Canadian Guidance: Business Record Retention

PIPEDA Business SWOT Analysis & Data Storage Considerations

By L.Kenway BComm CPB Retired

Edited May 13, 2024  |  Revised April 13, 2024  |  Originally Published in 2009


It's a balancing act. 

The Canada Revenue Agency (CRA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) both have guidelines for business record retention, but they serve different purposes.


Introduction About Business Record Retention in Canada

CRA’s Guidelines

CRA’s guidelines pertain to tax-related documents. They stipulate that all records, including supporting documents and related financial files used to prepare income tax returns, must be kept for at least six years from the end of the last tax year to which they relate.

PIPEDA Guidelines

PIPEDA, on the other hand, mainly governs the collection, use, and disclosure of personal information in a manner that respects individual privacy. PIPEDA requires businesses to obtain an individual's consent when they collect, use, or disclose the individual's personal information and to ensure it is kept secure. It doesn't have a specific retention guideline and states that organizations should only retain personal information for as long as necessary to fulfill the identified purposes.

Is It Possible To Comply With Both?

It is possible to comply with both sets of guidelines, but businesses need to be cautious in doing so. For example, depending upon the nature of the records, organizations may face situations where they are required to retain certain personal information due to CRA requirements but will have to ensure that the methods and duration of storage align with the privacy rules established by PIPEDA.

No one that I know of ever said running a business in Canada was easy!

CRA Business Record Keeping Requirements

Who Must Keep Business Records in Canada

Section 230 of the Income Tax Act requires books and records be kept in a format that allows assessment and payment of taxes. The Excise Tax Act, Employment Insurance and Canada Pension Plan legislation also have this requirement. Who must keep these records:

  • any person who carries on a business in Canada;
  • any person or business who is required to pay or collect government taxes which includes GST, HST, PST, and payroll source deductions;
  • any person or business required to file an income tax or GST return;
  • not for profit organizations.

What Business Records Must Be Kept In A Canadian Business


Businesses must keep all records and supporting documents. Following is a general list of what must be kept:

Records generally refer to the organized method of documenting and summarizing accounting and financial information. This would include:

  • financial statements;
  • ledgers and journals - computerized or manual;
  • log and appointment books;
  • spreadsheets and working papers;
  • tax reports and records;
  • your Business Journal; and
  • other documents that support your claims.

In addition, invoices MUST display sales tax information on a separate line OR by a statement that shows the amount of sales tax paid. Other invoicing information requirements must also be met.

When supporting documents are requested, it usually is a reference to source documents. Source documents are the original documents which prove the transaction occurred. Examples of this are:

  • bank statements, cancelled cheques and deposit slips;
  • sales invoices and receipts, cash register tapes, purchase orders;
  • credit card statements and all business purchase receipts;
  • legal and government correspondence;
  • any other documents and correspondence including e-mails.

If you are claiming the GST/HST input tax credits (ITCs), the detailed information required to support your claim is very specific. Read more here.


Data Storage Retention Considerations? Paper Format or Electronic Format? Inside Canada or Across The Border?

How Must Business Records Be Kept in Canada

How must you keep your records? Your records must be kept at your place of business or residence. They may not be kept outside of Canada, even if electronic access is available in Canada ... unless you receive CRA permission*. They must meet these criteria:

  • be complete and reliable;
  • be in paper format or electronic format (but you must ensure they are accessible and readable even if technology changes);
  • provide correct information to assist in meeting your tax obligations and entitlements;
  • be supported by source documents (discussed above); and
  • include other documents (described under records above).

If you have more than one business, you must keep separate records for each business. It is also interesting to note that if the original transaction was electronic in nature, you must retain the original computerized or electronic files in a readable format ... even if you have printouts of the records.

The electronic format link above discusses CRA's policy on scanned receipts ... scanning is NOT the same as imaging. Articles I've read feel that scanned documents may be treated as secondary evidence in court the same way photocopies or microfiche images are. Scanned receipts will be subject to authentication.

*Cloud Accounting - Location of Servers

CRA's GST/HST Memorandum 15-2 Computerized Records> place of retention> location outside Canada:

Point 16 states, "Persons with businesses that operate via the Internet and that are hosted on a server located outside Canada should be cognizant of their responsibility of maintaining their records within Canada. Persons with Internet-based businesses have the same responsibilities for record retention as all other business operators."

Does this mean cloud accounting options don't meet CRA's criteria? Yes and no. Yes, the servers are outside Canada, but the workaround is to have a copy of your General Ledger in csv or pdf format on your local computer or hard drive. Keeping a backup of your file in Canada also works if you can remember to keep updating it so it is accessible.

