Two separate federal privacy laws protect the privacy of Canadians. These laws govern the information that businesses can collect about other Canadians, as well as how organizations must manage and protect that data.
As of January 1, 2004, PIPEDA applies to every organization that collects, uses or discloses personal information in the course of commercial activities. However, the federal government may exempt organizations and/or activities in provinces deemed to have adopted substantially similar privacy legislation (more on this later).
What is the ‘Personal Information Protection and Electronic Documents Act’?
The Personal Information Protection and Electronic Documents Act is a Canadian law that relates to data privacy. PIPEDA governs how private and public sector organizations collect, use and disclose personal information in the course of commercial business.
PIPEDA stipulates that Personally Identifiable Information (or PII) must be:
- collected with consent and for a reasonable purpose
- used and disclosed for the limited purpose for which it was collected
- accessible for inspection and correction
- stored securely
PIPEDA, in plain English, states that once an organization collects data, regardless of the province, the industry, or the type of data, that organization is fully accountable and responsible for the protection of that data.
Is my organization required to keep our data in Canada?
PIPEDA, at the federal level, does not require all Canadian organizations to keep data in Canada. However, depending on the province your business is located in, whether your business operates in the private or public sector, and which industry your business works in, you could be required to keep data within Canadian borders.
For example, a public sector commercial medical research company in Nova Scotia will almost certainly be required to keep Personally Identifiable Information (PII) in Canada (under the NS Personal Information International Disclosure Act), while a real estate agent in Manitoba would be free to store their data across borders.
Regardless of where your data might be stored, at the end of the day, each federal and provincial privacy act is very clear. Once an organization collects sensitive data, that organization is 100% responsible for the protection and security of that data, and it is up to each individual organization to fully understand the rules.
What specific data is protected under PIPEDA?
Under PIPEDA, the following is considered sensitive or Personally Identifiable Information (PII) and is explicitly protected under the law:
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
Are the privacy laws the same in every province?
PIPEDA is a federal act; however, the federal government may exempt organizations and/or activities in specific provinces deemed to have adopted substantially similar privacy legislation.
For example, the province of Nova Scotia has ruled that
“Public bodies ensure that personal information in its custody or under its control … is stored only in Canada and accessed only in Canada.”
Here are the individual acts for each province:
- British Columbia’s Personal Information Protection Act
- Alberta’s Personal Information Protection Act
- Ontario’s Personal Health Information Protection Act, with respect to health information custodians
- Nova Scotia’s Personal Information International Disclosure Act
- New Brunswick’s Personal Health Information Privacy and Access Act, with respect to personal health information custodians
- Newfoundland and Labrador’s Personal Health Information Act, with respect to health information custodians
“The British Columbia Legislative Assembly responded by adopting Bill 73—the Freedom of Information and Protection of Privacy Amendment Act, 2004. The law requires public bodies to ensure that ‘personal information in its custody or under its control is stored only in Canada and accessed only in Canada.’”
Nova Scotia followed British Columbia in 2006 with its Personal Information International Disclosure Protection Act, which includes similar requirements.
In 2006, Québec amended its Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information. It now requires public bodies to ensure that information receives protection “equivalent” to that afforded under provincial law before “releasing personal information outside Québec or entrusting a person or a body outside Québec with the task of holding, using or releasing such information on its behalf.”
How will Privacy Laws affect my decision on cloud providers?
“Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction.”
PIPEDA sets forth that when an organization collects sensitive data, that organization is now fully accountable and responsible for that data.
Therefore, it is up to you, the organization, to be certain that the cloud provider you choose meets stringent criteria and allows your organization to be privacy compliant.
Questions to ask potential cloud providers:
Where, geographically, will the data be stored?
- If the data is hosted outside of Canada, does it now fall under that government’s laws and regulations?
- If the data is stored outside of Canada, am I still in compliance?
Has the potential cloud provider been involved in “Findings under PIPEDA” by the Office of the Privacy Commissioner?
- If so, what did the Commissioner find?
What security measures are in place to protect data – both physically and digitally?
- Security cameras on site at the data centers, secured access, etc.
- Data encryption, etc.
Who will have access to the data?
- Will any cloud employees potentially have access to my data?
- Do they have the proper government clearance?
What happens to the data once the contract with the cloud provider is terminated or voided?
- Is the data destroyed? How is it destroyed?
Is the cloud provider a Canadian Corporation?
- American corporations operating in foreign countries still fall under the PATRIOT Act and don’t necessarily adhere to PIPEDA
Can the cloud provider provide written proof that all data resides in Canada?
PIPEDA Quick Cloud F.A.Q.
Can a cloud provider or data center be PIPEDA certified?
At this time, no, a cloud provider cannot be PIPEDA certified. However, a Canadian data center might help your company stay within PIPEDA compliance.
What are the risks/potential punishments of not staying PIPEDA compliant?
“28. Every person who knowingly contravenes subsection 8(8) or 27.1(1) or who obstructs the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit is guilty of (a) an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or (b) an indictable offence and liable to a fine not exceeding $100,000.”
I belong to industry X in province Y, where can I safely and legally store my data?
For specific answers on acceptable data locations, please contact either:
- The Office of the Privacy Commissioner
- Server Cloud Canada Sales
- Reaching for the Cloud(s): Privacy Issues related to Cloud Computing. Office of the Privacy Commissioner of Canada, March 2010: http://www.priv.gc.ca/information/research-recherche/2010/cc_201003_e.asp
- Provincial Canadian Geographic Restrictions on Personal Data in the Public Sector. The Center for Information Policy Leadership, Hunton & Williams LLP, 2008.
- Privacy Legislation in Canada: http://www.priv.gc.ca/resource/fs-fi/02_05_d_15_e.asp