Proudly Canadian Owned & Operated
infoshred logo
Get a Free Estimate

What Is a Certificate of Destruction – and Why You Need One After Shredding

When a shredding truck pulls away, one question matters: what proof do you have that your documents were actually destroyed? For most businesses, the answer should be a certificate of destruction. This is a written record that confirms what was shredded, when it was shredded, and by whom. Without it, a privacy audit can put your business in a difficult position.
Many businesses assume the invoice is enough. It is not. A certificate of destruction is a separate document. It serves a specific legal function.
This article explains what the certificate contains, why Canadian law requires you to keep one, and how to make sure you receive one every time. Whether you run a medical clinic, a legal practice, or a small office, this documentation protects you.

What Is a Certificate of Destruction for Shredding?

A certificate of destruction is a written record provided by a shredding company after completing a job. It confirms the date of destruction, the quantity or weight of material destroyed, the method used (on-site or off-site shredding), and the name of the authorized service provider. For businesses, this document is the official audit trail that demonstrates compliance with privacy regulations such as PIPEDA and BC PIPA. A valid certificate must include a company seal or authorized signature and should be retained with your records management files.
Need a certificate of destruction with every job? See how our document shredding service works.

What a Certificate of Destruction Actually Contains

Not all shredding receipts are the same. A proper certificate of destruction is a specific document – not just a billing receipt. Knowing the difference helps you choose the right provider.
A valid certificate of destruction, as defined under NAID AAA certification standards, includes all of the following:4
  • Date and time of the destruction
  • Description of materials destroyed (type, volume, or weight)
  • Destruction method: on-site mobile shredding or off-site plant shredding
  • Name of the service provider and an authorized signature or company seal
  • A unique job or certificate reference number
Use the table below to confirm what your provider gives you:
What to Look For
Red Flag if Missing
Date and time of destruction
No timestamp means the record is incomplete
Material description (type and volume)
Vague descriptions will not satisfy a regulatory audit
Destruction method specified
Without this, the method of compliance cannot be confirmed
Authorized signature or company seal
Unsigned certificates carry no legal standing
Unique certificate reference number
No reference number makes future retrieval difficult
The certificate should be delivered by email or PDF on the day of the job. If a vendor only hands you an invoice, that is not sufficient documentation for a compliance audit.
INFOshred provides a signed certificate of destruction with every completed job. Clients receive it by email on the same business day as the service. Confirm your documentation process before you book – request a shredding quote today.

Why Canadian Businesses Are Required to Keep One

Privacy law in Canada places accountability on organizations that handle personal information. That accountability does not end when the documents leave your office. It extends to how those documents are destroyed. Under PIPEDA Principle 4.7, organizations must dispose of personal information in a manner that prevents unauthorized access or use. The Office of the Privacy Commissioner of Canada confirms that organizations remain accountable for personal information even when a third party handles its destruction.1
BC-based businesses are also subject to BC PIPA, which carries parallel requirements. The Office of the Information and Privacy Commissioner for BC expects organizations to retain records of how personal information was disposed of. A certificate of destruction is the primary evidence that satisfies this obligation.2
Under PIPEDA, BC PIPA, and applicable professional regulations, industries with heightened destruction documentation requirements include:
  • Healthcare: medical clinics, dental offices, physiotherapy practices
  • Legal services: law firms, notaries, paralegals
  • Financial services: accountants, mortgage brokers, financial advisors
  • Human resources and payroll providers
  • Real estate offices
Important: Some documents must never be destroyed without a proper record. Tax records must be retained for a minimum of six years under CRA guidelines before destruction is considered. The certificate of destruction is the proof that this retention period was respected before disposal.3

On-Site vs. Off-Site Shredding – Does It Change the Certificate?

The type of shredding service you use affects how and when you receive your certificate. Both on-site and off-site shredding can be audit-compliant. The process is different, however.
 
Details
On-Site
Destruction happens at your location. You can witness the process. Certificate issued the same business day. Best suited for high-sensitivity materials.
Off-Site
Documents are transported to a shredding plant. Chain of custody documentation is required before the certificate is issued. Certificate arrives after the plant confirms destruction. Suitable for large-volume, lower-sensitivity documents.
For businesses handling confidential client files, on-site shredding provides an added layer of assurance. You watch the destruction happen. The certificate follows on the same business day.
The Office of the Privacy Commissioner of Canada recommends that when using a third-party contractor, organizations confirm the provider has verifiable credentials and can guarantee both a secure transfer of records and a destruction method that matches the sensitivity of the material. Importantly, the organization remains responsible for the information even after handing it to a contractor.5
Chain of custody documentation is required for off-site destruction to be considered audit-defensible. This means the provider must record every handoff from your premises to the shredding plant. NAID AAA certification, governed by i-SIGMA, sets the standard for what this documentation must include.4
INFOshred operates mobile shredding units that come directly to your location. Certificates are issued on the same business day as the shred.
Want to watch your documents shredded at your location? Request a shredding quote today.

Common Mistakes Businesses Make Around Destruction Records

Many compliance gaps are not caused by bad intentions. They come from small habits that go unchecked. Here are five common mistakes around certificate of destruction records – and how to avoid each one.
  1. Treating the invoice as proof of destruction. An invoice confirms you paid for a service. It does not confirm the documents were destroyed. Always ask for a separate certificate.
  2. Using a vendor who does not include a certificate as standard. Some low-cost providers do not offer documentation. If it is not included by default, that is a clear warning sign.
  3. In-house shredding with no documentation trail. Office shredders do not produce a certificate. For regulated industries, they rarely meet the security standard required for compliance.
  4. Not knowing how long to keep the certificate. The CRA recommends retaining business records for a minimum of six years. A certificate of destruction is a business record. Keep it for at least that long.3
  5. Mixing non-sensitive material to reduce shredding volume. This can push genuinely sensitive documents into uncontrolled waste streams. Err on the side of shredding more, not less.

How to Request a Certificate of Destruction From Your Shredding Provider

Getting the right documentation starts before the shredding truck arrives. Use this checklist before you book:
  1. Ask if the certificate is included as standard. Some providers charge extra or only provide one on request. A reputable provider includes it automatically.
  2. Confirm the delivery format. Ask whether the certificate will arrive by email, PDF, or physical copy. Digital delivery is easiest for records management.
  3. Provide accurate information for the certificate. The provider needs your business name, contact person, volume or number of boxes, and the service date.
  4. Confirm NAID AAA certification. A certificate from a NAID AAA-certified provider carries more weight in a compliance audit. i-SIGMA governs this certification and publishes a directory of certified members at isigmaonline.org.4
If a vendor refuses to provide a certificate, or cannot tell you what their certificate of destruction includes, that is a clear signal to book elsewhere.
INFOshred holds NAID AAA certification and provides a certificate of destruction with every job. Learn more about our mobile paper shredding in Vancouver and what to expect on service day.

References

1. Office of the Privacy Commissioner of Canada. PIPEDA – Principle 4.7 Accountability and Safeguards. priv.gc.ca
2. Office of the Information and Privacy Commissioner for BC. BC PIPA – Disposal of Personal Information. oipc.bc.ca
3. Canada Revenue Agency. Keeping Records – Retention Period for Business Records. canada.ca/en/revenue-agency
4. i-SIGMA (formerly NAID). NAID AAA Certification Standards. isigmaonline.org
5. Office of the Privacy Commissioner of Canada. Personal Information Retention and Disposal: Principles and Best Practices. priv.gc.ca
Facebook
Twitter
Email
Print
Picture of Mike B
Mike B

Latest Article