Understanding Canada’s Private Sector Data Security Laws (PIPEDA & PIPA)

Learn how to comply with Canada’s national data security law and key provincial laws.


Unlike the US, Canada has a single law covering privacy and data security. Passed in 2000, the Personal Information Protection and Electronics Documents Act (PIPEDA) rests on ten principles: accountability, identifying purpose of collection, consumer consent, limiting collection, limiting use and retention, accuracy, data safeguards, openness, individual access, and consumer right to challenge compliance.

In laymen’s terms, PIPEDA controls access to consumer’s personal information held by private organizations. PIPEDA’s definition of personal information is quite broad: it includes any data about an individual. Along with name, and other obvious identifiers, PIPEDA counts as personal information employee files, credit records, medical records, age, blood type, social status, and more.

Under PIPEDA, consumers have to give consent for personal information to be collected. After it’s taken, the consumers have the right to access their information held and to challenge its accuracy.
Organizations also have obligations to limit what they collect, use personal data only for the purposes consented to by the consumer, and not retain the data when those reasons or purposes no longer are in effect. Organizations are also required to put in place appropriate data security safeguards.

In June 2015, the Digital Privacy Act amended PIPEDA to include breach notification requirements. Organizations must notify affected individuals and the Privacy Commissioner of Canada when there is a breach that creates a “real risk of significant harm” to an individual. It also requires organizations to log a record of every breach of safeguards involving personal information, regardless of whether the breach results in a risk of significant harm.

Who Needs to Comply

PIPEDA covers any commercial organization in Canada. Federal agencies are covered by a different law — The Privacy Act. If a Canadian province adopts substantially similar legislation to PIPEDA, a local company would instead fall under the provincial law. To date, Alberta and British Columbia have each adopted their own private sector laws, each known as the Personal Information Protection Act (PIPA). Their laws are very similar if not exactly the same.

Quebec has followed with its version, which is referred to as the Private Sector Act. Ontario, New Brunswick, and Newfoundland have adopted similar legislation with regard to health records.  All of these provinces are exempt from PIPEDA.

Failure to Comply

Consumer complaints are taken to the Office of the Privacy Commissioner of Canada. The Commissioner is required to investigate the complaint and to produce a report at its conclusion. The Commissioner does not have any powers to order compliance or award damages or issue fines. Only under certain circumstances can a consumer take a complaint under PIPEDA to the Federal Court of Canada.

With the addition of the breach notification requirement, organizations can be fined for failing to notify the Commissioner or record a breach. Fines can reach up to $100,000 Canadian Dollars. However, this data breach notification regime will not take effect until the Canadian government issues regulations.

In the provinces, the fine schedules and damages are different than at the federal level. For PIPA (Alberta and British Columbia), individuals can be fined up to $10,000 and businesses up to $100,000. Individuals can sue companies for damages after the Privacy Commissioner has issued an order against a company.

Mapping Requirements to Varonis:

To see how Varonis can assist in your assessment, where applicable is an explanation describing how Varonis solutions can help keep your financial institution’s most important assets protected.


PIPEDA Requirement PIPA Requirement Varonis Product/Feature
Schedule 1
4.1 Accountability Principle
4.14a … implementing procedures to protect personal information.
Division 1

Compliance with the Act

5(1) An organization is responsible for personal information that is in its custody or under its control.
6(1) An organization must develop and follow policies and practices that are reasonable for the organization to meet its obligations under this Act

Varonis DataPrivilege helps organizations not only define the policies that govern who can access, and who can grant access to unstructured data, but it also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: 1) it unites all of the parties responsible including data owners, auditors, data users and IT around the same set of information and 2) it allows organizations to continually monitor the access framework in order to make changes and optimize both for compliance and for continuous enforcement of warranted access.
Schedule 1
4.5 Limiting Use, Disclosure, and Retention Principle4.5.3 Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
Division 2

Retention and destruction of information

35 (1) An organization may retain personal information only for as long as the organization reasonably requires the personal information for legal or business purposes.

35 (2) Within a reasonable period of time after an organization no longer reasonably requires personal information …

(a) destroy the records containing the personal information

Data Transport Engine provides the flexibility to configure complete end-to-end migration rules: define source criteria based on path, and/or content, classification rule, Varonis ownership and follow-up (flag/ tag) criteria, define destination path, folder, and permissions translation, and when the migration will take place. The ability to configure these rules allow for the rapid and safe execution of complex data migrations, and to easily implement and enforce policies for data retention and location based on content, accessibility, and activity.
Schedule 1
4.7 Safeguards Principle
4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Division 2

Protection of information

34 … protect personal information that is in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction

Varonis DatAdvantage recommends the revocation of permissions to data for those users who do not have a business need to the data – this ensures that user access to data is always warranted and driven by least privilege. DatAdvantage generates reports showing the history of permission revocations and the percentages by which overly permissive access was reduced. Division 1
10.1 Breaches of Security Safeguards

10.1 (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control …
10.1 (2) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control …
10.1 (6) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

Schedule 2

Notification of loss or unauthorized access or disclosure

34(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information …

Power to require notification

37(1) … the Commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure …

Varonis DatAlert provides real-time alerting based on file activity, Active Directory changes, permissions changes, and other events. Alert criteria and output are easily configurable so that the right people and systems can be notified about the right things, at the right times in the right ways. DatAlert improves your ability to detect possible security breaches, and misconfigurations. DatAlert can be configured to alert on changes made outside a particular time window.

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Request a demo

Or contact sales at 877-292-8767