The Personal Information Protection and Electronic Documents Act (PIPEDA) sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. PIPEDA also applies to the personal information of employees of federally-regulated businesses.
Businesses that are subject to the Act must follow these 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.
By following these principles, you will contribute to building trust in your business and in the digital economy.
Read more about how to comply with these 10 principles in your organization.
PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity. The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations that are subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use, or disclosure of personal information that occurs within that province.
Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use, and disclosure of personal health information.
All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).
Federally regulated organizations that conduct business in Canada are always subject to PIPEDA. The Act also applies to their employees’ personal information.
These organizations include:
Note: Organizations in the Northwest Territories, Yukon, and Nunavut are considered federally regulated, and are therefore also covered by PIPEDA.
If you are not sure whether your business is subject to PIPEDA, please consult "Find the right organization to contact about a privacy issue".
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
There are some instances where PIPEDA does not apply. Some examples include:
Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may apply in certain situations.