Skip to Main Content
Main Menu
Regulation

Canada’s Personal Information Protection and Electronic Documents Act

Canada’s PIPEDA establishes rules aimed at governing the processing of personal information in a manner that recognizes the right of privacy of individuals, whilst permitting organizations to meet their needs to process personal information.

Are you subject to the PIPEDA?

The PIPEDA applies to every organization that handles personal information:

  • Throughout the course of its commercial activities; and
  • Regarding an employee, or an applicant, in connection with the operation of a federal work, undertaking or business.

The PIPEDA does not apply to:

  • Any government institution to the extent where the Privacy Act applies;
  • Any individual who collects, uses or discloses personal information for personal or domestic purposes; and
    Any organization who collects, uses or discloses personal information for journalistic, artistic or literary purposes.

Key obligations under the PIPEDA

Personal information principles

PIPEDA establishes 10 Fair Information Principles that data processing practices should be grounded in, including: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

Individual rights

At the request of individuals, PIPEDA requires organizations to grant them their right to access information about themselves and the right to data correction.

Form of consent

Depending on the context, PIPEDA requires organizations to seek expressed consent from individuals prior to processing sensitive personal information; implied consent is sufficient when less- or non-sensitive information is intended to be processed.

Outsourcing

Ensure contracts are in place with vendors that process personal information requiring them to provide a comparable level of protection.

Webinar

CBPR – Navigating Cross-Border Data Privacy Compliance

In this highly anticipated webinar, we explore the background the future direction and assess the potential business case for companies considering certification under the new Global CBPR System.

FAQs

  • Can personal data be processed without obtaining prior consent from individuals?

    Yes. PIPEDA provides several exceptions where consent may not be required for processing, including, but not limited to:

    • A federal work, undertaking or business must establish, manage or terminate an employment relationship with an individual, and the federal work, undertaking or business has informed the individual that their personal information may be processed for the aforementioned purposes;
    • For the performance of a business transaction with a third-party;
    • Where processing is clearly in the interest of the concerned individual, but their consent cannot be obtained in a timely manner; and
    • The personal information was made publicly available.
  • What is the age of consent to process children’s data to comply with PIPEDA?

    Organizations must obtain meaningful consent from parents and/or guardians of children under the age of 13.

  • How can I assure my personal information practices comply with the 10 Fair Information Principles?

    The Office of the Privacy Commissioner of Canada (OPC) encourages organizations to conduct self-assessments to assess the level of compliance to the 10 Principles, and improve personal information management systems and practices including evaluating the level of sensitivity of personal information.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top