I'm not an expert in that field, but PIPEDA does impose very clear responsibilities on organizations with regard to the securing of information, safeguarding information, and proper destruction of information when it is no longer needed. That varies in terms of how long you have to retain information, the level of sensitivity, and so on.
Again, it depends very much on context, the industry, and the sensitivity of the information. That is why PIPEDA is based on 10 principles and has the flexibility to apply differently to different contexts.