Canadian PIPEDA

Canada

4 domains

32 controls

Personal Information Protection and Electronic Documents Act. Federal Canadian private-sector privacy law.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (4)

Breach Reporting

5 controls

Controls in the Breach Reporting domain of Canadian PIPEDA — 5 controls
Code	Title	Description
s.10.1(1)	Breach Notification to Commissioner	An organization shall report to the Privacy Commissioner any breach of security safeguards involving personal informatio...
s.10.1(3)	Breach Notification to Individuals	An organization shall notify an individual of any breach of security safeguards involving the individuals personal infor...
s.10.1(6)	Real Risk of Significant Harm Factors	The factors relevant to determining real risk of significant harm include the sensitivity of the personal information in...
s.10.2	Notification to Third Parties	An organization that notifies an individual of a breach shall also notify any other organization, government institution...
s.10.3	Record Keeping of Breaches	Every organization shall keep and maintain a record of every breach of security safeguards involving personal informatio...

Enforcement

2 controls

Controls in the Enforcement domain of Canadian PIPEDA — 2 controls
Code	Title	Description
s.11	Consent, Justification and Objection	Processing must be supported by consent, contractual necessity, legal obligation, protection of a legitimate interest, p...
s.17	Documentation	The responsible party must maintain documentation of all processing operations under its responsibility as required by t...

Fair Information Principle

21 controls

Controls in the Fair Information Principle domain of Canadian PIPEDA — 21 controls
Code	Title	Description
Principle 4.1	Accountability	An organization is responsible for personal information under its control and must designate an individual or individual...
Principle 4.1.3	Accountability for Third Party Transfers	An organization is responsible for personal information transferred to a third party for processing and shall use contra...
Principle 4.1.4	Privacy Management Program	Organizations shall implement policies and practices including procedures to protect personal information, complaint pro...
Principle 4.10	Challenging Compliance	An individual shall be able to address a challenge concerning compliance with the above principles to the designated ind...
Principle 4.2	Identifying Purposes	The purposes for which personal information is collected shall be identified by the organization at or before the time t...
Principle 4.2.4	New Purpose Requires New Consent	When personal information that has been collected is to be used for a purpose not previously identified, the new purpose...
Principle 4.3	Consent	The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information,...
Principle 4.3.4	Form of Consent	The form of consent sought by the organization may vary depending on the circumstances and the type of information, with...
Principle 4.3.8	Consent Withdrawal	An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and...
Principle 4.4	Limiting Collection	The collection of personal information shall be limited to that which is necessary for the purposes identified by the or...
Principle 4.5	Limiting Use, Disclosure, and Retention	Personal information shall not be used or disclosed for purposes other than those for which it was collected except with...
Principle 4.5.3	Secure Destruction	Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made...
Principle 4.6	Accuracy	Personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to...
Principle 4.7	Safeguards	Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Principle 4.7.3	Categories of Safeguards	The methods of protection should include physical measures, organizational measures, and technological measures appropri...
Principle 4.7.4	Employee Awareness	Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal informat...
Principle 4.8	Openness	An organization shall make readily available to individuals specific information about its policies and practices relati...
Principle 4.8.2	Required Openness Information	Information made available shall include the name or title and contact of the accountable person, means of access, descr...
Principle 4.9	Individual Access	Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and gi...
Principle 4.9.4	Response Timelines	An organization shall respond to an individuals access request within a reasonable time and at minimal or no cost to the...
Principle 4.9.5	Correction and Notation	When an individual demonstrates inaccuracy or incompleteness, the organization shall amend the information as required,...

Other

4 controls

Controls in the Other domain of Canadian PIPEDA — 4 controls
Code	Title	Description
s.5(3)	Appropriate Purposes	An organization may collect, use, or disclose personal information only for purposes that a reasonable person would cons...
s.6.1	Valid Consent	Consent is only valid if it is reasonable to expect that an individual to whom the organizations activities are directed...
s.7	Certain Legitimate Uses	Processing without consent permitted for specified legitimate uses including voluntary provision for stated purpose, Sta...
s.7.3	Disclosure for Business Transaction	Organizations may disclose personal information without consent for purposes of a prospective or completed business tran...

Frequently Asked Questions

What is Canadian PIPEDA?

Canadian PIPEDA is a compliance framework from Canada with 4 domains and 32 controls. Personal Information Protection and Electronic Documents Act. Federal Canadian private-sector privacy law. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Canadian PIPEDA have?

Canadian PIPEDA has 32 controls organised across 4 domains. The largest domains are Fair Information Principle (21 controls), Breach Reporting (5 controls), Other (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Canadian PIPEDA map to?

Canadian PIPEDA does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Canadian PIPEDA compliance?

Start your Canadian PIPEDA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Canadian PIPEDA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required