PIPEDA Compliance for Ontario Law Firms and Accounting Firms: What You’re Required to Do in 2026
Ontario law firms and accounting practices sit on some of the most sensitive personal data in Canada: social insurance numbers, tax returns, financial statements, estate documents, litigation files, and client correspondence spanning decades. If your firm collects, uses, or discloses personal information in the course of commercial activity, PIPEDA applies to you — and the compliance bar has risen significantly in 2026.
This guide covers what PIPEDA requires specifically from Ontario professional services firms, the seven most common compliance gaps we see in practice, and the concrete steps you can take to close them.
Does PIPEDA Apply to Ontario Law Firms and Accounting Firms?
Yes — unambiguously. Unlike British Columbia, Alberta, and Quebec (which have provincial legislation deemed “substantially similar” to PIPEDA), Ontario does not have a private-sector privacy statute governing commercial activity. That means PIPEDA, Canada’s federal private-sector privacy law, governs how Ontario law firms and accounting practices collect, use, and disclose personal information.
PIPEDA applies to your firm if you collect client data, process personal information in the course of legal or accounting services, handle employee personal information in the context of commercial activity, or transfer personal data across provincial or international borders.
Note on Bill C-27 (CPPA): Canada’s proposed Consumer Privacy Protection Act has not yet received Royal Assent as of mid-2026. PIPEDA remains the governing law. When enacted, C-27 will introduce significantly higher penalties and expanded individual rights. Starting PIPEDA compliance now is also the best preparation for C-27.
The 10 PIPEDA Privacy Principles — What They Mean for Your Firm
PIPEDA is built on ten Fair Information Principles derived from the CSA Model Code. These are legal obligations, not optional guidelines:
| Principle | What It Requires from Your Firm |
|---|---|
| Accountability | Appoint a Privacy Officer. Document your privacy program. |
| Identifying Purposes | Specify why you are collecting client information before or at the time of collection. |
| Consent | Obtain meaningful consent for collection, use, and disclosure. Express consent required for secondary uses. |
| Limiting Collection | Collect only what is necessary. Do not accumulate client data “just in case.” |
| Limiting Use, Disclosure, Retention | Use information only for the purpose collected. Implement retention schedules and destruction policies. |
| Accuracy | Maintain accurate client records. Provide mechanisms for clients to correct inaccurate information. |
| Safeguards | Protect personal information with security measures appropriate to its sensitivity. This is where cybersecurity controls become a legal obligation. |
| Openness | Maintain a publicly available privacy policy describing your data practices. |
| Individual Access | Respond to client access requests within 30 days. |
| Challenging Compliance | Establish a complaints process. Investigate and respond to privacy complaints. |
The 7 Most Common PIPEDA Gaps in Ontario Professional Services Firms
Based on our gap assessments, these are the compliance failures most frequently found in Ontario law firms and accounting practices:
1. No Appointed Privacy Officer
PIPEDA requires a designated individual responsible for the firm’s compliance with the Act. Many Ontario firms have no one formally in this role, no published contact information for privacy inquiries, and no process for receiving complaints. This is the foundational gap — everything else flows from it.
2. Outdated or Missing Privacy Policy
PIPEDA requires a publicly available privacy policy. Many Ontario professional services firms either have no policy or use a generic template that does not reflect actual data practices. The policy must describe what you collect, why, how long you keep it, who you share it with, and how clients can access or correct their information.
3. No Breach Notification Process
Since November 2018, PIPEDA has required mandatory breach notification. If a breach creates a “real risk of significant harm,” you must notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as soon as feasible — in practice, within 72 hours. You must also maintain a breach record for 24 months.
A ransomware attack exposing client SINs, financial records, or litigation strategy to an unauthorized third party is a mandatory reportable breach. Failing to notify the OPC is itself a PIPEDA violation.
4. Third-Party Vendor Agreements Without Privacy Provisions
PIPEDA holds your firm accountable for personal information transferred to service providers — your cloud storage, case management software, payroll processor, and IT provider. If those vendors have a breach involving your client data, it is your breach under PIPEDA. Your vendor agreements must include contractual privacy protections.
5. No Retention Schedule and Destruction Policy
PIPEDA requires that you retain personal information only as long as necessary for the identified purpose. Most Ontario firms retain client files indefinitely without a documented schedule — creating compliance gaps and unnecessary breach risk.
