Canada · PIPEDA
Private-sector privacy access and breach management for Canada
AccessPoint manages PIPEDA access and correction requests, mandatory breach-of-security-safeguards reporting, and privacy impact assessments — pre-configured for Canada's federal private-sector law and running inside your own Microsoft 365 tenant.
Canada — PIPEDA at a glance
- Access deadline
- Respond to an access request no later than 30 days after receipt (s. 8(3)), with a single extension of up to 30 more days in defined circumstances (s. 8(4))
- Correction
- Amend personal information shown to be inaccurate or incomplete; an unresolved challenge is recorded and passed to third parties with access (Schedule 1, cl. 4.9.5-4.9.6)
- Access fees
- Access must be at minimal or no cost; an organization may charge only after informing the individual of the approximate cost (s. 8(6))
- Breach reporting
- Report breaches of security safeguards to the OPC and notify affected individuals where there is a real risk of significant harm, and keep a record of every breach (since November 1, 2018)
- Oversight
- Office of the Privacy Commissioner of Canada (ombudsman model; matters proceed to the Federal Court)
- Languages
- Bilingual — English and French
Built for Canada — PIPEDA
One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.
PIPEDA access and correction
Intake to disclosure on the 30-day clock (s. 8) — access to an individual's own personal information, correction requests with the unresolved-challenge note where the organization disagrees, and defensible records, all on Microsoft 365.
Breach reporting to the OPC
Log a breach of security safeguards, assess whether it creates a real risk of significant harm, and get a live checklist for the Office of the Privacy Commissioner of Canada and affected individuals — a duty in force since November 1, 2018.
The breach register
Maintain the record of every breach of security safeguards that PIPEDA requires — regardless of the harm it poses — ready to produce for the Commissioner on request.
Consent and disclosure
Track the consents and disclosure decisions at the core of PIPEDA's fair-information principles, with an auditable record of every collection, use, and disclosure.
Privacy impact assessments
Run a PIA before a new collection, use, or information system goes live — a guided questionnaire, an embedded risk register, and an exportable, defensible record.
In your own tenant
Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no cross-border transfers, no per-user fees.
Ombudsman today, orders tomorrow
The OPC recommends today — and reform would give it orders and fines. AccessPoint gets you ready either way.
Today the Office of the Privacy Commissioner of Canada operates as an ombudsman: it investigates complaints and breaches and issues findings and recommendations, and a complainant can take the matter to the Federal Court, which decides it afresh and can order changes and award damages. That balance is set to shift — the Consumer Privacy Protection Act, proposed under Bill C-27, would have added order-making power and significant financial penalties before it died on the Order Paper when Parliament was prorogued in January 2025, and reform remains on the agenda. Either way, a complete, defensible record is what protects you. AccessPoint runs access and correction on the 30-day clock, computes breach reporting under the real-risk-of-significant-harm test, keeps the breach register PIPEDA requires, and captures every decision on a hash-chained audit trail — in your own tenant.
Configured out of the box
Installing the ca-pipeda configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.
Related guide: FOI Workflow Quick Check- PIPEDA and its fair-information principles (Schedule 1) as the legal-authority spine
- Federal statutory-holiday calendar and the 30-day due-date rules under s. 8
- Access and correction grounds, with the unresolved-challenge note for refused corrections
- Consent and disclosure tracking across collection, use, and disclosure
- Breach reporting under the real-risk-of-significant-harm test, for the OPC and affected individuals
- The mandatory breach register required since November 1, 2018
- OPC complaint grounds and Federal Court referral tracking
- Bilingual (English/French) correspondence and privacy impact assessment templates
Canada — PIPEDA Questions
How long does an organization have to respond to a PIPEDA access request?
When must a breach be reported under PIPEDA?
Does the Privacy Commissioner make binding orders?
Where does your PIPEDA data reside?
Run PIPEDA Access, Breach, and Assessments in One Platform
Try AccessPoint free for 30 days, pre-configured for Canada's PIPEDA. No credit card required.
Start Free Trial