Data Retention Policy (Canada)
PIPEDA Principle 5 — Provincial Privacy Laws & CRA Requirements
[Company Name]
[Company Street], [Company City], [Province] [Company Postal Code]
Effective Date: [Policy Date]
1. PURPOSE AND SCOPE
1.1 This Data Retention Policy is issued by [Company Name] to establish retention periods for all categories of personal information and business records, and to ensure that personal information is not retained longer than necessary for the purposes for which it was collected, in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) Principle 5 (Limiting Use, Disclosure, and Retention) and applicable provincial privacy legislation.
1.2 This Policy applies to all personal information and business records held by [Company Name] in any format, including paper records, electronic files, email communications, databases, cloud storage, and backup systems. It applies to all employees, officers, contractors, and third-party service providers.
1.3 The Privacy Officer responsible for this Policy is [Privacy Officer Name], [Privacy Officer Title].
2. LEGAL FRAMEWORK
2.1 This Policy is designed to ensure compliance with the following principal federal and provincial laws:
- Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), Principle 5 — personal information shall be retained only as long as necessary for the fulfilment of those purposes.
- Income Tax Act (R.S.C. 1985, c. 1 (5th Supp.)), section 230 — requiring books and records to be retained for at least 6 years from the end of the last tax year to which they relate.
- Canada Labour Code (R.S.C. 1985, c. L-2), Part III — requiring payroll records to be retained for at least 3 years.
- Canada Business Corporations Act (R.S.C. 1985, c. C-44), section 20 — requiring corporate records to be maintained.
- Provincial privacy legislation of the Province of [Province], including any applicable personal information protection act (e.g., PIPA BC, PIPA Alberta, ATIPPA NL).
- Provincial employment standards legislation of the Province of [Province], including record-keeping requirements for employment records.
- Provincial limitations legislation of the Province of [Province], which informs minimum retention periods for commercial records.
2.2 The Office of the Privacy Commissioner of Canada (OPC) has published guidance on retention and disposal of personal information, recommending that organizations establish clear retention schedules and destroy personal information when it is no longer needed.
3. DATA RETENTION SCHEDULE
3.1 The following retention schedule sets out the maximum period for which each category of data will be retained. At the end of the retention period, records will be securely destroyed in accordance with Section 4 of this Policy.
3.2 Employee Records — Personnel files, employment contracts, performance reviews, payroll records, T4 slips, Records of Employment (ROE), and benefits documentation: [Employee Records Retention]. Legal basis: CRA (6 years from end of tax year), Canada Labour Code Part III (3 years for payroll), provincial employment standards legislation, limitation periods for wrongful dismissal and human rights complaints.
3.3 Financial and Accounting Records — General ledger, invoices, receipts, bank statements, tax returns, GST/HST records, and audit documentation: [Financial Records Retention]. Legal basis: Income Tax Act s. 230 (6 years), Excise Tax Act (6 years for GST/HST records), Canada Business Corporations Act s. 20.
3.4 Customer and Consumer Data — Contact information, transaction history, correspondence, and service records: [Customer Records Retention]. Legal basis: PIPEDA Principle 5 (retain only as long as necessary), provincial limitation period for contract claims (typically 2-6 years depending on province).
4. SECURE DESTRUCTION PROCEDURES
4.1 At the end of the applicable retention period, records must be destroyed securely to prevent unauthorized access or disclosure. [Company Name] uses the following primary method of destruction: [Destruction Method].
4.2 Paper records containing personal information must be cross-cut shredded to a particle size meeting DIN 66399 P-4 or higher, or placed in a locked confidential waste bin for collection by an approved destruction vendor.
4.3 Electronic records must be permanently deleted using methods compliant with NIST SP 800-88 (Guidelines for Media Sanitization). Simple file deletion or formatting does not constitute secure destruction. Storage media being decommissioned must be physically destroyed or degaussed before disposal.
4.4 A destruction log must be maintained recording: the description of records destroyed, the retention category, the date of destruction, the method used, and the name of the person who authorized the destruction. The destruction log itself is retained for 7 years.
