Every organisation governed by PIPEDA must meet the following principles of the statute, which require that:

Þ	organisations be responsible for personal information under their control and designate an individual to be responsible for compliance;
Þ	the purpose for which the personal information is collected be identified before or at the time of collection;
Þ	consent be obtained for the collection, use and disclosure of personal information;
Þ	information collection be limited to that which is necessary to fulfil the purposes identified;
Þ	personal information not be used or disclosed for purposes other than those for which it was collected;
Þ	personal information be as accurate, complete and up-to-date as possible and that appropriate security safeguards are put in place to protect said information;
Þ	customers and employees be informed of the organisation's practices relating to the personal information;
Þ	on request, an individual be informed of the existence, use, and disclosure of their personal information and be given access to it; and
Þ	individuals are allowed to challenge the accuracy and completeness of the information.

Individuals can complain to the federal Privacy Commissioner of Canada, who can investigate the complaint and then issue a report to the parties with findings and recommendations. The Commissioner may make public any information about an organisation's personal information management practices, if he feels that it is in the public interest to do so.