Redacting Personal Information Under Canada's PIPEDA
A property management company in Toronto receives a tenant's request for all records held about them. The file includes lease agreements, maintenance logs, payment records, and internal emails between staff discussing a noise complaint. Some of those emails mention other tenants by name. Canadian privacy law - specifically PIPEDA - sets out what the company must disclose, what it must protect, and how to handle the overlap. Getting the redaction wrong risks a complaint to the Office of the Privacy Commissioner.
By RedactProof Editorial Team · 25 Feb 2026
What PIPEDA covers
PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law. It applies to organisations that collect, use, or disclose personal information in the course of commercial activity. If your business operates in Canada and handles customer, employee, or client data, PIPEDA likely applies - unless your province has enacted substantially similar legislation (Alberta, British Columbia, and Quebec each have their own).
The definition of personal information under PIPEDA is broad: "any information about an identifiable individual." That includes the obvious categories - names, addresses, dates of birth, Social Insurance Numbers - but also extends to opinions, evaluations, employment records, financial information, medical history, and even IP addresses in certain contexts. If the information can be linked back to a specific person, it qualifies.
Where PIPEDA intersects with redaction is straightforward. When you disclose documents - whether responding to an access request, sharing records with a business partner, or producing documents for litigation - any personal information about individuals other than the requester generally needs removing. The Act's ten fair information principles, built on the CSA Model Code, govern how this works in practice.
Access requests and the duty to redact
Under Principle 4.9 of Schedule 1 to PIPEDA, individuals have the right to access their personal information held by an organisation. The organisation must respond within 30 days of receiving the request - a tighter window than some jurisdictions allow.
The obligation to disclose is not absolute. Section 9(1) sets out specific grounds for refusing access, including information that would reveal personal information about a third party, confidential commercial information, or information protected by solicitor-client privilege. But refusal has to be specific and justified - you cannot withhold an entire document because one paragraph contains third-party information. You redact the protected portions and disclose the rest.
The Office of the Privacy Commissioner of Canada (OPC) has been clear on this point in multiple findings. Organisations that withhold entire documents when redaction would suffice face adverse findings. The expectation is severance - removing the protected information while releasing everything else.
"Severance" is the term used in Canadian access-to-information practice. It means the same thing as redaction - removing specific information from a document before disclosure. You will see both terms used interchangeably in OPC guidance.
What needs redacting in practice
The categories of personal information you will encounter in a typical PIPEDA redaction exercise depend on your industry. A financial services firm's records look different from a healthcare provider's. But certain categories appear consistently:
Third-party names and contact details. When responding to an individual's access request, other people's names, email addresses, phone numbers, and addresses appearing in the records need removing. A complaint file about a noisy neighbour, for instance, contains the complainant's personal information and the neighbour's - the requester is entitled to their own information, not the other person's.
Social Insurance Numbers (SINs). These nine-digit identifiers are the Canadian equivalent of US Social Security numbers. They appear in employment records, tax documents, and financial applications. SINs should be redacted from any disclosure where they are not directly relevant to the request.
Employee opinions and internal assessments. An internal email where a manager evaluates an employee's performance contains the manager's personal information (their opinion) and the employee's personal information (the subject of the evaluation). Depending on who is making the access request, different portions may need redacting.
Financial account numbers. Bank account numbers, credit card details, and loan reference numbers belonging to third parties. These surface in joint accounts, co-signed documents, and transaction records that reference multiple parties.
Health information. In provinces where PIPEDA applies to health data (rather than provincial health privacy legislation), medical information about third parties needs redacting. A family medical history form, insurance claim, or workplace accommodation request may contain health details about people other than the requester.
Provincial variations that affect redaction scope
Canada's privacy framework is not uniform. Three provinces have enacted private-sector privacy legislation that the federal government has deemed substantially similar to PIPEDA:
Alberta's Personal Information Protection Act (PIPA), British Columbia's Personal Information Protection Act (also PIPA), and Quebec's Act respecting the protection of personal information in the private sector (known as Law 25 after its 2023 modernisation). In these provinces, provincial law generally governs intra-provincial commercial activity, while PIPEDA still applies to federally regulated industries and cross-border data flows.
Quebec's Law 25 deserves particular attention. Since September 2023, it introduced mandatory privacy impact assessments, stricter consent requirements, and a private right of action for privacy violations. Organisations operating in Quebec face the most prescriptive regime in Canada. Redaction requirements under Law 25 mirror PIPEDA's general approach but with tighter enforcement mechanisms - including administrative monetary penalties of up to CAD 25 million or 4% of worldwide turnover.
For organisations operating across multiple provinces, the safest approach is to apply the most protective standard consistently. Redacting to PIPEDA requirements and then checking against applicable provincial legislation avoids the risk of under-redacting for a stricter jurisdiction.
PIPEDA versus GDPR and HIPAA
Organisations handling Canadian data alongside UK, EU, or US records will notice overlaps and gaps between the regimes. PIPEDA shares GDPR's broad definition of personal information and its principle-based approach. Both require data minimisation and purpose limitation. Both give individuals the right to access their data. But PIPEDA lacks GDPR's formal concept of special category data - there is no elevated protection tier for health data or biometric data under federal law (though provincial health privacy laws fill some of this gap).
Compared to HIPAA, the scope is completely different. HIPAA is sector-specific - it applies to covered entities and business associates in healthcare. PIPEDA is economy-wide. A Canadian healthcare provider might be subject to PIPEDA, provincial health privacy legislation, and - if treating US patients - HIPAA requirements simultaneously.
For redaction purposes, the practical difference is that PIPEDA does not provide a prescriptive checklist of identifier types to remove (unlike HIPAA's Safe Harbor 18 identifiers). The test under PIPEDA is contextual: can this information, alone or combined with other available information, identify an individual? If yes, it is personal information and subject to the Act's requirements.
A practical redaction workflow for PIPEDA compliance
Start by identifying the purpose of the disclosure. An access request from the data subject themselves requires a different redaction scope than sharing records with a regulator or producing documents in litigation. The purpose determines what stays and what goes.
Collect all responsive documents into a single review set. For paper records, scan them first - you cannot automate redaction of physical pages.
Run automated PII detection across the full document set. RedactProof identifies 40+ types of personal information including names, SINs, addresses, financial account numbers, dates of birth, and email addresses. Automated detection catches the identifiers that repeat across every page of a multi-document bundle - the kind that human reviewers miss on page 30 after catching them on page 1.
Review each flagged item in context. Not every piece of personal information needs redacting - only information that falls outside the scope of the disclosure. The requester's own name and address in their own file stays. A third party's name in that same file goes.
Apply permanent redaction. Under PIPEDA, disclosed documents must not allow recovery of the redacted information. Pixel-burn redaction - which permanently destroys the underlying text rather than merely covering it with a visual overlay - meets this requirement. Overlay-style redaction, where a black box is drawn over text that remains intact in the file, does not.
Document your redaction decisions. If a complaint reaches the OPC, you will need to explain why specific information was withheld. A verification certificate that records the redaction and confirms the document has not been modified since provides an auditable trail.
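The detect, review, sever and document steps above, worked through in Python as an added example; this is not part of the original article or RedactProof's software, it operates on plain text rather than PDFs, the sample tenant record and every name and number in it are constructed, and the reviewer-supplied name list stands in for the in-context review step (SINs really do carry a Luhn check digit, which lets the detector drop look-alike nine-digit references).

```python
import hashlib
import re

# Constructed sample from a tenant's file; every name, number and address is made up.
SAMPLE_RECORD = (
    "Tenant: Dana Lee, unit 4B. SIN on file: 046 454 286.\n"
    "Complaint re noise from Priya Nair (unit 4C), priya.nair@example.com.\n"
    "Co-signer account 1234567890 held by Marcus Reed. Ref 123 456 789 is not a SIN.\n"
)
# Identifier types the automated detection step flags; names come from the reviewer.
PATTERNS = {
    "SIN": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ACCOUNT": re.compile(r"\b\d{10,16}\b"),
}

def sin_is_valid(candidate):
    """SINs are nine digits ending in a Luhn check digit; this filters false positives."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = 0
    for i, ch in enumerate(digits):
        n = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the left
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def sever(text, requester, names_in_file):
    """Return the severed text plus a log of each decision for the audit trail."""
    log = []
    for name in names_in_file:  # the requester's own name stays in their own file
        if name != requester and name in text:
            text = text.replace(name, "[REDACTED: third-party name]")
            log.append({"type": "NAME", "value": name, "reason": "third-party personal information"})
    for label, pattern in PATTERNS.items():
        for value in {m.group() for m in pattern.finditer(text)}:
            if label == "SIN" and not sin_is_valid(value):
                log.append({"type": label, "value": value, "reason": "kept: fails Luhn check"})
                continue
            text = text.replace(value, f"[REDACTED: {label}]")  # text removed, not overlaid
            log.append({"type": label, "value": value, "reason": "outside scope of the request"})
    return text, log

def certify(severed):
    """SHA-256 of the disclosed text, so later modification of the record is detectable."""
    return hashlib.sha256(severed.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    out, decisions = sever(SAMPLE_RECORD, "Dana Lee", ["Dana Lee", "Priya Nair", "Marcus Reed"])
    print(out, *decisions, certify(out), sep="\n")
```

Real files need the same treatment applied to the rendered page content and the metadata, which plain-text substitution does not reach.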
Common mistakes in PIPEDA redaction
Withholding entire documents instead of severing them. The OPC has repeatedly found against organisations that refused to disclose documents entirely when partial disclosure with redaction was possible. Unless every word in a document falls under an exemption, sever and disclose.
Ignoring metadata. A PDF's properties can contain author names, revision history, tracked changes, and comments that reveal personal information even after the visible text has been redacted. Strip document metadata before disclosure.
Over-redacting to avoid the work. Some organisations redact far more than necessary, effectively denying meaningful access while claiming compliance. The OPC considers this a form of non-compliance. Redact what the Act permits you to withhold - nothing more, nothing less.
Missing the 30-day deadline. The clock starts when the organisation receives the request, not when it finishes reviewing the documents. Build redaction time into your response timeline from day one.
Frequently Asked Questions
Does PIPEDA apply to employee records?
It depends on the employer. PIPEDA applies to employee personal information in federally regulated industries - banking, telecommunications, airlines, railways, and inter-provincial transportation. For provincially regulated employers, employee privacy falls under provincial legislation. In provinces without substantially similar private-sector privacy laws, PIPEDA may still apply to employee records in the context of commercial activity.
How long does an organisation have to respond to a PIPEDA access request?
30 days from receipt of the request. The organisation can extend this period in limited circumstances - where meeting the deadline would unreasonably interfere with operations, or where additional time is needed to convert information into an alternative format. Any extension must be communicated to the requester within the original 30-day window, with an explanation and a revised timeline.
Can I charge a fee for responding to a PIPEDA access request?
PIPEDA requires that access be provided at minimal or no cost. The OPC has indicated that organisations should not charge fees that could discourage individuals from exercising their access rights. Reasonable costs for reproducing documents may be acceptable, but fees for search time or review time generally are not. If you intend to charge, inform the requester of the estimated cost before proceeding.
What is the difference between PIPEDA and provincial privacy laws like Quebec's Law 25?
PIPEDA is federal legislation that applies to private-sector organisations across Canada engaged in commercial activity, except where a province has enacted substantially similar legislation. Quebec's Law 25 (which modernised Quebec's private-sector privacy law in 2023) applies to organisations operating in Quebec and includes stricter requirements including mandatory privacy impact assessments, administrative penalties of up to CAD 25 million or 4% of worldwide turnover, and a private right of action. Organisations operating in Quebec must comply with Law 25 for intra-provincial activities, while PIPEDA still applies to cross-border data transfers and federally regulated industries.
Redact with confidence
RedactProof detects PII across your documents without uploading them. Start with a free account.