PIPEDA Privacy Alignment Assessment
Canada’s federal private-sector privacy law governs how your organization collects, uses, and discloses personal information. This page explains the law from first principles and describes how Sovereign GRC assesses compliance against it.
The Law
What PIPEDA is and why it applies to you.
The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) is Canada’s federal privacy law for the private sector. It came into force on January 1, 2001, was extended to cover all commercial activity by 2004, and has been amended multiple times since, most recently in 2025.
If your organization collects, uses, or discloses personal information (any information about an identifiable individual) in the course of commercial activity, PIPEDA applies to you, regardless of size or sector. In federally regulated industries it also covers employee data.
The law does not require a breach to trigger an obligation. The obligation exists the moment your organization collects a piece of personal information. The 10 Fair Information Principles set out in Schedule 1 define what compliant handling looks like, from the moment of collection through to deletion.
Why this matters now
On May 6, 2026, the OPC issued Finding #2026-002, a well-founded finding that large-scale AI training data collection without consent violates Canadian privacy law. It is public precedent: every organization handling personal information in Canada now has a documented benchmark for what the regulator will demand.
Scope
Who is subject to it.
Commercial Organizations
Any organization that collects, uses, or discloses personal information in the course of a commercial activity, regardless of size, sector, or province, falls under PIPEDA at the federal level.
Federal Works & Undertakings
Banks, airlines, telecommunications companies, broadcasters, and interprovincial transportation operators fall under federal jurisdiction and are covered in their entirety, including employee information.
Exclusions
Government institutions are excluded, as is information collected for personal use or for journalistic, artistic, or literary purposes. Business contact information used to communicate with an individual about their employment is also excluded. Schedule 4 organizations fall under PIPEDA for specified data categories. PIPEDA applies as a default floor unless explicitly superseded.
Provincial Overlap
Quebec (Law 25), British Columbia (PIPA), and Alberta (PIPA) have substantially similar provincial legislation. Organizations in those provinces may be exempt from PIPEDA for intra-provincial activity, but PIPEDA still applies to federally regulated activities and to inter-provincial or international data transfers.
Core Obligations
What the law requires of your organization.
Primary compliance obligation
Every organization shall comply with the obligations set out in Schedule 1. Organizations may only collect, use, or disclose personal information for purposes a reasonable person would consider appropriate in the circumstances.
Valid consent standard
Consent is valid only if it is reasonable in the circumstances to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure. Buried terms, pre-ticked boxes, and legalese that obscures purpose do not meet this standard.
Breach reporting obligation
A breach is unauthorized access or disclosure due to failed safeguards. If it poses real risk of significant harm (RROSH), notify the OPC, affected individuals, and relevant parties immediately. RROSH is assessed by data sensitivity and harm type (identity theft, financial loss, reputational damage, bodily harm).
No-consent exceptions
Sections 7–7.4 define the circumstances where collection, use, or disclosure without knowledge or consent is permitted, including law enforcement, fraud detection, emergencies, research, publicly available information, business transactions, and certain employment relationships. Any organizational reliance on these exceptions must be documented, justified, and limited strictly to the permitted circumstance.
Access and correction rights
Individuals may request access to their personal information in writing. Organizations must respond within 30 days (S.8). Where information is inaccurate or incomplete, individuals may request correction (S.9). Failures here can trigger complaints to the OPC and Federal Court proceedings under S.11–16.
Breach record retention
Every breach, regardless of whether it meets the RROSH threshold, must be recorded and retained for a minimum of 24 months. The OPC can request this record at any time.
The 10 Fair Information Principles.
Schedule 1 is the operational heart of PIPEDA. Every compliance obligation flows from one of these ten principles. Our assessment evaluates your organization against each one, with evidence required for every finding.
Assessment Scope
Technical controls and organizational policies.
An assessment that covers only documentation misses the technical reality. One that covers only systems misses the governance gaps. We audit both.
