The province of Alberta has a law similar to PIPEDA, the Personal Information Protection Act (PIPA), that protects personal data collection within the private sector. The Freedom of Information and Protection of Privacy Act (FOIP) governs the public sector.
While FOIP does not limit or restrict the use of third parties outside of Alberta, it does limit the public body as well as its service provider. Personal information can only be disclosed when a warrant, order, or subpoena has been issued from a jurisdiction within Alberta. Storing data outside of Alberta presents certain risks, such as making it susceptible to jurisdictions outside of Alberta.
When you are selecting a cloud provider at the provincial private and public sector level in Alberta, it is essential that you conduct a thorough evaluation of the provider and their policies. Questions to ask include:
- Is the business’ ownership inside of Canada?
- Where are the business and data centers physically located?
- For businesses located in a province and governed under that province’s laws, is the data center also located within that province?
- Are all contractual provisions aligned with the privacy laws of your province, including third-party access limitations and the requirement to provide notification of a suspected or actual security breach?
- What policies does the cloud company have in place for privacy, security, and access management?
- What are the protocols for infrastructure security, including encryption of information when it is stored and transferred?
- What policies does the cloud company have in place regarding subpoenas and warrants that are issued to them from jurisdictions outside of the province or outside of Canada?
For more information on Alberta’s privacy laws, visit: