Compliance crosswalk · PIPEDA
PIPEDA (Canada) - email + domain controls, mapped to Wiredepth
Framework version: S.C. 2000, c.5; mandatory breach reporting under s.10.1 since November 2018
Who this is for. Federally regulated private-sector organisations in Canada, plus provincially regulated organisations in provinces without substantially similar privacy legislation (everywhere except Alberta, BC, and Quebec). PIPEDA applies whenever an organisation collects, uses, or discloses personal information in the course of commercial activities.
Where email + domain controls fit. Mostly under Principle 7 - Safeguards (Schedule 1, clause 4.7), which requires security safeguards appropriate to the sensitivity of the information. Email is one of the channels personal information moves through, and spoof-resistance (SPF, DKIM, DMARC) plus transport encryption (TLS, MTA-STS) are the standard safeguards an OPC investigator checks on that channel. Section 10.1 (mandatory breach reporting, in force since November 2018) is what gives the principle teeth: an organisation must report to the OPC and notify affected individuals whenever a breach of security safeguards creates a real risk of significant harm.
Quebec note. Quebec is covered by Quebec Law 25 (formerly Bill 64), not PIPEDA, for provincially-regulated activities. See /compliance/quebec-law-25 for that crosswalk.
Clause-by-clause mapping
Each row maps a specific PIPEDA requirement to the Wiredepth surface that addresses it. The clause ids follow the framework's own numbering (Schedule 1 clauses 4.1-4.10 for the ten principles, sections of the Act for breach reporting) - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Control area | Requirement | Wiredepth response |
|---|---|---|---|
| Principle 7 - Safeguards (4.7, 4.7.2) | Transport | Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The nature of the safeguards varies with the sensitivity, amount, distribution, and format of the information and the method of storage. | TLS + MTA-STS analyser scores per-domain transport encryption against the sensitivity baseline an OPC investigation would apply. Per-port testing covers the relay (25) and submission (587 / 465) surface, plus 443 for the HTTPS fetch of the MTA-STS policy file. |
| Principle 7 - Methods of protection (4.7.3) | Authentication | Methods of protection should include (a) physical measures, (b) organisational measures, and (c) technological measures (the clause gives passwords and encryption as examples). Applied to the email channel this means sender authentication, transport encryption, and access controls. | DMARC + SPF + DKIM checkers cover the sender-authentication technological measures. Combined with TLS + MTA-STS for transport, this is the email-channel technological-measure surface PIPEDA expects. |
| Principle 7 - Care in disposal (4.7.5) | Monitoring | Care shall be used in the disposal or destruction of personal information, to prevent unauthorised parties from gaining access to it. Read here as extending to the offboarding of vendors that were authorised to send email containing personal information. | Vendor consolidation audit enumerates the third-party email senders that could be authorised to send personal information. De-authorisation guides at /docs/deauthorize cover the offboarding side (removing vendor authorisation when the relationship ends). |
| Sections 10.1-10.3 - Breach of security safeguards | Reporting | Organisations must (a) report to the OPC any breach of security safeguards that creates a real risk of significant harm (s.10.1), (b) notify affected individuals and any organisation that can reduce the harm (ss.10.1, 10.2), and (c) keep a record of every breach, reportable or not (s.10.3); the Breach of Security Safeguards Regulations set the record-retention period at 24 months. | Incident-readiness workpaper documents the breach-notification playbook in the format PIPEDA s.10.1 expects. Audit-log Merkle chain (see /docs/verify) provides the tamper-evident records OPC investigations look for in retrospective breach analysis. |
| Principle 1 - Accountability for transfers (4.1.3) | Inventory | An organisation remains responsible for personal information it has transferred to a third party for processing, and shall use contractual or other means to provide a comparable level of protection while the third party processes it. | Vendor inventory + per-vendor posture grade quantifies the security level of authorised email senders. The audit-log entry trail covers the "demonstrated due diligence" element of an OPC investigation into a vendor incident. |
| Principle 8 - Openness (4.8) | Reporting | An organisation shall make readily available specific information about its policies and practices relating to the management of personal information. Published security posture (DMARC, TLS) is one way to evidence openness about safeguards. | Public scorecard PDF + the email-auth badge at /badge/<domain> demonstrate per-domain security posture in a form an OPC investigator (or curious customer) can verify independently. |
| Principle 9 - Individual access (4.9, security context) | Monitoring | When responding to an access request, the organisation must be satisfied that the requester is who they claim to be. Where that verification runs over email, it inherits the security of the email channel. | DMARC enforcement (p=reject) on the organisation's own domains stops third parties from impersonating those domains to DMARC-enforcing receivers, which protects the outbound leg of identity-verification email loops; it does not by itself authenticate the requester, and inbound mail from other domains still needs its own checks. Spoofability checker provides the on-the-wire test. |
| Principle 10 - Challenging compliance (4.10) | Reporting | An organisation shall put procedures in place to receive and respond to complaints and inquiries about its handling of personal information. The OPC may also investigate complaints. | Continuous monitoring history + the tamper-evident audit log are the evidence base for responding to an OPC investigation (s.12) and any report or Federal Court proceeding that follows (ss.13-16). The free public verifier (see /verify) lets the OPC validate the records without relying on Wiredepth's representations. |
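As an added illustration of the record-level half of what the DMARC and MTA-STS rows above check, the following Python grades a DMARC TXT record and an MTA-STS policy file against an enforcement baseline. It is example code written for this page, not Wiredepth's tooling or scoring rules; the grade names, the "both channels enforced, no findings" baseline, the one-week max_age threshold and the sample records are all assumptions constructed for the example. Records are passed in as strings, so it runs offline without DNS or HTTPS lookups.

```python
"""Grade the two public artefacts an investigator samples for per-domain email posture:
the DMARC TXT record (RFC 7489) and the MTA-STS policy file (RFC 8461). Records are passed
in as strings, so nothing here touches DNS or HTTPS; sample records, grade names and the
baseline are constructed for this example, not taken from a real deployment or product."""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Split a DMARC record ('tag=value; tag=value') into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record):
    """Return (grade, findings); grades: enforced, partial, monitor-only, invalid."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":  # version tag must be exactly DMARC1
        return "invalid", ["missing or wrong v=DMARC1 tag"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return "invalid", [f"p= must be none/quarantine/reject, got {policy!r}"]
    pct = tags.get("pct", "100")  # defaults to 100 when absent
    if not pct.isdigit():
        return "invalid", [f"pct= is not an integer: {pct!r}"]
    pct, findings = int(pct), []
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if POLICY_RANK.get(sub, -1) < POLICY_RANK[policy]:
        findings.append(f"sp={sub}: subdomains protected less than the organisational domain")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as the domain")
    if policy == "reject" and pct == 100:
        grade = "enforced"
    elif policy == "none":
        grade = "monitor-only"
    else:
        grade = "partial"
    return grade, findings

def parse_mta_sts(policy_text):
    """Parse 'key: value' lines; 'mx' may repeat, so it is collected as a list."""
    fields = {"mx": []}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed MTA-STS line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value)
        else:
            fields[key] = value
    return fields

def grade_mta_sts(policy_text):
    """Return (grade, findings); grades: enforced, testing, none, invalid."""
    fields = parse_mta_sts(policy_text)
    if fields.get("version") != "STSv1":
        return "invalid", ["missing or wrong 'version: STSv1' line"]
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        return "invalid", [f"mode must be enforce/testing/none, got {mode!r}"]
    if not fields.get("max_age", "").isdigit():
        return "invalid", ["max_age missing or not a non-negative integer"]
    findings = []
    if not fields["mx"]:
        findings.append("no mx: patterns, so senders cannot match the domain's MX hosts")
    if int(fields["max_age"]) < 604800:  # RFC 8461 expects a lifetime of weeks or more
        findings.append(f"max_age={fields['max_age']}s: cached under a week, weak downgrade protection")
    if mode == "testing":
        findings.append("mode=testing: TLS failures are reported but mail is still delivered")
    return {"enforce": "enforced", "testing": "testing", "none": "none"}[mode], findings

def posture(domain, dmarc_record, mta_sts_policy):
    """Combine both grades into one per-domain posture row."""
    auth_grade, auth_findings = grade_dmarc(dmarc_record)
    tls_grade, tls_findings = grade_mta_sts(mta_sts_policy)
    findings = auth_findings + tls_findings
    return {"domain": domain, "sender_authentication": auth_grade, "transport": tls_grade,
            "findings": findings,  # example baseline: both channels enforced, no findings
            "meets_baseline": auth_grade == tls_grade == "enforced" and not findings}

# Constructed sample records (example.com / example.net are documentation domains).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1"
WEAK_DMARC = "v=DMARC1; p=reject; pct=25; sp=none"
GOOD_STS = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.mail.example.com\nmax_age: 1209600\n"
WEAK_STS = "version: STSv1\r\nmode: testing\r\nmx: mx1.example.net\r\nmax_age: 3600\r\n"

if __name__ == "__main__":
    print(posture("example.com", GOOD_DMARC, GOOD_STS))
    print(posture("example.net", WEAK_DMARC, WEAK_STS))
```

The weak sample shows why a bare "p=reject" is not the same as enforcement: with pct=25 only a quarter of failing mail is rejected, sp=none leaves every subdomain spoofable, and the missing rua address means nobody sees the aggregate reports. The on-the-wire half of the rows above (whether port 25 really offers STARTTLS with a certificate matching an mx pattern, whether forged mail really fails alignment) still needs a live probe against the domain.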
What auditors actually look at
An OPC investigator (or internal privacy office) reviewing the email + domain surface would typically request:
- The privacy management programme documentation (PIPEDA Accountability + Schedule 1 principles)
- Per-domain DMARC / SPF / DKIM / TLS posture sampled across the investigation window
- Vendor register of authorised email senders + last-reviewed dates
- Incident records for any breach of security safeguards (whether reportable or not - retention is 24 months)
- Evidence of due diligence on outsourced processing arrangements that touch personal information
Generate a PIPEDA-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + a PIPEDA README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Other compliance crosswalks
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, a licensed CPA firm for SOC 2, a lawyer for PIPEDA / HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.