{"id":1329,"slug":"pipeda-core-duties-consent-safeguarding-access","title":"PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights","kind":"reference","scope":"business","status":"current","audiences":["kevin","smb-owner","candid-team"],"topics":["regulatory-compliance","privacy-pipeda"],"reference_body":"**Claim:** **PIPEDA** (Personal Information Protection and Electronic Documents Act) governs private-sector collection / use / disclosure of personal information in the course of commercial activity in Canada. Core duties relevant to a client portal: **meaningful consent**, **safeguards appropriate to the sensitivity of the information**, **limiting collection (data minimization)**, **accountability (a designated individual responsible for compliance, i.e. a privacy officer)**, **individual access / correction rights**.\n\n**Source:** https://www.priv.gc.ca (Office of the Privacy Commissioner of Canada, primary) ; onetrust.com ; gdprlocal.com (secondary commentary)\n\n**Confidence:** Verified (primary / regulatory).\n\n**Why this matters for Candid:** Settles the *baseline* compliance posture. Any portal the SMB controls makes these duties live, whether it is self-hosted or a SaaS product. The accountability principle — see [[control-accountability-third-party-processor]] — means a third-party SaaS vendor holding the data does not relieve the SMB of its compliance obligations; the vendor shares the operational burden, and the vendor contract must address this.","rationale_body":null,"metadata":null,"links":{"outgoing":[],"incoming":[{"slug":"research-brief-client-portals-smb-june-2026","title":"Research brief: client portals for SMBs — the honest case (June 2026)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"pipeda-breach-reporting-rrosh-24-month-records","title":"PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"control-accountability-third-party-processor","title":"PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"quebec-law-25-gdpr-ccpa-analog","title":"Quebec Law 25, GDPR (EU/UK), CCPA/CPRA (US) — analog privacy regimes; Quebec Law 25 specifically imposes stronger GDPR-comparable obligations than PIPEDA","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"rule-treat-data-custody-as-line-item","title":"R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch","kind":"rule","scope":"business","link_type":"depends-on"}]},"created_at":"2026-06-20T17:57:32.181Z","updated_at":"2026-06-20T17:57:32.181Z"}