Email is still how most small Canadian accounting firms exchange T4s, social insurance numbers, and bank statements. Under PIPEDA, that's not just risky — it's a liability.
The Personal Information Protection and Electronic Documents Act requires organizations to protect personal information using safeguards appropriate to its sensitivity. SINs, tax returns, and banking data are among the most sensitive categories that exist. Standard email is not an adequate safeguard.
Why the habit persists
Email works well enough, most of the time. Clients know how to use it. Files arrive. Nobody complains. The risk is invisible until it isn't — a misconfigured email rule, a phishing attack on the client's account, or an unencrypted laptop stolen from a car. Under PIPEDA's mandatory breach reporting rules (in force since 2018), you must report to the Office of the Privacy Commissioner when a breach creates a real risk of significant harm. Emailing a SIN to the wrong address qualifies.
What good looks like
Accounting firms that have moved to encrypted client portals — through Karbon, Canopy, or ShareFile — report a dramatic reduction in document-related risk. Most clients, when told "click this link to securely upload your T4s," simply do it. The barrier is much lower than most accountants assume.
The minimum viable upgrade
You don't need a full practice management overhaul. Start with a dedicated secure file exchange for any document containing a SIN or banking information. Full portal migration can happen over 12 months.
A free QBO Health Check reviews your current file exchange process alongside your accounting stack and flags your top compliance gaps.