Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal private-sector privacy law governing the collection, use, and disclosure of personal information in the course of commercial activity, built on 10 fair information principles and enforced by the Office of the Privacy Commissioner of Canada.
Key Takeaways
PIPEDA takes a principles-based approach. Rather than prescribing specific technical requirements (like 'use 256-bit encryption'), it requires organizations to implement 'appropriate' safeguards based on the sensitivity of the information. This flexibility is both a strength and a challenge. It adapts to different industries and data types, but it also leaves room for interpretation about what 'appropriate' means.

For HR teams, the critical question is: does PIPEDA apply to your employees' personal information? The answer depends on where you operate. PIPEDA applies to employee data of federally regulated private-sector organizations (banks, telecommunications companies, airlines, inter-provincial railways, and broadcasting companies). For provincially regulated employers, PIPEDA applies to employee data only in provinces without substantially similar legislation. British Columbia (PIPA), Alberta (PIPA), and Quebec (Law 25) have their own laws that generally govern employee data in those provinces. In other provinces (Ontario, Manitoba, Saskatchewan, etc.), PIPEDA applies to employee data in the course of federally regulated commercial activities only. It's complicated, which is why many Canadian employers apply PIPEDA-level protections across all provinces as a practical baseline.
These principles are the backbone of PIPEDA. Every compliance obligation flows from them.
| Principle | Requirement | HR Application |
|---|---|---|
| 1. Accountability | Designate a person responsible for compliance; implement policies and practices | Appoint a privacy officer or assign responsibility to HR leadership |
| 2. Identifying Purposes | Identify the purpose for collection at or before the time of collection | Tell candidates and employees why you're collecting their data during onboarding |
| 3. Consent | Obtain meaningful consent for collection, use, and disclosure | Get consent for non-essential processing; implied consent may apply for employment-related processing |
| 4. Limiting Collection | Collect only what's necessary for the identified purpose | Don't ask for social insurance numbers on job applications; collect SIN only after hiring for tax purposes |
| 5. Limiting Use, Disclosure, and Retention | Use data only for the stated purpose; retain only as long as necessary | Don't use recruitment data for marketing; destroy interview notes after retention period |
| 6. Accuracy | Keep personal information accurate, complete, and up-to-date | Regularly update employee contact information, emergency contacts, and beneficiary details |
| 7. Safeguards | Protect personal information with appropriate security measures | Encrypt HR databases, restrict access by role, secure physical files |
| 8. Openness | Make privacy policies and practices readily available | Publish employee privacy notice in handbook and on internal portal |
| 9. Individual Access | Provide individuals access to their personal information upon request | Respond to employee access requests within 30 days |
| 10. Challenging Compliance | Provide a mechanism for individuals to challenge compliance | Establish a complaint process; designate a contact person for privacy concerns |
Consent under PIPEDA is more flexible than many HR professionals realize, especially in employment relationships.
PIPEDA recognizes express consent (written or verbal explicit agreement) and implied consent (reasonably inferred from the individual's actions or inaction). For sensitive information like medical records, financial data, or social insurance numbers (SINs), express consent is required. For less sensitive employment-related processing, implied consent may be sufficient if the purpose is obvious and the employee would reasonably expect the processing. Example: an employee providing their bank account number for direct deposit implies consent for payroll processing.
PIPEDA allows collection, use, or disclosure without consent in specific situations: complying with a legal obligation (tax reporting, workplace safety reporting), investigating a breach of contract or law, acting in a medical emergency, and processing for journalistic, artistic, or literary purposes. For HR, the legal obligation exception is the most commonly used, covering CPP/EI deductions, T4 reporting, and workers' compensation claims.
The Office of the Privacy Commissioner (OPC) has acknowledged that consent in the employment context is inherently unequal. Employees may feel compelled to consent because of the power imbalance. This is why the OPC emphasizes that consent must be meaningful: the employee must understand what they're consenting to, why, and what happens if they don't consent. Blanket consent clauses in employment contracts that say 'you consent to all processing of your personal information' don't meet PIPEDA's standard.
