22. Privacy Operations
22.1 Purpose
Ensure Applications support lawful, minimal, and transparent processing of personal information (PI) and enable CLD to meet obligations under PIPEDA and Quebec Law 25, including retention/deletion and data subject rights.
22.2 Data minimization and purpose limitation
Applications must collect and process only the PI necessary for the stated business purpose. New purposes, sensitive data types, or expanded sharing require prior approval and, where applicable, a DPIA (Section 22.7).
22.3 Retention and secure deletion
Define and implement retention periods for each PI artifact the Application stores (e.g., claim records, photos, communications). Upon retention expiry or upon an approved request, the Application must support secure deletion:
- Primary stores: hard delete or cryptographic erasure (crypto‑shred) so the data cannot be recovered. Crypto‑shred only qualifies when the data was encrypted under a key specific to the record or subject and that key is destroyed everywhere it was held (key store, key backups, caches): destroying a shared key deletes everyone's data, and leaving one copy of the key deletes nothing.
- Derived/replicated data: purge thumbnails, caches, search indexes, analytics extracts and any other copy generated from the primary record; these are usually stored in clear and are not covered by shredding the primary record's key.
- Backups: purge on the next scheduled cycle and document when deletion will be fully realized (i.e., when the last backup containing the data expires).
PENDING: Retention targets — claim photos: __; claim documents: __; customer communications: __. Confirm crypto‑shred requirement.
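The following is an added example (not code from the original page or from any CLD system) of what the three bullets above mean in practice: each claim record is encrypted under its own data‑encryption key (DEK), so deleting that key renders the primary copy unrecoverable, while thumbnails and search‑index entries derived from the record are stored in clear and must be purged separately. The class and field names (KeyVault, ClaimStore, photo, description) are assumptions for illustration; the stdlib HMAC‑based cipher stands in for AES‑GCM with a KMS‑wrapped DEK, which is what a real deployment would use.

```python
"""Per-record crypto-shred plus purge of derived copies (illustrative, stdlib only)."""
import hashlib
import hmac
import json
import secrets

# The cipher below (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC) keeps the example
# dependency-free. In production use AES-GCM with per-record DEKs wrapped by a KEK held in a KMS.


def _subkey(dek: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the record DEK."""
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyVault:
    """One DEK per record (hypothetical stand-in for a KMS). Shredding = deleting the DEK."""

    def __init__(self):
        self._deks = {}

    def new_dek(self, record_id: str) -> bytes:
        self._deks[record_id] = secrets.token_bytes(32)
        return self._deks[record_id]

    def get(self, record_id: str):
        return self._deks.get(record_id)

    def shred(self, record_id: str) -> None:
        self._deks.pop(record_id, None)


class ClaimStore:
    """Primary store holds ciphertext only; thumbnails and the index are derived, clear-text copies."""

    def __init__(self, vault: KeyVault):
        self.vault = vault
        self.primary = {}       # record_id -> encrypted JSON blob
        self.thumbnails = {}    # record_id -> derived thumbnail (clear text)
        self.search_index = {}  # term -> set of record_ids (clear text)

    def store(self, record_id: str, claim: dict) -> None:
        dek = self.vault.new_dek(record_id)
        self.primary[record_id] = encrypt(dek, json.dumps(claim).encode())
        self.thumbnails[record_id] = claim["photo"][:8]  # stand-in for a generated thumbnail
        for term in claim["description"].lower().split():
            self.search_index.setdefault(term, set()).add(record_id)

    def read(self, record_id: str):
        dek = self.vault.get(record_id)
        if dek is None or record_id not in self.primary:
            return None  # no key: the ciphertext is unrecoverable
        return json.loads(decrypt(dek, self.primary[record_id]))

    def derived_copies(self, record_id: str) -> dict:
        """What still exists outside the primary store for this record."""
        terms = {t for t, ids in self.search_index.items() if record_id in ids}
        return {"thumbnail": record_id in self.thumbnails, "index_terms": terms}

    def delete(self, record_id: str) -> None:
        self.vault.shred(record_id)           # crypto-shred the primary copy
        self.primary.pop(record_id, None)     # and hard-delete the ciphertext where possible
        self.thumbnails.pop(record_id, None)  # derived copies need their own purge
        for ids in self.search_index.values():
            ids.discard(record_id)
        self.search_index = {t: ids for t, ids in self.search_index.items() if ids}
```

Calling only `vault.shred()` makes `read()` return nothing but leaves the thumbnail and index entries readable; that gap is exactly why the derived/replicated bullet exists. Backups are not modelled here: a backup that still holds the DEK defeats the shred, so key backups must follow the same purge schedule that is documented for data backups.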
22.4 Access controls and masking
Enforce least privilege for PI. Default to masked or redacted views for roles that do not require full PI. Support field‑level segregation when needed (e.g., phone/email visible to Support; address only to Shipping). Administrative exports must be role‑restricted and logged.
22.5 Subject‑rights enablement
Applications must enable CLD to respond to data subject requests within required timelines:
- Access: export an individual’s data in a structured, commonly used format, with context (systems, processing purposes).
- Correction: update or annotate inaccuracies across systems of record.
- Deletion: delete PI (or de‑identify) unless a documented legal/business exemption applies; log reasons for exemptions.
- Restriction/objection (where applicable): provide a mechanism to flag and temporarily restrict processing pending review.
Requests must be traceable from receipt to completion, with logged evidence of the actions taken and dates. Where built‑in features are not feasible, vendors must provide documented procedures and support SLAs. PENDING: Response timelines (e.g., __ days); export format(s); vendor support SLA
22.6 Audit logging for privacy events
Log privacy‑relevant events: exports, bulk views, admin reads, data corrections, deletions, and retention changes. Each event must record who (actor and role), when, where (source system or address), what (action, record identifiers, fields touched) and the outcome (success or denied), and must carry the request or ticket identifier so it can be correlated to the request record. Log identifiers and field names, never field values, so the audit trail does not itself become a store of PI; retain event logs per the security logging baseline. PENDING: Log retention months confirmation
22.7 DPIA triggers and workflow
A Data Protection Impact Assessment is required before implementation when:
- New or significantly changed processing of PI is introduced (e.g., new data categories, new purpose).
- Cross‑border storage or access to PI is proposed (residency exception).
- High‑risk processing is involved (e.g., large‑scale image processing with location metadata, automated decision‑making).
The DPIA must describe processing purposes, data flows and recipients (including subprocessors), lawful basis, minimization, retention and deletion, security controls, transfer safeguards, and residual risks. Legal/Privacy reviews and approves the DPIA before design proceeds. PENDING: DPIA template and approval workflow link
22.8 Cross‑border transfers
PI must remain in Canada by default. Any cross‑border storage or access requires an approved residency exception (Section 9), a DPIA (22.7), and documented technical (encryption with Canadian key custody, audit logging, access controls) and contractual safeguards (data‑processing terms, audit/breach rights, deletion on exit). PENDING: Prohibited jurisdictions list; approval chain
22.9 Third‑party and subprocessor privacy
Vendors must disclose subprocessors that will access PI and obtain CLD approval prior to use. Contracts must flow down privacy obligations (purpose limitation, minimization, retention, deletion/return, breach notification, data subject rights cooperation, audit). Vendors must provide annual privacy/security attestations (e.g., SOC 2 with Privacy) and action plans for deficiencies within 30 days.
22.10 Privacy incident handling
Suspected or confirmed privacy incidents (improper collection, use, disclosure, retention, disposal) must be reported immediately to CLD and handled under the Incident Response Policy/Plan. Vendors must preserve evidence, assist with containment and root cause analysis, and support regulatory notifications and communications as directed. PENDING: Written notification SLA (e.g., immediate + written within __ hours)
22.11 Documentation and transparency
Maintain current records of processing for PI the Application handles: purposes, categories, recipients (including subprocessors), retention periods, transfer locations, key controls (encryption, access, logging), and contact details for privacy inquiries. Provide an admin‑readable summary to CLD and update upon material changes. PENDING: Repository/path for records of processing
22.12 Exceptions
Any deviation from privacy requirements (e.g., temporary retention extension, delayed deletion due to legal hold) requires a documented exception with scope, rationale, legal basis, compensating safeguards, owner, Legal/Privacy review, ISO recommendation, Executive Sponsor approval, and expiry.