, and partial facial images.
As a result of this finding, the Privacy Commissioner has instructed Staples to establish clear guidelines for wiping devices, enhance staff training, and engage an independent third party to perform annual spot checks on returned products within nine months. The investigation was initiated after a former Staples employee alleged that laptops were not consistently wiped clean upon return.
According to the complainant, some computers still contained the previous owner’s username and password, and in one instance, a resold laptop retained personal information from a prior user. The Privacy Commissioner noted that similar issues were identified during an audit of Staples in 2011, indicating persistent problems over a 15-year period.
