PIPEDA's ten fair information principles, explained

Last reviewed 2026-06-29 · Plain-language summary, not legal advice.

PIPEDA's substantive obligations live in Schedule 1 of the Personal Information Protection and Electronic Documents Act, which incorporates the CSA Model Code for the Protection of Personal Information as ten fair information principles. Section 5(1) of the Act makes compliance with the obligations in Schedule 1 a legal duty, so these are not guidelines; they are the binding core of the law. One caveat worth knowing when you read the Schedule itself: under section 5(2), clauses that use the word "should" are recommendations rather than obligations, while "shall" clauses are mandatory. The Office of the Privacy Commissioner publishes the canonical list as PIPEDA fair information principles. Here is what each one requires in practice.

1. Accountability

An organization is responsible for the personal information under its control and must designate an individual — commonly a Privacy Officer — accountable for compliance. Accountability does not end when you hand data to a processor: you must use contractual or other means to ensure that third party provides a comparable level of protection. In practice this principle is what a questionnaire is checking when it asks who owns your privacy program and whether you have a data-processing agreement.

2. Identifying purposes

You must identify the purposes for collecting personal information at or before the time of collection. Purposes should be specific enough that an individual can understand how their information will be used, and documenting them is what lets you apply the later limiting principles. If you later want to use the information for a new purpose, you generally need fresh consent.

3. Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where the Act specifically allows otherwise. The form of consent should reflect the sensitivity of the information — express consent for sensitive data, implied consent where appropriate — and an individual may withdraw consent subject to legal or contractual limits. We cover the nuances in consent and meaningful consent under PIPEDA.

4. Limiting collection

Collect only the personal information your identified purposes actually require, and collect it by fair and lawful means. This principle is the antidote to "collect everything in case it is useful": if a data point does not serve a stated purpose, you should not be gathering it. Over-collection is also the kind of thing that surfaces in a privacy impact assessment.

5. Limiting use, disclosure, and retention

Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law, and it must be retained only as long as necessary to fulfil those purposes. When the purpose is spent, you should have a documented schedule to delete or anonymize the data. Indefinite retention is a common gap that this principle directly targets.

6. Accuracy

Personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is used. The standard is tied to use: information used to make a decision about an individual must be accurate enough that the decision is fair. The flip side is often missed: Schedule 1 says an organization shall not routinely update personal information unless doing so is necessary to fulfil the purposes for which it was collected, so refreshing data that no longer drives any decision is not just unnecessary but discouraged.

7. Safeguards

You must protect personal information with security safeguards appropriate to its sensitivity, whether physical, organizational, or technological. Higher sensitivity demands stronger protection, and the safeguards should guard against loss, theft, and unauthorized access, use, disclosure, copying, or modification. The principle also reaches two areas reviewers routinely probe: staff must be made aware of the importance of maintaining confidentiality, and care must be taken in the disposal or destruction of personal information, so secure deletion and media sanitization belong in your answer alongside encryption and access control. For most vendors this is the hardest principle to answer well, because reviewers want named controls and cadences, not the phrase "industry-standard security."

8. Openness

An organization must make its policies and practices relating to the management of personal information readily available to individuals — typically through a published privacy policy. Openness means someone should be able to learn, without unreasonable effort, what you collect, why, who to contact, and how to access their information.

9. Individual access

On request, you must tell an individual whether you hold personal information about them, what it is, and how it has been used or disclosed, and you must give them access to it and a way to correct inaccuracies. There are narrow grounds to refuse, and timelines apply. The mechanics — the 30-day clock, fees, and refusal grounds — are in access to personal information under PIPEDA.

10. Challenging compliance

An individual must be able to challenge an organization's compliance with these principles by complaining to the designated accountable person. You need a process to receive, investigate, and respond to complaints, and to correct practices or information where a complaint is justified. This principle closes the loop: accountability names who is responsible, and challenging compliance gives individuals a way to hold them to it.

Together these ten principles are the structure of nearly every Canadian privacy program — and of the buyer questionnaires that test one. When a customer sends a PIPEDA review, our PIPEDA questionnaire guide shows how to map your answers to each principle, and the privacy-law hub places PIPEDA alongside the provincial laws that may also apply to you.

Common questions

Where are PIPEDA's ten principles found in the law?

They live in Schedule 1 of the Personal Information Protection and Electronic Documents Act, which incorporates the CSA Model Code for the Protection of Personal Information. Section 5 of the Act makes compliance with Schedule 1 a legal obligation, so the principles are not best-practice guidance — they are the binding core of PIPEDA.

Which principle is hardest for vendors to satisfy?

Safeguards and accountability are usually the heaviest lifts. Safeguards demands named security controls appropriate to the sensitivity of the data, such as encryption, access control, and logging, together with the review and testing cadences behind them, not a vague claim of being secure. Accountability requires a designated Privacy Officer and contractual protection for data handed to processors. Consent and identifying purposes are often lighter for a processor, because the customer collected the data and set the purpose.

Is consent always required under PIPEDA?

Consent is the default, but section 7 of the Act lists specific exceptions where collection, use, or disclosure can occur without it, for example certain investigations, legal requirements, or an emergency that threatens the life, health, or security of an individual. Outside those exceptions, you need knowledge and consent appropriate to the sensitivity of the information.

What is the difference between the principles and the rest of the Act?

Schedule 1 sets out the ten principles in fair-information language. The body of the Act qualifies and clarifies them — for example, Section 5(3) limits collection, use, and disclosure to purposes a reasonable person would consider appropriate, and other sections add the breach-reporting and record-keeping duties. Read the principles for the obligations and the Act's clauses for the precise legal tests.

Map the ten principles to real controls.

ThinSky turns PIPEDA's principles into a working program and answers the questionnaires that test them. Tell us where the gaps are.

Talk to ThinSky →