Since November 2018, PIPEDA has required organizations to report data breaches that create a 'real risk of significant harm' (RROSH) to affected individuals.
A breach is notifiable if it creates a real risk of significant harm. Significant harm includes bodily harm, humiliation, damage to reputation, loss of employment, financial loss, identity theft, negative effects on credit record, and damage to relationships. The OPC considers the sensitivity of the personal information involved and the probability that the information will be misused. A breach involving employee SINs, health records, or salary data would almost certainly meet the RROSH threshold.
Report to the OPC and notify affected individuals as soon as feasible. The notification must describe the breach circumstances, the personal information involved, steps the organization has taken to reduce harm, steps the individual can take to reduce risk, and contact information for someone who can answer questions. Organizations must also keep records of every breach (whether notifiable or not) for at least two years. The OPC can request access to these records during audits.
Knowingly failing to report a breach to the OPC, notify affected individuals, or maintain breach records is an offense punishable by a fine of up to CAD 100,000 per violation. The OPC can also pursue compliance agreements and make findings that may result in Federal Court orders. Under the proposed CPPA, penalties would increase dramatically to the greater of CAD 10 million or 3% of global gross revenue.
Employee monitoring is a growing concern under PIPEDA, especially with the increase in remote work and the availability of monitoring technology.
The OPC has stated that employers can monitor employees but must balance their legitimate business interests against employees' reasonable privacy expectations. Before implementing monitoring, employers should: identify the specific business purpose, assess whether monitoring is the least intrusive means to achieve that purpose, inform employees about what's being monitored and why, and limit access to monitoring data to those with a legitimate need. Video surveillance, email monitoring, GPS tracking, and keystroke logging all raise PIPEDA issues.
With remote work becoming standard, many employers have deployed monitoring software on company devices. The OPC has cautioned that continuous screenshot monitoring, webcam surveillance, and keystroke logging are highly intrusive. Employers should use the least intrusive method possible, clearly disclose the monitoring in the employee privacy notice, and limit monitoring to working hours on company devices. Monitoring personal devices used for work raises additional concerns and generally requires explicit consent.
Canada's privacy law is set for a major overhaul. Bill C-27 proposes replacing PIPEDA with the Consumer Privacy Protection Act (CPPA).
The CPPA would introduce significantly higher penalties (up to CAD 10 million or 3% of global gross revenue for general violations, and CAD 25 million or 5% of global gross revenue for the most serious violations). It creates a new Privacy Tribunal with order-making power. It adds provisions for automated decision-making systems (including the right to an explanation of automated decisions). It introduces a 'legitimate interest' basis for processing, similar to GDPR. And it establishes a private right of action for individuals.
Bill C-27 was introduced in June 2022. It has been progressing through parliamentary committees. The timeline for final passage is uncertain given political dynamics. Until the CPPA is enacted, PIPEDA remains the governing law. HR teams should monitor the bill's progress and start planning for the higher compliance standards it will require, especially around automated decision-making if you use AI tools in hiring or performance management.
Three provinces have privacy laws that the federal government has recognized as substantially similar to PIPEDA, which means they take precedence for intra-provincial commercial activities.
| Province | Law | Key Difference from PIPEDA | Employee Data Coverage |
|---|---|---|---|
| British Columbia | PIPA (Personal Information Protection Act) | Includes employee data explicitly in scope; allows collection without consent for reasonable employment purposes | Full coverage of employee data for provincially regulated employers |
| Alberta | PIPA (Personal Information Protection Act) | Similar to BC PIPA; allows collection, use, and disclosure of employee data without consent if reasonable for employment purposes | Full coverage of employee data for provincially regulated employers |
| Quebec | Law 25 (Act Respecting the Protection of Personal Information in the Private Sector) | Strictest Canadian privacy law; requires privacy impact assessments for projects involving personal information; mandatory DPO designation | Full coverage; requires consent or demonstration of serious and legitimate reason for processing employee data |
Data on the OPC's enforcement activity and breach trends in Canada.