Technical Controls
- Encryption at rest and in transit (TLS 1.2+, AES-256)
- Access control architecture: RBAC, least-privilege, MFA
- Audit log completeness and retention configuration
- Data inventory and classification tooling
- Consent management platform configuration and records
- Vulnerability management and patch cadence
- Backup and recovery controls
- API and third-party integration data flow mapping
- Cookie and tracking technology inventory
- Cross-border transfer mechanisms and legal adequacy
Organizational Policies
- Privacy policy, notices, and consent language
- Retention and deletion schedule: documented and enforced
- Third-party processor agreements and DPA terms
- Staff privacy training records and awareness programs
- SAR procedure: intake, identity verification, statutory 30-day response clock, and log
- Whistleblower protection and anti-retaliation policy (S.27.1): employees who report or refuse to participate in PIPEDA contraventions must not face reprisal
- Breach response plan and RROSH assessment framework
- PIA process for new systems and high-risk data handling
- Governance structure: roles, accountabilities, escalation
- Change management process for data-handling changes
- Internal audit and compliance review cadence
Methodology
Phase-gated. Evidence-required.
No phase begins until the previous one is signed off. No finding goes unvalidated. Every deliverable requires dual-reviewer sign-off before issuance.
| Phase | Deliverable | Gate |
|---|---|---|
| 0: Engagement Mobilization | Signed engagement letter, NDA, applicability confirmation, conflict of interest and independence attestations, kickoff notes, Phase 0 out-brief | Signed out-brief |
| 1: Privacy Discovery | Data inventory and flow map, third-party processor register (control vs custody noted), cross-border transfer identification, policy and notice review summary, Phase 1 out-brief | Signed out-brief |
| 2: Privacy Gap Assessment | 10-Principle gap assessment, safeguards review, breach management and RROSH readiness review, risk register with dual-reviewer calibration and enforcement precedent notes, Phase 2 out-brief | Dual-reviewer sign-off |
| 3: Remediation Roadmap | Statute-tagged recommendations report, effort bands, owner assignments, executive summary (risk counts, top findings, top priorities, timeline bands), Phase 3 out-brief | Client sign-off |
| 4: Policy & Procedure Authorship | Authored policy and procedure documents, implementation log (change, owner, date, recommendation reference), deferred items register, Phase 4 out-brief | Signed out-brief |
| 5: Validation & Closeout | Controls validation checklist, implementation record cross-referenced against Phase 4 log, residual risk note, Final Engagement Report, signed by practice lead and independent reviewer | Final Report issued |
| 6: Monitor & Maintain | Privacy review calendar, incident and breach log, periodic status summary, escalation log, triggered by OPC guidance changes, new AI or biometric processing, processor changes, breach events, or legislative amendments | Annual review cycle |
Enforcement
What non-compliance costs.
S.28: Penalty Schedule
$10,000
Maximum fine on summary conviction for knowingly contravening breach reporting obligations, whistleblower protection obligations, certain access-request obligations, or obstructing the OPC during investigation (S.8(8), S.10.1, S.10.3(1), S.27.1(1)).
$100,000
Maximum fine on conviction for an indictable offence. The underlying conduct is the same; the Crown elects the more serious procedure. Statutory fines are separate from reputational and civil exposure.
What You Receive
Audit-ready evidence. Not a slide deck.
Every engagement closes with documentation that holds up under regulatory scrutiny, not language that disappears when a regulator asks a specific question.
10-Principle Assessment Matrix
Every Schedule 1 principle evaluated with finding, severity rating, and statutory clause reference. Dual-reviewer sign-off required before issuance.
Statute-Tagged Remediation Roadmap
Every recommendation tied to the specific PIPEDA clause or section it addresses. Prioritized by regulatory exposure and effort band. Owner assignment included.
Breach Obligation Gap Report
Dedicated assessment of Division 1.1 compliance: RROSH framework adequacy, Commissioner notification procedures, and 24-month record retention posture.
Final Engagement Report
Signed by practice lead and independent reviewer. Audit-ready documentation establishing your organization's compliance posture at the date of assessment.
Policy & Procedure Documentation
Approved recommendations authored and delivered as implementation-ready policy and procedure documents, logged against their statutory obligation.
Next Step
Know where you stand.
Before it matters.
One scoping session. Applicable obligations confirmed, gaps identified, remediation priorities set.