Simplify Privacy and Data Protection for PIPEDA Compliance

Govern your compliance with Canada’s Personal Information Protection & Electronic Documents Act


Drive security & privacy by design
Achieve compliance by default

Everything you need for PIPEDA compliance

  • PIPEDA Plan

    Step-by-step implementation plan outlines how to align with all 10 PIPEDA principles

  • Customized Policies

    Our automated policy builder ensures your policies meet PIPEDA requirements

  • Policy Management

    Reduce admin time with automated employee reminders and tracking

  • Security Awareness Training

    In-platform Carbide Academy videos on security and privacy best practices, with a template library for common requirements

  • Evidence Collection

    100+ technical integrations connecting to your tech stack to automatically capture your compliance with PIPEDA

  • Audit Support

    Save time by giving auditors a read-only view of your PIPEDA reporting dashboard

  • Robust Ecosystem

    Carbide’s security and privacy services and network of audit partners help you meet requirements faster

  • Multi-Compliance by Design

    Comply with multiple frameworks & regulations with our unified platform

  • Cloud Monitoring

    Easily collect data with automated security monitoring, security assessments, and remediation tools to produce actionable insights on your cloud environment

Frequently Asked Questions

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law setting out the data privacy rules organizations are required to follow. PIPEDA governs how private sector organizations collect, use, and disclose personal information in the course of commercial activity.

What can personal information be used for?

PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.

Who needs to comply with PIPEDA?

According to the Office of the Privacy Commissioner of Canada’s Privacy Guide for Businesses, “All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).” The guide goes on to state, “PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.”

How is PIPEDA enforced?

The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets out the privacy obligations organizations must adhere to when handling personal information.

Complaints under PIPEDA can be initiated by an individual or the Commissioner. When an individual files a complaint under PIPEDA, the OPC first determines whether the matter is covered by the Act. Once a complaint is accepted, the OPC begins an investigation. When appropriate for the privacy issue in question, efforts are made to resolve complaints in the early stages of the investigation process (i.e. early resolution).

What is PIPEDA trying to achieve?

PIPEDA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.

What can't personal information be used for?

The OPC has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones):

  • Collecting, using or disclosing personal information in ways that are otherwise unlawful
  • Profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law
  • Collecting, using or disclosing personal information for purposes that are known or likely to cause significant harm to the individual
  • Publishing personal information with the intent of charging people for its removal
  • Requiring passwords to social media accounts for the purpose of employee screening
  • Conducting surveillance on an individual using their own device’s audio or video functions

What are the 10 fair information principles?

Principle 1 – Accountability: an organization is responsible for the personal information under its control and must appoint someone to be accountable for its compliance.

Principle 2 – Identifying Purposes: the purposes for which personal information is collected must be identified by the organization before or at the time of collection.

Principle 3 – Consent: the consent of the individual is required for the collection, use, or disclosure of personal information.

Principle 4 – Limiting Collection: the collection of personal information must be limited to what is needed for the purposes identified by the organization.

Principle 5 – Limiting Use, Disclosure, and Retention: unless the individual consents otherwise or it is required by law, personal information may only be used, disclosed, or retained for the purposes for which it was collected.

Principle 6 – Accuracy: personal information must be as accurate, complete, and up-to-date as possible.

Principle 7 – Safeguards: personal information must be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 – Openness: an organization must make detailed information about its policies and practices relating to the management of personal information publicly available.

Principle 9 – Individual Access: upon request, an individual must be informed of the existence, use, and disclosure of their personal information, be given access to that information, and be able to have it amended.

Principle 10 – Challenging Compliance: an individual must be able to challenge an organization’s compliance with the above principles. The challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually its Chief Privacy Officer.

What is the penalty for non-compliance?

PIPEDA may be easy to follow, but the fines for non-compliance are very steep and can reach up to $100,000 for each violation.

See How Carbide Can Help You

Schedule a consultation with one of our Solutions Advisors to learn how Carbide can accelerate your data protection program.
