PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights
Summary
Claim: PIPEDA (Personal Information Protection and Electronic Documents Act) governs private-sector collection / use / disclosure of personal information in commercial activity in Canada. Core duties relevant to a portal: meaningful consent, safeguards appropriate to sensitivity, limiting collection (data minimization), accountability (designated privacy officer), access / correction rights.
Source: https://www.priv.gc.ca; onetrust.com; gdprlocal.com
Confidence: Verified (primary / regulatory).
Why this matters for Candid: Settles the baseline compliance posture. Any portal the SMB controls makes these duties live. The accountability principle (see the entry "PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this") means that using a SaaS vendor does not relieve the SMB of its compliance obligations; the vendor shares the operational burden, not the accountability.
Related entries
Referenced by (5)
- reference Research brief: client portals for SMBs — the honest case (June 2026) relates-to
- reference PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months depends-on
- reference PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this depends-on
- reference Quebec Law 25, GDPR (EU/UK), CCPA/CPRA (US) — analog privacy regimes; Quebec Law 25 specifically imposes stronger GDPR-comparable obligations than PIPEDA relates-to
- rule R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch depends-on