PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this
Created 2026-06-20
Summary
Claim: Under PIPEDA, the principal organisation that controls the data remains accountable even when a third-party processor (e.g., a SaaS host) holds it; contracts must address this.
Source: priv.gc.ca ; Thomson Reuters Practical Law
Confidence: Verified.
Why this matters for Candid: The single most-elided cost in the bought-portal pitch. Buying a portal does not transfer PIPEDA accountability to the vendor — only the operational security work. The SMB still owns: consent language, breach response, the 24-month breach record-keeping obligation, processor contracts. Pair with R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch.