Canada · PIPEDA

Private-sector privacy access and breach management for Canada

AccessPoint manages PIPEDA access and correction requests, mandatory breach-of-security-safeguards reporting, and privacy impact assessments — pre-configured for Canada's federal private-sector law and running inside your own Microsoft 365 tenant.

Canada — PIPEDA at a glance

Access deadline
Respond to an access request no later than 30 days after receipt (s. 8(3)), with a single extension of up to 30 more days in defined circumstances (s. 8(4))
Correction
Amend personal information shown to be inaccurate or incomplete; an unresolved challenge is recorded and passed to third parties with access (Schedule 1, cl. 4.9.5-4.9.6)
Access fees
Access must be at minimal or no cost; an organization may charge only after informing the individual of the approximate cost (s. 8(6))
Breach reporting
Report breaches of security safeguards to the OPC and notify affected individuals where there is a real risk of significant harm, and keep a record of every breach (since November 1, 2018)
Oversight
Office of the Privacy Commissioner of Canada (ombudsman model; matters proceed to the Federal Court)
Languages
Bilingual — English and French

Built for Canada — PIPEDA

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

PIPEDA access and correction

Intake to disclosure on the 30-day clock (s. 8) — access to an individual's own personal information, correction requests with the unresolved-challenge note where the organization disagrees, and defensible records, all on Microsoft 365.

Breach reporting to the OPC

Log a breach of security safeguards, assess whether it creates a real risk of significant harm, and get a live checklist for the Office of the Privacy Commissioner of Canada and affected individuals — a duty in force since November 1, 2018.

The breach register

Maintain the record of every breach of security safeguards that PIPEDA requires — regardless of the harm it poses — ready to produce for the Commissioner on request.

Consent and disclosure

Track the consents and disclosure decisions at the core of PIPEDA's fair-information principles, with an auditable record of every collection, use, and disclosure.

Privacy impact assessments

Run a PIA before a new collection, use, or information system goes live — a guided questionnaire, an embedded risk register, and an exportable, defensible record.

In your own tenant

Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no cross-border transfers, no per-user fees.

Ombudsman today, orders tomorrow

The OPC recommends today — and reform would give it orders and fines. AccessPoint gets you ready either way.

Today the Office of the Privacy Commissioner of Canada operates as an ombudsman: it investigates complaints and breaches and issues findings and recommendations, and a complainant can take the matter to the Federal Court, which decides it afresh and can order changes and award damages. That balance is set to shift — the Consumer Privacy Protection Act, proposed under Bill C-27, would have added order-making power and significant financial penalties before it died on the Order Paper when Parliament was prorogued in January 2025, and reform remains on the agenda. Either way, a complete, defensible record is what protects you. AccessPoint runs access and correction on the 30-day clock, computes breach reporting under the real-risk-of-significant-harm test, keeps the breach register PIPEDA requires, and captures every decision on a hash-chained audit trail — in your own tenant.

Breach on the record Report to the OPC and notify individuals on the real-risk test, with the mandatory breach register.
Ombudsman to Federal Court Findings and recommendations today, with matters proceeding to the Federal Court.
Ready for reform Governed access, correction, and breach records that meet a stricter standard as the law changes.

Configured out of the box

Installing the ca-pipeda configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • PIPEDA and its fair-information principles (Schedule 1) as the legal-authority spine
  • Federal statutory-holiday calendar and the 30-day due-date rules under s. 8
  • Access and correction grounds, with the unresolved-challenge note for refused corrections
  • Consent and disclosure tracking across collection, use, and disclosure
  • Breach reporting under the real-risk-of-significant-harm test, for the OPC and affected individuals
  • The mandatory breach register required since November 1, 2018
  • OPC complaint grounds and Federal Court referral tracking
  • Bilingual (English/French) correspondence and privacy impact assessment templates

Canada — PIPEDA Questions

How long does an organization have to respond to a PIPEDA access request?

PIPEDA requires an organization to respond to an access request no later than 30 days after receiving it, with a single extension of up to 30 more days where meeting the limit would unreasonably interfere with the organization's activities or where necessary consultations make it impracticable. AccessPoint computes the due date and tracks every request against it.

When must a breach be reported under PIPEDA?

Since November 1, 2018, an organization must report a breach of security safeguards to the Office of the Privacy Commissioner of Canada and notify affected individuals where it is reasonable to believe the breach creates a real risk of significant harm — and it must keep a record of every breach, whatever harm it poses. AccessPoint assesses the real-risk test, computes both notifications, and maintains the breach register.

Does the Privacy Commissioner make binding orders?

Not today. The OPC operates on an ombudsman model — it investigates and issues findings and recommendations, and a complainant can then apply to the Federal Court, which hears the matter afresh and can order changes and award damages. The Consumer Privacy Protection Act proposed under Bill C-27 would have added order-making and penalties, but it died when Parliament was prorogued in January 2025. AccessPoint keeps a defensible record either way.

Where does your PIPEDA data reside?

Entirely within your own Microsoft 365 and Azure tenant. Requests, records, assessments, and audit history never leave your control — no third-party cloud and no cross-border data transfers.

Run PIPEDA Access, Breach, and Assessments in One Platform

Try AccessPoint free for 30 days, pre-configured for Canada's PIPEDA. No credit card required.

Start Free Trial