Privacy and the Genealogist

Genealogists need to be aware of applicable privacy legislation, especially as more and more privacy laws come into effect. In Canada, one such law is the federal Personal Information Protection and Electronic Documents Act (PIPEDA). (1)

PIPEDA applies to private-sector organizations as well as federally regulated businesses. Although Alberta, British Columbia, and Quebec have their own privacy legislation, PIPEDA will apply to organizations in those provinces when personal information crosses provincial or national borders. (2) Given that very few genealogists work exclusively in one jurisdiction, PIPEDA likely applies to most professional genealogists working in Canada.

PIPEDA exists to protect personal information, which is any information that can be used to identify a person. (3) As genealogists, we work with a lot of identifying information, including DNA!

So how do you make sure you’re complying with PIPEDA?

Thankfully, the federal government has made it easy to learn about this legislation by creating a webpage that details everything you need to know. (4)

In short, PIPEDA has 10 principles.

  1. Accountability. Someone in your organization has to be responsible for compliance. Looks like I just got a promotion to Chief Privacy Officer!
  2. Identifying purposes. Why are you collecting information?
  3. Consent. Do you have informed consent from your clients to collect their information?
  4. Limiting Collection. Once you know what you are collecting information for, make sure you are only collecting information needed for that purpose. You must also only collect information by fair and lawful means.
  5. Limiting use, disclosure and retention. You can only use the information for the purpose you identified. Also, you should keep the information only for as long as needed for that purpose.
  6. Accuracy. You should make sure the information you collect is accurate, complete, and up-to-date.
  7. Safeguards. Once you have collected information, how are you going to make sure it stays private? Consider creating an information security policy that covers the security of email, file storage (both physical and digital), and the devices you use to access that information. How will you make sure no one else can access them? Secure passwords, security software, and firewalls are a few things that can help with this.
  8. Openness. How will people know about your privacy policy? Consider putting a link on the homepage of your website. Here’s my privacy policy! (5)
  9. Individual access. If people have questions about how you’re using their information, or want to know what information you’re keeping on them, they have a right to know.
  10. Challenging compliance. Make it clear who can be contacted if someone does not believe that you are complying with PIPEDA.

Although compliance with legislation may seem complicated, it’s actually straightforward. The only thing I currently find confusing about PIPEDA is how to pronounce the acronym! Are you team Pip-eda or team Pi-peeda?


  1. “The Personal Information Protection and Electronic Documents Act (PIPEDA),” Office of the Privacy Commissioner of Canada, last updated 8 Dec 2021 (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/ : accessed 15 April 2025).
  2. “Summary of privacy laws in Canada,” Office of the Privacy Commissioner of Canada, last updated 31 Jan 2018 (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/ : accessed 15 April 2025).
  3. Ibid.
  4. “PIPEDA fair information principles,” Office of the Privacy Commissioner of Canada, last updated 13 Aug 2020 (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/ : accessed 15 April 2025).
  5. Jennifer Wiebe, “Privacy Policy,” Jennealogie, last updated 15 April 2025 (https://jennealogie.com/privacy-policy/ : accessed 15 April 2025).
