British Columbia’s Personal Information Protection Act (PIPA) is similar to PIPEDA in that it protects personal data collection within the private sector. Organizations considered to be public bodies, as well as the public sector, must comply with the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA requires that public bodies store any personal information under their control or custody exclusively in Canada, and that it be accessed only in Canada. There are exceptions, but they are few.
Under FIPPA, information on backup tapes or drives, computer logs, cloud servers and other personal information cannot be accessed or stored outside of Canada. It also governs service providers, volunteers, and employees of public bodies. This is important for businesses to know when hiring a cloud service provider to back up, access, and store data.
When you are selecting a cloud provider at the provincial private and public sector level in British Columbia, it is essential that you conduct a thorough evaluation of the provider and their policies. Questions to ask include:
- Is the business’ ownership inside of Canada?
- Where are the business and data centers physically located?
- For businesses located in a province and governed under that province’s laws, is the data center also located within that province?
- Are all contractual provisions aligned with the privacy laws of your province, including third-party access limitations and the requirement to provide notification of a suspected or actual security breach?
- What policies does the cloud company have in place for privacy, security, and access management?
- What are the protocols for infrastructure security including encryption of information when it is stored and transferred?
- What policies does the cloud company have in place regarding subpoenas and warrants that are issued to them from jurisdictions outside of the province or outside of Canada?
For more information on British Columbia’s privacy laws, visit: