The federal privacy watchdog discovered that Staples Canada failed to completely erase personal data from returned laptops that were subsequently resold. The Office of the Privacy Commissioner of Canada reported that upon examining laptops returned by customers to four Staples stores in Ontario, 23% of the devices contained personal information such as names, email addresses, account details, email fragments, and partial facial images.
In response, the privacy commissioner has mandated that Staples establish clear guidelines for data erasure, enhance employee training, and engage an independent third party to conduct annual spot checks on returned devices within a nine-month timeframe.
This investigation was initiated after a former Staples sales associate alleged that laptops were not consistently wiped clean upon return. The complainant highlighted instances where the previous owner’s username and password were still visibly displayed on the device. Additionally, there was a case where a resold laptop still contained personal information from a previous user.
Notably, the privacy commissioner had previously audited Staples in 2011 due to similar concerns, and the recent investigation revealed that some of these issues persisted even after 15 years.
