ClearBreach


PIPEDA Compliance Checklist for Canadian Organizations

By Yong Du

Ten-principle checklist for assessing your PIPEDA compliance — each obligation stated as a concrete yes/no question with actionable next steps.

What this checklist covers

PIPEDA requires every private-sector organization engaged in commercial activity in Canada to meet ten compliance obligations under Schedule 1. This checklist translates each of those ten principles into concrete yes/no questions. A "No" answer identifies a gap — an obligation not yet met. Closing those gaps before a complaint is filed is the most effective compliance strategy available to a small or medium organization.

The OPC's 2025–2026 business survey found 28% of Canadian businesses have no designated privacy officer, 26% have no documented staff privacy policies, and 23% have no complaint procedure — the three most common starting points for an OPC investigation.


Principle 1: Accountability

  • A specific named individual is designated as your privacy officer — not a team, department, or job title with no named occupant
  • That individual knows they hold the role
  • Their role is identified in your privacy policy as the contact for privacy questions and complaints
  • Vendor and service provider contracts that involve personal information include a clause requiring those parties to protect the information consistent with your PIPEDA obligations

→ Do I need a designated privacy officer?


Principle 2: Identifying Purposes

  • The purpose for each type of personal information you collect is documented before collection begins
  • Your privacy policy states those purposes in plain language
  • Staff who collect personal information can explain to individuals why it is needed

Principle 3: Consent

  • Individuals are told what is being collected and why before they are asked to consent
  • Sensitive personal information — health information, financial data, social insurance numbers, passwords — requires express consent
  • Individuals can withdraw consent and you have a documented process for handling withdrawal
  • You do not require consent to purposes beyond what is necessary as a condition of service

Principle 4: Limiting Collection

  • You collect only the personal information necessary for the stated purpose — no pre-emptive collection for potential future uses
  • Collection forms and intake processes have been reviewed against the documented purposes to confirm no excess collection

Principle 5: Limiting Use, Disclosure, and Retention

  • Personal information is only used for the purpose it was collected for, or a purpose the individual has separately consented to
  • Personal information is not disclosed to third parties without consent unless PIPEDA specifically authorizes the disclosure
  • You have a retention schedule — personal information is destroyed or de-identified once the purpose is fulfilled
  • The retention policy covers backup systems, archives, and copies held by vendors or cloud platforms

Principle 6: Accuracy

  • Personal information used in decisions affecting individuals is kept accurate and up to date
  • Individuals can request corrections to their personal information and you have a documented process for handling those requests

Principle 7: Safeguards

  • Personal information stored on computers, servers, and mobile devices is encrypted
  • Physical personal information — paper records, printed reports — is stored securely and access is limited to staff with a need for it
  • Employees are trained on the information security practices relevant to their role
  • Service providers and cloud platforms that hold personal information on your behalf are bound by contract terms you have reviewed, confirming they will protect it appropriately

Principle 8: Openness

  • Your organization has a written privacy policy
  • The privacy policy is available to anyone who asks — on your website or accessible on request
  • The privacy policy identifies what personal information is collected, the purposes for collection, and how individuals can access their information or file a complaint

→ Do I need a written privacy policy?


Principle 9: Individual Access

  • You have a process for responding to access requests within 30 days — the only fixed statutory deadline under PIPEDA
  • You know what personal information your organization holds and where it is stored well enough to respond to an access request
  • Requests to correct personal information are handled and documented

Principle 10: Challenging Compliance

  • You have a complaint handling procedure — even a single page — that staff are aware of
  • Privacy complaints are logged and responded to in writing
  • Your privacy policy references the OPC complaint process so individuals know they can escalate to the regulator

→ What to do when you receive a PIPEDA privacy complaint


What compliance looks like for a 10-person organization

The minimum viable PIPEDA compliance posture for a small organization is not an elaborate program. It is six concrete elements:

  1. A named privacy officer — the owner or a senior staff member, documented in the privacy policy
  2. A written privacy policy — one or two pages, publicly available on your website
  3. A complaint procedure — a single documented process for receiving and responding to privacy complaints
  4. Encryption on devices — any computer, phone, or tablet that holds personal information
  5. A basic retention practice — destroy or de-identify personal information once the purpose is fulfilled
  6. A 30-day access request process — someone knows who to contact and what to retrieve when a request arrives

An organization with these six elements genuinely in place — not just documented but operational — is in a substantially stronger position than the majority of Canadian SMEs and is in a defensible position if a complaint is filed.

