PIPEDA in brief

Revised: May 2019

There are a number of requirements to comply with the law. Organizations covered by PIPEDA must generally obtain an individual's consent when they collect, use or disclose that individual's personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards.

How the Act applies

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.

The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Provincial privacy laws

Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.

Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information.

Information that crosses borders

All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

Federally regulated organizations

Federally regulated organizations that conduct business in Canada are always subject to PIPEDA. The Act also applies to their employees’ personal information.

These organizations include:

  • airports, aircraft and airlines;
  • banks and authorized foreign banks;
  • inter-provincial or international transportation companies;
  • telecommunications companies;
  • offshore drilling operations; and
  • radio and television broadcasters.

NOTE: Organizations in the Northwest Territories, Yukon and Nunavut are considered federally regulated, and are therefore also covered by PIPEDA.

If you are not sure if your business is subject to PIPEDA, please consult “Find the right organization to contact about a privacy issue” on our website.

What is personal information?

Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

What is not covered by PIPEDA?

There are some instances where PIPEDA does not apply. Some examples include:

  • Personal information handled by federal government organizations listed under the Privacy Act
  • Provincial or territorial governments and their agents
  • Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
  • An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
  • An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes

Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:

Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may apply in certain situations.

Your responsibilities under PIPEDA

Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.

By following these principles, you will contribute to building trust in your business and in the digital economy.

The principles are:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance