What are PIPEDA and PHIPA, in plain terms?
PIPEDA is Canada's federal private-sector privacy law. It sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Personal information here means information about an identifiable individual: names, contact details, account records, and similar data.
PHIPA is Ontario's health-information privacy law. It governs how personal health information is handled by health information custodians in Ontario, meaning organizations and providers such as hospitals, pharmacies, laboratories, and many clinics and physicians. Its focus is narrower than PIPEDA's, but its rules for health data are more specific.
The two laws are not competing versions of the same thing. PIPEDA is broad and applies across sectors. PHIPA is specialized and applies to health information in one province. Where they meet, in health information held by Ontario custodians, PHIPA has been declared substantially similar to PIPEDA, so PHIPA is the operative law for that data instead of PIPEDA. Knowing which law governs which data is the first practical step.
Who does each law apply to?
PIPEDA applies to organizations that handle personal information in the course of commercial activity, across Canada. That covers most businesses that sell products or services. It also reaches the flow of personal information across provincial or national borders, and it applies to federally regulated workplaces for employee information.
For non-profits, the picture is more nuanced. Purely charitable, fundraising, or membership activities are often outside PIPEDA. But if a non-profit engages in commercial activity, for example selling goods or services or trading member lists, that part of its work can fall under the law. So the answer for a non-profit is usually "it depends on what you are doing," not a flat yes or no.
PHIPA applies to health information custodians in Ontario and to the agents who handle personal health information on their behalf. A custodian is a person or organization that, because of their work, has custody or control of personal health information. If you provide health care, or you handle health records for someone who does, PHIPA is likely in play. Businesses that process health information on a custodian's behalf are generally treated as agents, and the custodian stays responsible for how that information is handled.
What does each law actually require?
Both laws share a common backbone: be accountable for the personal information you hold, collect only what you need, get appropriate consent, keep the information accurate and secure, be open about your practices, and give people access to their own information. The differences are in the detail and the strictness.
Under PIPEDA, the practical requirements include naming someone accountable for privacy, having a privacy policy, obtaining meaningful consent, protecting information with safeguards appropriate to its sensitivity, and responding to access requests. PIPEDA also has mandatory breach obligations: you must report a breach to the Office of the Privacy Commissioner of Canada and notify affected individuals when there is a real risk of significant harm, and you must keep records of breaches.
PHIPA layers additional, health-specific rules on top of that general shape. It expects custodians to have information practices in place, to limit collection and use of health information, and to safeguard it carefully. It also has its own breach rules, which are stricter in places than PIPEDA's.
- PIPEDA breach reporting: triggered by a "real risk of significant harm," reported to the federal Privacy Commissioner, with records kept of all breaches.
- PHIPA breach reporting: custodians must notify affected individuals at the first reasonable opportunity, and must report certain breaches to Ontario's Information and Privacy Commissioner, including theft, insider snooping, breaches likely to cause harm, and patterns of similar breaches.
- Both: consent, safeguards proportionate to sensitivity, individual access to their own records, and clear accountability for who is responsible.
Why is health information treated more strictly?
Health information is among the most sensitive personal information a person has. It can reveal conditions, treatments, and circumstances that carry real consequences if exposed, from discrimination to distress. That sensitivity is why PHIPA sets out specific handling rules rather than leaving health data to a general-purpose privacy law.
The stricter treatment shows up most clearly in breach response. Under PHIPA, a custodian must notify affected individuals at the first reasonable opportunity, and Ontario's Information and Privacy Commissioner must be told about defined categories of breach, such as theft, insider snooping, breaches likely to cause harm, and patterns of similar incidents. The duty to report those breaches to the Commissioner has been in force since October 1, 2017.
It is worth being precise here. PHIPA being stricter for health data does not mean PIPEDA is weak. It means the two laws are tuned for different information. If your organization handles ordinary customer data and some health information in Ontario, you may be working under both, each for the data it governs.
Does either law require Canadian data residency?
This is a common point of confusion, so it is worth stating plainly. Canadian federal law does not require private-sector commercial data to be stored in Canada. PIPEDA allows personal information to be transferred across borders, provided the information receives comparable protection and the organization that collected it stays accountable for it.
PHIPA does not impose a blanket "health data must stay in Canada" rule either. There can be contractual terms, funder conditions, or sector expectations that push toward Canadian hosting, but that is different from a general legal requirement. Treating a preference as a legal mandate can lead to decisions that cost more than they need to.
So where does Canadian data residency fit? It is best understood as a trust and procurement advantage. Some clients, funders, and public-sector buyers prefer or require Canadian hosting in their contracts, and being able to offer it can smooth those relationships. Frame it as an option that helps you win and keep work, not as a law you are forced to follow.
How do you get ready, and where does Itsultant fit?
Getting ready for PIPEDA and PHIPA is less about a single big project and more about putting a few reliable practices in place. The steps below are a sensible starting order for most businesses and non-profits.
Itsultant is a Canadian-owned IT consulting and cybersecurity firm that works with small and medium businesses and non-profits, and this compliance work is part of what we do. We map a client's controls to PIPEDA and PHIPA, and we align the underlying security work to recognized frameworks, the CIS Controls and the NIST Cybersecurity Framework. To be accurate about what that means: these are frameworks we align to, not certifications we hold.
One practical output is what we call an evidence pack: the mapped controls, documented policies, and monitoring records gathered in one place. That is the material you reach for when an auditor, a funder, or a cyber-insurance questionnaire asks how you protect personal and health information. Having it ready turns a stressful scramble into a straightforward reply. We start with a free, no-obligation assessment and then scope a quote to your situation, so you can see where you stand before committing to anything.
- Map your data: know what personal and health information you hold, where it lives, and which law governs it.
- Assign accountability: name who is responsible for privacy, and write down your information practices.
- Set your consent and access practices: collect what you need, be clear about why, and be able to respond to access requests.
- Match safeguards to sensitivity: stronger protections for health information than for routine contact details.
- Build a breach response plan: know the PIPEDA "real risk of significant harm" trigger and, where it applies, the PHIPA duties to notify individuals and report to Ontario's Commissioner.
- Keep an evidence pack current: documented controls, policies, and monitoring records ready for audits and insurance questionnaires.