Many Canadian companies want to transition to the cloud for business data hosting, yet worry about data access and privacy. Both public and private sector organizations must follow government laws affecting the storage and use of personal information. Provincial governments also have privacy laws to protect customer data, particularly in health care. Storing data outside of Canada brings additional challenges, namely a new set of rules and regulations. Find out what affects data leaving the country, and how this impacts your organization.
What Data Must Stay In Canada?
PIPEDA, the Personal Information Protection and Electronic Documents Act, is the federal law governing personal information handled in the course of commercial activity. Several provinces add their own privacy statutes, some of which apply in place of PIPEDA within the province and some of which apply to specific sectors such as health care. PIPEDA holds private-sector organizations accountable for the personal information in their custody, including while it is in transit and while a third party processes it on their behalf. Information may cross borders, but the Canadian organization remains accountable under the Act for what happens to it.
Federal government institutions are subject to the Privacy Act, which governs how they collect, use, disclose and retain personal information. At present, there is a proposal that would prohibit classified data from leaving the country.
Alberta and Quebec restrict the transfer of public-sector personal information outside Canada, and in some cases outside the province. British Columbia and Nova Scotia go further, prohibiting public bodies and their service providers from storing or accessing personal information outside Canada, with limited exceptions.
Ontario’s PHIPA, the Personal Health Information Protection Act, generally requires an individual’s express consent before a health information custodian discloses their personal health information, subject to limited exceptions set out in the Act. Health data may leave the province, but the custodian remains bound by PHIPA’s obligations when it does, which can be a practical burden.
Depending on where your organization is located and what sector you operate in, you may be unable to transfer some or all of your data outside Canada.
Rules That Affect Data Leaving Canada
PIPEDA makes organizations responsible for the personal information they have collected even after it is transferred to a third party for processing. The organization must use “contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
To see what this means for your business in practice, take the key terms one at a time:
- Transfer: A transfer for processing is a use of the information, not a new disclosure. The processor may use it only for the purposes for which it was originally collected (for instance, marketing).
- Comparable Level of Protection: The third-party processor must protect the information to a level comparable to what it would have received had it stayed with the Canadian organization.
- Transparency: The organization must be open about how it handles personal information. Customers must be told that their data is sent elsewhere for processing, and that personal information sent to another jurisdiction may be accessible to the law enforcement, courts and national security authorities of that jurisdiction.
Considerations for Data Storage and Transfer
If you are considering transferring personal information outside your jurisdiction for processing, you must follow PIPEDA’s transfer rules. Your organization remains accountable for the information even once the other organization has taken possession of it and begun processing it. A contract is the primary means of protecting information after transfer, though no contract can override the laws of the country in which the processor operates.
You must also be forthright with your customers about how their data will be handled, including the chance you may send it to another jurisdiction.
Because you remain accountable for the data outside your jurisdiction, you must assess, before the transfer takes place, any risks that could jeopardize the confidentiality and security of personal information once an international service provider holds it.
Once your data leaves Canada, it becomes subject to the laws of the country where it is stored, and to the laws that bind the provider holding it. For instance, if you send data to the U.S. for processing, or engage a cloud vendor located in the U.S., customer personal data becomes subject to the U.S. Patriot Act. Under that Act, U.S. law enforcement and national security agencies can compel a service provider to produce data in its custody, and the provider may be prohibited from telling you it has done so. As you can imagine, this places a larger burden on you.
Keeping your data on Canadian servers simplifies matters: instead of reconciling Canadian privacy law with a foreign jurisdiction’s rules, you need only comply with federal and provincial privacy laws. Bear in mind that a data centre’s location is not the whole story, since a provider headquartered abroad may still be subject to its home country’s legal process even for data it stores in Canada. Canadian cloud providers are generally the most familiar with the country’s privacy laws, which puts them in a strong position to store data securely for both public- and private-sector organizations.
Before you move your business data to the cloud, think through the implications of doing so, and consider whether you could afford to recover from a customer data breach. Ask any third-party provider you are considering where your data and its backups are stored, who can access it, under what legal process the provider would disclose it and whether you would be notified, and how encryption and key management are handled, so you can confirm they meet the level of security required by provincial data storage laws and Canadian privacy laws.
It takes time to understand how PIPEDA and provincial regulations affect your business, but it is ultimately in your best interests to do so. When you know the law, you can make informed decisions to mitigate your risk, keep documents and personal information secure in the cloud, protect your reputation and maintain customer confidence.