Short answer
PIPEDA and the CPA Code of Professional Conduct overlap heavily on confidentiality, but each has specific requirements. The minimum a Canadian CPA firm needs in 2026: a written privacy policy, a designated privacy officer, encrypted data handling (in transit and at rest), role-based access controls, a breach response plan, retention/destruction schedules, and documented client consent. None of this is exotic. Most firms do most of it informally; the gap is documentation and consistency. This article is the checklist that gets you to "documented and consistent."
This article is practical guidance, not legal advice. For privacy questions specific to your firm, consult a Canadian privacy lawyer or your provincial CPA body.
The two regimes that apply to your firm
Every Canadian CPA firm operates under at least two compliance frameworks simultaneously:
- PIPEDA (federal) — or its provincial equivalents in Alberta (PIPA), British Columbia (PIPA), and Quebec (Law 25). Governs how you collect, use, disclose, and protect personal information
- CPA Code of Professional Conduct (provincial) — set by your provincial CPA body (CPA Ontario, CPA Alberta, CPA Quebec, etc.). Governs professional conduct, including confidentiality, independence, and competency
They overlap on confidentiality but aren't the same. PIPEDA is broader (any personal information, not just professional engagement info). The Code is more specific (it addresses things PIPEDA doesn't, like professional independence and conflicts of interest).
Worth noting: Quebec's Law 25 (formerly Bill 64) is significantly more stringent than PIPEDA. Firms with any Quebec clients should treat Law 25 as the floor.
The 10 PIPEDA principles, in plain English
PIPEDA is built on ten principles. Here's what each one means for a CPA firm in practice:
- Accountability — Someone in your firm owns privacy, by name. Even at a one-person firm, that person is the privacy officer
- Identifying purposes — Tell clients why you're collecting their information. The engagement letter is usually enough
- Consent — Get express or implied consent for collection/use. Most professional engagements imply consent for the work scope; non-obvious uses (sharing data with subcontractors, marketing) need express consent
- Limiting collection — Don't collect what you don't need. SIN for a T1, yes. Date of birth for a T2 corporate client's bookkeeping engagement, probably not
- Limiting use, disclosure, retention — Don't use client data for purposes outside the engagement. Don't keep it forever
- Accuracy — Take reasonable steps to ensure information is correct (especially before relying on it for filings)
- Safeguards — Protect data with security appropriate to its sensitivity. Tax data is sensitive — encryption is the floor
- Openness — Have a publicly-available privacy policy explaining your practices
- Individual access — Clients can request access to the personal information you hold about them. You must respond within 30 days
- Challenging compliance — Have a process for clients to challenge your privacy practices (and to escalate to the Privacy Commissioner if they're not satisfied)
Most of these are box-checking once you've set up the system. The hard part is having the system in the first place.
The practical compliance checklist
1. Foundational documents
- Written privacy policy (public-facing, on your website)
- Written internal privacy procedures (how staff handle client data)
- Written retention & destruction schedule (how long you keep what, how you destroy it)
- Written breach response plan (what to do if data is leaked or accessed inappropriately)
- Designated privacy officer (named, with title, contact info on the privacy policy)
- Engagement letter template that includes consent for use of personal information for engagement purposes
2. Technical controls
- Encryption in transit for all client communications and uploads (TLS 1.2+)
- Encryption at rest for stored client data (cloud providers handle this; verify it's on)
- Multi-factor authentication for every staff member's account
- Role-based access controls — junior staff don't have admin access; bookkeepers don't see partner-level client compensation
- Audit log of who accessed what, when
- Backup and recovery — your data is recoverable if the primary system fails
- Secure document portal as the primary client document deposit (not unencrypted email)
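The two controls most firms get wrong in practice are role-based access and the audit log, because they are usually thought of separately. The following is an added example (not code from the article or from MyCPACRM) showing how they fit together: every access decision is made deny-by-default from a role-to-permission map, and every decision, allowed or denied, is written to an append-only log that can later answer "who accessed this client's file, and when". Role names, action names, resource types and the staff names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed role -> permission map for a small firm. Role names, actions and
# resource types are assumptions for this example, not any product's real
# configuration. A permission is the pair (action, resource_type).
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "partner":    {("read", "client_file"), ("write", "client_file"),
                   ("read", "compensation"), ("manage", "users")},
    "senior":     {("read", "client_file"), ("write", "client_file")},
    "bookkeeper": {("read", "client_file"), ("write", "client_file")},
    "junior":     {("read", "client_file")},
}


@dataclass(frozen=True)
class AuditEvent:
    """One immutable record of who did what, to what, when, and whether it was allowed."""
    timestamp: str
    user: str
    role: str
    action: str
    resource: str
    allowed: bool


class AccessController:
    def __init__(self, user_roles: Dict[str, str]):
        self.user_roles = dict(user_roles)
        self.audit_log: List[AuditEvent] = []   # append-only; never edited or pruned here

    def check(self, user: str, action: str, resource: str,
              now: Optional[datetime] = None) -> bool:
        """Decide an access request and log it whether allowed or denied.

        Resources are named "<type>:<identifier>", e.g. "client_file:ACME-T2-2025".
        Unknown users and unknown roles fall through to deny.
        """
        resource_type = resource.split(":", 1)[0]
        role = self.user_roles.get(user)
        allowed = role is not None and (action, resource_type) in PERMISSIONS.get(role, set())
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(AuditEvent(ts, user, role or "none", action, resource, allowed))
        return allowed

    def offboard(self, user: str) -> None:
        """Remove a departing staff member; later attempts are denied and still logged."""
        self.user_roles.pop(user, None)

    def accesses_to(self, resource: str, allowed_only: bool = False) -> List[AuditEvent]:
        """The breach-response question: who touched this resource, and when?"""
        return [e for e in self.audit_log
                if e.resource == resource and (e.allowed or not allowed_only)]

    def denied_events(self) -> List[AuditEvent]:
        """Denied attempts are worth reviewing: misconfigured roles or probing accounts."""
        return [e for e in self.audit_log if not e.allowed]


if __name__ == "__main__":
    # Constructed staff list: a partner, a bookkeeper and a junior.
    ac = AccessController({"pat": "partner", "bo": "bookkeeper", "jo": "junior"})
    print(ac.check("pat", "read", "compensation:ACME"))          # partner may see compensation
    print(ac.check("bo", "read", "compensation:ACME"))           # bookkeeper may not
    print(ac.check("jo", "manage", "users:firm"))                # junior has no admin access
    ac.offboard("bo")
    print(ac.check("bo", "read", "client_file:ACME-T2-2025"))    # offboarded: denied, logged
    for event in ac.denied_events():
        print(event)
```

The point of logging denials as well as successes is that the log then doubles as the evidence for the breach log: a denied read of a compensation record by a bookkeeper account is exactly the kind of small incident the article says most firms never write down.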
3. Operational practices
- All staff complete privacy training at hire and annually
- Workstations auto-lock after a short idle period (5 minutes recommended)
- Mobile devices used for work are encrypted and remotely-wipeable
- Paper records (still common!) are stored in locked filing cabinets in locked rooms
- Discarded paper containing client data goes through a shredder or secure shredding service
- Client data on departing employees' devices is retrieved or wiped as part of offboarding
4. Vendor management
- Inventory of every third-party tool that has access to client data (cloud storage, tax prep software, practice management, email, document signing, etc.)
- For each: where is data hosted? (Canada / U.S. / elsewhere)
- For each: signed Data Processing Agreement or equivalent contractual privacy commitments
- For each: SOC 2 Type II report or equivalent reviewed
- Disclosure to clients of cross-border transfers where applicable
5. Client-facing
- Privacy policy linked from your website footer and engagement letter
- Process for clients to request access to their personal information within 30 days
- Process for clients to request correction of inaccurate information
- Process for clients to withdraw consent (with explanation of what that means for the engagement)
- Documented complaint process with escalation path to the Privacy Commissioner of Canada
6. Breach response readiness
- Written breach response plan with clear steps and roles
- Internal breach log (PIPEDA requires records of every breach to be kept for 24 months, whether or not the breach is reportable)
- Defined "real risk of significant harm" assessment process for triaging breaches
- Notification templates ready: to OPC, to affected individuals
- Annual tabletop exercise walking through a hypothetical breach (15 minutes; surprisingly clarifying)
The CPA Code of Professional Conduct overlay
The Code adds requirements beyond PIPEDA. The big ones:
Confidentiality (Rule 208 in most provincial codes)
Information acquired in a professional engagement must not be disclosed without client consent — except where legally required or permitted by the Code. This applies to everyone in the firm, not just CPAs. Your bookkeeper is bound by the Code via your supervision.
Practical impact: don't discuss specific client matters with non-firm members. Don't post about clients on social media (even disguised). Don't use client data for marketing without consent.
Independence (Rule 204)
For assurance engagements (audit, review), strict independence rules apply. For tax-only engagements, requirements are looser but professional independence still matters — don't accept gifts that compromise judgment, don't hold financial interests in client entities, etc.
Professional competence (Rule 203)
Maintain the knowledge required for engagements you accept. Take continuing education. Decline engagements outside your competence. PIPEDA doesn't require this; the Code does.
Conflicts of interest (Rule 210)
Identify and disclose potential conflicts. Two competing clients in the same industry, related entities engaged separately, prior relationships — all need to be flagged.
Where the two frameworks diverge
PIPEDA cares about any personal information. The Code cares mostly about professional engagement information. So:
- Your employee records are PIPEDA's concern but not directly the Code's
- Your marketing email list is PIPEDA's concern, governed by anti-spam law (CASL) too, but not specifically the Code's
- Your compliance with audit independence rules is the Code's concern but not PIPEDA's
You need both regimes covered. A "PIPEDA-only" approach misses the Code's professional rules. A "Code-only" approach misses PIPEDA's broader personal-information scope.
The five mistakes Canadian CPA firms make most often
1. No designated privacy officer
"We're all kind of privacy officers." That's not a privacy officer. PIPEDA requires one named individual. At a 1-person firm, that's the partner. Document it, even if it's just "Privacy Officer: [Name], info@firm.ca" on the privacy policy.
2. Privacy policy is a generic template that doesn't match the firm's practices
Many firms downloaded a privacy policy template years ago, never updated it, and don't actually do what it says. That's worse than no policy. The OPC can hold you to your stated policy. Read yours; align practice.
3. Email is the primary document collection channel
Emailed PDFs of T-slips with the SIN visible in the file name. Someone replies all and the document goes to 12 people. A CRA notice gets forwarded to the wrong client. These are PIPEDA breaches you may not even know about. A secure portal as the deposit point removes most of this risk.
4. No retention/destruction schedule
Old client folders accumulate forever. Departed clients' tax data sits on the file server seven years after the relationship ended. PIPEDA requires destruction when no longer needed. Best practice: 7-year retention for tax records, then secure destruction with a destruction log entry. Your document management should handle the lifecycle.
5. No breach log even though they've had small breaches
Every firm has had small privacy incidents — a wrong email recipient, a lost USB stick, a departed employee taking a client list. PIPEDA requires you to log all breaches even if they are not reportable. Most firms don't, which becomes a problem later if a serious incident triggers a regulator review and the regulator asks for the breach log.
How MyCPACRM supports compliance out of the box
We built MyCPACRM with Canadian compliance as a core requirement, not an afterthought. Hosted in Canada. Encrypted in transit and at rest. Role-based permissions with audit trail. Encrypted client portal as the deposit point. SOC 2-aligned security. Configurable retention rules in document management. Compliance documentation available for your firm's policy alignment. Multi-factor authentication required. Built so that the technical-control checklist above is largely satisfied by the platform — leaving you to focus on the operational and documentation pieces.
None of which substitutes for getting your policies, training, and breach response plan written. Software handles the controls; your firm has to handle the documentation and culture.
Frequently Asked Questions
Does PIPEDA apply to small CPA firms?
Yes. PIPEDA applies to every organization that collects, uses, or discloses personal information in the course of commercial activity in Canada (in provinces without substantially-similar privacy legislation — Alberta, B.C., and Quebec have their own laws that apply instead). Solo practitioners are not exempt.
What's the difference between PIPEDA and the CPA Code of Professional Conduct?
PIPEDA is federal privacy law applying to all organizations. The CPA Code is professional rules from your provincial CPA body governing CPA conduct specifically. They overlap on confidentiality but PIPEDA is broader (applies to any personal info, not just client info) and the Code is more specific (covers professional independence, conflicts, etc., not just privacy).
Do I need to encrypt client emails to be PIPEDA-compliant?
PIPEDA doesn't mandate specific technical controls but requires safeguards "appropriate to the sensitivity of the information." Tax data is sensitive (SIN, financial details). Standard practice in 2026 is: encrypted-in-transit always, encrypted-at-rest for storage, and a secure portal as the primary document deposit channel. Plain unencrypted email for sensitive documents is increasingly hard to defend if challenged.
What is a privacy breach and what must I do if one happens?
A privacy breach is any loss, unauthorized access to, or disclosure of personal information. Under PIPEDA's Breach of Security Safeguards Regulations, you must report to the Privacy Commissioner and notify affected individuals if the breach poses "real risk of significant harm." You must keep records of all breaches for 24 months — even minor ones.
Where should client data be hosted?
Canada is preferred. U.S. hosting is permissible if you have proper contractual safeguards, but it triggers cross-border transfer disclosure requirements — clients must be informed. Hosting outside Canada and the U.S. is significantly more complex; most Canadian CPA firms avoid it. Alberta has additional requirements via PIPA Alberta for cross-border transfers.
How long do I need to retain client records?
The Income Tax Act requires 6 years of supporting records. CPA professional bodies may require longer (often 7–10 years for working papers). PIPEDA requires you to dispose of personal information when it's no longer needed for the purposes for which it was collected. Best practice: 7 years for tax-related records, then secure destruction with a destruction log.