Don't bother requesting permission from CRA. It is only provided in exceptional circumstances. Focus more on access to the data. A PDF file is a very accessible type of document unlike data files which are always being updated and upgraded to utilize the latest technology.

Large intensive data storage companies are becoming more accommodating in helping businesses in Canada meet data residency requirements. Check out where your SaaS providers store your business data.


CRA's Position On Electronic Records Location:

CRA Website - Keeping Records: "Records kept outside of Canada and accessed electronically from Canada are not considered to be records kept in Canada."

How Long To Keep Business Records in Canada

The general rule for business record retention is that records must be kept for six years from the end of the tax year to which they relate ... which really means seven years ... or as long as CRA has informed you (usually by registered letter).

The tax year is the calendar year for taxpayers and unincorporated businesses and the fiscal year for corporations.


Keep Forever

Some records and supporting documents that must be kept indefinitely are:

  • acquisition and disposal of property;
  • share registry;
  • historical information that would have an impact on the sale, liquidation, or wind-up of the business.

Some situations have different business record retention requirements:

  • corporations - two years from dissolution (mergers and amalgamations are considered to be a continuation of the business);
  • late filed returns must be kept six years from the date the return is filed;
  • notice of objections must be kept until the objection or appeal is over AND the later of the time for filing appeals has passed or the normal six year period;
  • charities and political donation receipts and specified records - generally two years from the end of the calendar year they relate but verify this with CRA.

Early Destruction of Business Records

Records may be destroyed early if permission is received from CRA and any other relevant authority. File T137 Request for Destruction of Records with CRA. Early destruction without permission may lead to prosecution.

PIPEDA Privacy Requirements

PIPEDA Guidelines For Business Record Retention

In Canada, privacy rules and data retention guidelines are mainly governed by two federal regulations, (i) the Privacy Act and (ii) the Personal Information Protection and Electronic Documents Act (PIPEDA) in addition to several provincial laws, where applicable.

Quebec, Alberta and BC have their own privacy laws similar to PIPEDA. The Privacy Act is currently under review to be modernized as much has changed since 1983.

Both Acts regulate how businesses can collect, use, and disclose personal information in the course of commercial activities. PIPEDA is based on 10 internationally recognized principles for protecting personal information:

  1. Accountability;
  2. Identifying purposes;
  3. Consent;
  4. Limiting collection;
  5. Limiting use, disclosure and retention;
  6. Accuracy;
  7. Safeguards;
  8. Openness and transparency;
  9. Individual access; and
  10. Challenging compliance.

Here are some key points of PIPEDA:

1. What you can collect:

Under PIPEDA, businesses can collect personal information for purposes that a reasonable person would consider appropriate in the circumstances. Businesses should identify these purposes to the individual at or before the time of collection.

2. Consent:

Organizations must obtain an individual's consent when they collect, use, or disclose the individual's personal information. The consent must be obtained in a manner that ensures that the individual understands what they are consenting to.

3. Limiting Collection:

The collection of personal information must be limited to that which is necessary for the identified purposes. Information must be collected by fair and lawful means.

4. How long to keep the data:

PIPEDA does not specify a particular period for data retention. However, organizations should only retain personal information for as long as necessary to fulfill the purposes identified. Once the personal information is no longer required, it should be destroyed, erased, or rendered anonymous.

5. Security Safeguards:

Organizations must protect personal information using security safeguards appropriate to the sensitivity of the information to protect it against loss, theft, unauthorized access, disclosure, copying, use, or modification.

Lastly, businesses must also adhere to specific industry or sector-specific regulations which may specify the types of data to be collected and retention periods. 

Keep in mind that the exact rules can vary depending on the province and the type of data involved. As mentioned, Quebec, Alberta, and BC have their own privacy laws.

Reference: Justice Laws Website: Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) and Justice Proposals for discussion for modernizing the Privacy Act 2021-09-01

Business Record Retention

PIPEDA Business SWOT Analysis

It's crucial to address privacy regulations on data retention as businesses often deal with confidential and sensitive data. In Canada, violation of privacy regulations can lead to legal complications, penalties, and reputational damage for the businesses.

Cybersecurity becomes an issue when records are kept electronically. Businesses should adopt robust cybersecurity measures to prevent data breaches - easy to say, harder to do. Implementing secure backups, firewalls, encryption, and user access controls are a few means of ensuring data safety - again easy to say, harder to do.

You may need the assistance of an IT security consultant initially to help you identify potential cyber risks and recommend a strategic solution customized for your business. Depending on the size of your business, you may need to consider ongoing managed IT services to take care of that part of your business so you can do the stuff you enjoy working on.