Proportionality applies to how these elements are implemented, not to whether they exist. PIPEDA Principle 7 requires safeguards "appropriate to the sensitivity of the information" — a 10-person firm and a 200-person firm have the same obligations; the implementation differs in scale and formality.


What the OPC looks for first

When the OPC opens an investigation following a complaint, the first questions are:

  1. Does the organization have a designated privacy officer?
  2. Does the organization have a written privacy policy?
  3. Did the organization have a complaint procedure before this complaint arrived?

These are Principles 1, 8, and 10. An organization that cannot demonstrate all three has a foundational compliance gap that signals the broader program has not been established. The joint OPC/OIPC Alberta/OIPC BC Privacy Management Program guidance (2012) identifies designated accountability as the first of four foundational elements — before policies, safeguards, or complaint procedures are assessed. Foundational gaps affect how broadly the OPC investigates and how quickly the matter can be resolved.


Most common gaps

Based on the OPC's 2025–2026 business survey:

  • 28% of Canadian businesses have no designated privacy officer (Principle 1)
  • 26% have no documented staff privacy policies (Principles 2–3)
  • 23% have no complaint handling procedure (Principle 10)
  • 45% lack encryption on devices (Principle 7)

Closing all four of these gaps addresses the most common compliance failures across Canada's private-sector organizations.


Annual review

Run through this checklist once a year. Tie the review to a fixed calendar event so it does not become reactive. Additional triggers for an unscheduled review: a new vendor receives personal information, a new service launches, a staff member in a privacy-related role changes, or a security incident occurs.

A documented review — with a record of what was assessed, what gaps were found, and what actions were taken — is significantly more valuable than a review with no paper trail. If a complaint is filed after your review, the documented record of your compliance assessment and remediation activity is evidence of good-faith compliance.

ClearBreach's Privacy Management Program assessment runs your organization through all ten PIPEDA principles and generates a Compliance Posture Certificate and Gap Report — a timestamped, documented record of your compliance posture that you can retain in your compliance file.




This checklist covers PIPEDA obligations for private-sector organizations. It does not cover Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), which has its own ten-principle compliance framework under s.3 and the Commission d'accès à l'information.

If your organization handles personal health information under provincial health legislation such as Alberta's Health Information Act, additional compliance obligations apply that are not covered here.

Frequently asked questions

Is a PIPEDA compliance audit legally required?

PIPEDA does not require organizations to conduct a formal compliance audit. However, compliance with each of the ten PIPEDA principles is mandatory for every private-sector organization engaged in commercial activity in Canada. This checklist gives organizations a structured way to identify gaps before a complaint or investigation occurs. The OPC expects to find evidence of a functioning compliance program — not just a checklist — but this is a practical starting point for organizations that have not yet assessed where they stand.

How often should I run through this checklist?

Once a year at minimum. Tie the review to a fixed calendar date so it becomes a recurring practice rather than a reactive response to a complaint. Additional triggers for an unscheduled review: a new vendor receives personal information, a new service launches that collects personal information, a staff member in a privacy-related role changes, or a security incident occurs.

What if I answer no to several items?

Start with Principles 1, 8, and 10 — accountability, openness, and complaint handling. These are the three gaps the OPC identifies most frequently in investigations. An organization without a named privacy officer, a written privacy policy, and a complaint procedure is in violation before any complaint is filed. Fix those foundational gaps first, then address remaining items in order of sensitivity: safeguards for the most sensitive information, then consent documentation, then retention.

Does completing this checklist mean I am PIPEDA compliant?

No. This checklist identifies gaps — it does not certify compliance. Checking every item confirms the basic elements are in place; it does not replace an assessment that tests whether those elements actually function as required. A named privacy officer who has never been told they hold the role, or a complaint procedure staff have never seen, technically exists but fails the practical standard the OPC applies. A structured compliance assessment that evaluates whether each element is genuinely operational is the reliable way to establish your compliance posture.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.