Data Retention Policy (Canada)
What Is a Data Retention Policy (Canada)?
A Data Retention Policy in Canada sets how long the organisation keeps categories of data and when each is securely destroyed, governed primarily by PIPEDA and provincial privacy legislation.
In Canada, data retention is governed primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), which applies to organizations engaged in commercial activities across Canada. PIPEDA's Schedule 1 establishes ten fair information principles, of which Principle 5 (Limiting Use, Disclosure, and Retention) directly addresses data retention. This principle states that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected, and that personal information no longer needed should be destroyed, erased, or made anonymous.
The Income Tax Act (R.S.C. 1985, c. 1 (5th Supp.)), section 230, requires every person carrying on a business in Canada to keep records for at least 6 years from the end of the last tax year to which they relate. The Canada Revenue Agency (CRA) enforces this requirement and may extend it in specific circumstances. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) also imposes record-keeping obligations on federally incorporated companies.
At the provincial level, British Columbia (PIPA, S.B.C. 2003, c. 63), Alberta (PIPA, S.A. 2003, c. P-6.5), and Quebec (Act Respecting the Protection of Personal Information in the Private Sector) have enacted their own private-sector privacy legislation with similar retention and disposal obligations. Provincial health privacy laws, such as Ontario's PHIPA and Alberta's HIA, impose specific retention periods for personal health information.
The legal framework governing the Data Retention Policy (Canada) in Canada draws on several key statutes and regulatory bodies. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Parties executing a Data Retention Policy (Canada) in Canada should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) sets the foundational requirements.
When Do You Need a Data Retention Policy (Canada)?
A Data Retention Policy is needed by every Canadian organization that collects, stores, or processes personal information or business records. This includes businesses of all sizes operating in any sector across Canada.
Under PIPEDA Principle 1 (Accountability), organizations are required to designate an individual who is accountable for the organization's compliance with the privacy principles. Establishing a documented data retention policy is a fundamental component of this accountability obligation. The Office of the Privacy Commissioner of Canada (OPC) has repeatedly emphasized the importance of documented retention schedules in its guidance and investigation reports.
Organizations handling personal health information must comply with additional provincial requirements. Ontario's PHIPA requires health information custodians to retain records of personal health information for at least 10 years after the last entry. Similar requirements exist in Alberta, British Columbia, and other provinces.
The CRA requires all businesses to retain tax and financial records for at least 6 years from the end of the last tax year to which they relate. Destruction of these records before the 6-year period requires written permission from the CRA. Failure to maintain adequate records can result in penalties and adverse assessment assumptions.
A Data Retention Policy should be established when the organization commences operations and should be reviewed at least annually. It must be updated whenever there is a material change in applicable law, the organization's data processing activities, or its business operations. Quebec's Law 25 amendments, which took effect in stages from 2022 to 2024, have introduced additional retention and disposal requirements that organizations operating in Quebec must address.
Parties in Canada should prepare a Data Retention Policy (Canada) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Retention Policy (Canada)
A thorough Canadian Data Retention Policy must address several essential elements to comply with the framework of federal and provincial data retention requirements.
The legal framework section should identify all applicable federal laws (PIPEDA, Income Tax Act, Canada Labour Code, Canada Business Corporations Act) and provincial privacy, employment standards, and limitations legislation. The scope should define what data and records are covered and who is subject to the policy.
The retention schedule is the core of the policy. It must specify maximum retention periods for each category of data, including employee records, financial and accounting records, customer and consumer data, and health information where applicable. Each retention period should reference the specific legal basis, including CRA requirements, provincial limitation periods, and PIPEDA Principle 5.
Secure destruction procedures must comply with PIPEDA requirements and OPC guidance. NIST SP 800-88 guidelines provide a recognized standard for electronic media sanitization. The policy should specify methods for destroying paper records, electronic records, and storage media, and should require a destruction log.
Legal hold procedures are essential. The policy must establish a process for suspending routine destruction when litigation, government investigation, OPC complaint, or access request is anticipated or pending. PIPEDA access requests under Principle 9 require the organization to retain relevant records until the request is resolved.
Individual data rights must be addressed, including the right of access under PIPEDA Principle 9 and the right to challenge accuracy under Principle 6. The policy should describe the 30-day response timeline and the process for handling requests.
Responsibilities should be assigned to the privacy officer, department heads, and all employees. The policy review schedule, audit process, and consequences for non-compliance should be clearly stated. Breach notification obligations under the Breach of Security Safeguards Regulations (SOR/2018-64) should be referenced.
Additional compliance elements for a Data Retention Policy (Canada) used in Canada include: The Canada Labour Code (R.S.C. 1985, c. L-2) and Employment and Social Development Canada (ESDC) require federally regulated employers to retain payroll records under Section 254. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) mandates retention of financial records under Section 54 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17). Forms-legal.com provides this template as a starting point for Canada-compliant documentation.
Sources & Citations
Statutory citations link to official government sources. Last verified by Forms Legal Editorial Team.
Frequently Asked Questions
The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) establishes ten fair information principles in Schedule 1. Principle 5 (Limiting Use, Disclosure, and Retention) states that personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected. Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations should develop guidelines and implement procedures with respect to the retention of personal information, including minimum and maximum retention periods. The Office of the Privacy Commissioner of Canada (OPC) has published guidance emphasizing that organizations must establish documented retention schedules and not retain personal information indefinitely.
Under the Income Tax Act (R.S.C. 1985, c. 1 (5th Supp.)), section 230, every person carrying on a business in Canada must keep records and books of account for at least 6 years from the end of the last tax year to which they relate. The Excise Tax Act imposes the same 6-year retention period for GST/HST records. The CRA may extend the retention period in specific circumstances, such as where an objection or appeal has been filed, or where the CRA has requested retention in writing. Records may be destroyed before the 6-year period only with written permission from the CRA. Standard practice is to retain financial and tax records for 7 years to provide a safety margin. Under Canadian law, including the Canada Business Corporations Act (R.S.C. 1985, c. C-44), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements.
Three provinces have enacted their own private-sector privacy legislation that has been declared substantially similar to PIPEDA: British Columbia's Personal Information Protection Act (PIPA, S.B.C. 2003, c. 63), Alberta's Personal Information Protection Act (PIPA, S.A. 2003, c. P-6.5), and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (CQLR, c. P-39.1, as amended by Bill 25/Law 25). These provincial laws impose similar retention and disposal obligations. Provincial health privacy legislation — including Ontario's Personal Health Information Protection Act (PHIPA, 2004) and Alberta's Health Information Act (HIA) — imposes specific retention periods for personal health information, typically 10 years after the last entry.
Under PIPEDA, the OPC can investigate complaints and make recommendations. If an organization fails to comply, the OPC can apply to the Federal Court for an order requiring compliance. The Federal Court may award damages, including damages for humiliation. Under the Breach of Security Safeguards Regulations (SOR/2018-64), organizations that knowingly fail to report a breach of security safeguards or maintain required records may be liable to a fine of up to $100,000 per offence. Provincial privacy commissioners have similar enforcement powers under their respective legislation. Alberta's PIPA, for example, provides for fines of up to $100,000 for individuals and $500,000 for organizations.
A Data Retention Policy (Canada) does not legally require a lawyer in Canada, and individuals and businesses may draft and execute the document independently. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Canadian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Canada has jurisdiction over disputes arising from this type of document, and Corporations Canada may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.