OPC's Privacy Guide for Businesses

This document provides an overview of Canada's federal privacy law, PIPEDA, for businesses:

- PIPEDA establishes rules for how private sector organizations collect, use and disclose personal information in the course of commercial activities. It is enforced by the Office of the Privacy Commissioner of Canada.
- Under PIPEDA, businesses must comply with 10 fair information principles concerning issues like obtaining consent, limiting data collection and use, ensuring accuracy, protecting data, and being open/transparent.
- The guide outlines responsibilities for businesses around privacy compliance, including how to address privacy breaches by reporting to the Commissioner and notifying affected individuals. It also describes the complaint process for individuals.

Uploaded by

erhabori-1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
77 views43 pages

OPC's Privacy Guide For Businessess

This document provides an overview of Canada's federal privacy law, PIPEDA, for businesses: - PIPEDA establishes rules for how private sector organizations collect, use and disclose personal information in the course of commercial activities. It is enforced by the Office of the Privacy Commissioner of Canada. - Under PIPEDA, businesses must comply with 10 fair information principles concerning issues like obtaining consent, limiting data collection and use, ensuring accuracy, protecting data, and being open/transparent. - The guide outlines responsibilities for businesses around privacy compliance, including how to address privacy breaches by reporting to the Commissioner and notifying affected individuals. It also describes the complaint process for individuals.

Uploaded by

erhabori-1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 43

Privacy Guide for Businesses

What Canadian businesses need to know to comply with federal privacy law
For more information, contact:

Office of the Privacy Commissioner of Canada
30 Victoria Street, 8th floor
Gatineau, QC
K1A 1H3

Telephone: (819) 994-5444
Toll-free: 1-800-282-1376
TTY: (819) 994-6591

For more information visit: priv.gc.ca/business

Follow us on Twitter: @privacyprivee

While prepared with care to ensure accuracy and completeness, this guide has no legal status. For the official text of the law, visit our website at priv.gc.ca/business or call the Office of the Privacy Commissioner of Canada.

Cat. No. IP54-94/2019E
ISBN 978-0-660-32104-2

Updated September 2020

This guide deals only with Part 1 of the Act. All references to the Act in this document refer only to Part 1. Parts 2 to 5 of the Act concern the use of electronic documents and signatures as legal alternatives to original documents and signatures. For information on these, please contact the Department of Justice.
Table of contents

Overview (page 2)
Role of the Office of the Privacy Commissioner of Canada (page 3)
PIPEDA in brief (page 3)
How the act applies (page 4)
What is personal information? (page 5)
What is not covered by PIPEDA? (page 5)
Your responsibilities under PIPEDA (page 5)

Fair information principles (page 6)
1 Be accountable (page 7)
2 Identify the purpose (page 10)
3 Obtain valid, informed consent (page 12)
4 Limit collection (page 15)
5 Limit use, disclosure and retention (page 16)
6 Be accurate (page 18)
7 Use appropriate safeguards (page 19)
8 Be open (page 21)
9 Give individuals access (page 23)
10 Challenging compliance (page 25)

Dealing with a breach (page 26)
Real risk of significant harm (page 27)
What your breach report to the OPC should contain (page 27)
What your notification to affected individuals needs to contain (page 27)
What you need to include in your own breach records (page 28)

Complaints to the Privacy Commissioner of Canada (page 29)
Complaint process (page 30)
Audits (page 34)

Applying for a hearing to the Federal Court (page 35)

Canada’s anti-spam legislation and PIPEDA (page 37)

Advisory services for businesses (page 39)
Overview

Canadians are increasingly concerned about their privacy. More and more, they are choosing to do business with organizations that are sensitive to those concerns and can demonstrate they will handle personal information with care.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector privacy law. It sets out the ground rules for how businesses must handle personal information in the course of commercial activities.

The Office of the Privacy Commissioner of Canada (OPC) has prepared this guide to help organizations understand and meet their obligations under PIPEDA.

Role of the Office of the Privacy Commissioner of Canada

The OPC’s mission is to protect and promote privacy rights. As an Agent of Parliament, the Privacy Commissioner reports directly to the House of Commons and the Senate of Canada. This independence helps ensure the Commissioner is impartial in exercising the role of ombudsman for privacy issues.

The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and/or audits into the personal information handling practices of businesses.

The OPC also seeks to ensure that organizations comply with their privacy obligations by providing them with information and guidance. The Office also undertakes engagement activities, which include outreach and advisory services.

PIPEDA in brief

There are a number of requirements to comply with the law. Organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, it must obtain consent again. Personal information must be protected by appropriate safeguards.
How the act applies

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.

The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Provincial privacy laws

Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.

Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information.

Information that crosses borders

All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

Federally regulated organizations

Federally regulated organizations that conduct business in Canada are always subject to PIPEDA. The Act also applies to their employees’ personal information.

These organizations include:

■ airports, aircraft and airlines;
■ banks and authorized foreign banks;
■ inter-provincial or international transportation companies;
■ telecommunications companies;
■ offshore drilling operations; and
■ radio and television broadcasters.

Note: Organizations in the Northwest Territories, Yukon and Nunavut are considered federally regulated, and are therefore also covered by PIPEDA.
What is personal information?

Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

■ age, name, ID numbers, income, ethnic origin, or blood type;
■ opinions, evaluations, comments, social status, or disciplinary actions; and
■ employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

What is not covered by PIPEDA?

There are some instances where PIPEDA does not apply. Some examples include:

■ personal information handled by federal government organizations listed under the Privacy Act;
■ provincial or territorial governments and their agents;
■ business contact information such as an employee’s name, title, business address, telephone number or email address that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession;
■ an individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list); and
■ an organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:

■ not-for-profit and charity groups; or
■ political parties and associations.

Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may apply in certain situations.

Your responsibilities under PIPEDA

Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.

By following these principles, you will contribute to building trust in your business and in the digital economy.

The principles are:

1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
Fair information principles

PIPEDA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.

In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.

The OPC has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones):

■ collecting, using or disclosing personal information in ways that are otherwise unlawful;
■ profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
■ collecting, using or disclosing personal information for purposes that are known or likely to cause significant harm to the individual;
■ publishing personal information with the intent of charging people for its removal;
■ requiring passwords to social media accounts for the purpose of employee screening; and
■ conducting surveillance on an individual using their own device’s audio or video functions.

This section sets out organizations’ responsibilities for each of the 10 fair information principles. It outlines how to fulfill these responsibilities and offers some tips.

1 Be accountable

Your responsibilities

■ Comply with all 10 fair information principles.
■ Appoint someone to be responsible for your organization’s PIPEDA compliance.
■ Protect all personal information held by your organization, including any personal information you transfer to a third party for processing.
■ Develop and implement personal information policies and practices.
How to fulfill these responsibilities

Develop a privacy management program

■ This program should be designed, at a minimum, to comply with the law, including the 10 fair information principles.
■ It should identify your organization’s designated privacy official, and communicate that person’s name or title internally and externally (e.g. on your website or in publications).
■ Your designated privacy official should have the support of senior management and the authority to intervene on privacy issues.
■ Conduct a privacy impact assessment and threat analysis of your organization’s personal information handling practices, including ongoing activities, new initiatives, and new technologies.
■ Start by using the following checklist:
» What personal information do we collect and is it sensitive? (Sensitive information may require extra protection.)
» Why do we collect it?
» How do we collect it?
» What do we use it for?
» Where do we keep it?
» How is it secured?
» Who has access to or uses it?
» Who do we share it with?
» When is it disposed of?
■ Develop, document and implement policies and procedures to protect personal information:
» Define the purposes of collection.
» Obtain valid and meaningful consent.
» Limit collection, use and disclosure.
» Ensure information is correct, complete and current.
» Ensure security measures are adequate to protect information.
» Develop or update a retention and destruction timetable.
» Develop and implement policies and procedures to respond to complaints, inquiries and requests to access personal information.
» Develop, document and implement breach and incident-management protocols.
» Document and implement risk assessments.
» Develop, document and implement appropriate practices to be used by third-party service-providers.
» Develop, document and deliver appropriate privacy training for employees.
■ Regularly review your privacy management program and address any shortcomings.
■ Be prepared to demonstrate that you have specific policies and procedures in place to protect personal information; that you provide adequate privacy training to your employees; and that you have appointed someone to be responsible for privacy governance.
■ Make your privacy policies and procedures readily available to customers and employees (e.g., in brochures and on websites).
Tips

Train all staff so they can answer the following questions:

■ How do I respond to public inquiries regarding our organization’s privacy policies?


■ What is valid and meaningful consent? When and how is it obtained?
■ How do I recognize and process requests for access to personal information?
■ To whom should I refer privacy-related complaints?
■ What are my organization’s current or new initiatives relating to the protection of personal information?

When transferring personal information to third parties for processing outside Canada:

■ assess risks that could adversely impact the protection of personal information when it is transferred
to third-party service providers operating outside of Canada;
■ ensure through contractual or other means that the third party provides a level of protection of the
personal information comparable to that required in PIPEDA;
■ limit the third party’s use of the personal information to the purposes specified to fulfill the contract;
and
■ be transparent about your practices, including by advising customers their information may be sent
to another jurisdiction for processing, and that while in another jurisdiction it may be accessed by
the courts, law enforcement and national security authorities.

Related links
■ PIPEDA Fair Information Principle 1 – Accountability
■ Getting Accountability Right with a Privacy Management Program
■ Interpretation bulletin: Accountability

2 Identify the purpose

Your responsibilities

■ Identify and document your purposes for collecting personal information. This will help you determine which specific personal information to collect to fulfill those purposes.
■ Tell your customers why your organization needs their personal information before or at the time of collection. Depending on how the information is collected, this can be done orally or in writing.
■ Obtain their consent again should you identify a new purpose.

How to fulfill these responsibilities

■ Review your personal information holdings to ensure they are all required for a specific purpose.
■ When requesting personal information from a customer, explain these purposes to them, either verbally or in writing.
■ Keep a record of all identified purposes and consents you have obtained.
■ Ensure that the purposes are limited to what a reasonable person would consider appropriate under the circumstances.
Tips

Define your purposes for collecting personal information as clearly and narrowly as possible
so people understand how their information will be used or disclosed. Examples of specific
purposes include:

■ opening an account;
■ verifying an individual’s creditworthiness;
■ providing benefits to employees;
■ processing a magazine subscription;
■ sending out association membership information;
■ guaranteeing a travel reservation;
■ identifying customer preferences; and
■ establishing customer eligibility for special offers or discounts.

Avoid overly broad purposes.

Related link
■ PIPEDA Fair Information Principle 2 – Identifying Purposes

3 Obtain valid, informed consent

Your responsibilities

■ Meaningful consent is an essential element of PIPEDA. Organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information.
■ To make consent meaningful, people must understand what they are consenting to. It is only considered valid if it is reasonable to expect that your customers will understand the nature, purpose and consequences of the collection, use or disclosure of their personal information.
■ Consent can only be required for collections, uses or disclosures that are necessary to fulfil an explicitly specified and legitimate purpose. For non-integral collections, uses and disclosures, individuals must be given a choice.
■ The form of consent must take into account the sensitivity of the personal information. The way you seek consent will depend on the circumstances and type of information you are collecting.
■ Individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and you must inform individuals of the implications of withdrawal.

How to fulfill these responsibilities

■ Make privacy information readily available in complete form, while giving emphasis or bringing attention to four key elements:
» what personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to;
» with which parties personal information is being shared;
» for what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to; and
» what are the risks of harm and other consequences.
■ Provide information in manageable and easily accessible ways.
■ Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service.
■ Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable.
■ Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties.
■ Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate under the circumstances.
■ Allow individuals to withdraw consent (subject to legal or contractual restrictions).
■ Determine the appropriate form of consent: obtain express (explicit) consent for collections, uses or disclosures which generally: (i) involve sensitive information; (ii) are outside the reasonable expectations of the individual; and/or (iii) create a meaningful residual risk of significant harm.
■ Consent and children: obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (the OPC takes the position that, in all but exceptional circumstances, this includes anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity.
■ Whether implied or express, consent does not waive an organization’s other responsibilities under PIPEDA, such as being accountable, implementing safeguards, and having a reasonable purpose for processing personal information.

Form of consent

It is important for organizations to consider the appropriate form of consent to use (express or implied) for any collection, use or disclosure of personal information for which consent is required. While consent should generally be express, it can be implied in strictly defined circumstances. Organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on context.

Organizations must generally obtain express consent when:

■ the information being collected, used or disclosed is sensitive;
■ the collection, use or disclosure is outside of the reasonable expectations of the individual; and/or,
■ the collection, use or disclosure creates a meaningful residual risk of significant harm.
Tips

The following tips can help make your consent process more meaningful:

■ Allow individuals to control the amount of detail they wish to receive, and when.
■ Design or adopt innovative and creative ways of obtaining consent, which are just-in-time, specific to
the context, and suitable to the type of interface.
■ Periodically remind individuals about the consent choices they have made, and those available
to them.
■ Periodically audit privacy communications to ensure they accurately reflect current personal
information management practices.
■ Stand ready to demonstrate compliance – in particular, that the consent process is understandable
from the perspective of the user.
■ In designing consent processes, consider:
» consulting with users and seeking their input;
» pilot testing or using focus groups to evaluate the understandability of documents;
» involving user interaction / user experience (UI/UX) designers;
» consulting with privacy experts and/or regulators; and
» following established best practices or standards.

Related links
■ PIPEDA Fair Information Principle 3 – Consent (includes exceptions to the consent principle)
■ Guidelines for obtaining meaningful consent
■ Ten tips for a better online privacy policy and improved privacy practice transparency

4 Limit collection

Your responsibilities

■ Collect only the personal information your organization needs to fulfill a legitimate identified purpose.
■ Be honest about the reasons you are collecting personal information.
■ Collect personal information by fair and lawful means. This requirement is intended to prevent organizations from collecting information by misleading or deceiving about the purpose.

How to fulfill these responsibilities

■ Identify the kind of personal information you collect in your information-handling policies and practices.
■ Limit the amount and type of information you collect to what is needed for the identified purposes.
■ Ensure your staff can explain why your organization needs this information.

Tips

■ By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving or disposing of data.
■ Collecting less information also reduces the risk and/or impact of loss or inappropriate access, use or disclosure.

Related links
■ PIPEDA Fair Information Principle 4 – Limiting Collection
■ Collection of driver’s licence numbers under private sector privacy legislation – A guide for retailers
■ Guidelines for overt video surveillance in the private sector
■ Guidance on covert video surveillance in the private sector
■ Guidelines for identification and authentication
5 Limit use, disclosure and retention

Your responsibilities

■ Unless someone consents otherwise—or unless doing so is required by law—your organization may use or disclose personal information only for the identified purposes for which it was collected. Keep personal information only as long as it is needed to serve those purposes.
■ Know what personal information you have, where it is, and what you are doing with it.
■ Obtain fresh consent if you intend to use or disclose personal information for a new purpose.
■ Collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
■ Put guidelines and procedures in place for retaining and destroying personal information.
■ Keep personal information used to make a decision about a person for a reasonable time period. This may be useful in the event an individual seeks access to the information in order to pursue redress.
■ Destroy, erase or anonymize any personal information that your organization no longer needs.

How to fulfill these responsibilities

■ Document any new purpose for the use of personal information.
■ Limit and monitor employee access to personal information, and take appropriate action when information is accessed without authorization.
■ Institute maximum and minimum retention periods that take into account any legal requirements or restrictions as well as appeal mechanisms.
■ Dispose of personal information that does not have a specific purpose or no longer fulfills its intended purpose. Dispose of information in a way that prevents a privacy breach, such as by securely shredding paper files or effectively deleting electronic records. If information is to be retained purely for statistical purposes, employ effective techniques that would render it anonymous.
■ Ensure all personal information is fully deleted before disposing of electronic devices such as computers, photocopiers and cellphones.
■ Ensure your employees receive appropriate training on their roles and responsibilities in protecting personal information.
Tips

■ Use effective processes for destroying, erasing or anonymizing personal information.
■ Develop guidelines and implement procedures on the retention of personal information.
■ Conduct regular reviews to determine whether information is still required.
■ Establish a retention schedule to make this easier.

Related links
■ PIPEDA Fair Information Principle 5 – Limiting Use, Disclosure, and Retention
■ PIPEDA and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act
■ Personal information retention and disposal: principles and best practices
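As an added example (not from the OPC guide), the following shows one way to turn a retention schedule with minimum and maximum periods, a legal-hold flag, a longer floor for records used to make decisions about a person, and a statistics-only flag into a reviewable retain/dispose/anonymize decision per record. The purposes, periods, field names and sample records are constructed assumptions, not anything PIPEDA or the OPC prescribes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Constructed sample schedule: a minimum and a maximum retention period for
# each documented purpose. The purposes and periods are assumptions for the
# example; a real schedule comes from your own legal requirements and
# appeal mechanisms.
@dataclass(frozen=True)
class RetentionRule:
    min_days: int  # do not dispose before this (statutory minimum, appeal window)
    max_days: int  # do not keep beyond this once the purpose is served


SCHEDULE = {
    "account_opening": RetentionRule(min_days=0, max_days=7 * 365),
    "marketing_preferences": RetentionRule(min_days=0, max_days=2 * 365),
    "credit_decision": RetentionRule(min_days=365, max_days=3 * 365),
}

# Records used to make a decision about a person are kept at least this long
# so the individual can seek access and pursue redress (assumed value).
DECISION_MIN_DAYS = 365


@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    decision_about_individual: bool = False
    legal_hold: bool = False       # litigation, regulatory or law-enforcement hold
    statistics_only: bool = False  # purpose served; kept only for aggregate statistics


def disposition(rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason); action is 'retain', 'dispose' or 'anonymize'."""
    rule = SCHEDULE.get(rec.purpose)
    if rule is None:
        # A record with no documented purpose has no basis for being kept.
        return ("dispose", "no documented purpose")
    if rec.legal_hold:
        return ("retain", "legal hold")
    age_days = (today - rec.collected).days
    min_days = rule.min_days
    if rec.decision_about_individual:
        min_days = max(min_days, DECISION_MIN_DAYS)
    if age_days < min_days:
        return ("retain", "minimum retention period not reached")
    if rec.statistics_only:
        # Identifiers are no longer needed; keep only an anonymized form.
        return ("anonymize", "retained for statistical purposes only")
    if age_days >= rule.max_days:
        return ("dispose", "maximum retention period reached")
    return ("retain", "within retention schedule")


def review(records: List[Record], today: date) -> List[Tuple[str, str, str]]:
    """Build the decision list a retention review would record and act on."""
    return [(r.record_id, *disposition(r, today)) for r in records]


# Constructed sample records and review date.
REVIEW_DATE = date(2024, 1, 1)
SAMPLE_RECORDS = [
    Record("R1", "credit_decision", date(2023, 7, 1), decision_about_individual=True),
    Record("R2", "marketing_preferences", date(2021, 6, 1)),
    Record("R3", "web_analytics", date(2023, 1, 1)),  # purpose never documented
    Record("R4", "marketing_preferences", date(2021, 6, 1), legal_hold=True),
    Record("R5", "account_opening", date(2022, 1, 1), statistics_only=True),
    Record("R6", "account_opening", date(2020, 1, 1)),
]

if __name__ == "__main__":
    for record_id, action, reason in review(SAMPLE_RECORDS, REVIEW_DATE):
        print(f"{record_id}\t{action:<9}\t{reason}")
```

The output list is the artefact to keep with your retention records: it shows, per record, which rule drove the decision, which is what you would need to show if asked to demonstrate compliance.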
6 Be accurate

Your responsibility

■ Keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
■ Minimize the possibility of using incorrect information when making a decision about an individual or when disclosing information to third parties.

How to fulfill this responsibility

■ Establish policies that govern what types of information need to be updated.
Tips

One way to determine whether information needs to be updated is to ask yourself whether using
or disclosing out-of-date or incomplete information could potentially have an adverse impact on
the individual.

Apply the following checklist for accuracy:

■ List the specific items of personal information you need to provide a service.
■ List where all related personal information can be found.
■ Record the date when the personal information was obtained or updated.
■ Record the steps taken to verify the accuracy, completeness and timeliness of the information. This
may require reviewing your records or communicating with your customer.

Related link
■ PIPEDA Fair Information Principle 6 – Accuracy

7 Use appropriate safeguards

Your responsibilities

■ Protect personal information in a way that is appropriate to how sensitive it is.
■ Protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use or modification.

Note: PIPEDA does not specify particular security safeguards that must be used. Your organization must continually ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.

How to fulfill these responsibilities

■ Develop and implement a security policy to protect personal information.
■ Use appropriate security safeguards to provide necessary protection. These can include:
» physical measures (e.g., locked filing cabinets, restricting access to offices, and alarm systems);
» up-to-date technological tools (e.g., passwords, encryption, firewalls and security patches); and
» organizational controls (e.g., security clearances, limiting access, staff training and agreements).
■ Consider the following factors when selecting the right safeguard:
» the sensitivity of the information and the risk of harm to the individual. For instance, health and financial information would be considered highly sensitive;
» the amount of information;
» the extent of distribution;
» the format of the information (e.g., electronic or paper);
» the type of storage; and
» the types and levels of potential risk your organization faces.
■ Review security safeguards regularly to ensure they are up to date, and that you have addressed any known vulnerabilities through regular security audits and/or testing.
■ Make your employees aware of the importance of maintaining the security and confidentiality of personal information, and hold regular staff training on security safeguards.

Tips

■ Make sure personal information that has no relevance to the transaction is either removed or
blocked out when providing copies of information to others.
■ Keep files that contain sensitive information in a secure area or on a secure computer system, and
limit employee access to a “need-to-know” basis.

Related links
■ PIPEDA Fair Information Principle 7 – Safeguards
■ Safeguarding personal information
■ Securing Personal Information: A Self-Assessment Tool for Organizations
■ Interpretation bulletin: Safeguards
■ 10 tips for addressing employee snooping
■ What you need to know about mandatory reporting of breaches of security safeguards
■ Preventing and responding to a privacy breach

Note: For information on breaches, see the section on this topic.

8 Be open

Your organization’s detailed personal information management practices must be clear and easy to understand. They must be readily available.

Consumers find privacy policies are difficult to understand, yet they feel compelled to give their consent in order to obtain the goods and services they want.

Individuals should not be expected to decipher complex legal language in order to make informed decisions on whether or not to provide consent. (See Principle 3 on consent for details).

Your responsibilities

■ Inform your customers and employees that you have policies and practices for managing personal information.
■ Make these policies and practices easily understandable and easily available.

How to fulfill these responsibilities

■ Comply with guidelines on obtaining meaningful consent.
■ Ensure your front-line staff is familiar with your organization’s procedures for responding to people’s inquiries about their personal information.
■ Provide, in easy-to-understand terms:
» the name or title and contact information of the person who is accountable for your organization’s privacy policies and practices;
» the name or title and contact information of the person to whom access requests should be sent;
» how an individual can gain access to their personal information;
» how an individual can complain to your organization;
» any documents that explain your organization’s policies, standards or codes; and
» a description of what personal information you disclose to other organizations, including your subsidiaries and any third parties, and why.

Tips

■ Information about these policies and practices should be made available in a variety of ways, for
example, in person, in writing, by telephone, in publications and on your organization’s website.
■ The information presented should be consistent, regardless of the format.

Related links
■ PIPEDA Fair Information Principle 8 – Openness
■ 10 tips for a better online privacy policy and improved privacy practice transparency
■ Guidelines for obtaining meaningful consent

9 Give individuals access

Generally speaking, individuals have a right to access the personal information that an organization holds about them. They also have the right to challenge the accuracy and completeness of the information, and have that information amended as appropriate.

Your responsibilities

■ When asked, advise people about the personal information about them your organization holds.
■ Explain where the information was obtained.
■ Explain how that information is or has been used and to whom it has been disclosed.
■ Give people access to their information at minimal or no cost, or explain your reasons for not providing access. Providing access can take different forms. For example, you may provide a written or electronic copy of the information, or allow the individual to view the information or listen to a recording of the information.
■ Correct or amend personal information in cases where accuracy and completeness is deficient.
■ Note any disputes on the file and advise third parties where appropriate.

How to fulfill these responsibilities

■ Help people prepare their request for access to personal information. (For example, your organization may ask the requestor to supply enough information to enable you to locate personal information and determine how it has been used or disclosed.)
■ Respond to the request as quickly as possible, and no later than 30 days after receiving it.
■ The normal 30-day response time limit for access requests may be extended for a maximum of 30 additional days, if:
» responding to the request within the original 30 days would unreasonably interfere with the activities of your organization;
» your organization needs additional time to conduct consultations; or
» your organization needs additional time to convert personal information to an alternate format.
■ If your organization extends this response time, it must notify the person making the request within 30 days of receiving the request, and advise them of their right to complain to the OPC.
■ Provide access at minimal or no cost to the individual, and notify the requestor of the approximate cost before processing the request. Confirm that the individual still wants to proceed with the request.
■ Make sure the requested information is understandable. Explain acronyms, abbreviations and codes.
■ If you make amendments, send the revised information to any third parties that have access to the information in cases where doing so is appropriate.
■ If you refuse to grant access to personal information, explain in writing the reasons and inform the requestor of any recourse available to them. Recourse includes the option to complain to the OPC.
■ If your organization holds no personal information on the requestor, tell them so.

Tips

■ Keep a record of where personal information can be found.
■ Conduct a thorough search for personal information. This includes both physical and electronic searches.
■ Never disclose personal information unless you are certain of the identity of the requestor and that
person’s right of access.
■ Record the date you received the request for the information.
■ Ensure your staff members know how to handle an access request.
■ The legal standard to be met for withholding information as “confidential commercial information” is
high. Be ready to justify such a claim before refusing access.

Related links
■ PIPEDA Fair Information Principle 9 – Individual Access
■ Responding to access to information requests under PIPEDA

10 Challenging compliance

An individual must be able to challenge your organization’s compliance with the fair information principles. They should address their challenge to the person in your organization who is accountable for compliance with PIPEDA.

Your responsibilities

■ Provide recourse by developing simple complaint handling and investigation procedures.
■ Tell complainants about their avenues of recourse. These include your organization’s own complaint procedures, along with those related to industry associations, regulatory bodies and the OPC.
■ Investigate all complaints you receive.
■ Improve any information-handling practices and policies that are found to be problematic.

How to fulfill these responsibilities

■ Record the date on which you receive a complaint, and its nature.
■ Acknowledge receipt of the complaint promptly, and seek clarification if needed.
■ Assign the matter to a person with the skills necessary to review it fairly and impartially. Provide that person with access to all relevant records, employees or others who handled the personal information or access request.
■ Notify individuals of the outcome of complaint reviews clearly and promptly, and inform them of any steps taken.
■ Correct any inaccurate personal information or modify policies and procedures based on the outcome of the complaint. Ensure employees are aware of any changes to policies and procedures.

Tips

■ Handling a complaint fairly may help to preserve or restore your customer’s confidence and trust in
your organization.
■ Ensure staff members are aware of the policies and procedures for complaints, and know who is
responsible for handling complaints.
■ Record all your decisions to ensure consistency.

Related links
■ PIPEDA Fair Information Principle 10 – Challenging Compliance
■ Getting Accountability Right with a Privacy Management Program
■ Ten tips for avoiding complaints to the OPC

Dealing with a breach

A breach of security safeguards occurs when there is a
loss, unauthorized access to, use or disclosure of personal
information. PIPEDA includes mandatory breach reporting
requirements.

Organizations must:

■ report to the OPC any breaches of security safeguards that pose a real risk of significant harm;
■ notify affected individuals and relevant third parties of any breaches with a real risk of significant harm; and
■ keep records of all breaches, regardless of whether a breach presents a real risk of significant harm.

Real risk of significant harm

Real risk of significant harm must be determined through an assessment of the sensitivity of the personal information involved, as well as the probability the personal information could be misused.

Significant harm includes:

■ bodily harm;
■ humiliation, damage to reputation or relationships;
■ loss of employment, business or professional opportunities;
■ financial loss, identity theft, negative effects on the credit record; or
■ damage to or loss of property.

What your breach report to the OPC should contain

A report of a breach of security safeguards to the OPC must be in writing and must include:

■ a description of the circumstances of the breach and, if known, the cause;
■ when the breach occurred;
■ as much as possible, a description of the personal information that is the subject of the breach;
■ the number or approximate number of individuals affected by the breach;
■ what steps the organization has taken to reduce the risk of harm to affected individuals;
■ what steps the organization has taken or will take to notify affected individuals; and
■ name and coordinates of a contact person.

What your notification to affected individuals needs to contain

■ much of the same information a breach report to the OPC must contain; and
■ the steps affected individuals can take to reduce the risk of harm, for example, changing their passwords or monitoring accounts.

What you need to include in your own breach records

The OPC can request to have access to or a copy of an organization’s breach records. These records must contain sufficient detail to allow the OPC to determine whether an organization has properly assessed the risk of harm and has met its obligations for reporting and notification of a particular breach.

Records do not need to include personal information unless that information is needed to explain the nature and sensitivity of the breach, or the probability of the personal information being misused.

You are required by the Breach of Security Safeguard Regulations to keep all breach records for two years. You may have other legal requirements to keep them longer.

Related link
■ What you need to know about mandatory reporting of breaches of security safeguards

Complaints to the Privacy Commissioner of Canada

An individual may file a complaint under PIPEDA if they feel
an organization has violated the law.

The Privacy Commissioner can also initiate a complaint if the Commissioner is satisfied that there are reasonable grounds to investigate a matter.

Complaint process

The Commissioner seeks to take a cooperative and conciliatory approach to investigations whenever possible. The OPC encourages parties to resolve complaints amongst themselves, and may use alternate dispute resolution methods such as mediation and conciliation to settle matters at any stage of the investigation process.

The OPC will review complaints and approach them in one of three ways:

■ by attempting to resolve them on an informal basis (known as early resolution);
■ by declining to investigate; or
■ by deciding to investigate.

Key steps for each of these processes are listed below and are also explained in the PIPEDA complaints and enforcement chart on our website.

Note that it is an offence under PIPEDA to:

■ destroy personal information that an individual has requested;
■ retaliate against an employee who has complained to the OPC; or
■ obstruct an investigation or audit by the Commissioner or his or her delegate.

Early resolution

Complaints that may be resolved informally are handled via an early resolution process. These complaints include matters where:

■ it seems possible to easily address the allegations on an informal basis; or
■ the parties are willing to resolve the matter informally.

Using this process, the OPC helps to identify a solution that satisfies all parties without a formal investigation. No reports of findings are issued in matters that are resolved informally.

Decline to investigate

The OPC may decline to accept a complaint for investigation if it believes that:

■ the complainant should first exhaust other available grievance or review procedures;
■ the complaint could be better dealt with through a different procedure provided for under federal or provincial law (for example, a rental dispute may be better addressed through a landlord-tenant tribunal); or
■ the complaint was not filed within a reasonable time period.

When the OPC declines a complaint, it informs all parties of its decision and provides reasons. A complainant may ask that the decision be reconsidered.

If the OPC is satisfied that the complainant has established compelling reasons to investigate, the matter will be referred for investigation.

Investigations

The following process outlines the steps the OPC generally takes when investigating privacy complaints against organizations.

1. When the OPC accepts a complaint for investigation, it assigns an investigator to the file.

2. Once an investigation begins, the OPC provides written notice to the organization explaining the substance of the complaint.

3. The investigator contacts the organization’s designated representative to:
■ explain how the investigation will proceed;
■ identify any records that must be reviewed and any staff members who may be interviewed; and
■ indicate whether on-site visits will be needed.

4. The investigator obtains information directly from individuals familiar with the matter under investigation.
■ The investigator may ask the organization to provide information or documents that are relevant to the investigation.
■ If conducting a site visit, the investigator may examine or obtain copies of or extracts of documents, including those stored electronically, that are found in the premises.

5. Prior to finalizing the investigation, the results may be disclosed to the parties involved. This may be done to obtain additional representations, if the parties see fit to provide them, or to give the respondent the opportunity to resolve the matter before the complaint is finalized.

Note: The OPC has the power to summon witnesses, administer oaths and compel people and organizations to produce evidence, as well as conduct site visits.

6. Based on the results of the investigation, the Commissioner or his or her delegate will issue a report to the parties. The report includes:
■ the results of the investigation;
■ any settlement reached by the parties;
■ any recommendations, such as suggested changes in information management practices;
■ the steps the organization has taken or will take to address these recommendations; and
■ notice of recourse to the Federal Court.

7. The Commissioner or his or her delegate can request that an organization provide, within a specified time, notice of any action taken or proposed to be taken to implement report recommendations, or explain why no action has or will be taken.

8. The Commissioner may enter into a compliance agreement with an organization if it is believed, on reasonable grounds, that an organization has committed, is about to commit or is likely to commit a contravention of PIPEDA or if it has failed to follow a recommendation related to the 10 fair information principles. Under a compliance agreement, an organization agrees to take certain actions to bring itself into compliance. This would preclude the Privacy Commissioner from commencing or continuing a court application under PIPEDA in respect of any matter covered by the agreement. However, if an organization fails to live up to its commitments, the OPC could, after notifying the organization, either apply to the court for an order requiring the organization to comply with the terms of the agreement, or commence or reinstate court proceedings under PIPEDA as appropriate.

Findings and dispositions

A complaint is normally disposed of in one of several ways.

1. No jurisdiction
Based on the information gathered, the OPC determines PIPEDA does not apply to the organization or activity that was the subject of the complaint. The OPC does not issue a report.

2. Declined to investigate
The OPC may decline to accept a complaint for investigation if it believes that:
■ the complainant should first exhaust other available grievance or review procedures;
■ the complaint could be better dealt with through a different procedure provided for under federal or provincial law; or
■ the complaint was not filed within a reasonable time period.

3. Discontinued
The investigation is discontinued before the allegations are fully investigated. An investigation may be discontinued at the OPC’s discretion if:
■ there is insufficient evidence to pursue the investigation;
■ the complaint is trivial, frivolous or vexatious or is made in bad faith;
■ the organization has provided a fair and reasonable response to the complaint;
■ the matter is already the object of an ongoing investigation;
■ the matter has already been the subject of a report by the commissioner; or
■ the complaint was already declined.

4. Withdrawn
The complainant withdraws the complaint voluntarily or cannot be reached. The OPC does not issue a report.

5. Early resolved and settled
Complaints that may be resolved informally are handled via an early resolution process. These complaints include matters where:
■ it seems possible to easily address the allegations on an informal basis; or
■ the parties are willing to resolve the matter informally.

Using this process, the OPC helps to identify a solution that satisfies all parties without a formal investigation. No reports of findings are issued in matters that are resolved informally.

6. Not well founded
The OPC has determined that the organization did not contravene PIPEDA.

7. Well founded and conditionally resolved
The OPC has determined that an organization contravened PIPEDA. The organization commits to implementing the recommendations made by the OPC and demonstrating their implementation within a specified timeframe.

8. Well founded and resolved
The OPC has determined that an organization contravened a provision of PIPEDA. The organization demonstrates it has taken satisfactory corrective action to remedy the situation, either proactively or in response to recommendations made by the OPC, by the time the finding was issued.

9. Well founded and not resolved
The OPC has determined that an organization contravened a provision of PIPEDA but was unable to resolve outstanding issues.

Compliance agreements

Another possible outcome following a complaint is that the Privacy Commissioner or his or her delegate may enter into a compliance agreement with an organization aimed at ensuring it complies with PIPEDA.

In a compliance agreement, an organization agrees to take certain actions to comply with PIPEDA.

If an organization fails to live up to its commitments in the agreement, the OPC can either apply to the Court for an order requiring the organization to comply with the terms of the agreement, apply for a hearing or reinstitute proceedings, as appropriate.

Audits

PIPEDA gives the OPC the authority to audit an organization’s privacy practices when the OPC has reasonable grounds to believe the organization is not fulfilling its obligations under Part 1 of the Act, or is not respecting the recommendations of Schedule 1.

What can lead to an audit?

Information that can give rise to audit can come from a variety of sources, including:
■ a group or series of complaints about a particular organization’s practices;
■ information obtained during an investigation;
■ information provided by an individual under the whistleblower provision; or
■ an issue receiving public attention.

Applying for a hearing to the Federal Court

A complainant may apply to the Federal Court for a hearing in certain cases, even if he or she has been notified that an investigation has been discontinued.

The OPC may also apply for a hearing on its own behalf or for a complainant in certain cases.

Any application for a hearing must be made within a year of the OPC’s report of findings being released or the OPC’s notification that a complaint has been discontinued, though the court may allow a longer period.

Applications to the Court can only be made regarding the matter that the individual complained about or a matter referred to in the OPC’s report, and must refer to one of the specific provisions identified in section 14 of the Act.

The Federal Court may order an organization to correct practices that do not comply with the Act. It may also order an organization to publish a notice indicating any action taken or proposed to correct these practices. The Court can also award damages to a complainant, including damages for humiliation.

Related link
■ How to apply for a Federal Court hearing under PIPEDA

Canada’s anti-spam legislation and PIPEDA

Canada’s anti-spam legislation (CASL) protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats. It also aims to help businesses stay competitive in a global, digital marketplace.

CASL reinforces best practices in email marketing and seeks to combat spam and related issues, such as identity theft, phishing and the spread of malicious software, such as viruses, worms and trojans (malware).

When CASL came into force in 2014, it amended PIPEDA to include new restrictions on electronic address harvesting and collecting personal information using spyware.

The OPC shares the responsibility for enforcing CASL with two other agencies – the Canadian Radio-television and Telecommunications Commission and the Competition Bureau.

The restrictions related to address harvesting are relevant to organizations of all shapes and sizes in all sectors.

An organization has a responsibility to ensure all individuals receiving its electronic messages have provided appropriate consent for the collection and use of their address for marketing and other purposes.

To ensure your organization complies with CASL and to find out how to protect it from cyber threats, visit fightspam.gc.ca or consult our website at priv.gc.ca (search “spam”).

Advisory services for businesses

Part of the OPC’s role is to help organizations understand their privacy obligations and comply with the law. Our business advisory services can advise you on the privacy impacts of new programs or initiatives.

We can also review how you currently manage privacy to identify good practices as well as potential risks, and give you practical and actionable guidance to help ensure your practices comply with PIPEDA.

The OPC’s advisory services for businesses are voluntary and free of charge. All businesses in Canada subject to PIPEDA can request advice. Advisory services are provided based on resource capacity and availability. We prioritize projects with higher privacy risks or broader impacts on Canadians.

For more information, contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street, 8th floor
Gatineau, QC K1A 1H3
Telephone: (819) 994-5444
Toll-free: 1-800-282-1376
TTY: (819) 994-6591
For more information visit: priv.gc.ca/business
Follow us on Twitter: @privacyprivee
