The federal privacy watchdog discovered that Staples Canada failed to completely erase personal data from refurbished laptops before reselling them. According to the Office of the Privacy Commissioner of Canada, an examination of laptops returned to four Ontario Staples stores revealed that 23% of the devices contained personal information such as names, email addresses, account details, email fragments, and partial facial images.
Following this discovery, the privacy commissioner mandated Staples to establish clear guidelines for data erasure, enhance employee training, and engage an independent third party to perform annual checks on returned devices within nine months. The investigation was initiated after a former Staples employee claimed that laptops were not consistently wiped clean upon return.
The complainant reported instances where computers still displayed the previous owner’s login credentials, with one laptop even being resold with unerased personal data from a prior user. It was noted that similar concerns were raised during an audit of Staples in 2011, with the recent investigation revealing that some of these issues persisted over a 15-year period.