6. Inadequate Technical Safeguards
The PIPEDA Safeguards Principle requires security measures appropriate to the sensitivity of the information. For professional services firms holding financial records, litigation files, and personal identifiers, “appropriate” means: encrypted file storage and email, multi-factor authentication on all systems, access controls so staff only access what they need, endpoint protection (EDR), and tested backup and recovery. Basic antivirus no longer meets this standard.
7. No Access Request Process
Under PIPEDA, clients have the right to access the personal information your firm holds about them, and your firm must respond within 30 days. Many Ontario firms have no documented process for receiving, verifying, and responding to these requests. Failing to respond is a PIPEDA violation reportable to the OPC.
PIPEDA and Law Society of Ontario (LSO) Requirements
Ontario law firms have a dual compliance obligation. The LSO’s Rules of Professional Conduct impose confidentiality obligations, and the LSO’s Technology Practice Management Guidelines address cloud storage, remote access, and vendor due diligence. PIPEDA and LSO requirements are complementary — a well-structured PIPEDA compliance program covers most LSO technology guidance.
Key LSO requirements relevant to PIPEDA: conducting due diligence on cloud and SaaS vendors before storing client data, maintaining competence in the security implications of technology you use, and documenting your risk assessment when adopting new technology tools.
PIPEDA and CPA Ontario Requirements for Accounting Firms
CPA Ontario members are subject to professional standards including confidentiality and due care. PIPEDA adds a legal layer on top of professional ethics obligations. Accounting practices holding client tax records, financial statements, and SINs face high data sensitivity classifications under PIPEDA — meaning the Safeguards Principle requires correspondingly robust controls.
PIPEDA Compliance Checklist for Ontario Professional Services Firms
- Appoint a named Privacy Officer and publish their contact information
- Conduct a data mapping exercise: what personal information do you collect, why, how, and where is it stored?
- Publish a PIPEDA-compliant privacy policy on your website
- Implement a breach notification procedure with 72-hour OPC notification capability
- Establish a breach record retention process (24-month minimum)
- Audit your vendor agreements for privacy protection clauses
- Create a client retention schedule and documented data destruction process
- Implement technical safeguards: MFA, encrypted storage, EDR, access controls
- Train staff on privacy obligations and phishing awareness annually
- Document a process for responding to individual access requests within 30 days
- Create a privacy complaints intake and investigation process
What Happens If You Have a PIPEDA Violation?
The OPC investigates PIPEDA complaints and can issue findings, recommendations, and public reports. Bill C-27 (when enacted) will expand penalties significantly — up to 5% of global revenue or $25M, whichever is greater. Currently, courts can impose fines up to $100,000 per count for certain offences. Reputational damage from a public OPC finding can be far more costly for a firm whose entire value rests on client trust.
Frequently Asked Questions
Does PIPEDA apply to small Ontario law firms with fewer than 10 employees?
Yes. PIPEDA applies to private-sector organizations of any size that collect personal information in the course of commercial activities. There is no employee threshold exemption. A sole practitioner law firm collecting client SINs, financial records, or health information is subject to PIPEDA.
How long do we have to respond to a client access request under PIPEDA?
30 days from the date the request is received. You can seek a 30-day extension if meeting the original deadline is not reasonably practicable — but you must notify the client. Failure to respond is a PIPEDA violation that can be reported to the OPC.
We use a US-based cloud storage provider. Does PIPEDA apply to cross-border transfers?
Yes. PIPEDA requires that personal information transferred to third parties — including US cloud providers — receive comparable protection. Your vendor agreement must include privacy protection clauses, and your firm remains accountable if the vendor has a breach.
What is the difference between a PIPEDA compliance assessment and a privacy audit?
A PIPEDA compliance gap assessment identifies where your firm’s practices fall short of PIPEDA’s ten principles and provides a prioritized remediation roadmap. A formal privacy audit is a more comprehensive externally certified examination. For most Ontario SMB professional services firms, a gap assessment is the appropriate starting point.
Get a PIPEDA Gap Assessment for Your Firm
Secrecy Evolution delivers structured PIPEDA compliance gap assessments for Ontario law firms and accounting practices. You receive a written report identifying your gaps, a prioritized remediation list, and template documentation to get compliant — without hiring a privacy lawyer for each step.