Canadian Data Safeguarding Obligations For PIPEDA Compliance


When it comes to privacy protection, Canadian organizations are bound by the Personal Information Protection and Electronic Documents Act… better known by its acronym, PIPEDA.

As part of this act, Canadian companies have certain obligations when it comes to protecting personally identifiable information against theft or destruction.

In addition to preserving the integrity of this information, these organizations must also ensure that their client data will not be disclosed, copied, accessed or modified by unauthorized individuals.

One of the biggest mistakes that companies make is to assume that their PIPEDA obligations only apply to electronic data, and not to paper documents. But the law is very clear that ALL personally identifiable information must be kept in compliance with PIPEDA rules… regardless of what format it’s stored in.

That’s why it helps to digitize as many business processes as possible, and try to maintain a paperless office. This way, data and privacy protection become much simpler.

So what can you do to secure your company against data loss and privacy breaches while remaining within the guidelines of PIPEDA legislation? Here are a few best practices that have been suggested by the Canadian Government Office Of The Privacy Commissioner.

  • You should develop a formal internal process for the secure protection of confidential information. This process should be reviewed by your legal advisor, and you should ensure that it’s understood by everyone in your organization.
  • Appropriate physical and digital safeguards should be put in place to ensure the protection of this information.
    • Next time you go to a clinic, look to see if they have their live production server stored under the front desk where anyone can just grab it and run off. This is a disaster waiting to happen.
      At the Storagepipe datacenter, access is highly restricted. But if you were ever allowed inside, you would find all of the client data stored inside of locked cabinets, and watched by video cameras and live security guards twenty-four hours per day.
    • Hacking is no longer as hard as it used to be. Today, every teenager can go online and download simple-to-use applications that are capable of breaking through any poorly-secured network.
      In order for your confidential data to be considered secure, it should ideally be stored in encrypted format, behind a firewall and network that was configured and regularly examined by a network security expert. And most importantly, force everyone in your company to authenticate themselves using strong passwords.
    • Most privacy leaks are the result of poor internal controls. Make sure that employees have the right security clearances, and only have access to customer data on a need-to-know basis.
    • Make sure that internal employees have the proper training for handling sensitive information, and have them sign agreements acknowledging that they understand their obligations and will follow the proper procedures.
    • Enforce your internal data safeguard and privacy procedures, and hold regular staff meetings to review and update security procedures.
    • If you’re going to share information with a third party, make sure that this is strictly done within the PIPEDA guidelines, and remove or strip out any personal information that isn’t absolutely essential to the transaction. By only sharing the minimum required information, you greatly reduce the chances of accidentally falling out of compliance.

And here’s another piece of advice we’d like to add:

  • Human error – whether accidental or malicious – will always remain an area of concern when it comes to privacy protection. That’s why you should automate as much of your security as possible, and minimize the amount of human involvement in your electronic data and privacy protection.

Of course, these are only suggested general best practices. Unfortunately, there isn’t a one-size-fits-all procedure for PIPEDA compliance, and requirements differ across industries.

Also, it’s important to note that these suggestions only apply to information that’s stored in Canada. Once your customer data crosses the border into another country, you now have to re-work your entire compliance plan from scratch so that it adheres to multiple different – and often incompatible – sets of privacy regulations.

But these guidelines should serve as a good foundation when discussing the adherence to your PIPEDA compliance obligations with your legal advisor.

If you’d like more information on how to protect the integrity and privacy of your client data while adhering to your PIPEDA obligations, please visit
