Protection of personal information34  An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
Limit Use, Disclosure and RetentionTo comply with this principle we will :

• Use or disclose personal information only for the purpose identified before or when it was collected, unless the individual consents to the new purpose, or the use or disclosure is authorized by the legislation
• Only use or disclose personal information for purposes that a reasonable person would deem appropriate  
• Keep personal information only as long as necessary to fulfill the purpose identified before or when it was collected
• Keep personal information that is used to make a decision about an individual for at least one year after using it so the individual has a reasonable opportunity access it
• Destroy, erase or make anonymous any personal information as soon as it is no longer required for a legal or business purpose