The Personal Information Protection and Electronic Documents Act (PIPEDA) has governed how Canadian businesses handle personal information since 2000. Most businesses understand that PIPEDA exists. Fewer have a clear picture of what it actually requires them to do, where their current practices fall short, and what a defensible compliance posture looks like.
PIPEDA is not a prescriptive standard with a specific technical controls checklist. It is a principles-based law that requires organizations to implement safeguards and practices proportionate to the sensitivity of the personal information they hold. That flexibility is useful, but it also means compliance is not something you can buy with a single tool or achieve with a policy template.
This checklist translates PIPEDA’s ten fair information principles into practical, concrete actions your organization should have in place. For Canadian businesses of any size that collect, use, or disclose personal information in the course of commercial activity, these represent your baseline obligations under federal privacy law.
PIPEDA applies to private sector organizations that collect, use, or disclose personal information in the course of commercial activity. It applies across Canada to federally regulated sectors — financial services, telecommunications, transportation — and in provinces that do not have substantially similar provincial legislation.
PIPEDA applies regardless of the size of your organization. There is no small business exemption. If you collect personal information from customers, employees in federally regulated industries, website visitors, or any other individuals in a commercial context, PIPEDA applies to you.
Note: Bill C-27 and the proposed Consumer Privacy Protection Act (CPPA), which would have replaced PIPEDA, lapsed in January 2025 when Parliament prorogued. PIPEDA remains in force as the governing federal privacy legislation for commercial activity.
1. Accountability
Your organization must designate an individual responsible for privacy compliance — typically a Chief Privacy Officer or Privacy Officer. This person is accountable for your organization’s compliance with PIPEDA and must be identifiable to individuals who want to contact them.
2. Identifying Purposes
You must identify the purpose for collecting personal information before or at the time of collection. Purposes must be specific enough that an individual can understand what you intend to do with their information.
3. Consent
The knowledge and consent of the individual is required for the collection, use, or disclosure of personal information, except in limited circumstances defined in the legislation. Consent must be meaningful — individuals must understand what they are agreeing to.
4. Limiting Collection
Collect only the information you actually need for the identified purpose. Organizations that collect personal information on a “might be useful later” basis are not compliant with this principle. Every field of data collected requires a documented purpose.
5. Limiting Use, Disclosure, and Retention
Personal information must only be used or disclosed for the purpose it was collected, and retained only as long as necessary to fulfill that purpose. You must have a documented retention schedule and a process for the secure disposal of personal information that is no longer needed.
6. Accuracy
Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used. This is particularly relevant for customer records used in decision-making — inaccurate information that affects an individual must be correctable.
7. Safeguards
This is where cybersecurity intersects most directly with PIPEDA. Your organization must protect personal information with security measures appropriate to the sensitivity of the information. The Office of the Privacy Commissioner has found in repeated investigations that access controls, encryption, and employee training are expected baseline safeguards for organizations of any size.
8. Openness
Your privacy policies must be readily available and understandable. This means a published privacy policy written in plain language, accessible on your website, and reflecting your actual data practices.
9. Individual Access
Individuals have the right to access the personal information you hold about them, understand how it is being used, and challenge its accuracy. You must have a documented process for responding to access requests, typically within 30 days.
10. Challenging Compliance
Individuals may challenge your compliance with PIPEDA. You must have a process for receiving and investigating privacy complaints, and for escalating unresolved complaints to the Office of the Privacy Commissioner.
Since November 2018, PIPEDA has required organizations to report security breaches involving personal information that create a “real risk of significant harm” to affected individuals. The mandatory breach notification requirements are among the most operationally demanding aspects of PIPEDA compliance. When a qualifying breach occurs, your obligations include:
Failing to report a notifiable breach is itself a violation, with penalties up to $100,000 per violation. For organizations without cybersecurity insurance that covers breach response costs, the financial exposure from a reportable breach — notification, legal counsel, forensic investigation — can be significant for any size of organization.
Use this checklist to assess your current compliance posture. Required items represent obligations under PIPEDA. Recommended items represent additional best practices that support a defensible compliance program.
Accountability & Governance
Consent & Collection
Safeguards
Breach Notification
Individual Rights
The checklist above identifies what you need to have in place. Closing the gaps between your current state and a defensible PIPEDA compliance posture requires both technical and operational work — and the two are interdependent.
The safeguards principle is where most gaps are found during OPC investigations. A threat risk assessment establishes what personal information you hold, what threats face it, and what controls are needed to protect it proportionately. Without this documented baseline, it is difficult to demonstrate to a regulator or court that your safeguards were appropriate to the sensitivity of the information.
Identity and access management controls are the operational mechanism for the limiting use and safeguards principles. If you cannot demonstrate who has access to personal data and under what conditions, you cannot demonstrate PIPEDA safeguards compliance.
For the breach notification requirements, your incident response plan must explicitly address the PIPEDA reporting timeline and process. A documented data breach response plan that references the OPC notification requirement and the 24-month breach record-keeping obligation is not optional — it is what a regulator will ask to see following any incident involving personal information.
What is the penalty for non-compliance with PIPEDA?
Violations of PIPEDA’s breach notification and record-keeping requirements carry maximum penalties of $100,000 per violation. The OPC can also conduct audits, publish findings, and refer matters to the Federal Court. Reputational damage from public OPC reports often exceeds the direct penalty in business impact.
Does PIPEDA apply to employee information?
PIPEDA applies to employee personal information only where the employer is a federally regulated organization (a federal work, undertaking, or business such as a bank, telecommunications carrier, or interprovincial transportation company); for other private-sector employers, it does not apply to employee information in the context of the employment relationship. It does apply to personal information collected about job applicants in a commercial context, and provincial privacy legislation may impose additional obligations in some provinces. Organizations in Quebec are subject to Law 25, which does apply to employee information.
Does our company need a formal privacy policy?
Yes. PIPEDA’s openness principle requires that your policies be readily available to individuals. For most organizations this means a published privacy policy on your website, written in plain language, that accurately describes what personal information you collect, why, how it is used, who it is shared with, and how individuals can exercise their rights. A generic template that does not reflect your actual data practices does not satisfy this requirement.
What qualifies as a breach under PIPEDA?
A breach of security safeguards under PIPEDA is the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a failure of your safeguards. Not every breach triggers mandatory notification — only those that create a real risk of significant harm to the individuals whose information is involved. Your organization must assess this risk for every qualifying incident and document the assessment in your breach log.
How does PIPEDA interact with Quebec’s Law 25?
Quebec’s Law 25 (an Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) applies to organizations operating in Quebec and imposes requirements that go beyond PIPEDA in several areas, including mandatory privacy impact assessments for new technology projects, stricter consent requirements, and the right to data portability. Organizations operating in Quebec must comply with both laws, applying the more stringent requirement in each area. The Canadian Centre for Cyber Security provides guidance on the technical safeguards that support compliance with both federal and provincial privacy obligations.
PIPEDA compliance is not a project with an end date. It is an ongoing operational requirement that evolves as your organization’s data practices change, as threats evolve, and as regulatory guidance develops. Organizations that treat it as a one-time audit typically find themselves exposed when an incident occurs or a complaint triggers an OPC investigation.
Brigient supports Canadian organizations in building the technical safeguards that underpin PIPEDA compliance — from threat risk assessments that document your proportionality baseline to IAM controls that demonstrate who has access to personal data. Knowing how to choose the right cybersecurity partner for your compliance program is the first step. Visit brigient.com to start the conversation.