Language selection


PIPEDA Fair Information Principle 7 – Safeguards

Reviewed: August 2020
Revised: August 13, 2021

Your responsibilities

Protect personal information in a way that is appropriate to how sensitive it is.

Protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use or modification.

NOTE: PIPEDA does not specify particular security safeguards that must be used. Your organization must continually ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.

How to fulfill these responsibilities

  • Develop and implement a security policy to protect personal information.
  • Use appropriate security safeguards to provide necessary protection. These can include:
    • physical measures (e.g., locked filing cabinets, restricting access to offices, and alarm systems);
    • up-to-date technological tools (e.g., passwords, encryption, firewalls and security patches); and
    • organizational controls (e.g., security clearances, limiting access, staff training and agreements).
  • Consider the following factors when selecting the right safeguard:
    • the sensitivity of the information and the risk of harm to the individual. For instance, health and financial information would generally be considered sensitive, along with information such as ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs;
    • the amount of information;
    • the extent of distribution;
    • the format of the information (e.g., electronic or paper);
    • the type of storage; and
    • the types and levels of potential risk your organization faces.
  • Review security safeguards regularly to ensure they are up to date, and that you have addressed any known vulnerabilities through regular security audits and/or testing.
  • Make your employees aware of the importance of maintaining the security and confidentiality of personal information, and hold regular staff training on security safeguards.


  • Make sure personal information that has no relevance to the transaction is either removed or blocked out when providing copies of information to others.
  • Keep files that contain sensitive information in a secure area or on a secure computer system, and limit employee access to a “need-to-know” basis.
Date modified: