Guides PIPEDA compliance for Canadian personal data handling, covering 10 fair information principles, consent, cross-border transfers, breach notification, and OPC enforcement.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete
This skill uses the workspace's default tool permissions.
The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) is Canada's federal private-sector privacy law. It applies to organizations that collect, use, or disclose personal information in the course of commercial activities, and to personal information about employees of federal works, undertakings, and businesses. PIPEDA incorporates the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) as Schedule 1, establishing 10 fair information principles.
The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA compliance, investigates complaints, conducts audits, and publishes findings and guidance. The Digital Privacy Act (S.C. 2015, c. 32) amended PIPEDA to add mandatory breach reporting, valid consent requirements, and enhanced enforcement provisions.
Note: PIPEDA does not apply in provinces that have enacted substantially similar legislation (Alberta PIPA, British Columbia PIPA, Quebec's Act respecting the protection of personal information in the private sector). However, PIPEDA continues to apply to interprovincial and international transfers of personal information in all provinces and to federally regulated organizations.
An organization is responsible for personal information under its control. It must designate an individual or individuals who are accountable for compliance with the principles. Accountability remains with the organization even when personal information is transferred to a third party for processing.
Key requirements:
The purposes for which personal information is collected must be identified at or before the time of collection. If a new purpose arises after collection, the organization must identify the new purpose and obtain fresh consent before using the information for that purpose.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate (as listed in sections 7(1)-(3) of PIPEDA).
Consent forms recognized by the OPC:
OPC Guidelines for Obtaining Meaningful Consent (2018):
The collection of personal information shall be limited to that which is necessary for the purposes identified. Information shall be collected by fair and lawful means. An organization must not collect personal information indiscriminately. Each element of personal information collected must be tied to an identified purpose.
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes. Organizations must develop guidelines and implement procedures for the retention and destruction of personal information.
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. The degree of accuracy required depends on the use — information used to make a decision about an individual must be sufficiently accurate to minimize the possibility of an inappropriate decision.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The level of protection must be commensurate with the sensitivity — more sensitive information requires stronger safeguards.
Categories of safeguards:
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. This includes the name or title and address of the person accountable, how to access personal information, a description of the type of information held, and a general account of its use.
Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Response requirements:
Permitted grounds for refusing access (Section 9(3)):
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance. Organizations must have procedures to receive and respond to complaints or inquiries. They must investigate all complaints and take appropriate measures to correct information-handling practices.
An organization must report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm (RROSH) to an individual.
The RROSH assessment must consider:
Significant harm includes: bodily harm, humiliation, damage to reputation, loss of employment, financial loss, identity theft, negative effects on credit record, damage to or loss of property.
Report to the OPC. The report must contain:
Notify affected individuals (Section 10.1(4)):
Notify other organizations (Section 10.2): If notification to another organization may reduce the risk of harm, notify that organization.
Organizations must keep and maintain a record of every breach of security safeguards involving personal information under their control for 24 months after the day on which the organization determines that the breach has occurred. The OPC may request access to these records.
PIPEDA does not prohibit cross-border transfers of personal information. However, the transferring organization remains accountable for the information under Principle 1 (Accountability). The OPC requires:
Following the OPC findings in PIPEDA Case Summary 2009-008 and the Supreme Court of Canada decision in R. v. Spencer (2014 SCC 43), organizations must consider that personal information transferred to another jurisdiction may be subject to lawful access by foreign governments. This must be communicated to individuals.
On application by the Commissioner or the complainant, the Federal Court may order an organization to:
Offences under PIPEDA include:
Maximum fine: $100,000 CAD per offence (individual) under summary conviction.