PIPEDA compliance for tax professionals: a practical guide
PIPEDA requires you to protect client financial data — but most accountants have no idea what that means in practice.
January 8, 2025
If you are a CPA or accounting professional in Canada, PIPEDA — the Personal Information Protection and Electronic Documents Act — applies to you. It governs how you collect, use, and disclose the personal information of your clients.
Most accountants know PIPEDA exists. Far fewer have taken concrete steps to comply with it.
What information is covered
PIPEDA applies to "personal information," which is defined broadly as any information about an identifiable individual. For a tax practice, this includes:
- Social Insurance Numbers (SINs)
- Income figures and tax documents
- Banking information
- Details about employment, investments, and family status
- Anything included on a T1, T2, or related schedule
In short: virtually everything you collect from clients is personal information under PIPEDA.
The ten principles — what they mean in practice
1. Accountability. You are responsible for personal information under your control, including information held by third parties on your behalf. If you use a cloud storage service or a document management platform, you are accountable for how they handle client data.
2. Identifying purposes. You must identify the purposes for collecting personal information before or at the time of collection. Your engagement letter should explain what information you collect and why.
3. Consent. You must obtain meaningful consent for the collection, use, and disclosure of personal information.
4. Safeguards. Use security safeguards appropriate to the sensitivity of the information. Financial documents are explicitly sensitive.
Where most practices fall short
Email attachment handling
Sending client documents by email is difficult to reconcile with PIPEDA's safeguards principle. Standard email is not reliably encrypted in transit, and attachments sit unencrypted at rest in both the sender's and the recipient's mailboxes. A client's T4 slip sitting in your email inbox is exposed to any attacker who gains access to either account.
Data residency
Some cloud services store data in US data centers governed by US law, including the CLOUD Act, which allows US government access to data held by US companies regardless of where it is stored. For a Canadian practice with Canadian clients, keeping data in Canadian data centers is the most defensible approach.
Retention and disposal
Many practices retain client files long past when they are needed. The CRA generally requires records to be kept for six years after the last tax year they relate to. Beyond that, you should have a documented policy for disposal.
Breach notification
Since 2018, PIPEDA has included mandatory breach notification requirements. If you experience a breach of security safeguards involving personal information that creates a "real risk of significant harm," you must notify the Office of the Privacy Commissioner of Canada and affected individuals.
Practical steps
1. Audit your current data flows
2. Update your engagement letter to describe how you protect client information
3. Move document collection off email
4. Implement a data retention policy
5. Have a breach response plan
6. Keep records to demonstrate compliance
*This article provides general information and is not legal advice.*