5. RESPONSIBILITIES
5.1 The Privacy Officer ([Privacy Officer Name], [Privacy Officer Title]) is responsible for: maintaining and updating this Policy; providing training and guidance to staff on data retention obligations; conducting periodic audits of data holdings; and reporting material non-compliance to senior management.
5.2 All employees and contractors are responsible for: managing records in accordance with this Policy; not retaining personal information beyond the periods set out in the retention schedule; reporting suspected breaches of this Policy to the Privacy Officer; and cooperating with retention audits.
5.3 Department heads are responsible for ensuring that their teams comply with this Policy and for identifying any categories of records not addressed in the schedule that require a retention decision.
6. LEGAL HOLDS AND EXCEPTIONS
6.1 Records subject to a legal hold must not be destroyed even if the standard retention period has expired. A legal hold is triggered by: notice of actual or threatened litigation; receipt of a government investigation or demand; a regulatory inquiry by the OPC or provincial privacy commissioner; an access request under PIPEDA or provincial legislation; or any other circumstance where destruction of records could constitute spoliation of evidence.
6.2 Under PIPEDA, individuals have the right to access their personal information held by an organization (Principle 9). Records subject to an access request must be retained until the request has been fully resolved.
6.3 Where a record falls under two or more retention categories, the longer retention period applies.
7. INDIVIDUAL DATA RIGHTS
7.1 Under PIPEDA Principle 9 (Individual Access), individuals have the right to be informed of the existence, use, and disclosure of their personal information and to have access to that information. Under PIPEDA Principle 6 (Accuracy), individuals may challenge the accuracy and completeness of their information.
7.2 [Company Name] will respond to access and correction requests within 30 days as required by PIPEDA. Where personal information has been disclosed to third parties, [Company Name] will notify those third parties of any corrections.
7.3 Where personal information is no longer required for the identified purposes and is not subject to a legal hold or statutory retention requirement, [Company Name] will destroy the information in accordance with Section 4 of this Policy.
8. REVIEW AND AUDIT
8.1 This Policy will be reviewed [Review Frequency] by the Privacy Officer, or sooner if required by a material change in applicable law or the organization's data processing activities.
8.2 The Privacy Officer will conduct an annual audit of data holdings to verify that records are being retained and destroyed in accordance with this Policy.
8.3 Next scheduled review date: [Review Date].
9. BREACH OF THIS POLICY
9.1 Failure to comply with this Policy may result in: a privacy breach requiring notification to the OPC and affected individuals under the Breach of Security Safeguards Regulations (SOR/2018-64); enforcement action by the OPC or provincial privacy commissioner; civil litigation and damages; and disciplinary action up to and including termination.
9.2 Deliberate breach of this Policy — including the unauthorized destruction of records before the retention period has elapsed or the willful retention of personal information beyond the maximum retention period — may result in disciplinary action up to and including termination.
10. POLICY APPROVAL
This Data Retention Policy was approved on [Policy Date] and is effective as of that date.
Policy Owner: [Policy Owner]
Approved By: [Approved By]
Next Review Date: [Review Date]
This Policy is governed by the laws of the Province of [Province] and applicable federal law.
Approved By / Authorized Signatory
[Approved By]
Signature
Date: ________________
What Is a Data Retention Policy (Canada)?
A Data Retention Policy in Canada sets how long the organisation keeps categories of data and when each is securely destroyed, governed primarily by PIPEDA and provincial privacy legislation.
In Canada, data retention is governed primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), which applies to organizations engaged in commercial activities across Canada. PIPEDA's Schedule 1 establishes ten fair information principles, of which Principle 5 (Limiting Use, Disclosure, and Retention) directly addresses data retention. This principle states that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected, and that personal information no longer needed should be destroyed, erased, or made anonymous.
The Income Tax Act (R.S.C. 1985, c. 1 (5th Supp.)), section 230, requires every person carrying on a business in Canada to keep records for at least 6 years from the end of the last tax year to which they relate. The Canada Revenue Agency (CRA) enforces this requirement and may extend it in specific circumstances. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) also imposes record-keeping obligations on federally incorporated companies.
