What PIPEDA Requires
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for private-sector organizations. It governs how businesses collect, use and disclose personal information in the course of commercial activity. If your organization operates across provincial or national borders and handles personal information, PIPEDA applies to you.
Organizations in British Columbia, Alberta and Quebec are subject to provincial privacy legislation for intra-provincial commercial activity. However, PIPEDA still applies to interprovincial and international transfers. Most organizations operating nationally must comply with PIPEDA regardless of their home province.
The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA enforcement. The OPC investigates complaints, conducts audits and publishes guidance on compliance. Understanding what PIPEDA requires is the first step. Demonstrating compliance through documented security practices is what protects your organization when the OPC comes asking.
Breach Notification Requirements
PIPEDA's mandatory breach notification provisions require three actions when a breach of security safeguards occurs and poses a real risk of significant harm:
- Report to the OPC: Organizations must report the breach to the Office of the Privacy Commissioner without delay after determining that a breach has occurred. There is no fixed-day deadline. "Without delay" means as soon as feasible after your assessment determines a real risk of significant harm exists. Delays for investigation are permissible. Delays for convenience are not.
- Notify affected individuals: Notification must be provided directly to affected individuals without delay. The notification must describe the breach, the personal information involved, steps the organization has taken and steps individuals can take to reduce risk. Notification must be conspicuous and direct.
- Maintain breach records: Organizations must maintain records of every breach of security safeguards for 24 months, regardless of whether the breach triggered notification obligations. The OPC can request these records at any time. Failing to maintain them is a separate compliance failure.
Penalties
PIPEDA violations can result in fines of up to $100,000 CAD per violation for offences such as failing to report a breach, failing to notify affected individuals or failing to maintain breach records. Beyond fines, the OPC can publish findings that name non-compliant organizations. The reputational damage from a published finding often exceeds the financial penalty. Organizations subject to PIPEDA should also monitor the federal government's ongoing privacy law reform efforts, as proposed legislation may increase penalties significantly.
The 10 Fair Information Principles
PIPEDA is built on 10 fair information principles derived from the Canadian Standards Association Model Code. Every organization handling personal information must adhere to these principles:
| # | Principle | What It Means |
|---|---|---|
| 1 | Accountability | Designate a person responsible for compliance |
| 2 | Identifying Purposes | State why personal information is collected |
| 3 | Consent | Obtain meaningful consent for collection and use |
| 4 | Limiting Collection | Collect only what is necessary for identified purposes |
| 5 | Limiting Use, Disclosure and Retention | Use information only for stated purposes and retain only as long as necessary |
| 6 | Accuracy | Keep personal information accurate and up to date |
| 7 | Safeguards | Protect information with appropriate security measures |
| 8 | Openness | Make privacy policies readily available |
| 9 | Individual Access | Allow individuals to access and correct their information |
| 10 | Challenging Compliance | Provide a process for individuals to challenge compliance |
How a Security Audit Proves Due Diligence
Principle 7 (Safeguards) requires organizations to protect personal information with security measures appropriate to the sensitivity of the information. The OPC evaluates whether safeguards are "appropriate" based on the nature of the data, the volume of information and the threat landscape at the time of a breach.
A documented security audit demonstrates that your organization proactively assessed its security posture. A penetration test report shows that you identified vulnerabilities before a breach occurred. Remediation records show that you acted on findings. This documentation creates a defensible position when the OPC investigates.
Without documented security assessments, your organization cannot demonstrate that safeguards were appropriate. The OPC will assess what a reasonable organization would have done given the sensitivity of the data and the known threat landscape. Organizations that test regularly can point to evidence of ongoing diligence. Organizations that do not test have nothing to point to.
Principle 1 (Accountability) strengthens this position further. By designating a responsible person, maintaining breach records and conducting regular security assessments, you demonstrate organizational accountability that goes beyond checkbox compliance.
What You Should Do Now
Review your breach notification procedures. Ensure you can detect breaches, assess risk of significant harm, notify the OPC without delay and notify affected individuals. Verify that you are maintaining 24-month breach records.
Then audit your safeguards. A penetration test or security risk assessment provides the documentation you need to demonstrate Principle 7 compliance. If you have not tested in the past 12 months, you have a gap in your due diligence record that the OPC will notice.