Business Associate Agreement (Canada)
Data Sharing and Privacy Agreement
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into as of [Agreement Date] between:
COVERED ORGANIZATION: [Covered Org Name], of [Covered Org Address] ("Covered Organization"); and
BUSINESS ASSOCIATE: [Associate Name], of [Associate Address] ("Business Associate").
This Agreement is governed by the laws of the Province of [Province] and the federal laws of Canada applicable therein.
1. DATA COVERED AND PERMITTED USE
1.1 This Agreement governs the Business Associate's handling of the following data: [Data Description]
1.2 Business Associate may only use or disclose the data for the following permitted purposes: [Permitted Purpose]
1.3 Business Associate agrees not to use or disclose the data for any purpose other than those specified above, and not to sell or transfer the data to any third party without the Covered Organization's prior written consent.
2. SECURITY SAFEGUARDS
2.1 Business Associate agrees to implement appropriate technical, organizational, and physical security safeguards to protect the data from unauthorized access, use, disclosure, modification, or destruction, consistent with PIPEDA Principle 7 (Safeguards).
2.2 Required safeguards include: (a) encryption of personal data in transit and at rest; (b) access controls limiting data access to personnel with a need to know; (c) audit logging of data access events; (d) a documented incident response plan; and (e) background screening of employees with access to sensitive data.
2.3 Business Associate will not engage sub-processors to handle the data without the prior written consent of the Covered Organization, and without first ensuring that equivalent data protection obligations are imposed on each sub-processor.
3. PIPEDA AND PROVINCIAL PRIVACY COMPLIANCE
3.1 Business Associate agrees to handle all personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and, where applicable, provincial privacy legislation including Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), British Columbia's PIPA, and Alberta's PIPA.
3.2 Business Associate will respond to all access requests, correction requests, and complaints from individuals regarding their personal information that are directed to the Business Associate, and will cooperate with the Covered Organization in any regulatory investigation by the Office of the Privacy Commissioner of Canada or applicable provincial privacy commissioner.
4. BREACH NOTIFICATION
4.1 Business Associate will notify the Covered Organization within [Breach Notice Hours] hours of discovering any actual or suspected breach of security safeguards affecting the data covered by this Agreement.
4.2 The notification must include: (a) a description of the breach; (b) the data affected; (c) the number of individuals affected, if known; (d) corrective actions taken; and (e) contact information for the Business Associate's privacy officer.
4.3 Business Associate will cooperate with the Covered Organization in any breach notification required under PIPEDA's Breach of Security Safeguards Regulations (SOR/2018-64) or applicable provincial legislation.
5. AUDIT RIGHTS AND DATA RETENTION
5.1 The Covered Organization may audit the Business Associate's data protection practices upon reasonable notice to verify compliance with this Agreement.
5.2 Business Associate will retain the data only for as long as necessary to provide the services, and will securely destroy or return all data to the Covered Organization within thirty (30) days of the termination or expiry of the services agreement.
5.3 Both parties will maintain records relating to data processing activities under this Agreement for a minimum of six (6) years, as required for CRA and privacy compliance purposes.
6. GOVERNING LAW
This Agreement is governed by the laws of the Province of [Province] and the federal laws of Canada applicable therein. In the event of any conflict between this Agreement and the underlying services agreement between the parties, this Agreement prevails with respect to data protection matters.
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the date first written above.
Authorized Signatory
________________
Signature
Authorized Signatory
________________
Signature
What Is a Business Associate Agreement (Canada)?
A Business Associate Agreement in Canada sets how a service provider may handle protected information on the principal’s behalf and the safeguards required, governed primarily by PIPEDA and provincial health-information legislation.
Under PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5), organizations that transfer personal information to third parties for processing remain accountable for confirming that the information receives comparable protection to that which they themselves provide. PIPEDA Principle 4.1.3 requires the use of contractual or other means to confirm this protection. A BAA is the standard mechanism for satisfying this accountability obligation.
