IBM Cloud® compliance: PIPEDA (Canada)
graphic showing two people standing on platforms, with one person looking at a map and the other at a security shield
What is PIPEDA?

The Canada Personal Information Protection and Electronic Documents Act (PIPEDA), which became effective on January 1, 2001, is a comprehensive data protection law. PIPEDA is similar to GDPR as it operates on principles encompassing accountability, collection and use limitation, accuracy, security and transparency. Unlike GPDR, PIPEDA applies to commercial "organizations" without distinguishing between controller and processors. Additionally, PIPEDA includes the individual rights of access and correction.

PIPEDA applies to: 

  • organizations which collect, use, or disclose PI (personal information) in the course of commercial activities in Canada, or
  • organizations outside of Canada if the relevant activities of the organization have a "real and substantial" connection to Canada,
  • personal information about employees or prospective employees of organizations that collect, use, or disclose PI in connection with the operation of a "federal work, undertaking, or business" in Canada

The law is currently under review for modernization.  For more information on PIPEDA, please click here.

IBM position

IBM has implemented a process to review all its products, offerings and services against PIPEDA requirements. IBM believes that its standard technical and organization measures, in combination with IBM DPA, are sufficient security measures to meet the requirements of Canada’s PIPEDA. 

The IBM DPA can be found on the IBM Terms site

For more information on IBM data privacy policies, please visit the IBM Trust Center.  If you have further questions about IBM privacy policy for external offerings, you can contact the IBM Chief Privacy Office Helpdesk.

Take the next step

Questions about a compliance program? Need a protected compliance report? We can help.

See more compliance programs