PIPEDA stands for “Personal Information Protection and Electronic Documents Act”. It is Canada’s privacy law and applies to personal information collected during any kind of commercial activity. PIPEDA is all about protecting users’ data, and that’s good for everyone; some even compare it to the Patriot Act because it contains provisions that make it equivalent.

This means your business in Canada has to understand and apply this law to its data handling processes and practices.

PIPEDA is written in formal language, so it might be a little challenging to understand. They know that and have compiled 10 principles for businesses with all you need to know; we present a summary below.

  1. Be accountable

This principle is about being responsible: appoint somebody to be responsible for data handling and inform your customers. You need to:

  • Comply with all 10 of the principles.
  • Appoint an individual (or individuals) to be responsible for your organization’s compliance.
  • Protect all personal information held by your organization or transferred to a third party for processing.
  • Develop and implement personal information policies and practices.


  2. Identify the purpose

You need to define why you collect information from your customers, whether it’s for later communication, marketing or anything else, and you need to inform them why you are using their information or why you need to store it. You need to:

  • Before or when any personal information is collected, identify why it is needed and how it will be used.
  • Document why the information is collected.
  • Inform the individual from whom the information is collected why it is needed.
  • Identify any new purpose for the information and obtain the individual’s consent before using it.

  3. Obtain informed consent

Your customers (or visitors) need to be informed that you are collecting their data, and they have to agree to this practice, whether it’s a form in your store or analytics on your website. Consent can be given either orally, in writing, or through a specific online action, such as clicking on “I agree”.

Specify what personal information you are collecting and why in a way that your customers and clients can clearly understand.

  • Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
  • Obtain the individual’s consent before or at the time of collection, as well as when a new use of their personal information is identified.

  4. Limit collection

You should not collect all the information you can from your customers just because you can and they agree. You have to specify why you need that information and be coherent in the reason. For example, if you are a catering service you don’t need to know the education level of your customers or whether they are married, single or divorced. Just ask for and use the information necessary for your processes. In particular:

  • Do not collect personal information indiscriminately.
  • Do not deceive or mislead individuals about the reasons for collecting personal information.

  5. Limit use, disclosure and retention

This principle establishes that you must set an expiry date for this information and delete it after it has expired. Also, you can’t share or show this information to any other person or entity unless the Act allows it. You need to:

  • Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
  • Keep personal information only as long as necessary to satisfy the purposes.
  • Put guidelines and procedures in place for retaining and destroying personal information.
  • Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
  • Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.


  6. Be accurate

You need to update your information when needed. Remember that you are using this information for the benefit of your clients; if the information is inaccurate or outdated, there will be no benefit to you or to your client. You need to:

  • Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.

  7. Use appropriate safeguards

Keep the information safe. Since this information is very important, you have to store it somewhere whose security you can control, and use encryption services and secure passwords to protect it from hackers and against identity theft. You need to:

  • Protect personal information against loss or theft.
  • Safeguard the information from unauthorized access, disclosure, copying, use or modification.
  • Protect personal information regardless of the format in which it is held.

Note: PIPEDA does not specify particular security safeguards that must be used. Rather, the onus is on organizations to ensure that personal information is adequately protected.

  8. Be open

Be clear about how you protect the information your clients are providing to you. Make the information easy to read and include a personal contact for your clients. You need to:

  • Inform customers, clients and employees that you have policies and practices for the management of personal information.
  • Make these policies and practices understandable and easily available.


  9. Give individuals access

Let your clients access their information. You need to:

  • When requested, inform individuals if you have any personal information about them.
  • Explain how it is or has been used and provide a list of any organizations to which it has been disclosed.
  • Give individuals access to their information.
  • Correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
  • Provide a copy of the information requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act. (See Exceptions to the Access Principle.)
  • An organization should note any disagreement on the file and advise third parties where appropriate.

  10. Provide recourse

You need to accept complaints about your use of information and follow them up. If you are guilty, compensate and modify your policies accordingly. Be informed and have a registry of how the information is managed to identify where the leak was. You need to:

  • Develop simple and easily accessible complaint procedures.
  • Inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
  • Investigate all complaints received.
  • Take appropriate measures to correct information handling practices and policies.


As you can read, all you need to do is follow these principles and take good care of your clients’ information to comply with PIPEDA.


Read more about PIPEDA at: https://www.priv.gc.ca/en/for-businesses/