Canadian Compliance: Federal, Provincial, and Sectoral Coverage
GuardsArm supports organizations across Canada’s privacy, health, financial, and critical-infrastructure regulatory landscape, from federal statutes such as PIPEDA and proposed legislation such as the CCSPA to provincial health and privacy acts.
The Canadian compliance landscape, mapped
Whether you operate in a single province or across the country, the requirements stack quickly. We help organizations identify which of these frameworks apply, how they overlap, and how to build a single security and privacy program that satisfies all of them.
PIPEDA
Federal (federal statute) · Personal Information Protection and Electronic Documents Act
Canada’s federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Enforced by the Office of the Privacy Commissioner of Canada.
Who must comply
Federally regulated works, undertakings, and businesses, plus any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity, unless a province’s substantially similar law (BC, Alberta, or Quebec) covers that activity within the province. Personal information that crosses provincial or national borders falls under PIPEDA regardless.
How GuardsArm helps
Privacy impact assessments, breach notification procedures, consent framework reviews, and safeguard control mapping aligned to the 10 PIPEDA Fair Information Principles.
BC PIPA
British Columbia (provincial statute) · Personal Information Protection Act (British Columbia)
BC’s substantially similar private-sector privacy law, applying to organizations operating within British Columbia. Overseen by the Office of the Information and Privacy Commissioner for BC.
Who must comply
Private-sector organizations operating in BC, including non-profits and trade unions.
How GuardsArm helps
Provincial privacy compliance reviews, employee information handling assessments, and alignment with OIPC BC guidance.
CCSPA (Bill C-8)
Federal (proposed federal statute) · Critical Cyber Systems Protection Act
Proposed federal legislation establishing mandatory cybersecurity requirements for designated operators in vital federally regulated sectors (finance, telecommunications, energy, and transportation), including a cyber security program, incident reporting obligations, and ministerial directive authority. It is not yet in force, so obligations and timelines may change before Royal Assent.
Who must comply
Designated operators of critical cyber systems in federally regulated industries.
How GuardsArm helps
Cyber security program design, incident reporting workflow development, and readiness assessments aligned to expected CCSPA designated-operator obligations.
CASL
Federal (federal statute) · Canada’s Anti-Spam Legislation
Federal law governing commercial electronic messages, the installation of computer programs on another person’s device, and the alteration of transmission data. Enforced primarily by the CRTC, with the Competition Bureau and the Office of the Privacy Commissioner also holding enforcement roles, and backed by substantial administrative monetary penalties.
Who must comply
Any organization that sends commercial electronic messages to or from a Canadian computer system.
How GuardsArm helps
Consent record-keeping reviews, marketing automation control audits, and breach risk assessments for software installation flows.
OSFI B-13
Federal (sectoral guideline) · Technology and Cyber Risk Management Guideline
OSFI guideline setting expectations for federally regulated financial institutions on the governance of technology and cyber risk, technology operations and resilience, and cyber security, including incident management. Third-party arrangements are addressed primarily in the companion Guideline B-10 on third-party risk management.
Who must comply
Federally regulated banks, insurers, trust companies, and other OSFI-supervised institutions.
How GuardsArm helps
B-13 readiness gap analysis, third-party cyber risk programs, board-level reporting, and resilience testing aligned to the guideline’s domains.
ITSG-33
Federal (federal guidance) · IT Security Risk Management: A Lifecycle Approach
Canadian Centre for Cyber Security publication providing the IT security risk management framework and control catalogue used across Government of Canada IT systems.
Who must comply
Government of Canada departments, agencies, and contractors operating Crown IT systems.
How GuardsArm helps
Security control selection workshops, profile tailoring, and authority-to-operate evidence development for federal projects.
FINTRAC / PCMLTFA
Federal (sectoral statute) · Proceeds of Crime (Money Laundering) and Terrorist Financing Act
Federal anti-money laundering and counter-terrorist financing regime administered by FINTRAC, requiring reporting entities to maintain compliance programs, perform client due diligence, and report prescribed transactions.
Who must comply
Banks, money services businesses, securities dealers, real estate, accountants, dealers in precious metals and stones, and other reporting entities.
How GuardsArm helps
AML technology control reviews, transaction monitoring system assessments, and information security controls for FINTRAC reporting infrastructure.
