The internet has changed the way the world views just about everything, causing the legal system to endure intense scrutiny – particularly privacy laws. As lawmakers have scrambled to keep up with the explosive growth of this technology, an increasing number of Canadian businesses are relying on the internet for the majority of their organizational needs. As they become more and more data driven, they are capitalizing on cloud technology for storage and sharing of information. Many of those that have not yet moved to the cloud are beginning conversations to move in that direction.
The challenge that these companies, and lawmakers, face is securing data that is often very sensitive in nature, whether it contains personally identifiable information (PII), trade secrets, or other material that is personal in nature. Business leaders are exploring ways to manage, leverage, and secure their data in the cloud while understanding and complying with privacy legislation in Canada.
The purpose of this series is to inform both current cloud customers and those moving to the cloud about Canada’s privacy laws, what they need to know to remain compliant, and what they should know about the cloud service provider that they choose for their business.
Overview of PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. All organizations engaged in commercial activity throughout Canada (with some exceptions) are required to comply with this act and are responsible for monitoring their own compliance. When storing their data online (data residency), businesses need to know where it is being stored, who has access to the information or who could gain access to it, and why this act justifies keeping their data in Canada now and in the future.
PIPEDA protects the privacy of internet users and their personal data. It stipulates that organizations are not allowed to use the information that they collect for any purposes other than what was agreed upon at the time of collection. This also means that the information cannot be shared with any third parties unless express consent is obtained. Businesses must be completely transparent regarding how any personal information collected by them will be used and there must be a system in place for obtaining the consent of the users.
Personal information can come in many forms, including but not limited to:
Victims of noncompliance can file a complaint with the Office of the Privacy Commissioner of Canada. This office will attempt to resolve the matter through a variety of methods including investigation, persuasion, mediation, and reconciliation. PIPEDA does have provisions that allow complainants to apply to the Federal Court for a hearing in some cases. When a complaint is taken to this level, the Commissioner may make some information from the case public.
The provinces of British Columbia, Ontario, Quebec, New Brunswick, Nova Scotia, and Newfoundland have laws in place that are similar to PIPEDA. However, when organizations are dealing with federal works, undertakings, or businesses, they still fall under PIPEDA. This is also true for interprovincial and international business.
10 Core Principles Overview
PIPEDA is broken down into 10 core principles. They set out how a business is required to handle personal information and are used to evaluate whether best practices are in place and followed. Following is an overview of each of these principles, along with guidance on how each relates to cloud service providers.
Accountability – An organization is required to accept responsibility for any and all personal information that is under its control. This is accomplished by designating a representative who is accountable and responsible for the organization’s compliance. The business is further required to use various means, including contractual ones, to ensure that third parties handling its information remain compliant. It also has a responsibility to uphold PIPEDA by developing and implementing relevant policies and procedures.
Cloud service providers should include contractual obligations that uphold PIPEDA including reporting procedures, security policies, non-disclosure, and limitations.
Identifying Purposes – An organization is responsible for identifying and documenting its purpose for collecting personal information. Before using that information for any purpose that was not identified at the time of collection, it is required to notify its customers, clients, users, visitors, and guests of the new purpose.
Cloud service providers should share the organization’s outlook on policies and procedures, particularly as it relates to the purpose of collecting personal data.
Consent – An organization is responsible for obtaining the informed consent of individuals when it collects personal information or data, except where such knowledge and consent would be inappropriate.
Cloud service providers should share the organization’s policies and outlook regarding how sensitive data is handled.
Limiting Collection – An organization is responsible for limiting the collection of personal information to only what is necessary for purposes identified by the organization. All collection methods should be fair and compliant with all applicable laws.
Cloud service providers should follow best practices for securely storing personal information on behalf of the business.
Limiting Use, Disclosure, and Retention – An organization is responsible for never using or disclosing personal information for any purpose other than that for which it was collected. They are to retain any personal information collected for only as long as is necessary to fulfill the intent or purpose of the collection.
Cloud service providers should follow best practices for securely destroying or disposing of data that is no longer needed and no longer required to be stored. They should also have policies in place regarding third-party disclosure.
Accuracy – An organization is responsible for ensuring that all information is accurate, complete, and up to date. It should be only what is necessary or required for the purpose or intent of use.
Cloud service providers should share the organization’s principles on the accuracy of data that is collected.
Safeguards – An organization is responsible for protecting personal information by ensuring that reliable security safeguards that are appropriate for the level of the information’s sensitivity are in place.
Cloud service providers should have policies in place for safeguarding the data that they host for the organization. Organizations should have access to all security policies describing how their cloud service provider protects the collected data from loss and theft as well as unauthorized access, copying, modification, disclosure, and use.
Openness – An organization is responsible for complete transparency regarding its policies and management of collected personal information. The policies should be very detailed in explaining how it manages personal information and these policies should be readily available for both employees and clients.
Cloud service providers should be transparent regarding their data management policies. They should be able to provide a copy of these policies to their clients upon request.
Individual Access – An organization is responsible for informing an individual, upon written request, of the existence, use, and disclosure of that individual’s personal information. It must also give the individual access to the information that has been collected, along with the opportunity to challenge its accuracy and have it amended as appropriate.
Cloud service providers should have policies in place that are in line with the organization’s policies regarding access to information.
Challenging Compliance – An organization is responsible for providing a means for individuals to challenge its compliance with the core principles of PIPEDA. The designated individual or team that handles an organization’s compliance will be the point of contact for individuals raising such challenges.
Cloud service providers should have the appropriate policies and procedures to ensure that there are no complaints filed or received regarding the way that an organization’s data is handled.
PIPEDA protects both internet users and businesses that collect personal information. As long as the business is compliant with PIPEDA, it is covered. It is important for business owners, regardless of the size of the organization, to ensure that they are completely compliant with the laws and understand them in order to avoid infractions. This is why it is absolutely integral that their cloud service providers are not only compliant with PIPEDA themselves, but also on board with policies and procedures that support, and indeed strengthen, the organization’s existing policies and procedures.
This is the first installment in a series that will educate business owners on PIPEDA, what they need to know to be compliant, and provide information on privacy laws in the provinces. Upcoming segments of this series include:
- PIPEDA and Your Business – An Evaluation
- PIPEDA Compliance in the Canadian Cloud – An Evaluation
- Provincial Privacy Laws in Canada