🔒

PIPEDA Basics

Canada's federal privacy law and what it means for you

Lesson 1 of 6 · Innovalead Foundation · Free Education

Overview

What Is PIPEDA?

1PIPEDA = Personal Information Protection and Electronic Documents Act — Canada's main federal privacy law since 2000.
2It governs how private-sector organizations collect, use, and disclose personal information during commercial activities.
3It applies across Canada, except where substantially similar provincial laws exist (Quebec, Alberta, BC).

📋 10 Fair Information Principles

PIPEDA is built on 10 principles: Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance.

Personal Information

What Counts as Personal Information?

👤

Identity

Name, age, SIN, driver's licence, passport numbers

💰

Financial

Income, credit records, banking information, tax returns

🏥

Health

Medical records, prescriptions, physical/mental conditions

📧

Digital

Email address, IP address, social media profiles, browsing history

💼

Employment

Performance reviews, disciplinary actions, salary history

🏠

Personal Life

Marital status, ethnic origin, opinions, religious beliefs

⚠️ Key Point

Any information that can identify you — directly or indirectly — is personal information under PIPEDA. Even your postal code combined with age and gender can identify you.

Who It Covers

Who Must Follow PIPEDA?

✓Private businesses that collect, use, or share personal information in commercial activities.
✓Federally regulated industries — banks, airlines, telecommunications, railways.
✓All businesses that transfer personal information across provincial or national borders.

✗Federal/provincial governments — covered by the Privacy Act instead.
✗Not-for-profits and charities — generally not covered unless engaged in commercial activities.
✗Purely personal use — e.g., your personal address book.

✅ Lesson 1 — Key Takeaways

✓PIPEDA is Canada's federal privacy law governing commercial use of personal data
✓Personal information includes anything that can identify you — from SIN to IP address
✓Built on 10 Fair Information Principles including consent and accountability
✓Applies to private businesses, not governments or most NFPs

🛡️

Your Privacy Rights

What you're entitled to under Canadian privacy law

Lesson 2 of 6 · Innovalead Foundation · Free Education

Your Rights

Key Rights Under PIPEDA

👁️

Right to Know

You can ask any organization what personal information they have about you and why

📝

Right to Access

Organizations must provide you with your personal information within 30 days of request

✏️

Right to Correct

You can request corrections to any inaccurate personal information

🚫

Right to Withdraw Consent

You can withdraw consent for data use at any time (with some exceptions)

⚖️

Right to Complain

You can file a complaint with the Office of the Privacy Commissioner (OPC)

🔒

Right to Protection

Organizations must protect your data with appropriate security safeguards

How To

Exercising Your Rights: Step by Step

1

Identify

Which organization has your data?

→

2

Request

Write to their Privacy Officer requesting access

→

3

Wait

They have 30 days to respond to your request

→

4

Escalate

If unsatisfied, complain to the OPC

💡 Free and Simple

Exercising your privacy rights is free. Organizations cannot charge you for access requests (except in rare cases with excessive costs). The OPC handles complaints at no charge.

✅ Lesson 2 — Key Takeaways

✓You have the right to know, access, correct, and withdraw consent for your data
✓Organizations must respond to access requests within 30 days
✓You can file free complaints with the Office of the Privacy Commissioner
✓These rights exist to give you control over your personal information

✋

Consent & Collection

How organizations must get and manage your permission

Lesson 3 of 6 · Innovalead Foundation · Free Education

Consent Rules

How Consent Works Under PIPEDA

1Meaningful consent — you must understand what you're agreeing to. Buried terms in fine print aren't sufficient.
2Purpose limitation — data collected for one purpose cannot be used for another without new consent.
3Minimum collection — organizations should only collect the minimum data necessary for the stated purpose.

✅

Express Consent

You actively say "yes" — required for sensitive info (health, finances)

🔄

Implied Consent

Reasonable in context — e.g., giving your address for delivery

🚫

Opt-Out

Consent assumed unless you say no — allowed for less sensitive data

Red Flags

Watch Out For These Practices

🚩

Bundled Consent

"Accept all or get nothing" — forcing consent for unrelated data collection

🚩

Excessive Collection

Asking for SIN, birthdate, or phone when not needed for the service

🚩

Vague Purposes

"To improve services" without explaining exactly how your data will be used

🚩

Hidden Sharing

Sharing your data with third parties without clear disclosure

⚠️ Your Power

You can say no. If a business requires excessive personal information for a simple service, ask why. If they can't justify it, you may choose not to use that service — and report them to the OPC.