At the provincial level, British Columbia (PIPA, S.B.C. 2003, c. 63), Alberta (PIPA, S.A. 2003, c. P-6.5), and Quebec (Act Respecting the Protection of Personal Information in the Private Sector) have enacted their own private-sector privacy legislation with similar retention and disposal obligations. Provincial health privacy laws, such as Ontario's PHIPA and Alberta's HIA, impose specific retention periods for personal health information.
The legal framework governing the Data Retention Policy (Canada) in Canada draws on several key statutes and regulatory bodies. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Parties executing a Data Retention Policy (Canada) in Canada should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) sets the foundational requirements.
When Do You Need a Data Retention Policy (Canada)?
A Data Retention Policy is needed by every Canadian organization that collects, stores, or processes personal information or business records. This includes businesses of all sizes operating in any sector across Canada.
Under PIPEDA Principle 1 (Accountability), organizations are required to designate an individual who is accountable for the organization's compliance with the privacy principles. Establishing a documented data retention policy is a fundamental component of this accountability obligation. The Office of the Privacy Commissioner of Canada (OPC) has repeatedly emphasized the importance of documented retention schedules in its guidance and investigation reports.
Organizations handling personal health information must comply with additional provincial requirements. Ontario's PHIPA requires health information custodians to retain records of personal health information for at least 10 years after the last entry. Similar requirements exist in Alberta, British Columbia, and other provinces.
The CRA requires all businesses to retain tax and financial records for at least 6 years from the end of the last tax year to which they relate. Destruction of these records before the 6-year period requires written permission from the CRA. Failure to maintain adequate records can result in penalties and adverse assessment assumptions.
A Data Retention Policy should be established when the organization commences operations and should be reviewed at least annually. It must be updated whenever there is a material change in applicable law, the organization's data processing activities, or its business operations. Quebec's Law 25 amendments, which took effect in stages from 2022 to 2024, have introduced additional retention and disposal requirements that organizations operating in Quebec must address.
Parties in Canada should prepare a Data Retention Policy (Canada) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Retention Policy (Canada)
A thorough Canadian Data Retention Policy must address several essential elements to comply with the framework of federal and provincial data retention requirements.
The legal framework section should identify all applicable federal laws (PIPEDA, Income Tax Act, Canada Labour Code, Canada Business Corporations Act) and provincial privacy, employment standards, and limitations legislation. The scope should define what data and records are covered and who is subject to the policy.
The retention schedule is the core of the policy. It must specify maximum retention periods for each category of data, including employee records, financial and accounting records, customer and consumer data, and health information where applicable. Each retention period should reference the specific legal basis, including CRA requirements, provincial limitation periods, and PIPEDA Principle 5.
Secure destruction procedures must comply with PIPEDA requirements and OPC guidance. NIST SP 800-88 guidelines provide a recognized standard for electronic media sanitization. The policy should specify methods for destroying paper records, electronic records, and storage media, and should require a destruction log.
Legal hold procedures are essential. The policy must establish a process for suspending routine destruction when litigation, government investigation, OPC complaint, or access request is anticipated or pending. PIPEDA access requests under Principle 9 require the organization to retain relevant records until the request is resolved.
Individual data rights must be addressed, including the right of access under PIPEDA Principle 9 and the right to challenge accuracy under Principle 6. The policy should describe the 30-day response timeline and the process for handling requests.
Responsibilities should be assigned to the privacy officer, department heads, and all employees. The policy review schedule, audit process, and consequences for non-compliance should be clearly stated. Breach notification obligations under the Breach of Security Safeguards Regulations (SOR/2018-64) should be referenced.
Additional compliance elements for a Data Retention Policy (Canada) used in Canada include: Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. The Canada Labour Code (R.S.C. 1985, c. L-2) and Employment and Social Development Canada (ESDC) require federally regulated employers to retain payroll records under Section 254. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) mandates retention of financial records under Section 54 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17). Forms-legal.com provides this template as a starting point for Canada-compliant documentation.