In Quebec, Law 25 (amendments to the Act respecting the protection of personal information in the private sector) imposes additional requirements: organizations must conduct privacy impact assessments before transferring personal information outside Quebec, enter into written agreements with third-party processors, and confirm that comparable protection is provided. The Commission d'accès à l'information (CAI) has enforcement authority over these obligations.
For organizations handling health information, provincial health information protection statutes impose sector-specific requirements. Ontario's PHIPA (Personal Health Information Protection Act, S.O. 2004, c. 3) governs health information custodians and their agents. Alberta's Health Information Act (R.S.A. 2000, c. H-5) applies to custodians of health information in Alberta. These statutes may require more detailed BAA provisions than PIPEDA alone.
A well-drafted BAA confirms that service providers handling your data are contractually obligated to protect it, respond to breaches promptly, and return or destroy data when the relationship ends.
The legal framework governing a Business Associate Agreement in Canada draws on several key statutes and regulatory bodies. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Parties executing a Business Associate Agreement in Canada should confirm that the document reflects current law, including any amendments enacted since the original drafting date. The Canada Business Corporations Act sets the foundational requirements.
When Do You Need a Business Associate Agreement (Canada)?
You need a Business Associate Agreement whenever your organization shares personal information or sensitive business data with a third-party service provider.
Healthcare organizations sharing patient data with IT vendors, billing services, or cloud providers need a BAA to satisfy PHIPA or provincial health information obligations.
Financial institutions and fintech companies sharing customer financial data with payment processors, analytics providers, or software vendors need a BAA to meet PIPEDA accountability requirements.
HR departments sharing employee personal information with payroll processors, benefit administrators, or recruitment platforms need a BAA to document the data protection obligations of each vendor.
Any business moving to cloud services and sharing data with SaaS providers — whether CRM systems, accounting software, or document management platforms — should require a BAA from each cloud vendor.
Quebec-based businesses transferring personal information to service providers outside Quebec must comply with Law 25 requirements, which include a written agreement governing data processing comparable to a BAA.
Parties in Canada should prepare a Business Associate Agreement (Canada) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Business Associate Agreement (Canada)
Data Description — A clear identification of the categories of personal or confidential information that will be shared with the business associate, and the specific purpose for which it may be processed.
Permitted Uses — Restrictions on how the business associate may use or disclose the information, limited to what is necessary to provide the contracted services.
Security Safeguards — Specific technical and organizational security measures the business associate must implement, proportionate to the sensitivity of the information.
Sub-processing — Restrictions on the business associate engaging sub-contractors to process the information, and the requirement to flow down equivalent data protection obligations.
Breach Notification — The business associate's obligation to notify the client promptly (typically within 24–72 hours) upon discovering a security breach, and to cooperate with breach assessment and notification obligations under PIPEDA's Breach of Security Safeguards Regulations.
Audit Rights — The client's right to audit the business associate's data protection practices, review security documentation, and conduct periodic assessments.
Data Retention and Destruction — Maximum retention periods for personal data and secure destruction obligations at contract end.
Applicable Law — PIPEDA compliance requirements, and any applicable provincial privacy legislation such as Quebec's Law 25, Ontario's PHIPA, or Alberta's HIA.
Forms-legal.com provides this template as a starting point for Canada-compliant documentation.
Sources & Citations
Statutory citations link to official government sources.
- R.S.C. 1985, c. C-44 (Canada Business Corporations Act; official Government of Canada source)
- R.S.C. 1985, c. C-34 (Competition Act; official Government of Canada source)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Business Associate Agreement (Canada) [Legal document template]. Forms Legal. https://forms-legal.com/canada/business/contracts/business-associate-agreement-canada
"Business Associate Agreement (Canada)." Forms Legal, 2026, https://forms-legal.com/canada/business/contracts/business-associate-agreement-canada.
