
What Is PIPEDA? A Plain-English Guide for Canadian Businesses

WalnutsHR Team

Key Takeaways

  1. PIPEDA applies to most private-sector organizations in Canada that collect personal information
  2. The law is built on 10 fair information principles that govern how you handle employee and customer data
  3. HR departments hold some of the most sensitive personal information covered by PIPEDA
  4. Provincial laws in Quebec, Alberta, and BC may apply instead of PIPEDA for intra-provincial activity

Not legal advice

This guide provides general information for SMB HR leads, not legal advice. Federal, provincial, and state employment law varies and changes. Consult employment counsel before relying on any specific language or applying any guidance to a real situation.

PIPEDA does not require you to keep employee data in Canada. It does require you to prove the data is just as protected wherever it lives — which, if your HR tool runs on US servers, is a much harder bar than it sounds.

The Personal Information Protection and Electronic Documents Act is the federal privacy law that governs how private-sector organizations in Canada collect, use, and disclose personal information in the course of commercial activity. If you're running a business in Canada, PIPEDA almost certainly applies to you. Reading the actual legislation is a slog of legal language that leaves most business owners more confused than when they started. This guide translates PIPEDA into plain English, with a focus on what it means for your HR practices.

Federally vs provincially regulated employees

PIPEDA covers employee data in federally regulated workplaces directly. For provincially regulated private-sector employees, coverage depends on whether the province has substantially similar legislation (Alberta, BC, and Quebec have their own provincial regimes that displace PIPEDA for intra-provincial activity).

10 fair information principles: the foundation of PIPEDA — ten principles that govern how organizations must handle personal information.

Who Does PIPEDA Apply To?

PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. In practice, this covers most businesses in Canada.

There are exceptions. PIPEDA does not apply to:

  • Provincial or territorial governments
  • Federal government institutions (covered by the Privacy Act instead)
  • Organizations operating entirely within a province that has its own substantially similar privacy law (more on this below)
  • Individuals collecting personal information for personal or domestic purposes

For most Canadian businesses with employees, customers, or vendors, PIPEDA is the baseline. Even if a provincial law applies to your intra-provincial activities, PIPEDA still governs interprovincial and international data flows.

What Counts as Personal Information?

Personal information under PIPEDA is broadly defined. It's any factual or subjective information about an identifiable individual. For HR departments, this includes:

  • Social Insurance Numbers (SINs)
  • Salary and compensation details
  • Banking and direct deposit information
  • Home addresses and phone numbers
  • Health information (medical leave details, disability accommodations, benefits claims)
  • Performance reviews and disciplinary records
  • Background check results
  • Employment history and references
  • Emergency contact information
  • Photos and biometric data (if you use facial recognition for time tracking, for example)

The key test: can the information be linked to a specific person? If yes, it's personal information under PIPEDA. And HR departments hold enormous amounts of it, which makes understanding your obligations essential.

SINs deserve special attention

Social Insurance Numbers are among the most sensitive data your HR department handles. PIPEDA requires that the collection and use of SINs be strictly limited to purposes required by law (like tax reporting). You should never use SINs as general-purpose employee identifiers, and they must be protected with the highest level of security your organization can provide.

The 10 Fair Information Principles

PIPEDA is built on ten principles from the Canadian Standards Association's Model Code for the Protection of Personal Information. These principles form the backbone of the law. Here's each one in plain language.

1. Accountability

Your organization is responsible for the personal information in its control. You must designate a specific person (a privacy officer or equivalent) to be accountable for your compliance. This doesn't have to be a full-time role -- in a small business, it's often the founder or the person handling HR. But someone must own it.

2. Identifying Purposes

Tell people why you're collecting their information before or at the time of collection. "We need your SIN for tax reporting" is a valid identified purpose; "we might need it someday" is not.

3. Consent

You need meaningful consent from individuals before collecting, using, or disclosing their personal information. Meaningful consent means the person actually understands what they're agreeing to. A buried clause on page 37 of an employment agreement doesn't qualify.

Consent can be express (the person actively agrees) or implied (the person provides information voluntarily for an obvious purpose). For sensitive information like health data or SINs, express consent is the standard.

4. Limiting Collection

Only collect what you actually need for the purposes you've identified. If you don't need an employee's marital status for benefits administration, don't collect it — even if a form template has a field for it.

5. Limiting Use, Disclosure, and Retention

Personal information can only be used or disclosed for the purpose it was collected for, unless you get new consent. And you can't keep it forever -- once the purpose has been fulfilled and there's no legal requirement to retain it, the information must be destroyed, erased, or made anonymous.

For HR data, this means you should have retention policies that specify how long you keep different types of employee records after someone leaves. CRA requires employers to keep payroll records for six years, which sets a floor, but you shouldn't keep performance reviews or health information indefinitely just because you forgot to delete them.

6. Accuracy

Personal information must be as accurate, complete, and up-to-date as necessary for its purpose. If you're using an employee's address to mail their T4, that address needs to be current. This is one reason employee self-service portals matter -- they let employees update their own information instead of relying on HR to catch changes.

7. Safeguards

You must protect personal information with security safeguards appropriate to the sensitivity of the data. More sensitive information requires stronger protection. This means:

  • Technical safeguards: encryption, access controls, secure storage
  • Organizational safeguards: need-to-know access, security policies, employee training
  • Physical safeguards: locked offices, secure server rooms (if applicable)

This principle has direct implications for your HR software choices. If your employee data is stored in a system with weak access controls, no encryption at rest, or no audit logging, you're not meeting the safeguards requirement.
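To make the safeguards principle concrete, here is an added example (written for this guide, not WalnutsHR's code) of need-to-know, field-level access over an HR record with an append-only audit log. The role names, field names and the employee record are constructed for illustration: only the payroll role (or the employee themselves) can read the SIN and banking fields, health notes are limited to HR and the employee, and every read, granted or refused, is logged so you can later answer "who saw this person's SIN?".

```python
"""Need-to-know access plus audit logging over an HR record.

Added example, not WalnutsHR code. Roles, fields and the sample record
are constructed for illustration; the policy table encodes the
safeguards principle: sensitive fields (SIN, banking, health) are
visible only to the roles whose job actually needs them, and every
access attempt, allowed or refused, is appended to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which roles may read each field. These roles are assumptions for the
# example, not a real product's role model.
FIELD_POLICY = {
    "name":         {"hr", "manager", "payroll", "self"},
    "work_email":   {"hr", "manager", "payroll", "self"},
    "home_address": {"hr", "payroll", "self"},
    "performance":  {"hr", "manager", "self"},
    "sin":          {"payroll", "self"},   # tax reporting only, never a general ID
    "bank_account": {"payroll", "self"},
    "health_notes": {"hr", "self"},        # accommodations / leave management
}


@dataclass
class AuditEvent:
    ts: str
    actor: str
    role: str
    subject: str
    fields_requested: tuple
    fields_granted: tuple


@dataclass
class HRStore:
    records: dict                      # employee_id -> {field: value}
    audit_log: list = field(default_factory=list)

    def read(self, actor, role, subject, fields):
        """Return only the fields `role` may see; log the attempt either way."""
        if role == "self" and actor != subject:
            role = "none"              # "self" only applies to your own record
        granted = tuple(f for f in fields if role in FIELD_POLICY.get(f, set()))
        self.audit_log.append(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, subject=subject,
            fields_requested=tuple(fields), fields_granted=granted,
        ))
        rec = self.records[subject]
        return {f: rec[f] for f in granted}

    def who_saw(self, subject, fieldname):
        """Audit query: which actors were actually granted `fieldname` of `subject`."""
        return sorted({e.actor for e in self.audit_log
                       if e.subject == subject and fieldname in e.fields_granted})


# Constructed sample record with fake values.
SAMPLE_RECORDS = {
    "e100": {"name": "A. Example", "work_email": "a@example.test",
             "home_address": "1 Fake St", "performance": "meets expectations",
             "sin": "000-000-000", "bank_account": "000-0000000",
             "health_notes": "none"},
}

if __name__ == "__main__":
    store = HRStore(records=SAMPLE_RECORDS)
    print(store.read("m1", "manager", "e100", ["name", "sin", "performance"]))
    print(store.read("p1", "payroll", "e100", ["sin"]))
    print(store.who_saw("e100", "sin"))
```

The refused request from the manager still produces an audit event; that is deliberate, because a pattern of refused attempts on SIN or health fields is exactly what a privacy officer wants to be able to find later.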

8. Openness

Your privacy policies and practices must be available to the public. For employers, that means a clear privacy notice telling employees what you collect, why, how you protect it, and who to contact with questions.

9. Individual Access

People have the right to see the personal information you hold about them and to challenge its accuracy. If an employee asks to see their HR file, you must provide access within a reasonable timeframe. If they say something is wrong, you must investigate and correct it if appropriate.

An employee asks to see their performance file. PIPEDA s.8(3) gives you 30 days to respond. You may redact personal information about third parties (e.g., comments from peer reviewers identifiable by context). The information must be provided in a generally understandable form. Refusing without statutory grounds — or stalling past 30 days without an extension request — exposes you to a complaint.

In practice, this is also where your HR software matters. If pulling a complete record of one employee's data requires digging through spreadsheets, emails, and paper files, you'll struggle to meet that 30-day window.

10. Challenging Compliance

Individuals must be able to challenge your compliance with these principles. You need a process for handling complaints, and you must investigate them. If someone raises a concern about how you're handling their data, you can't just ignore it.

The practical takeaway

You don't need to memorize all ten principles. The spirit of PIPEDA is straightforward: collect only what you need, tell people why you're collecting it, get their consent, keep it safe, give them access when they ask, and get rid of it when you no longer need it. If your practices align with that spirit, you're most of the way there.

How PIPEDA Affects Your HR Department

HR departments are on the front line of PIPEDA compliance because they handle large volumes of sensitive personal information. Here's how the principles translate to daily HR operations.

What You Can Collect

You can collect personal information that's directly related to the employment relationship and necessary for specific purposes:

  • Contact information for communication and emergency situations
  • SINs for tax reporting (required by CRA)
  • Banking details for payroll deposits
  • Health information relevant to benefits administration, accommodations, or leave management
  • Performance data for evaluation and development purposes
  • Background check results where relevant to the position

You cannot collect information that isn't necessary for the employment relationship. For example, collecting information about an employee's religion, political beliefs, or personal relationships is not justified unless directly relevant to a specific, identified purpose.

How Long You Can Keep It

PIPEDA doesn't specify exact retention periods -- it says you must keep information only as long as necessary to fulfill the purpose for which it was collected, or as required by law. In practice, for HR:

  • Payroll records: CRA requires six years from the end of the relevant tax year
  • T4 slips and records of employment: six years
  • Employee records (general): keep for the duration of employment plus a reasonable period after (two to three years is common practice, depending on limitation periods for employment claims)
  • Unsuccessful job applications: destroy within a reasonable period (six months to one year)

What You Must Disclose

If an employee requests access to their personal information, you must provide it within a reasonable time (generally 30 days). This includes performance reviews, disciplinary records, and any notes in their file. There are limited exceptions -- for example, information that would reveal personal information about another individual.

Provincial Privacy Laws

PIPEDA is the federal baseline, but three provinces have their own private-sector privacy laws that the federal government has recognized as "substantially similar." In those provinces, the provincial law applies to intra-provincial activity instead of PIPEDA.

Quebec: Law 25

Quebec has the most stringent privacy framework in Canada. Law 25 (which modernized Quebec's existing privacy law) introduced requirements that go beyond PIPEDA:

  • Privacy impact assessments are mandatory for certain projects involving personal information
  • Breach notification is required to the Commission d'accès à l'information and affected individuals
  • The right to data portability allows individuals to request their data in a structured format
  • A designated privacy officer is required, and their contact information must be published

Quebec's Law 25 establishes two penalty tracks: administrative monetary penalties up to $10 million or 2% of worldwide turnover (whichever is higher), imposed by the Commission d'accès à l'information; and penal sanctions up to $25 million or 4% of worldwide turnover (whichever is higher), reachable through prosecution under section 91.

If you have employees in Quebec, you need to comply with Law 25 for those employees' data, even if your company is based elsewhere in Canada.

Alberta: PIPA

Alberta's Personal Information Protection Act governs private-sector privacy in the province. It covers employee information specifically and has provisions for collection, use, and disclosure without consent in certain employment contexts. However, the thresholds and requirements differ from PIPEDA in important details.

British Columbia: PIPA

BC's Personal Information Protection Act (same name as Alberta's, different law) similarly governs private-sector privacy within British Columbia. Like Alberta's PIPA, it addresses employee information directly and has its own nuances around consent requirements.

Multi-province employers take note

If you have employees in Ontario, Quebec, and British Columbia, you're potentially subject to three different privacy frameworks: PIPEDA for Ontario employees (no substantially similar provincial law), Law 25 for Quebec employees, and BC PIPA for British Columbia employees. Your HR practices and systems need to accommodate all of them.

Practical Compliance Steps for Small Businesses

You don't need a legal team to get PIPEDA compliance right. Here are concrete steps that small businesses can take now.

1. Appoint a privacy lead

Designate someone in your organization as responsible for privacy compliance. In a small business, this is often the founder or whoever manages HR. Document the appointment.

2. Audit your data

Map out what personal information you collect, where it is stored, who has access to it, and how long you keep it. You cannot protect what you do not know about.

3. Write a privacy notice

Create a clear, plain-language document that tells employees and customers what data you collect, why, how you protect it, and how they can access it or raise concerns.

4. Review your consent practices

Make sure you are obtaining meaningful consent for data collection. Update employment agreements and forms to include clear privacy language.

5. Secure your systems

Ensure personal information is encrypted, access is restricted to those who need it, and audit logs track who accesses what. Your HR software should support all of this.

6. Set retention schedules

Define how long you keep different categories of personal information and build a process for destroying data when the retention period expires.
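As an added example of what a retention schedule looks like once it is turned into a process (written for this guide, not WalnutsHR's code), the script below applies the periods quoted earlier in this article to a set of constructed HR records: six years from the end of the relevant tax year for payroll, T4 and ROE records, employment plus two years for the general employee file, and six months for unsuccessful applications. Choosing the shorter end of each range, the category names, the record layout and the sample records are all assumptions for the example; a real schedule is set with counsel. It also handles the two cases a naive "delete after N years" job gets wrong: a record whose purpose is not yet fulfilled (a still-employed person has no termination date) and a record under legal hold.

```python
"""Retention-schedule check for HR records.

Added example, not WalnutsHR code. Periods follow the article (CRA:
six years from the end of the tax year; applications: six months;
employee file: employment plus two years). Category names, the Record
layout and the sample data are constructed assumptions.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    months: int
    anchor: str   # "end_of_tax_year" (clock starts Dec 31 of the event year) or "event"


# Assumption: shortest period the article names for each category.
RETENTION = {
    "payroll":       Rule(months=72, anchor="end_of_tax_year"),
    "t4":            Rule(months=72, anchor="end_of_tax_year"),
    "roe":           Rule(months=72, anchor="end_of_tax_year"),
    "employee_file": Rule(months=24, anchor="event"),   # event = termination date
    "application":   Rule(months=6,  anchor="event"),   # event = rejection date
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    event_date: Optional[date]   # None while the purpose is still active (e.g. still employed)
    legal_hold: bool = False


def add_months(d, months):
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    last_day = calendar.monthrange(y, m)[1]
    return date(y, m, min(d.day, last_day))


def destroy_after(category, event_date):
    """Date after which the record may be destroyed, erased or anonymized."""
    rule = RETENTION[category]
    start = date(event_date.year, 12, 31) if rule.anchor == "end_of_tax_year" else event_date
    return add_months(start, rule.months)


def retention_status(rec, today):
    """One of 'hold', 'keep' or 'destroy' for a record on a given day."""
    if rec.legal_hold:
        return "hold"          # litigation or regulator request overrides the schedule
    if rec.event_date is None:
        return "keep"          # purpose not yet fulfilled, clock has not started
    return "destroy" if today > destroy_after(rec.category, rec.event_date) else "keep"


def due_for_destruction(records, today):
    """IDs of records whose retention period has expired and are not on hold."""
    return [r.record_id for r in records if retention_status(r, today) == "destroy"]


# Constructed sample records (fake IDs and dates).
SAMPLE = [
    Record("pay-2019-03", "payroll", date(2019, 3, 15)),           # tax year 2019 -> 2025-12-31
    Record("pay-2020-11", "payroll", date(2020, 11, 2)),           # tax year 2020 -> 2026-12-31
    Record("file-e100", "employee_file", date(2023, 6, 30)),       # left 2023 -> 2025-06-30
    Record("file-e200", "employee_file", None),                    # still employed
    Record("file-e300", "employee_file", date(2022, 1, 5), legal_hold=True),
    Record("app-9001", "application", date(2025, 9, 10)),          # rejected -> 2026-03-10
]

if __name__ == "__main__":
    print(due_for_destruction(SAMPLE, date(2026, 1, 15)))
```

Run on 15 January 2026 the sample flags the 2019 payroll record and the employee file of the person who left in 2023, keeps the 2020 payroll record until the end of 2026, and leaves the active employee and the held record alone.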

Choose Compliant Tools

Your HR software is where most employee personal information lives. If that software doesn't support PIPEDA compliance, you're building on a weak foundation. Evaluate your tools against these criteria:

  • Data residency: Where is the data physically stored? Canadian servers keep your data under Canadian jurisdiction. For more on this, read our guide on Canadian data residency requirements.
  • Access controls: Can you restrict who sees what based on role? Can employees access their own data?
  • Audit logging: Does the system track who accessed or modified records?
  • Data export: Can you produce a complete record of an individual's data for access requests?
  • Encryption: Is data encrypted both in transit and at rest?

Product note: WalnutsHR

WalnutsHR was built with these requirements as foundational features, not aftermarket additions. Canadian data residency is the default, not an enterprise upsell. Role-based access controls, audit logs, and employee self-service are included on every plan. See our full feature set for details.

Don't Overlook Data You Share with Vendors

PIPEDA doesn't just cover data you hold -- it covers data you transfer to third parties. If you use a US-based HR platform, benefits provider, or background check service, you need to ensure that the third party provides a comparable level of protection. Under the US CLOUD Act, US-based companies can be compelled to disclose data to US law enforcement, which creates a tension with PIPEDA's safeguards principle. For a deeper look at this issue, see our guide on why Canadian companies need Canadian HR software.

What Happens If You Don't Comply?

PIPEDA itself does not give the Office of the Privacy Commissioner direct fining power. The OPC investigates complaints, issues findings and recommendations, and can take matters to Federal Court, which can order compliance and award damages. Provincial laws bite harder: Quebec's Law 25 imposes AMPs up to $10M or 2% (and penal sanctions up to $25M or 4% on prosecution); Alberta and BC PIPAs have their own commissioner orders and, in some cases, fines.

The bigger risk for most small businesses isn't a formal OPC investigation -- it's the reputational damage and operational disruption. An employee who discovers their SIN was stored insecurely, or that their health information was shared without consent, has grounds for a complaint that will consume your time and erode trust.

PIPEDA Is Not Going Away

As of 2026, there is no active federal bill replacing PIPEDA. Bill C-27 — which contained the proposed Consumer Privacy Protection Act — died on the order paper before the 2025 election and has not been reintroduced.

That doesn't mean the regulatory direction has reversed. Provincial frameworks (most visibly Quebec's Law 25) keep raising the bar, and any future federal reform is likely to land closer to Quebec's standards than to PIPEDA's current enforcement model. Building your HR practices and systems around PIPEDA compliance now means you're prepared for whatever comes next. The businesses that treat privacy as a foundation rather than an afterthought are the ones that avoid scrambling when regulations tighten.

For a comparison of how different HR software categories handle Canadian compliance, see our alternatives page, which covers data residency and privacy across the major categories.


WalnutsHR Team

The WalnutsHR team shares practical advice on HR, team building, and growing your company — from the people building modern HR software.