Sources & Citations
Statutory citations link to official government sources.
- R.S.C. 1985, c. C-44 (CA official)
- R.S.C. 1985, c. C-34 (CA official)
- R.S.C. 1985, c. L-2 (CA official)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Retention Policy (Canada) (Canada) [Legal document template]. Forms Legal. https://forms-legal.com/canada/business/policies/data-retention-policy-canada
"Data Retention Policy (Canada) (Canada)." Forms Legal, 2026, https://forms-legal.com/canada/business/policies/data-retention-policy-canada.
@misc{formslegal-data-retention-policy-canada,
author = {{Forms Legal}},
title = {Data Retention Policy (Canada) (Canada)},
year = {2026},
howpublished = {\url{https://forms-legal.com/canada/business/policies/data-retention-policy-canada}},
note = {Free legal document template. Based on Canada Business Corporations Act (R.S.C. 1985, c. C-44)}
}
Frequently Asked Questions
The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) establishes ten fair information principles in Schedule 1. Principle 5 (Limiting Use, Disclosure, and Retention) states that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected. Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations should develop guidelines and implement procedures with respect to the retention of personal information, including minimum and maximum retention periods. The Office of the Privacy Commissioner of Canada (OPC) has published guidance emphasizing that organizations must establish documented retention schedules and not retain personal information indefinitely.
Under the Income Tax Act (R.S.C. 1985, c. 1 (5th Supp.)), section 230, every person carrying on a business in Canada must keep records and books of account for at least 6 years from the end of the last tax year to which they relate. The Excise Tax Act imposes the same 6-year retention period for GST/HST records. The CRA may extend the retention period in specific circumstances, such as where an objection or appeal has been filed, or where the CRA has requested retention in writing. Records may be destroyed before the 6-year period only with written permission from the CRA. Standard practice is to retain financial and tax records for 7 years to provide a safety margin. Under Canadian law, including the Canada Business Corporations Act (R.S.C. 1985, c. C-44), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under the Canada Business Corporations Act (R.S.C. 1985, c. Forms-legal.com provides this template as a starting point for Canada-compliant documentation.
Three provinces have enacted their own private-sector privacy legislation that has been declared substantially similar to PIPEDA: British Columbia's Personal Information Protection Act (PIPA, S.B.C. 2003, c. 63), Alberta's Personal Information Protection Act (PIPA, S.A. 2003, c. P-6.5), and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (CQLR, c. P-39.1, as amended by Bill 25/Law 25). These provincial laws impose similar retention and disposal obligations. Provincial health privacy legislation — including Ontario's Personal Health Information Protection Act (PHIPA, 2004) and Alberta's Health Information Act (HIA) — imposes specific retention periods for personal health information, typically 10 years after the last entry. Under Canadian law, including the Canada Business Corporations Act (R.S.C. 1985, c. C-44), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under the Canada Business Corporations Act (R.S.C. 1985, c. Forms-legal.com provides this template as a starting point for Canada-compliant documentation.
Under PIPEDA, the OPC can investigate complaints and make recommendations. If an organization fails to comply, the OPC can apply to the Federal Court for an order requiring compliance. The Federal Court may award damages, including damages for humiliation. Under the Breach of Security Safeguards Regulations (SOR/2018-64), organizations that knowingly fail to report a breach of security safeguards or maintain required records may be liable to a fine of up to $100,000 per offence. Provincial privacy commissioners have similar enforcement powers under their respective legislation. Alberta's PIPA, for example, provides for fines of up to $100,000 for individuals and $500,000 for organizations. Under Canadian law, including the Canada Business Corporations Act (R.S.C. 1985, c. C-44), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under the Canada Business Corporations Act (R.S.C. 1985, c. Forms-legal.com provides this template as a starting point for Canada-compliant documentation.
A Data Retention Policy (Canada) does not legally require a lawyer in Canada, and individuals and businesses may draft and execute the document independently. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Canadian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Canada has jurisdiction over disputes arising from this type of document, and Corporations Canada may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.