Alberta HIA
Alberta (provincial statute) · Health Information Act (Alberta)
Alberta’s health-specific privacy law governing how custodians collect, use, disclose, and protect health information. Enforced by the Office of the Information and Privacy Commissioner of Alberta.
Who must comply
Designated custodians — Alberta Health Services, physicians, pharmacists, regional health authorities, and other health professionals named under the Act.
How GuardsArm helps
Custodian security risk assessments, electronic health record safeguard reviews, and breach response planning compliant with HIA notification rules.
Alberta FOIP
Alberta (provincial statute) · Freedom of Information and Protection of Privacy Act (Alberta)
Alberta’s public-sector access-to-information and privacy law applying to provincial public bodies, including ministries, agencies, post-secondary institutions, and municipalities.
Who must comply
Alberta public bodies and entities listed under the FOIP Regulation.
How GuardsArm helps
Public-body security and privacy assessments, records management control reviews, and incident response procedures aligned to FOIP notification expectations.
Alberta Reg 84/2024
Alberta (sectoral regulation) · Alberta Health Information Regulation 84/2024
Alberta regulation updating health-information requirements under the HIA, refining custodian obligations around safeguards, electronic systems, and information-sharing arrangements.
Who must comply
Alberta health information custodians and affiliates handling personal health information in scope of the regulation.
How GuardsArm helps
Regulation-aligned safeguard assessments, vendor agreement reviews, and operational control updates for custodians implementing the new requirements.
Manitoba PHIA
Manitoba (provincial statute) · Personal Health Information Act (Manitoba)
Manitoba’s health information privacy law governing trustees who collect, use, or disclose personal health information in the province. Oversight by the Manitoba Ombudsman.
Who must comply
Designated trustees — regional health authorities, hospitals, physicians, and other health-information holders under the Act.
How GuardsArm helps
Trustee privacy and security program assessments, EHR safeguard audits, and breach handling procedures consistent with PHIA expectations.
Saskatchewan HIPA
Saskatchewan (provincial statute) · Health Information Protection Act (Saskatchewan)
Saskatchewan’s health-information privacy legislation establishing rules for trustees collecting, using, or disclosing personal health information in the province. Oversight by the Saskatchewan Information and Privacy Commissioner.
Who must comply
Trustees as defined under HIPA, including health authorities, providers, and licensed practitioners.
How GuardsArm helps
HIPA-aligned security assessments, privacy impact assessments for new clinical systems, and incident response readiness aligned to the Information and Privacy Commissioner’s guidance.
Quebec Law 25
Quebec (provincial statute) · Act to modernize legislative provisions as regards the protection of personal information
Quebec’s substantially updated privacy regime, which amends both the public-sector and private-sector privacy acts and introduces mandatory designation of a person in charge of the protection of personal information, mandatory breach notification, privacy impact assessments, stricter consent rules, and individual rights including data portability.
Who must comply
Any organization — public or private — that collects, holds, uses, or communicates personal information of individuals in Quebec, regardless of where the organization is based.
How GuardsArm helps
Law 25 readiness programs, privacy impact assessments, consent and de-identification reviews, breach response operationalization, and DPO advisory engagements.
Ontario PHIPA
Ontario (provincial statute) · Personal Health Information Protection Act (Ontario)
Ontario’s health-information privacy law setting rules for health information custodians and their agents. Oversight by the Information and Privacy Commissioner of Ontario.
Who must comply
Hospitals, physicians, pharmacies, long-term care homes, public health units, and other designated custodians in Ontario.
How GuardsArm helps
Custodian and agent privacy controls reviews, electronic health record audit trail design, and IPC-aligned breach handling procedures.
SOX / CSOX
Cross-border (sectoral) · Sarbanes-Oxley (US) and Canadian SOX equivalents
Public-company financial reporting controls regime. SOX applies to SEC registrants; the principal Canadian equivalent, National Instrument 52-109, requires CEO and CFO certification of disclosure controls and procedures and of internal control over financial reporting (ICFR) for Canadian reporting issuers. Unlike SOX Section 404(b), NI 52-109 does not require an external auditor attestation of ICFR, so cross-listed issuers must scope their IT general controls to the stricter of the two regimes.
Who must comply
Canadian reporting issuers, SEC-registered Canadian companies, and cross-listed entities.
How GuardsArm helps
IT general controls scoping, application control reviews, automated control evidence design, and SOC reporting alignment supporting management certification and audit readiness.