Compliance · Canada PIPEDA · 10 Fair Information Principles

PIPEDA Readiness Self-Assessment

Track readiness against the 10 Fair Information Principles under Canada's Personal Information Protection and Electronic Documents Act. Progress saved in your browser.

Overall readiness

Principle 1 — Accountability 0%

Organization is responsible for personal information under its control.

Privacy officer designated Name + contact published

Third-party data processors held to equivalent standards DPA/contracts on file

Principle 2 — Identifying Purposes 0%

Identify purposes before or at the time of collection.

Purposes documented for every data field collected

New uses of data trigger fresh consent

Principle 3 — Consent 0%

Knowledge + consent required, except where law allows otherwise.

Consent obtained at collection — meaningful + informed

Withdraw consent process documented

Implicit / explicit consent appropriate to sensitivity

Principle 4 — Limiting Collection 0%

Collection limited to what is necessary for the identified purposes.

Data minimization review on every form / field

Collected by fair + lawful means

Principle 5 — Limiting Use, Disclosure, Retention 0%

Personal info only used + disclosed for the purpose collected. Retained only as long as needed.

Data retention schedule documented

Secure destruction at end of retention

Disclosure log maintained

Principle 6 — Accuracy 0%

Information kept accurate + complete + up-to-date.

User-initiated correction process available /aria-data-export supports this

Routine accuracy checks documented

Principle 7 — Safeguards 0%

Security safeguards appropriate to sensitivity.

Encryption at rest + in transit

Access controls + MFA on admin accounts

Physical security for any on-prem data

Employee training on PIPEDA + breach response

PIPEDA breach notification process documented (mandatory >72h reporting)

Principle 8 — Openness 0%

Policies + practices publicly available.

Privacy officer contact info publicly available

Plain-language explanations of data use

Principle 9 — Individual Access 0%

Users have the right to access + correct + challenge their data.

Self-serve data export available /aria-data-export already live

Self-serve account deletion available /aria-account-delete already live

Response within 30 days of request

Principle 10 — Challenging Compliance 0%

Users can challenge compliance to the designated privacy officer.

Complaints process documented

Process to escalate to Office of the Privacy Commissioner if unresolved

SOC 2 Readiness ISO 27001 Readiness