PIPEDA - What it is and How it Impacts Your Business

PIPEDA, also known as the Personal Information Protection and Electronic Documents Act, is Canada’s federal privacy law for the private sector and applies to personal information collected during commercial activities. Commercial activities are defined as any transaction, act or conduct that is commercial in nature, such as buying, selling or leasing.

Who does PIPEDA apply to?

PIPEDA applies to organizations that are federally regulated and fall under the legislative authority of the Parliament of Canada, such as the telecommunications and broadcasting industry, and all local businesses in Yukon, Nunavut, and the Northwest Territories.

PIPEDA also applies to the private sector of each province unless a province has enacted its own privacy law that is substantially similar to PIPEDA. Only British Columbia, Alberta, and Quebec have privacy laws that have been deemed to be “substantially similar” to PIPEDA.

However, even if an organization is located in BC, Alberta, or Quebec, if in the course of a commercial activity personal information crosses borders, PIPEDA may apply to that information.

Why do we need PIPEDA?

The purpose of PIPEDA is to ensure that personal information is obtained in ways that respect the fundamental right to privacy. Many organizations rely on personal information to stay in touch with their customers or clients, and to better understand how their customers are using their products and services in order to meet their needs. Ensuring that the personal information is kept private is a good practice in any case, as it demonstrates respect and consideration.

What does PIPEDA consider as private information?

PIPEDA aims to protect information about identifiable individuals, such as: age, income, ethnicity, opinions, evaluation, address records, credit records, medical records, and more.

What are your responsibilities under PIPEDA?

PIPEDA is based on 10 principles of fair information practices, which are:

  • Accountability (adopt practices for compliance and protection of data held by your organization)
  • Identifying purposes (data is not collected without identifying the purpose for its collection)
  • Consent (the individual must consent meaningfully to their data’s collection)
  • Limiting Collection (do not collect data indiscriminately)
  • Limiting use, disclosure and retention (use or disclose information only for the purpose for which it was collected)
  • Accuracy (minimize the possibility of incorrect information)
  • Safeguards (protect personal information against loss or theft)
  • Openness (inform about your policy and practices for information management)
  • Individual access (when requested, inform the individuals about the information you have collected about them and how it is being used)
  • Provide recourse (develop complaint procedures)

What are the penalties for non-compliance?

On April 18, 2018, the final regulations relating to the mandatory reporting of privacy breaches under PIPEDA were published. These regulations, which include fines up to $100,000, came into force on November 1, 2018.

What should my organization do if we don’t know if we’re PIPEDA compliant?

A good first step is to understand PIPEDA and how it applies to your organization. The resource links contained below are useful places to begin.

Next, review your organization’s current practices concerning the collection, use and disclosure of personal information. Part of this is to understand where and how you retain personal information, and who outside of your organization might handle personal information on your behalf. Another important factor to consider is whether the network security measures you currently have in place are enough to thwart cyber criminals looking to launch sophisticated attacks and steal sensitive information.

A security breach and theft of your customers’ private information could be devastating for your business. Not only will you have to pay steep fines, but you could be faced with civil litigation. Many businesses simply cannot recover from this.

TCS can help you determine if your organization is adequately protected through a complimentary network security audit. A TCS Shield solution can prevent unwanted cyber attacks and theft of sensitive information and protect your company from the harsh penalties under PIPEDA.

For more information on PIPEDA

Office of the Privacy Commissioner:


Privacy legislation in Canada:


The Application of the Personal Information Protection and Electronic Documents Act to Charitable and Non-Profit Organizations:


Fact Sheet – Privacy Legislation in Canada: