What Is a Privacy Management Program Under Bill C-36 (PPCDA)?
By Yong Du
Bill C-36's PPCDA makes a documented privacy management program mandatory under section 9. Here is what it must include and how to build one.
What section 9 of the PPCDA requires
Every organization subject to Bill C-36's Protecting Privacy and Consumer Data Act must implement and maintain a privacy management program. Section 9(1) states this obligation directly. Section 10 gives the Digital Safety and Data Protection Commission the right to request access to the program at any time — including before any complaint is filed.
Under PIPEDA, organizations were expected to have a designated privacy officer and privacy policies, but there was no explicit statutory requirement to maintain a documented program. The PPCDA changes that. The obligation at section 9 is not guidance — it is a statutory requirement with its own enforcement path.
What the program must include
Section 9(1) identifies four elements. Each must be present and documented.
1. Policies and practices to protect personal information
This is the governance layer of the program — how personal information is collected, stored, accessed, retained, and disposed of. It covers security safeguards, access controls, and the organization's response process if a breach occurs. Where the organization handles sensitive categories of personal information (health, financial, identity), the program must reflect that sensitivity in its policies.
2. How the organization receives and handles access requests and complaints
An individual whose personal information is held by the organization has the right to access it and to file a complaint if they believe it has been mishandled. The program must include a documented procedure for each: how the request or complaint is received, who handles it, what the response timeline is, and how the outcome is communicated in writing. The procedure does not need to be complex — it does need to be functional and documented.
3. Staff training policies and procedures
Staff who handle personal information need to know the organization's obligations and what they are personally responsible for. The program must document how training is delivered, how often, and how it is recorded. Annual acknowledgement of the privacy policy is a minimum. Staff with access to sensitive categories of personal information require more.
4. Public-facing materials explaining the organization's privacy practices
The organization must have materials — typically a privacy notice or policy — that explain to the public what personal information it collects, why it collects it, how it is used, and how individuals can access or correct their information. Those materials must reflect what the organization actually does. A boilerplate template that does not match real practices does not satisfy this element.
The proportionality requirement
Section 9(2) ties the program to the organization's actual risk profile: the program must be proportionate to the volume and sensitivity of personal information the organization holds.
This matters for small organizations. A 10-person dental office handling patient records operates under a different risk profile than a 10-person software company handling email addresses. The program each one needs reflects that difference.
For a small organization handling modest volumes of personal information — contact details, billing records, appointment histories — a proportionate program looks like:
- A named privacy officer (this can be the owner at a very small organization)
- A written privacy policy that reflects what the organization actually does
- A one-page complaint handling procedure
- Annual staff training or acknowledgement, documented
- A public privacy notice available on the website or on request
None of those elements requires external legal counsel to produce. They require documentation and consistency.
What the Commission can do with it
Section 10 is the provision most organizations underestimate. The Privacy and Consumer Data Commissioner of the Digital Safety and Data Protection Commission of Canada can request access to the privacy management program at any time, proactively, without a complaint triggering the inquiry.
Under PIPEDA, the OPC's access to organizational practices was largely complaint-driven. Under the PPCDA, the Commission can examine whether a program exists before any incident occurs. If the program does not exist — or if what exists does not reflect actual practices — that is a contravention of section 9, independently of any breach.
This makes the privacy management program an ongoing governance obligation, not a one-time document.
What the 2012 joint guidance showed regulators expect
In April 2012, the OPC, OIPC Alberta, and OIPC BC published joint guidance on privacy management programs. That guidance described five components: privacy policies, internal practices and procedures, complaint handling, staff training, and public information about the organization's privacy practices.
The PPCDA's section 9(1) requirements map directly onto those five components. What the three regulators recommended in 2012 is what Bill C-36 mandates under the new law. The 2012 joint guidance remains the most detailed public articulation of what regulators consider a functioning program to look like — and it is the practical starting point for organizations building one today.
