PIPEDA compliance checklist for Canadian SMBs with contractors
PIPEDA applies to any Canadian business that collects personal information. For businesses using contractors, compliance is harder than most owners realize. This checklist covers what you need to have in place.
PIPEDA (the Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law. If your business collects, uses, or discloses personal information in the course of commercial activities, PIPEDA applies to you. For businesses that work with contractors and remote workers, the compliance requirements go further than most owners realize. This checklist covers what you need to have in place.
What PIPEDA actually requires
PIPEDA is built around 10 fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and challenging compliance.
In practice, your business must know what personal information you hold and where it lives, have a stated purpose for collecting it, get proper consent, protect it with appropriate safeguards, and report breaches to the Privacy Commissioner within 72 hours of determining a real risk of significant harm.
Why contractors make this harder
Every contractor you hire potentially has access to personal information: customer data, employee records, financial information. Unlike full-time employees, contractors often work across multiple clients, use personal devices, and connect from personal networks.
PIPEDA holds your organization accountable for how third parties handle personal information on your behalf. If a contractor mishandles customer data, the liability is yours. The gaps that come up most often in assessments:
- No data handling agreement signed at onboarding
- Contractors using personal email to receive business data
- Shared passwords or accounts (no individual audit trail)
- No offboarding process to revoke access when the contract ends
- No documentation of what data the contractor can access
- No security awareness training for contractors
- No clear policy on which devices contractors can use
- No incident reporting process for contractors
- No inventory of which contractors have access to what systems
- No process to notify affected individuals after a contractor breach
Privacy foundation
Start with the basics before addressing contractors specifically.
- Appoint a privacy officer (can be the business owner in a small business)
- Write a plain-language privacy policy describing what you collect, why, and how you protect it
- Create an internal policy covering staff and contractor data handling
- Maintain a record of personal information holdings: what you have, where it lives, who can access it
Contractor onboarding checklist
These steps should happen before any contractor gets access to your systems.
- Sign a data handling agreement specifying what data the contractor can access and what they must do with it
- Provision individual accounts (not shared) with the minimum permissions needed
- Enforce multi-factor authentication on those accounts from day one
- Brief contractors on your privacy policy, acceptable use policy, and incident reporting process
- Document which systems and data the contractor is authorized to access
During the engagement
- Log contractor access to sensitive systems
- Review contractor access quarterly to confirm it is still needed
- Include contractors in security awareness training and phishing simulations
- Have a process for contractors to report suspected incidents without penalty
Contractor offboarding checklist
This is the step most businesses skip. Eight out of ten assessments find no documented offboarding procedure.
- Revoke all system access on the final day of the engagement
- Document the offboarding: who, when, which access was revoked
- Confirm that company data has been returned or deleted from contractor devices
- Disable or delete the contractor's individual accounts
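One way to turn the onboarding, in-engagement and offboarding items above into a repeatable check, as an added example that is not part of the original article: a small Python audit over a contractor access inventory. The inventory rows, names, systems and dates are constructed sample data; the 90-day window is an assumption matching the quarterly review item.

```python
from datetime import date

# Constructed sample inventory (not from the article): one row per contractor
# account, with the fields the checklist says you should be tracking.
INVENTORY = [
    {"contractor": "A. Tremblay", "system": "CRM", "dha_signed": True,
     "mfa": True, "shared": False, "contract_end": date(2025, 3, 31),
     "revoked_on": None, "last_review": date(2025, 2, 1)},
    {"contractor": "B. Singh", "system": "Payroll", "dha_signed": False,
     "mfa": False, "shared": True, "contract_end": date(2025, 12, 31),
     "revoked_on": None, "last_review": date(2024, 12, 1)},
    {"contractor": "C. Okafor", "system": "File share", "dha_signed": True,
     "mfa": True, "shared": False, "contract_end": date(2025, 2, 28),
     "revoked_on": date(2025, 2, 28), "last_review": date(2025, 1, 10)},
]

REVIEW_WINDOW_DAYS = 90  # assumed: "quarterly" access review


def audit(inventory, today):
    """Return (contractor/system, finding) pairs for every checklist gap."""
    findings = []
    for row in inventory:
        tag = f"{row['contractor']} / {row['system']}"
        active = row["revoked_on"] is None
        # Onboarding items: agreement on file, individual account, MFA.
        if not row["dha_signed"]:
            findings.append((tag, "no data handling agreement on file"))
        if row["shared"]:
            findings.append((tag, "shared account: no individual audit trail"))
        if not row["mfa"]:
            findings.append((tag, "MFA not enforced"))
        # Offboarding item: access must be revoked by the final day.
        if active and row["contract_end"] <= today:
            findings.append((tag, f"contract ended {row['contract_end']} "
                                  "but access not revoked"))
        # During-engagement item: still-active access reviewed each quarter.
        if active and (today - row["last_review"]).days > REVIEW_WINDOW_DAYS:
            findings.append((tag, "active access not reviewed this quarter"))
    return findings


def by_contractor(findings):
    """Count findings per contractor/system so the worst rows surface first."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for tag, finding in audit(INVENTORY, date(2025, 4, 10)):  # assumed run date
        print(f"{tag}: {finding}")
```

Feed it your own inventory export instead of the constructed rows and the output becomes the evidence record the "document which systems the contractor is authorized to access" item asks for.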
Breach readiness
- Document your breach response process before an incident happens
- Know the 72-hour reporting window and what triggers it
- Know whom to notify: the Privacy Commissioner of Canada (priv.gc.ca) and affected individuals
- Keep records of any breach risk assessments you perform
The Quebec difference
If your contractors are based in Quebec or your customers include Quebec residents, Quebec Law 25 (formerly Bill 64) adds requirements on top of PIPEDA. Law 25 is more strictly enforced and adds mandatory Privacy Impact Assessments for any technology that processes personal information, a named privacy officer registered with the Commission d'accès à l'information, and breach notification within 72 hours.
Law 25 is actively enforced. Fines for non-compliance can reach $25 million or 4% of worldwide revenues.
Where most SMBs fall short
In assessments of Canadian businesses with contractors, the most common gap is not the privacy policy but the contractor lifecycle: onboarding without a data handling agreement, no individual accounts, no offboarding process.
If you'd like a scored assessment of your contractor compliance posture across PIPEDA, Quebec Law 25, and the CCCS Baseline Controls, HuCortex offers a free 90-minute assessment through the BYOE program.
Ready to take the next step?
HuCortex works with Canadian businesses on CPCSC readiness, PIPEDA compliance, and managed security. Start with a free assessment.