✅ Lesson 3 — Key Takeaways

✓Consent must be meaningful — you must understand what you're agreeing to
✓Data collected for one purpose cannot be used for another without new consent
✓Watch for red flags: bundled consent, excessive collection, vague purposes
✓You can say no to unnecessary data collection and report violations to the OPC

🚨

Data Breaches

What happens when your data is compromised — and what organizations must do

Lesson 4 of 6 · Innovalead Foundation

Breach Rules

Mandatory Breach Reporting Under PIPEDA

1Since 2018, organizations must report breaches that pose a "real risk of significant harm" (RROSH) to the OPC.
2They must notify affected individuals as soon as feasible after discovering a breach.
3Organizations must keep records of ALL breaches for 24 months — even minor ones.

680+

Breaches reported to OPC (2023)

$100K

Max fine per violation

What To Do

If Your Data Is Breached

1

Change Passwords

Immediately for affected accounts

→

2

Monitor Accounts

Watch for unauthorized activity

→

3

Credit Alert

Place fraud alert with Equifax/TransUnion

→

4

Report

File complaint with OPC if needed

⚠️ Free Credit Monitoring

After a breach, the organization should offer you free credit monitoring. If they don't, request it. You can also request a free credit report from Equifax and TransUnion once per year.

✅ Lesson 4 — Key Takeaways

✓Organizations must report breaches with "real risk of significant harm" to OPC
✓They must notify you as soon as feasible and keep breach records for 24 months
✓If breached: change passwords, monitor accounts, place credit alerts, report to OPC

🏛️

NGO Privacy Compliance

Privacy best practices for not-for-profits and charities

Lesson 5 of 6 · Innovalead Foundation

NGO Context

Why NGOs Should Care About Privacy

1NFPs are generally exempt from PIPEDA — but best practices still apply and build trust with donors.
2NFPs engaged in commercial activities (selling goods, renting lists) ARE covered by PIPEDA.
3CASL (anti-spam law) applies to ALL organizations — including charities sending emails.
4Donors and beneficiaries trust you with sensitive data — protecting it is an ethical obligation.

📋

Privacy Policy

Every NGO should have a clear privacy policy on their website

🔒

Data Security

Encrypt donor databases, use strong passwords, limit access

📧

CASL Compliance

Get consent before sending emails; include unsubscribe links

Checklist

NGO Privacy Quick Checklist

✓Privacy policy published on website and shared with donors
✓Consent forms for collecting volunteer, donor, and beneficiary data
✓Data retention policy — don't keep data longer than needed
✓Staff training on privacy basics and handling personal information
✓Secure storage — encrypted databases, locked physical files
✓CASL compliance — opt-in email lists with unsubscribe option

✅ Lesson 5 — Key Takeaways

✓NFPs are generally exempt but should follow privacy best practices
✓CASL (anti-spam) applies to ALL organizations including charities
✓Every NGO needs a privacy policy, consent forms, and secure data storage
✓Protecting donor/beneficiary data builds trust and institutional credibility

⚡

Taking Action

Protecting your privacy and holding organizations accountable

Lesson 6 of 6 · Innovalead Foundation

Filing Complaints

How to File a Privacy Complaint

1

Contact Organization

Write their Privacy Officer first

→

2

Document Everything

Keep copies of all correspondence

→

3

File with OPC

priv.gc.ca — online form available

→

4

Investigation

OPC investigates and issues findings

📞 Contact the OPC

Office of the Privacy Commissioner: 1-800-282-1376 (toll-free) | priv.gc.ca | Complaints are free and confidential.

Daily Habits

Protect Your Privacy Every Day

✓Read before you click: Review privacy policies before signing up for services.
✓Limit sharing: Only provide the minimum information required.
✓Strong passwords: Use unique passwords and enable two-factor authentication.
✓Review permissions: Check app permissions on your phone regularly.

🎓 Module Complete!

You now understand PIPEDA, your rights, consent rules, breach response, NGO compliance, and how to take action. Share this knowledge to strengthen privacy in your community!

✅ Lesson 6 — Key Takeaways

✓Contact the organization first, then file with the OPC if unsatisfied
✓OPC complaints are free, confidential, and available at priv.gc.ca
✓Daily privacy habits: read policies, limit sharing, strong passwords, check permissions
✓Share your privacy knowledge — empowering others multiplies the impact