@misc{formslegal-business-associate-agreement-canada,
author = {{Forms Legal}},
title = {Business Associate Agreement (Canada)},
year = {2026},
howpublished = {\url{https://forms-legal.com/canada/business/contracts/business-associate-agreement-canada}},
note = {Free legal document template. Based on Canada Business Corporations Act (R.S.C. 1985, c. C-44)}
}
Frequently Asked Questions
What is a Business Associate Agreement in Canada?
A Business Associate Agreement (BAA) is a contract between a business and a service provider (the "business associate") that will have access to the business's confidential or personal information while providing services. Although the term "Business Associate Agreement" originates in US HIPAA legislation, the concept applies directly in Canada wherever one organization shares personal information with another organization in the course of commercial activity. Under PIPEDA (S.C. 2000, c. 5), an organization that transfers personal information to a third party for processing remains responsible for ensuring that the information receives comparable protection. PIPEDA Principle 4.1.3 explicitly requires organizations to use contractual or other means to protect personal information transferred to third parties. A BAA is the primary mechanism for meeting this obligation. In Quebec, Law 25 (Bill 64) imposes additional requirements, including privacy impact assessments before sharing personal information with third parties and written agreements governing data processing.
What are the breach notification requirements in Canada?
Canada's breach notification framework is set out in PIPEDA's Breach of Security Safeguards Regulations (SOR/2018-64), which came into force in November 2018. Organizations must: (1) notify the Office of the Privacy Commissioner of Canada (OPC) of any breach of security safeguards involving personal information where it is reasonable to believe the breach creates a "real risk of significant harm" to affected individuals; (2) notify affected individuals of such breaches; and (3) notify any organization that may be able to reduce the risk of harm (for example, a bank if financial account information is compromised). Notifications to the OPC and affected individuals must be made "as soon as feasible" after determining that a reportable breach has occurred. Organizations must also maintain a record of all security breaches for a minimum of 24 months. A Business Associate Agreement should require the service provider to promptly notify the client of any breach involving the client's data, to assist with the client's breach notification obligations, and to cooperate with OPC investigations.
What security requirements should a Canadian BAA include?
A Canadian BAA should specify concrete security requirements for the service provider, proportionate to the sensitivity of the personal information being shared. Standard provisions include: (1) encryption of personal data in transit and at rest; (2) access controls limiting data access to personnel who need it to perform the services; (3) a documented information security policy and incident response plan; (4) background checks or security screening for employees with access to sensitive data; (5) a prohibition on sub-contracting data processing to third parties without the client's prior written consent and without equivalent data protection obligations; (6) audit rights allowing the client to verify the service provider's compliance with security requirements; and (7) data return or destruction obligations at contract end. For healthcare-related data, additional requirements under provincial health information protection legislation — such as Ontario's Personal Health Information Protection Act (PHIPA) or Alberta's Health Information Act — may apply and should be addressed in the agreement.
Do I need a lawyer to prepare a Business Associate Agreement in Canada?
A Business Associate Agreement (Canada) does not legally require a lawyer in Canada, and individuals and businesses may draft and execute the document independently. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Canadian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Canada has jurisdiction over disputes arising from this type of document, and Corporations Canada may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A Business Associate Agreement (Canada) does not legally require a lawyer in Canada, though legal advice is recommended for complex transactions. Under Canadian law, individuals may draft and execute this type of document independently. The Competition Act (R.S.C. 1985, c. C-34) provides consumer protections. However, Corporations Canada, the Canada Revenue Agency (CRA), or provincial regulatory bodies may have specific requirements. For property transactions, provincial land title offices require qualified lawyers or notaries. PIPEDA and provincial privacy legislation impose obligations on parties handling personal data. Where disputes arise, provincial superior courts or the Federal Court of Canada have jurisdiction. Forms-legal.com provides this template as a starting point — always review with a qualified Canadian lawyer for significant transactions.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.