Language selection


PIPEDA Fair Information Principle 1 – Accountability

Reviewed: August 2020

Your responsibilities

  • Comply with all 10 fair information principles.
  • Appoint someone to be responsible for your organization’s PIPEDA compliance.
  • Protect all personal information held by your organization, including any personal information you transfer to a third party for processing.
  • Develop and implement personal information policies and practices.

How to fulfill these responsibilities

Develop a privacy management program

  • This program should be designed, at a minimum, to comply with the law, including the 10 fair information principles.
  • It should identify your organization’s designated privacy official, and communicate that person’s name or title internally and externally (e.g. on your website or in publications).
  • Your designated privacy official should have the support of senior management and the authority to intervene on privacy issues.
  • Conduct a privacy impact assessment and threat analysis of your organization’s personal information handling practices, including ongoing activities, new initiatives, and new technologies.
  • Start by using the following checklist:
    • What personal information do we collect and is it sensitive? (Sensitive information may require extra protection.)
    • Why do we collect it?
    • How do we collect it?
    • What do we use it for?
    • Where do we keep it?
    • How is it secured?
    • Who has access to or uses it?
    • Who do we share it with?
    • When is it disposed of?
  • Develop, document and implement policies and procedures to protect personal information:
    • Define the purposes of collection.
    • Obtain valid and meaningful consent.
    • Limit collection, use and disclosure.
    • Ensure information is correct, complete and current.
    • Ensure security measures are adequate to protect information.
    • Develop or update a retention and destruction timetable.
    • Develop and implement policies and procedures to respond to complaints, inquiries and requests to access personal information.
    • Develop, document and implement breach and incident-management protocols.
    • Document and implement risk assessments.
    • Develop, document and implement appropriate practices to be used by third-party service-providers.
    • Develop, document and deliver appropriate privacy training for employees.
  • Regularly review your privacy management program and address any shortcomings.
  • Be prepared to demonstrate that you have specific policies and procedures in place to protect personal information; that you provide adequate privacy training to your employees; and that you have appointed someone to be responsible for privacy governance.
  • Make your privacy policies and procedures readily available to customers and employees (e.g., in brochures and on websites).


  • Train all staff so they can answer the following questions:
    • How do I respond to public inquiries regarding our organization’s privacy policies?
    • What is valid and meaningful consent? When and how is it obtained?
    • How do I recognize and process requests for access to personal information?
    • To whom should I refer privacy-related complaints?
    • What are my organization’s current or new initiatives relating to the protection of personal information?
  • When transferring personal information to third parties:
    • obtain appropriate consent from the customer/client for the transfer;
    • ensure the third party has identified a person to handle all privacy aspects of your contract with them;
    • limit the third party’s use of any personal information you supply to the purposes specified to fulfil the contract;
    • limit any disclosure by the third party of this information to what is authorized by your organization or required by law;
    • ensure the third party refers any people looking to access their personal information to your organization;
    • ensure the third party returns or disposes of the transferred information upon completion of the contract;
    • ensure the third party uses appropriate security measures to protect the personal information; and
    • allow your organization to audit the third party’s compliance with the terms of your contract as necessary.
Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):


Date modified: