Skip to content
Lunarlink

Federal (Canada)

PIPEDA — Personal Information Protection and Electronic Documents Act

PIPEDA governs how businesses collect, use, and disclose personal information. Video surveillance falls squarely inside its scope, which means every commercial camera deployment has a PIPEDA angle whether the installer addresses it or not.

Applies to

Private-sector organizations collecting personal information in the course of commercial activity.

What it requires

The obligations, in plain English.

  • Reasonable purpose

    The business must identify a specific, reasonable purpose for collecting personal information (including video) — 'just in case' is not a reasonable purpose.

  • Notice

    Individuals must be informed that monitoring is taking place. Posted signage at every entrance is the minimum standard.

  • Minimal collection

    The system should capture only what's needed for the identified purpose. Framing, retention, and analytics should all be constrained accordingly.

  • Safeguards

    Reasonable physical, technical, and administrative safeguards must protect the collected information — passwords, access controls, retention limits, and disposal.

  • Right of access

    Individuals have the right to request what personal information an organization holds about them. For video systems, this means being able to identify and retrieve clips featuring a specific requester.

How we design against it

From rule to drawing.

  • Purpose-mapped camera placement

    Every camera on the drawing has a documented purpose (deterrence, investigation, loss prevention). Cameras without a purpose don't get installed.

  • Privacy zones configured, not just supported

    Windows onto neighbouring property, staff-only areas, and unit-entry framing get pixel-level masks — applied at commissioning and tested.

  • Retention policy on paper

    The written retention window drives storage sizing. Default is 30 days commercial, with documented exceptions for specific cases (incidents, regulated sectors).

  • Signage specification

    OPC-aligned signage language provided and placed at every entrance. Not left to the customer to figure out later.

  • Access-request workflow

    VMS configured with search tooling that lets the customer honour an access request in under 30 minutes, not a week.

Common mistakes

What gets flagged on audit.

  • No visible signage at site entrances.

  • Cameras pointed at neighbouring property without masking.

  • Retention window set to 'maximum storage' by default.

  • Shared admin credentials on the VMS — no audit trail of who watched what.

References

Where to read the source.

  • Office of the Privacy Commissioner of Canada (OPC)

    Publishes the overarching PIPEDA guidelines and sector-specific guidance.

  • OPC Guidelines for Overt Video Surveillance

    Practical document covering when and how private-sector video surveillance is acceptable.

Audit-prep review.

We'll walk your existing system against PIPEDA and deliver a written gap analysis — so you know what the regulator would find before they do.

Request a PIPEDA review