Select Page

The PIPEDA Quick Cubicle Reference Sheet

May 26, 2021 | Technology


The Personal Information Protection and Electronic Documents Act or (PIPEDA) is the federal private-sector data privacy law in Canada that business owners need to comply with if their business collects or uses any personal information in relation to their commercial operations. Additionally, it is enforced by the Office of the Privacy Commissioner (OPC).

PIPEDA’s goal is to protect privacy rights for internet users by requiring organizations to notify users of how they handle their data practices, and to get consent for the collection, use, and disclosure of people’s personal information. Further, violations could result in fines of up to CAN$75,000 -$100,000 if the government chooses to prosecute.

Two Key Terms You Need to Remember

  1. Private sector organizations: A privately owned association, corporation, partnership, or trade union that is not government-controlled.
  2. Commercial activities: Any act of transactional selling, buying, or trading commercially.

Read on to learn more about PIPEDA — what it is, who it’s for, and how to be in compliance.

Personal Information Under PIPEDA

All personal information applies to any actual or perceptual information about a person’s identity under PIPEDA law.

Personal Information Examples Under PIPEDA Include

  • Personal identifiers like age, name, ID numbers
  • Unverifiable information like disciplinary actions, opinions, and evaluations  
  • Details such as credit records, employee files, and loan records
  • Health information
  • Network data cookies 
  • Lastly, federal government organizations listed under the Privacy Act, or business contact information used for organizational communication, are not included under PIPEDA.

Where PIPEDA Applies

The collection, use, or sharing of personal information in private-sector commercial practices in Canada, including federally-regulated organizations like:

  • Airports and airlines 
  • Banks
  • Inter-provincial and international transportation companies
  • Lastly, telecommunication companies

PIPEDA Does Not Apply To?

Charity groups, political parties, and non-profit organizations that don’t engage in commercial practices in their organizations are excluded by PIPEDA laws.

PIPEDA Compliance Requirements

In order to be in compliance with PIPEDA, there are 10 fair information principles, outlining the: 

  • Standards for the collection 
  • The use and disclosure of personal information
  • Lastly, users’ rights that your organization must adhere to.

What About Privacy Laws and Healthcare?

Because some health information laws are significantly similar, there are some Privacy Healthcare laws that do apply in some provinces. However, for B.C., Alberta, and Quebec, these healthcare laws are in addition to their own comprehensive privacy laws. 

The four provincial health information laws considered significantly similar to PIPEDA are the: 

Get to Know These 10 PIPEDA Fair Information Principles

  1. Accountability — Organizations must appoint someone to ensure that the 10 principles are complied with as they are fully responsible for the safety of the personal information that they store.
  2. Identifying Purposes — Either before or at the time that the data is collected, organizations must disclose their purpose for collecting the data.
  3. Consent — In order to collect, use, and share users’ personal information, implicit or explicit “meaningful consent” must be obtained by the organization. Indeed, organizations can utilize opt-in or opt-out measures as a way to lawfully collect personal and sensitive information.
  4. Limit Collection — Organizations are limited to only collecting the necessary information needed for processing purposes.
  5. Limiting Disclosure, Use, and Retention — Personal information must only be used by organizations for the purposes stated unless prior consent is received by affected users. 
  6. Accuracy — All personal information obtained by organizations must be accurate, complete, and up-to-date.
  7. Safeguards — Security measures must be utilized to protect personal information at all times.
  8. Openness — Organizations must always remain transparent in reference to their public handling of data practices. Further, customizing a privacy policy template will allow you to include the openness principle on your site to describe how your organization complies with and practices their data handling with the PIPEDA openness requirement.
  9. Access for Individuals — The organization should honor users’ rights in reviewing, accessing, and collecting personal information.
  10. Lastly, Challenge Compliance — People can challenge an organization’s compliance in reference to the 10 principles by addressing the person in charge of the organization’s PIPEDA compliance, more often than not, this person is normally the chief privacy officer of the organization.

PIPEDA Breaches

A data breach pertains to the loss of, unauthorized access to, or disclosure of personal information.

Organizations should report all data breaches to the Canadian Office of the Privacy Commissioner (OPC) by sending a PIPEDA breach report form whenever there’s a threat that poses a “real risk of significant harm” to people. For example, significant harm includes:

  • Physical harm
  • Damage to your Reputation
  • Decrease in finances
  • Lastly, loss of employment

In addition, organizations must keep records of all data breaches for two years along with notifying everyone affected about the breach as soon as possible. Any deferment of these procedures will result in a violation of PIPEDA.

Main Points of Complying With PIPEDA 

  • PIPEDA is Canada’s federal privacy protection law that pertains to private-sector organizations that carry out commercial activities and how they collect, use, and share personal data.
  • To be in compliance with PIPEDA, organizations must adhere to the 10 fair information principles for how data is handled
  • Create a privacy policy that addresses your organization’s obligation to ensure safe user information.
  • Lastly, notify the OPC and affected users as soon as possible if your organization incurs a data breach.

Read the PIPEDA legislation for a better understanding of PIPEDA’s compliance requirements, or head to the OPC website for resources related to PIPEDA.


BrightR Limited is your one-stop for consulting and remote workers. Alternatively, if you need advice for an employee who’s relocating to Canada, we can help you through the process and keep you in compliance. Contact us today and our team looks forward to answering your questions and helping you and your business thrive. 

Related Content