Privacy Law for Accounting Firms in Canada
By Yong Du
PIPEDA and provincial PIPA obligations for Canadian accounting firms and CPAs — what client data you hold, your breach reporting requirements, and what a compliance program looks like for a practice of any size.
What makes accounting firms a high-value breach target
Accounting firms hold a concentration of personal information that is rare in any single type of organization. A single individual client file may contain a Social Insurance Number, employment income and source, investment holdings, real property details, banking account information, family composition, and prior-year returns extending the data history back years.
For a business client, the file adds shareholder SINs, officer compensation, payroll records, supplier and customer financial relationships, and corporate banking details.
Ransomware groups specifically target accounting firms because a single archive containing SINs, financial records, and banking details is among the most monetizable datasets for identity fraud and for business email compromise aimed at the firm's clients.
Which laws apply
| Jurisdiction | Applies when | Regulator |
|---|---|---|
| PIPEDA | The firm conducts commercial activity involving personal information; or clients are in provinces without substantially similar legislation (Ontario, Manitoba, New Brunswick, and others) | Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca |
| Alberta PIPA | Clients or employees are Alberta residents | OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca |
| BC PIPA | Clients or employees are BC residents | OIPC BC — oipc.bc.ca |
Professional regulatory overlay: CPA Alberta and CPABC govern professional conduct separately. A privacy breach affecting client confidentiality may also trigger professional conduct obligations to the provincial CPA body. Those are separate from PIPEDA and must be addressed independently.
What personal information accounting firms hold
Individual clients: Full legal name, address, date of birth, SIN, employment income (T4s, employer names), investment income (T3s, T5s, brokerage statements), real property details, banking information for refund deposit, marital status, dependant information, prior-year returns, CRA correspondence and notices of assessment.
Business clients: Shareholder names, SINs, and compensation; officer and director information; payroll records (employee names, SINs, banking details, T4s); financial statements and bank reconciliations; corporate banking details; HST/GST filing records.
Employees of the firm: SINs, banking details, T4s, compensation history, employment records.
Common breach scenarios
Ransomware: The most common and highest-impact breach type for accounting firms. Client file servers, cloud accounting platforms, and shared drives are primary targets. Every client whose file was encrypted or exfiltrated is a potential affected individual. See Ransomware Attack: What Canadian SMEs Must Do.
Phishing and BEC: A compromised accountant's email account contains years of client correspondence, tax returns sent as attachments, and banking details. BEC attackers also impersonate the firm to redirect client refunds or payments. See Phishing and Business Email Compromise.
Cloud platform breach: If a cloud accounting platform (QuickBooks Online, Xero, etc.) is breached, your accountability for client data held there does not transfer to the provider. See Vendor or Third-Party Breach.
Unauthorized employee access: A staff member accesses client files outside their assigned engagements. See Unauthorized Employee Access.
Improper disposal: Unshredded working papers in recycling, sensitive documents destroyed only with a strip-cut shredder (which leaves them reconstructable), or retired computers that were not securely wiped. See Physical Records Breach.
RROSH in an accounting breach
Because accounting files contain SINs, financial records, and banking details — individually the most sensitive categories under PIPEDA, and together the combination most associated with identity theft — RROSH is present in nearly every accounting breach involving client files. The practical question is usually not whether RROSH is met but how many clients are affected and which regulators must be notified.
For business clients whose payroll records were affected, the notification obligation extends to the employees whose SINs and banking details were in those files — not just the business client entity itself.
Core compliance obligations
Privacy officer: Designate a named individual — typically the managing partner or a senior accountant — responsible for PIPEDA compliance. Their contact information must appear in your privacy policy.
Privacy policy: Describe what you collect, why, how it is used and protected, retention periods, and how clients can access their information. It must be available to clients on request. See How to Write a Privacy Policy for a Canadian Business.
Retention schedule: The Income Tax Act requires client records to be retained for at least 6 years. After that minimum, destroy files that are no longer needed. Indefinite retention is not compliant with PIPEDA Principle 5. See Personal Information Retention and Destruction.
Vendor contracts: Every cloud platform, payroll processor, and IT provider that touches client data needs a written contract with privacy and security obligations.
Safeguards: Encrypted storage for client files, MFA on all systems holding client data, role-based access limiting staff to their assigned engagements, and audit logging. Safeguards must be proportionate to the sensitivity — and accounting data is among the most sensitive categories.
Client notification specifics: Notification letters must identify what was involved (SIN, tax return, banking details), advise clients to place a fraud alert with Equifax (1-800-465-7166) and TransUnion Canada (1-877-525-3823), and advise monitoring their CRA My Account for unauthorized activity.
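As an added illustration of the safeguards above (not code from this guide or from ClearBreach), the following Python sketch ties three of them together: an engagement-scoped access check, an audit log that records every attempt so the unauthorized-employee-access scenario can be detected, and a retention check against the 6-year minimum. The staff names, client file ids, and the assumption that the retention period is counted from the end of the tax year are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed engagement assignments (assumption: a real firm would load these from
# its practice-management system): staff member -> client files they may open.
ENGAGEMENTS = {
    "alice": {"client-1001", "client-1002"},
    "bob": {"client-1003"},
}

@dataclass
class AuditEntry:
    when: date
    staff: str
    client_file: str
    allowed: bool

def open_client_file(log: list, staff: str, client_file: str, when: date) -> bool:
    """Engagement-scoped access check: a file opens only if it is on one of the
    staff member's assigned engagements. Every attempt, allowed or denied, is
    appended to the audit log so the record exists before any incident."""
    allowed = client_file in ENGAGEMENTS.get(staff, set())
    log.append(AuditEntry(when, staff, client_file, allowed))
    return allowed

def out_of_scope_attempts(log: list) -> list:
    """Detection pass: denied attempts are the signal for the 'unauthorized
    employee access' scenario and go to the privacy officer for review."""
    return [e for e in log if not e.allowed]

def eligible_for_destruction(last_tax_year: int, today: date, years: int = 6) -> bool:
    """Retention check for the guide's 6-year Income Tax Act minimum. Assumption:
    the period is counted from the end of the last tax year the file relates to.
    Returns True when the minimum has passed and the file becomes a candidate for
    secure destruction (a candidate, not an automatic delete: other holds may apply)."""
    return today >= date(last_tax_year + years, 12, 31)

def demo() -> dict:
    """Small constructed scenario; returns results rather than printing them."""
    log = []
    open_client_file(log, "alice", "client-1001", date(2024, 3, 1))  # on engagement
    open_client_file(log, "bob", "client-1001", date(2024, 3, 2))    # not assigned
    return {
        "flagged": [(e.staff, e.client_file) for e in out_of_scope_attempts(log)],
        "ty2017_destroyable_2024": eligible_for_destruction(2017, date(2024, 1, 1)),
        "ty2019_destroyable_2024": eligible_for_destruction(2019, date(2024, 1, 1)),
    }
```

The denied entry is what an access review or SIEM rule should surface; the allowed entries are what lets the firm later say exactly which client files a compromised account touched.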
Experienced a breach at your firm? ClearBreach walks accounting firms through their RROSH assessment across PIPEDA, Alberta PIPA, and BC PIPA simultaneously and generates regulator reports and client notification letters in under 15 minutes. Start your assessment →
Related guides
- PIPEDA Breach Reporting Requirements
- Alberta PIPA Breach Notification
- BC PIPA Breach Reporting
- Ransomware Attack: What Canadian SMEs Must Do
- Vendor or Third-Party Breach: What Canadian Organizations Must Do
- Personal Information Retention and Destruction Under Canadian Privacy Law
This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for private-sector accounting firms. CPA professional conduct obligations to provincial CPA bodies are separate and not covered here. Quebec's Law 25 is not covered here.
Frequently asked questions
Does PIPEDA apply to my accounting firm?
Yes. PIPEDA applies to all private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. An accounting firm's client work — tax preparation, bookkeeping, audit, advisory — is commercial activity. There is no small-firm exemption. If your clients are Alberta or BC residents, Alberta PIPA and BC PIPA apply in addition to PIPEDA.
My client's tax return was accessed in a ransomware attack — do I have to report it?
If the breach poses a real risk of significant harm (RROSH) to affected individuals, yes. A tax return contains SINs, banking details, income information, business information, and in many cases information about the client's family members. This combination of sensitive data almost always meets the RROSH threshold. You must notify the OPC under PIPEDA, the applicable provincial regulator if Alberta or BC residents are affected, and your clients directly.
Do my professional obligations under CPA standards satisfy my PIPEDA obligations?
No, and neither satisfies the other. Your CPA obligations run to the provincial CPA body and govern professional conduct, client confidentiality, and engagement standards. Your PIPEDA obligations run to the OPC and to affected individuals and govern how you collect, protect, and disclose personal information. A breach of client information can simultaneously trigger a CPA professional conduct matter and a PIPEDA breach notification obligation. Both must be addressed independently.
If a client asks for all the personal information I hold about them, do I have to provide it?
Generally yes, subject to specific exceptions. Under PIPEDA, individuals have the right to access the personal information your firm holds about them. You may withhold information that would reveal a third party's personal information that cannot be severed, or information subject to solicitor-client privilege where your firm has obtained legal advice. Business records of a corporation are not the personal information of the corporation — but working papers containing an individual's SIN or compensation details are that individual's personal information.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.