PIPEDA — Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) is Canada's federal private-sector privacy law. It applies to organisations engaged in commercial activity that collect, use or disclose personal information in the course of those activities. For IT asset disposition (ITAD) specifically, PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention) and Principle 7 (Safeguards) translate operationally into per-asset data destruction with documentation that the Office of the Privacy Commissioner (OPC) can review on inspection. Maxicom Canada engagements are written to evidence PIPEDA-conformant data destruction in admissible form.
PIPEDA Principle 5 — retention and destruction
Principle 5 of Schedule 1 to PIPEDA requires organisations to retain personal information only as long as necessary to fulfil the identified purposes, and to destroy or render anonymous personal information when those purposes are fulfilled. For retired enterprise IT containing personal data, this translates to: (1) identification of personal-data-bearing assets at retirement; (2) sanitisation method appropriate to the medium and the data sensitivity; (3) documentation that demonstrates the personal information has been destroyed; (4) retention of that documentation. Maxicom certificates evidence each step.
PIPEDA Principle 7 — safeguards in transit
Principle 7 requires safeguards appropriate to the sensitivity of the information, including security against loss, theft, or unauthorised access during transfer. For ITAD specifically, this means chain-of-custody discipline during pickup and transit. Maxicom protocol: signed manifest at every transfer, GPS-tracked vehicles, tamper-evident sealed containers on top-classified loads, no unsigned hand-off windows.
OPC enforcement and breach reporting
The Office of the Privacy Commissioner can investigate complaints, conduct audits, and recommend remediation. Mandatory breach reporting under PIPEDA (since November 2018) requires reporting breaches that pose a "real risk of significant harm" to affected individuals. ITAD-related breaches in scope: theft of data-bearing media in transit, unauthorised disclosure from retired assets. Maxicom's incident-response playbook supports the customer's OPC reporting workflow.
PIPEDA reform and Bill C-27
Bill C-27 (the Digital Charter Implementation Act 2022, working through Parliament as of 2026) would replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and create a new Personal Information and Data Protection Tribunal. The CPPA strengthens consent, establishes new individual rights, and significantly increases penalties (up to 5% of global revenue or $25M, whichever is higher). For ITAD, the operational obligations remain similar but the cost of failure rises. Maxicom certificates are designed to remain admissible under both PIPEDA and the future CPPA framework.
Provincial privacy laws — substantially similar
Quebec (Law 25, formerly Bill 64), Alberta (PIPA), and British Columbia (PIPA) have substantially similar private-sector privacy laws that displace PIPEDA for activities within those provinces. Quebec Law 25 is the strictest of the three. Maxicom certificates are written to satisfy PIPEDA and the relevant provincial law simultaneously.
Frequently asked questions
Does PIPEDA require physical destruction of all retired drives?
No. PIPEDA is method-neutral — it requires that personal information be destroyed or rendered anonymous. NIST SP 800-88 Rev. 1 Purge satisfies this for most data classifications. Physical destruction is typically reserved for top-classified data per the data owner's policy.
How long must I retain destruction certificates under PIPEDA?
PIPEDA does not specify a fixed period; retention follows the purpose-related obligation. Maxicom's default is 7 years, longer where industry-specific rules apply.
What about Bill C-27 and the CPPA — should I plan for it?
Yes. The operational obligations are similar but penalties are significantly higher. Maxicom certificates are designed to remain admissible under both frameworks; no engagement-level changes are anticipated.
Does PIPEDA apply across all of Canada?
PIPEDA is the federal default; Quebec, Alberta and British Columbia have substantially similar provincial laws that displace PIPEDA for in-province activities. PHIPA in Ontario displaces PIPEDA for personal health information. Maxicom certificates are written to satisfy whichever law applies.