PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada's federal private-sector privacy law. It applies to most commercial organisations that collect, use, or disclose personal information across provincial borders or in federally regulated industries. BC businesses operating mainly within BC are primarily subject to BC PIPA (see our separate PIPA checklist), but federal compliance still matters for interprovincial transactions, federally regulated sectors, and employee data. Here's what you need to have documented.
Does PIPEDA Apply to You?
PIPEDA applies if you:
- Collect personal information in the course of commercial activity
- Operate in a federally regulated industry (banking, telecom, air transport, interprovincial trucking)
- Conduct interprovincial or international transactions involving personal information
BC businesses: BC's PIPA has been deemed "substantially similar" to PIPEDA. BC private-sector organisations generally satisfy their PIPEDA obligations through PIPA compliance, but PIPEDA still applies to federally regulated activities.
If you're unsure which law applies to your business, the Office of the Privacy Commissioner of Canada's website has a jurisdiction tool. For most BC SMBs: PIPA for provincial commercial activity, PIPEDA for any federal or interprovincial dimension.
The Ten Fair Information Principles, Simplified
PIPEDA is built around ten principles. Most businesses fail on three: safeguards, retention, and individual access. Here's a quick checklist for all ten:
| Principle | What it requires | Your status |
|---|---|---|
| Accountability | Named privacy officer | ☐ Done |
| Identifying purposes | Purpose documented before collection | ☐ Done |
| Consent | Meaningful consent obtained and documented | ☐ Done |
| Limiting collection | Collect only what's needed | ☐ Done |
| Limiting use, disclosure, retention | Use only for stated purpose; don't keep longer than needed | ☐ Done |
| Accuracy | Keep data current and accurate | ☐ Done |
| Safeguards | Security controls appropriate to sensitivity | ☐ Done |
| Openness | Privacy policy published and accessible | ☐ Done |
| Individual access | Process for access requests | ☐ Done |
| Challenging compliance | Contact for privacy complaints | ☐ Done |
Step 1: Name a Privacy Officer
Designate a named individual responsible for PIPEDA compliance. They don't need to be a lawyer or a privacy specialist. They need to be reachable, to know they have the role, and to have access to the documentation. For most SMBs, this is the owner or operations manager with a written internal designation.
Step 2: Document Your Data Inventory
PIPEDA requires that you know what personal information you hold and why. Build a data inventory spreadsheet with:
- What categories of personal data you collect (names, emails, addresses, payment info, health info)
- Where each category is stored (CRM, email archive, cloud storage, paper files)
- Why you collected it (stated purpose)
- Who has access
- Who you share it with (third-party processors, service providers)
- How long you keep it
This document is your foundation. The OPC may ask to see it. You'll use it for breach response, access requests, and vendor assessments.
Step 3: Build a Retention Schedule and Actually Follow It
PIPEDA requires that personal information be kept only as long as necessary for the identified purpose. Common retention windows:
- Client contact information: retained for duration of relationship + 7 years (CRA requirement for associated financial records)
- Job applicant resumes: 6 months after hire decision (no ongoing purpose after that)
- Vendor contact information: retained for contract period + reasonable follow-up period
- Security camera footage: 30 days unless needed for an incident
Write the schedule down. Then actually delete data on schedule. "Delete" means actually removing it, not archiving it in a folder named "old data."
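As an added example (not part of the original post), here is a small Python script that encodes the schedule above as rules and reports which inventory records are overdue for deletion as of a given date, skipping anything on legal hold. The 12-month vendor follow-up period, the rule and field names, and the sample records are assumptions.

```python
from datetime import date, timedelta

# Retention rules mirroring the schedule above. "anchor" names the date field
# on the record that starts the clock. The vendor follow-up period of 12 months
# is an assumption; the page only says "reasonable follow-up period".
RETENTION_RULES = {
    "client_contact":   {"anchor": "relationship_end", "months": 84},  # + 7 years
    "applicant_resume": {"anchor": "hire_decision",    "months": 6},
    "vendor_contact":   {"anchor": "contract_end",     "months": 12},  # assumed
    "camera_footage":   {"anchor": "captured",         "days": 30},
}

def add_months(d, months):
    """Add calendar months, clamping the day to the target month's length."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = y + d.year, m + 1
    last_day = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))

def purge_date(record):
    """Date on which the record must be deleted, or None if the clock has not started
    (e.g. the client relationship is still active)."""
    rule = RETENTION_RULES[record["category"]]
    anchor = record.get(rule["anchor"])
    if anchor is None:
        return None
    if "months" in rule:
        return add_months(anchor, rule["months"])
    return anchor + timedelta(days=rule["days"])

def overdue_records(inventory, today_iso, legal_hold=()):
    """Return [(record_id, purge_date_iso)] for records past their retention window.
    Records on legal hold (an open incident or litigation) are reported separately
    by the caller and are never purged automatically, so they are skipped here."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for rec in inventory:
        due = purge_date(rec)
        if due is not None and due <= today and rec["id"] not in legal_hold:
            overdue.append((rec["id"], due.isoformat()))
    return overdue

# Constructed sample inventory rows (not real records).
INVENTORY = [
    {"id": "C-001", "category": "client_contact",   "relationship_end": date(2017, 3, 31)},
    {"id": "C-002", "category": "client_contact",   "relationship_end": None},  # still active
    {"id": "A-010", "category": "applicant_resume", "hire_decision": date(2024, 11, 15)},
    {"id": "V-005", "category": "vendor_contact",   "contract_end": date(2024, 2, 29)},
    {"id": "F-777", "category": "camera_footage",   "captured": date(2025, 5, 1)},
    {"id": "F-778", "category": "camera_footage",   "captured": date(2025, 5, 20)},
]

if __name__ == "__main__":
    for rec_id, due in overdue_records(INVENTORY, "2025-06-01", legal_hold=("F-777",)):
        print(f"PURGE {rec_id} (retention expired {due})")
```

Run it against your real inventory export on the review date and treat every line of output as a deletion task, not an archive task.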
Step 4: Build an Access Request Process
Under PIPEDA, individuals can request access to their personal information, and you must respond within 30 days of the request. You need:
- A documented process for receiving requests (email address? form?)
- A procedure for locating all records associated with the individual
- A template response
- A log of requests received and responses sent
Most BC SMBs do not have this documented. Build it before you receive a request; the time pressure of a live request is not the time to build a process.
Step 5: Breach Notification Under PIPEDA
PIPEDA requires notification to the OPC and to affected individuals if a breach poses a "real risk of significant harm" (RROSH). Factors affecting RROSH: sensitivity of the data, number of affected individuals, probability that misuse will occur.
Required documentation:
- Maintain a breach record log (mandatory, regardless of whether notification is required)
- OPC notification: as soon as feasible after determining a notifiable breach has occurred
- Individual notification: directly, in plain language
Template contacts:
- OPC breach report: priv.gc.ca/en/report-a-concern
- OPC general line: 1-800-282-1376
Step 6: Annual Privacy Review
PIPEDA compliance is not a one-time exercise. Schedule an annual review covering:
- Data inventory: any new data categories added in the past year?
- Vendor list: any new SaaS tools that process personal information?
- Retention schedule: purge overdue records
- Access request log: any requests received? Handled correctly?
- Breach log: any incidents? Documented?
- Privacy policy: still accurate?
The annual review takes two to three hours if the underlying documentation is maintained. It takes much longer if nothing has been kept current.
To talk to a Prince George-based IT team about IT controls for PIPEDA compliance, call 672-983-1174 or book a free assessment at northstarit.ca.
Frequently asked questions
Does PIPEDA apply to businesses in British Columbia or Alberta?
While BC and Alberta have their own private sector privacy laws (PIPA), PIPEDA still applies to federally regulated industries and for-profit activities involving the cross-border transfer of personal information. North Star helps businesses navigate both provincial and federal requirements to ensure total compliance. We recommend regular audits to confirm that your technical safeguards meet the highest standard applicable to your specific operational region.
What are the penalties for non-compliance with PIPEDA?
Organizations failing to comply with PIPEDA face significant risks, including investigations by the Privacy Commissioner and potential fines. More importantly, data breaches resulting from non-compliance can lead to costly lawsuits and permanent loss of client trust. Our PIPEDA compliance checklist for Canada focuses on proactive defence through encryption, multi-factor authentication, and robust access controls to prevent these liabilities before they occur.
How often should we update our PIPEDA compliance checklist?
We advise reviewing your privacy policies and technical controls at least annually or whenever you implement new software. With the evolving threat landscape in 2026, a quarterly review is often better for firms handling high volumes of personal data. North Star provides ongoing monitoring and security awareness training to ensure your staff and systems remain aligned with the latest Canadian privacy expectations.