Data Retention Requirements for Cannabis Licensed Producers in Canada
Nothing in this article is intended to be considered legal advice. All contents and opinions belong exclusively to the author and do not reflect the opinions of her employer(s).
When determining how long your company is legally required to store records, it is necessary to understand the business area in which you operate. Based on my experience, most people assume that the Personal Information Protection and Electronic Documents Act (PIPEDA) is the applicable legislation, without considering that their industries may be governed by different acts and/or regulations.
Cannabis licensed producers in Canada are subject to several pieces of legislation with regard to privacy matters and record retention:
- The Cannabis Act;
- The Cannabis Regulations (SOR/2018-144);
- The relevant Health legislation: Ontario, New Brunswick, Newfoundland, and Nova Scotia have health legislation that is deemed substantially similar to PIPEDA; therefore those acts are applicable depending on the province in which your business operates or from which it collects data;
- If the company operates in British Columbia, Quebec or Alberta, or the personal information comes from those provinces, PIPEDA wouldn't generally apply because those provinces have privacy acts that are deemed substantially similar to PIPEDA;
- PIPEDA: For personal information in provinces other than British Columbia, Quebec or Alberta and in relation to personal health information in provinces other than Ontario, New Brunswick, Newfoundland, and Nova Scotia, PIPEDA should be considered the baseline.
- The Income Tax Act has a six-year record retention period (general rule).
The Cannabis Act states that a holder of a license must retain the records mentioned below for at least 2 years. The Personal Health Information Act (Ontario) states that health records containing personal information must be retained for as long as needed to allow the individual to exercise their right to request access (admittedly, this is not very precise), and PIPEDA allows the organization, at its discretion, to either destroy, erase, or anonymize the information when it is no longer needed to fulfill the purposes of collection.
What is clear is that licensed producers should have their own data retention policy.
The Cannabis Act And Regulations
Section 302 of the Cannabis Act states:
(1) A holder of a licence for sale must retain
(a) each registration application that they receive under subsection 279(1), together with
(i) in the case of an application that is based on a medical document, the original of the medical document or, in the case where the medical document has been returned under subsection 284(6) or 286(6) or transferred under subsection 287(1), a copy of it that includes, if applicable, the information referred to in section 288, and
(ii) in the case of an application that is based on a registration certificate, the copy of the certificate;
(b) a copy of each registration document that they provide under paragraph 282(2)(a) and of each updated registration document that they provide under subsection 285(4);
(c) each amendment application referred to in section 285 that they receive;
(d) a copy of each notice that they send or provide under subsection 284(3), (5) or (7), 286(3), (5) or (7), 290(3) or 291(3);
(e) each notice referred to in paragraph 291(1)(a) or (b) that they receive; and
(f) each notification referred to in paragraph 284(1)(g) or 286(1)(e) that they receive.
(2) The documents referred to in subsection (1) must be retained
(a) in the case of documents referred to in paragraphs (1)(a), (c), (e) and (f), for at least two years after the day on which they are received; and
(b) in the case of the copies referred to in paragraphs (1)(b) and (d), for at least two years after the day on which the registration document or notice was provided or sent.
Sections 13 and 14 of the Ontario Personal Health Information Act (PHIPA) state:
Handling of records
13 (1) A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 13 (1).
Retention of records subject to a request
(2) Despite subsection (1), a health information custodian that has custody or control of personal health information that is the subject of a request for access under section 53 shall retain the information for as long as necessary to allow the individual to exhaust any recourse under this Act that he or she may have with respect to the request. 2004, c. 3, Sched. A, s. 13 (2).
Further to the above, sections 221 to 226 of the Cannabis Regulations Act contain a 2-year retention period from the time the documents are prepared.
According to PIPEDA's Principle #5 - Limiting Use, Disclosure, and Retention:
"Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes."
Further to the above, the Privacy Commissioner's Principles and Best Practices for Retention and Disposal of Personal Information say:
"A specifically identified purpose is often a clear indicator of how long this information needs to be retained. There is no "one size fits all" retention period. For some organizations, there is a legislative requirement to keep information for a certain amount of time. In other instances, there may be no legislative requirement, and an organization needs to determine the appropriate retention period.
In assessing what is the appropriate retention period and whether it is time to dispose of personal information, an organization should consider the following points:
- Reviewing the purpose for having collected the personal information in the first place is generally helpful in assessing how long certain personal information should be retained.
- If personal information was used to make a decision about an individual, it should be retained for the legally required period of time thereafter – or other reasonable amount of time in the absence of legislative requirements – to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision.
- If retaining personal information any longer would result in a prejudice for the concerned individual, or increase the risk and exposure of potential data breaches, the organization should consider safely disposing of it."
In conclusion, it is important that you understand what legislation is applicable to your company in order to create your data retention policy.