The federal privacy watchdog has determined that Staples Canada failed to completely erase personal data from returned laptops that were later resold. According to the Office of the Privacy Commissioner of Canada, an examination of laptops returned to four Staples stores in Ontario revealed that 23% of the devices contained personal information such as names, email addresses, account details, email snippets, and partial facial images.
As a result of this finding, Staples has been directed to establish clear guidelines for data erasure, enhance employee training, and engage an independent third party for annual checks on returned devices within a nine-month period. The investigation was initiated following claims by a former Staples sales associate that laptops were not consistently wiped clean after being returned.
The complainant alleged instances where computers retained previous owners’ usernames and passwords on display, with at least one case reported of a resold laptop containing unerased personal information from a prior user. Notably, this recent inquiry by the privacy commissioner uncovered ongoing issues that were previously identified during a 2011 audit of Staples, indicating persistent challenges over a 15-year period.