Don’t Email That T4: How to Safely Send T4 Slips in 2026

It is February. Payroll is closed, the books are reconciled, and your inbox is filling with one familiar request: “Can you send me my T4?” You attach the PDF, hit send, and move on. The trouble is, that single click may have just exposed your employee’s full name, address, Social Insurance Number, and a year’s worth of income to anyone who can read an email along the way.

T4 slips are among the most sensitive documents Canadian businesses produce. However, they are also routinely sent through the least secure channels available — email attachments, password-protected PDFs, and even paper mail. The Canada Revenue Agency requires you to deliver them on time. PIPEDA requires you to do so without putting your employees’ personal information at risk. Here is exactly how to do both.

In This Guide

1. Why T4 Slips Are a Target
2. What the Law Actually Requires
3. Why Email Is the Wrong Tool for T4 Slips
4. The Safest Ways to Send T4 Slips in 2026
5. A Step-by-Step Workflow That Works
6. Common Mistakes Employers Still Make
7. If a T4 Lands in the Wrong Inbox
8. Frequently Asked Questions

Why T4 Slips Are a Target

A T4 is a complete identity-theft starter pack on a single page. Each slip contains your employee’s full legal name, mailing address, Social Insurance Number, employer details, and gross income for the year. In the wrong hands, that combination is enough to file a fraudulent tax return, open a line of credit, or impersonate the employee with the CRA itself.

Furthermore, the volume matters. A small business sending fifteen T4 slips and a payroll firm sending fifteen hundred face the same problem at different scales. One misaddressed email or one breached inbox can cascade into months of remediation work, regulatory reporting, and a permanent dent in employee trust.

In short, this is not a routine document transfer. It is a regulated transmission of high-risk personal information, and it deserves to be treated like one.

What the Law Actually Requires

Two regulatory frameworks govern how T4 slips are handled in Canada, and both apply to every employer regardless of size.

The Canada Revenue Agency requires employers to give each employee their T4 slip on or before the last day of February following the calendar year the slip applies to. (For the 2025 tax year, the deadline lands on March 2, 2026, because February 28 falls on a Saturday.) The CRA’s distribution rules were updated in 2024 and now treat each delivery channel differently:

• Secure employer or payer portal. The CRA permits portal delivery without prior written or electronic consent, provided none of the exceptions below apply.
• Email. Permitted only if the employer has obtained the employee’s consent — in writing or in electronic format — before sending the slip.
• Paper. Two copies must be provided in person or by mail. Paper is mandatory if the employee requests it, if the employee cannot reasonably be expected to access the slip electronically when it is issued, or — for T4 slips specifically — if the employee is on extended leave or is a former employee at the time of issuance.

PIPEDA — the Personal Information Protection and Electronic Documents Act — applies separately. It requires you to protect personal information using safeguards appropriate to its sensitivity. T4 slips contain a Social Insurance Number, which the Office of the Privacy Commissioner of Canada classifies as among the most sensitive identifiers an organization can hold. In practice, this means encryption in transit and at rest, access controls, recipient verification, and a documented process for handling the information.

Consequently, satisfying one law is not enough. A delivery method that meets CRA timing requirements but fails PIPEDA’s security expectations — or vice versa — leaves you exposed. The CRA may technically allow email delivery with consent, but that does not make ordinary email an appropriate channel for a document containing a SIN.

Why Email Is the Wrong Tool for T4 Slips

Email is convenient, but it was never designed to be secure. When you send a T4 PDF as an email attachment, the file travels across multiple servers in plain or near-plain text, sits in the recipient’s inbox indefinitely, and is backed up on infrastructure you do not control. Anyone with access to any of those points — a curious IT contractor, a compromised account, a misconfigured backup — can read the slip.

Password-protected PDFs are a common workaround, but they are weaker than they appear. The passwords are usually short, often shared in the same email or by text message, and trivial to crack with freely available software. Additionally, the password protects only the file itself — the email body, subject line, and metadata still travel in the clear.

