Cyber Policies
Policy 6

Legal Obligations

What: This policy highlights certain legal aspects to take into account in terms of cybersecurity practices of organizations. 

Who: It is intended specifically for the management and board of directors. 

Approx. time: Plan a two-hour meeting to become familiar with the content and choose a person who will do more research to ensure that your practices are in good standing. Then plan an one-hour meeting to discuss the possible impact with the rest of the team.

In this policy, we emphasize the most important aspects of three laws that may concern you.

  1. PIPEDA: Personal Information Protection and Electronic Documents Act 
  2. GDPR: General Data Protection Regulation
  3. CASL: Canada’s Anti-Spam Legislation

Personal Information Protection and Electronic Documents Act

PIPEDA regulates the collection and use of personal information by organizations.

The Act applies only to private-sector organizations and to their commercial activities. Unless “they are engaging in commercial activities that are not central to their mandate and involve personal information,” PIPEDA does not apply to not-for-profit organizations. However, applying their principles can be useful as a best practice. 

Several provinces (Quebec, British Columbia, and Alberta) have their own private-sector privacy laws. The activities carried out in all other provinces and territories must comply, however, with PIPEDA.

What is personal information?

Personal information includes any factual or subjective information “about an identifiable individual.” This includes information such as:

  • age, name, ID numbers, income, ethnic origin, or blood type
  • opinions, evaluations, comments, social status, or disciplinary actions
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

What is protected by the Act?

The Act is based on five fundamental principles to which every individual has a right:

  • to know what information an organization has about you
  • the ability to correct any inaccurate information
  • the possibility to file a complaint with the organization or an industry association
  • the possibility to file a complaint with the Office of the Privacy Commissioner of Canada
  • the right to file a complaint, in certain situations, with the Federal Court of Canada.

The Act also stipulates that personal information shall only be used for the purposes for which it was collected and “shall be retained only as long as necessary for the fulfillment of those purposes.” (PIPEDA, 2000, Schedule 1, Clause 4.5, Principle 5)

A good practice, therefore, means formalizing your data storage and archive management practices to ensure that the personal information that has been entrusted to you is kept only for the minimum time required.

What to do in case of a data breach?

Another aspect of this Act concerns the notification of data breaches. In Canada, any organization that has had a data breach or compromise must:

  • Report to the Office of the Privacy Commissioner of Canada the breach of security safeguards of personal information that may present a real risk of causing the individuals great harm.
  • Notify the affected individuals of the breach.
  • Maintain a record of all breaches.

In case of a breach, the organization must provide the Commissioner with a description of the cause and circumstances, the day on which or the period during which the breach occurred, a description of the personal information targeted, the number of affected individuals, as well as the name and contact information of a person who can answer questions about the breach. The organization must also describe the steps it has taken to reduce the risk or mitigate the harm that could result from the breach, as well as the steps it has taken or intends to take to notify affected individuals. (Breach of Security Safeguards Regulations, 2018, Section 2(1))

In Canada, these steps must be taken “as soon as possible.” If the breach affects European nationals, the GDPR requires that the governments concerned be informed within 72 hours.

General Data Protection Regulation (GDPR)

If your organization deals with clients, partners, or anyone in the distribution list who comes from the European Union, you need to apply the provisions of the GDPR.

There are many similarities between PIPEDA and GDPR. It seems that Canadian organizations that conform to PIPEDA have a greater chance of having a similar relationship with the GDPR.

However, various aspects of the GDPR don’t have equivalents in PIPEDA. For example, the GDPR has requirements related to data portability, the right to erasure, and “privacy by design” (which encourages the protection of privacy right from the design of services) that are not included in PIPEDA. 
For more information on the GDPR and to see whether it applies to your organization, you can consult this website.

Canada’s Anti-Spam Legislation (CASL)

According to CASL, certain rules apply when sending mass email (mailing lists, newsletters, MailChimp, etc.). Among other aspects, the legislation stipulates that any organization must:

  • Avoid collecting addresses and personal information without permission.
  • Ensure that it’s easy for an individual to unsubscribe from a list.
  • Ensure that all electronic messages contain the sender’s name and/or that of the organization, the street address and contact information, as well as an unsubscribe mechanism.

To conform to regulations, you must be sure that every person receiving your newsletter can easily unsubscribe from it. In addition, you must not add people without their express consent.

Implied consent applies when:

  • A recipient has purchased a product, a service, or has had a business relationship, a contract, or a subscription with an organization in the last twenty-four months.
  • You are a registered charity or a political organization, and the recipient has made a donation or gift, done volunteer work, or has attended a meeting you organized.
  • The person to whom the message is sent has disclosed the electronic address without indicating a wish not to receive unsolicited commercial messages.

CASL does not apply to messages that

  • are not commercial 
  • relate to fundraising
  • solicit contributions.

To know more about CASL 

visit the following website: understanding CASL.


  • Verify whether PIPEDA applies to your organization.
  • Understand the PIPEDA issues at stake for your organization.
  • Make sure to save personal information in an efficient and documented manner.
  • Devise a plan in case personal information is compromised. 
  • Understand and verify whether the GDPR applies to your organization.
  • Take the necessary steps to conform to it. 
  • Understand the CASL issues at stake for your organization.
  • Make sure you have the user’s consent before adding their email address to a mailing list. 
  • In every email, provide the option to unsubscribe.
  • In a mass email (newsletter), always indicate the name of the organization, the street address, and contact information.

Useful link

All the policies