Here is a quick SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis on other aspects of data storage for businesses to consider:

  • Strengths: Efficient record keeping helps businesses keep track of their performance, maintain legal compliance, make informed decisions, and improve operation efficiency. Good compliance practices don't happen on any one particular day. They aren't an event; they are a HABIT.
  • Weaknesses: Insufficient or poorly managed record keeping can increase the risk of fines and penalties, lead to poor decision-making due to lack of information, and potentially damage a company's reputation. That's what this site is about - helping you get all your ducks in a row so you will be tax compliant in your business.
  • Opportunities: Technology advances present opportunities for better and more efficient digital record keeping. It's crucial to leverage technological solutions like cloud storage, automation, and advanced security measures to improve business record retention.
  • Threats: Apart from cybersecurity threats, other risks include regulatory changes that may necessitate changes in how records are retained, physical damage to paper records, and human error leading to loss of records. Location of the data storage should be assessed if data is not stored in Canada due to the U.S. Patriot Act and CRA data residency requirements.

The SWOT analysis above is not in-depth. It would be worth your while to do a more detailed SWOT analysis for your business. Generally, businesses should prioritize regular policy reviews, staff training, and a solid disaster recovery plan to ensure effective business record retention.

CRA Audits and Computerized Books and Records Access

The CRA has legal rights to inspect the books and records of a business during an audit. The documents must be either in hard copy or electronic format. If these records are kept electronically, they must be in an electronically readable format even if you have paper copies.

While Canadian business owners are required to keep their computerized records in an electronically readable format for CRA to be able to review them, CRA, unlike the IRS, does not require actual access to your accounting program as a user.

It is my understanding that the CRA does not normally need the hardware or software used to create these records. They only ask for hardware or software when the data in electronically readable format cannot be converted into a standard accessible software type.

Here are two options to provide a CRA auditor with access to the information they require during an audit. I used the QuickBooks® Online (QBO) Canada platform as an example.

Option 1: If you decide to give a CRA auditor access, set them up as a Reports Only user, which requires read-only access. In QBO Canada, this will give the auditor access to all reports except the Audit Log and Payroll Reports. Intuit says the auditor will be able to create a group of reports, memorize a report, and drill down as far as a transactions report. However, they will not have the ability to view the actual transaction. Unfortunately, this type of user is only available in QuickBooks Online Plus and is not available in QuickBooks Online Essentials. This means you may need to upgrade your subscription during an audit if your auditor requires this type of access.

You may want to create a new business file that includes only the relevant audit period prior to giving the CRA auditor Reports Only access. It may be advisable to provide a fourteen-month period, which includes the month before and after the relevant period, in case cutoff procedures affect the data, but check with your accountant before you do this.

Option 2: Another option if you use QuickBooks Online Canada is to export QBO data during a CRA audit. Exporting the data allows you to select only the data relevant to the dates you are being audited for. The export file will be in XLM format that you can provide to your CRA auditor.

If the auditor doesn't require actual access to your electronic data, you should be able to print out a group of PDF reports that meets the CRA auditor's information requirements.

It is always advisable to check in with your accountant prior to providing audit information to a CRA auditor. Your accountant will help you ensure you only provide the information needed for the auditor and nothing more.

Wrap Up Business Record Retention

Pay attention to CRA's record retention requirements and remember to factor in all the regulations pertaining to privacy and cyber security - where keeping too much information and for too long puts you at risk - not to mention the costs related to storing of the records.

Also keep in mind that I only discussed CRA's record retention requirements and PIPEDA's privacy rules. Other government agencies such as provincial finance departments or worker compensation boards may have different requirements.


1. Both CRA and PIPEDA have guidelines for business record retention in Canada, serving different purposes. CRA's guidelines are tax-related while PIPEDA governs personal information's collection, usage, and disclosure. Complying with both guidelines is possible but requires careful management, especially regarding personal information in line with both tax and privacy regulations.

2. CRA has specific rules about who should keep records, what records should be kept, how they should be kept and for how long.

3. PIPEDA privacy regulations also have specific rules regarding what can be collected, how it should be collected, and how long it should be retained.  PIPEDA includes guidance on security safeguards for personal information.

4. Cybersecurity measures and data safety practices should be in place to avoid the risk of data breaches and safeguard against data loss or unauthorized use. 

5. Regular SWOT analysis and policy reviews on data storage, especially as it relates to the Patriot Act and CRA's data residency requirements, are needed for businesses to reduce the likelihood of data breaches.

6. Businesses may consider engaging professional IT security consulting for comprehensive solutions and possibly ongoing managed IT services for maintaining the integrity and security of their records. This is especially important the more your business grows.

7. During an audit, CRA requires access to your business records. You have options on how you provide CRA access to your business's computerized books and records.