The most common email mistakes employers make with T4 slips include:

• Auto-complete mismatches that send Jane Smith’s T4 to John Smith
• Reply-all on a payroll thread, exposing one employee’s slip to the entire team
• Sending the password and the file in the same email or chat thread
• Forwarding T4s to personal Gmail or Hotmail accounts at the employee’s request
• Storing the sent slip indefinitely in the “Sent” folder with no retention policy

Each of these is a routine human action. Each is also potentially a reportable privacy breach under PIPEDA if the information meets the “real risk of significant harm” threshold — and a slip carrying a SIN very often will. Even where the breach is not reportable, PIPEDA still requires organizations to keep an internal record of it.

The Safest Ways to Send T4 Slips in 2026

The good news is that secure delivery is no longer the domain of enterprise IT. Several options now exist for businesses of any size, and they break down into three broad categories.

1. Self-Service Payroll Portals

If your payroll provider offers a secure portal, employees can log in with their own credentials and download their T4 directly. This is the CRA’s preferred channel and does not require prior consent for current employees with active accounts. The downside is that portals only work for people who still have access — former employees, contractors, and anyone whose account was disabled at year-end need a different method, and the CRA explicitly carves these groups out of the no-consent rule for T4s.

2. Encrypted File Transfer Services

Purpose-built encrypted transfer tools — services that use encryption to deliver files to a verified recipient — are the strongest option for ad-hoc T4 delivery. The files are encrypted, the recipient verifies their identity to open it, and the link expires after a period of time. No password to forget, no copy sitting in an inbox forever, no unencrypted attachment travelling across mail servers.

3. Tracked Mail or Courier (When Paper Is Required)

For employees who request paper, who cannot reasonably access slips electronically, or who are on extended leave or no longer employed at the time of issuance, the CRA requires paper delivery. However, “paper” does not mean a regular envelope dropped in a corner mailbox. Use sealed, signature-required mail or a tracked courier service, address it to the employee personally rather than a household, and never include the SIN visible through a window envelope.

The right choice depends on what you are sending and who needs to receive it. For most modern workplaces, a combination works best: a portal for active employees, an encrypted file transfer for former employees and anyone the portal does not cover, and tracked mail when paper is the only option.

A Step-by-Step Workflow That Works

Here is the practical workflow we recommend for an organization sending T4 slips to a mixed group of current and former employees.

1. Confirm the delivery channel for each employee. Before the end of January, identify who will receive their slip through the payroll portal, who will receive it by email (and therefore needs documented written or electronic consent on file), and who needs paper. Keep those records together.
2. Verify recipient details. Cross-reference each employee’s current legal name, mailing address, and email address against your payroll system. Stale data is the most common cause of misdelivery.
3. Generate slips individually. Produce one PDF per employee. Never bundle multiple T4s into a single file — even for distribution to a single department head.
4. Send through an encrypted channel. Use your portal for current employees and a secure file transfer service for everyone else. Avoid plain email attachments entirely, even when consent is on file.
5. Confirm receipt. Most secure transfer tools provide a download confirmation. Keep these records — they are your audit trail if a question arises later.
6. Set retention rules. The CRA requires payroll records to be kept for six years; align your delivery and consent records to the same period, and dispose of anything beyond that on a schedule. Less data is less risk.

This workflow takes a fraction longer than the “attach and send” approach, but the time you save on potential breach response, employee remediation, and regulatory questions is enormous.

Common Mistakes Employers Still Make

Even organizations with good intentions stumble on the details. Here are the recurring issues we see.

• Treating an email request as consent to email delivery. An employee asking by email for their T4 is not the same as the documented consent the CRA requires before sending the slip by email. Capture a clear, recorded opt-in.
• Using shared inboxes. Sending T4s from a generic payroll@ address to a generic hr@ distribution list multiplies the number of people who can see the file. Use named, individual accounts.
• Reusing old delivery channels for former employees. A former employee’s @company.com email address is no longer secure once it has been disabled or reassigned, and former employees fall outside the portal-without-consent rule for T4s. Always verify a current personal contact method before sending.
• Skipping encryption for “internal” transfers. A T4 sent from payroll to an internal manager for review still contains a SIN. Internal does not mean safe.
• Forgetting about backups. Email backups, archived chat logs, and shared drive snapshots all preserve copies of T4 slips long after you think they have been deleted. Audit your backup retention to match your privacy posture.