What most Canadian organizations currently have
The OPC's business survey data shows the gap. Twenty-eight percent of Canadian businesses had no designated privacy officer. Twenty-three percent had no formal complaint handling procedure. Both are mandatory elements of a section 9 privacy management program under the PPCDA.
Roughly one in four Canadian businesses is missing at least one core component of what Bill C-36 will require. For very small organizations, the gaps are often larger — no named privacy officer, no complaint procedure, and a public privacy policy generated from a template and never reviewed against actual practices.
The gap is not about knowledge of privacy law. It is about having internal governance structures that are documented and functional.
Scope note
This article covers the PPCDA (Bill C-36), which applies to private-sector organizations engaged in inter-provincial or international commercial activity. Organizations primarily engaged in intra-provincial commercial activity in Quebec are governed by Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), which has its own privacy management program requirements. Quebec obligations are not covered here.
What to do before Bill C-36 comes into force
The PPCDA is not yet law. PIPEDA remains operative. But building a privacy management program now — before there is enforcement pressure — is easier than building one after the obligation is enforceable.
Five steps for a small organization:
1. Designate a privacy officer by name. Write it down. The Commission needs to know who is accountable for the program.
2. Write a one-page complaint handling procedure. Cover how a complaint is received, who handles it, what the response timeline is, and how the organization communicates the outcome in writing.
3. Map your data flows. Know what personal information you collect, why, who has access, and how long you keep it. This is the foundation of your privacy policy and your program. Without it, you cannot write a policy that reflects actual practices.
4. Publish a privacy policy that reflects reality. A boilerplate policy that diverges from actual practices is worse than a plain accurate one — the divergence is itself a contravention under the PPCDA.
5. Document staff training. Annual acknowledgement of the privacy policy is a minimum for staff with access to personal information. For staff handling sensitive categories, more is appropriate.
Frequently asked questions
Is a privacy management program required under Canadian federal law right now?
Not yet. Bill C-36 and the PPCDA are not yet in force. PIPEDA remains the operative federal privacy law. Under PIPEDA, the accountability principle (Principle 1) requires a designated privacy officer and privacy policies — but there is no explicit statutory requirement to maintain a documented 'privacy management program.' Section 9 of the PPCDA changes that. Building one now, before the obligation comes into force, is easier than building it under enforcement pressure.
What must a privacy management program include under the PPCDA?
Section 9(1) of the PPCDA identifies four mandatory elements: (1) policies and practices to protect personal information, (2) how the organization receives and handles access requests and privacy complaints, (3) staff training policies and procedures, and (4) public-facing materials explaining the organization's privacy practices. The program must also be proportionate to the volume and sensitivity of personal information the organization holds, under section 9(2).
What does 'proportionate' mean for a small organization?
A small organization does not need a 50-page compliance binder. Proportionate means the program matches the actual risk profile of the organization — the types of personal information it holds, how much of it, and the likely harm if something goes wrong. For a 10-person firm, proportionate typically means a written privacy policy, a named privacy officer, a one-page complaint procedure, annual staff acknowledgement, and a public privacy notice. That covers all four elements section 9(1) requires.
What happens if the Commission asks to see our privacy management program and we do not have one?
Section 10 of the PPCDA gives the Digital Safety and Data Protection Commission the right to request access to the program at any time — without a complaint being filed first. If the program does not exist, or exists only as a boilerplate policy that does not reflect actual practices, that is itself a contravention of section 9. The Commission does not need to wait for a breach or a complaint to find that contravention.
What is the difference between a privacy policy and a privacy management program?
A privacy policy is one component of a privacy management program — the public-facing document that explains what the organization collects, why, and how. A privacy management program is the broader governance structure the policy sits inside. It includes internal practices, staff training, complaint handling procedures, and internal controls. A privacy policy is what the public sees. A privacy management program is what the Commission examines when it investigates.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.