Where SureSend Fits In

This is where SureSend comes into the picture. SureSend is a Canadian encrypted file transfer service built specifically for the moments when email is not safe enough — payroll documents, T4 slips, contracts, medical records, and anything else where the cost of a mistake is real. The moment a file leaves your device, it is already encrypted with zero-knowledge architecture, which means not even SureSend can read it. Your recipient verifies their identity, downloads the file, and the link expires.

For payroll teams sending T4 slips, this turns a stressful annual ritual into a quick, auditable workflow. Sign in, add your recipient, upload the slip, and SureSend it. No couriers, no delays, no risk of an attachment landing in the wrong inbox.

If a T4 Lands in the Wrong Inbox

Mistakes happen. If a T4 reaches the wrong recipient, act quickly and document everything.

1. Contact the unintended recipient immediately and ask them to delete the file. Get their confirmation in writing.
2. Notify the affected employee as soon as you have the facts. Be honest about what happened and what steps you are taking.
3. Assess whether the breach meets PIPEDA’s “real risk of significant harm” threshold. If it does, you must report it to the Office of the Privacy Commissioner of Canada and notify the affected individual. Whether or not it meets the threshold, PIPEDA requires you to keep an internal record of the breach.
4. Offer practical support. This typically means recommending the employee place a fraud alert with the credit bureaus and monitor their CRA “My Account” for unusual activity.
5. Investigate the root cause and update your process so it cannot happen the same way again.

An honest, prompt response will not erase the breach, but it is the difference between a manageable incident and a damaged employee relationship.

Frequently Asked Questions

Can I email a password-protected T4 PDF?

It is better than an unprotected attachment, but it is not considered secure delivery under PIPEDA. PDF passwords are weak, easily shared in the same channel, and do not protect the email metadata. Even where the CRA permits email delivery with the employee’s consent, an encrypted file transfer service or a payroll portal is the appropriate channel for a document containing a SIN.

Do I need written consent before delivering T4 slips electronically?

It depends on the channel. As of the CRA’s 2024 update, you do not need prior written or electronic consent to distribute T4 slips through a secure employer or payer portal. You do need the employee’s consent — in writing or in electronic format, before sending — if you deliver by email. Paper remains mandatory on request, and for T4 slips specifically, paper is also required for employees on extended leave and former employees. Keep all consent records on file in case of an audit.

How long should I keep records of how T4 slips were delivered?

The CRA requires payroll records to be kept for six years. Delivery confirmations, secure transfer receipts, and consent records should match that retention period.

What about contractors who receive a T4A instead?

The same principles apply. T4A slips contain identifying information and income data, and the CRA’s distribution rules — including the no-consent-required rule for secure portal delivery — apply to T4A slips as well. Send them through the same secure channels you use for T4 slips.

Is faxing a T4 slip secure?

Generally no. Modern fax often routes through email-to-fax gateways, which means the file briefly travels as an unencrypted email. Even traditional fax can sit on a shared receiving machine where anyone in the office can read it. Treat fax with the same caution as email.

Sending T4 slips is one of those routine year-end tasks that quietly carries serious risk. Treat it with the care it deserves, document your process, and use tools built for the job — and a stressful annual ritual becomes a quiet, professional one.

Sources

• Canada Revenue Agency — Distribute the slips (current rules on portal, email, and paper distribution; consent requirements; exceptions for paper-on-request, no electronic access, extended leave, and former employees).
• Canada Revenue Agency — Employers’ Guide – Filing the T4 Slip and Summary (RC4120) (February deadline, employer obligations, late-filing penalties).
• Canada Revenue Agency — Keeping records (six-year retention requirement for payroll and supporting records).
• Office of the Privacy Commissioner of Canada — What you need to know about mandatory reporting of breaches of security safeguards (real risk of significant harm threshold, reporting and record-keeping obligations).
• Office of the Privacy Commissioner of Canada — Social Insurance Numbers (SIN sensitivity guidance under PIPEDA).