Canadian Privacy Laws: PIPEDA Compliance in the Canadian Cloud – An Evaluation

The way that commercial organizations manage the disclosure, use, and collection of personal information is a major concern among businesses and their customers as well as the public at large. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is a set of laws that direct companies in this practice. This multi-part series will introduce Canadian businesses to the laws and guide them through the process of becoming compliant and applying them to their own organizations.

The first segment, Canadian Privacy Laws: PIPEDA and its core Principles in the Cloud, provided an introduction to PIPEDA and highlighted several concerns that businesses may encounter regarding their policies that govern how they manage personal information.

The second segment, Canadian Privacy Laws: PIPEDA and Your Business – an Evaluation provided businesses with a set of guidelines that allowed them to determine if their organization is compliant with the Act and help them become compliant.

In this third segment, businesses will learn how to evaluate their cloud company to ensure that they are keeping with the laws. It is the responsibility of the business to maintain its own compliance with PIPEDA. This includes any third party businesses it uses to support its operations such as a cloud company. Whether moving to or already in the cloud, businesses need to know the policies and compliance of the cloud service provider. This post will provide business owners with a checklist of questions that will allow them to evaluate their potential or existing cloud service provider.

Privacy and The Cloud

Simply protecting personal information is not enough. The way that information is protected is integral to maintaining the privacy of the individual or entity. This is even more important when it comes to cloud computing. Not only does the cloud company need to comply with the PIPEDA, its privacy policies should also match the company’s privacy policies or exceed them.

Your cloud service providers privacy policies should match or exceed your own.

When a business hires a cloud company they are essentially handing over their sensitive data to a third party. The primary objective it to keep the data safe and even though it is handed over to the third party, the organization that owns the data is the one accountable for its safety. This means that a business is responsible for the personal information it collects and uses even when those functions are done in whole or in part by a third part – in this case a cloud company.

Even with the most careful and conscientious businesses there is always the possibility that their data will be accessed by government agencies both foreign and domestic. The US Patriot Act, Prism program is a prime example. Even if a company’s data is stored in Canada, it could be routed via the US. This is actually quite common. It is estimated that around 90% of Canadian traffic is routed via the US. This means that the highest safeguards must be in place in order to protect that information.

Moving To The Cloud

Many smaller and growing businesses can benefit greatly from cloud computing. It’s flexible and scalable environment allows costs to remain controllable and low because they only pay for what they need. The primary advantage of cloud service providers is their ability to offer infrastructure, platforms that small businesses or even mid-size companies do not have the money, time, or expertise to develop.

It is important for a business to analyze every aspect of their cloud company’s privacy policies to ensure they line up with their own.

In Canada, many companies are moving to the cloud. This checklist will help businesses determine what service provider is right for their organization and evaluate their policies. While the company’s compliance through the cloud service provider is important, ultimately it is the customer’s information that is being protected – and they would want to ensure that the cloud service provider handling their personal information is doing so in a manner that is consistent with PIPEDA.

Currently Using The Cloud

Many businesses and organizations have already made the move to the cloud. However, they may have done so with little or no thought regarding privacy laws. They may have simply assumed that the company was compliant or they may have assumed that since their provider calls it a Canadian Cloud, it may not be 100% Canadian.
This checklist can help businesses evaluate their current provider. It is absolutely vital that an organization review its provider’s current terms of service and policies. After all, the business is responsible for the cloud company it chooses and if that company is subpar regarding its privacy policies, the business that hired it is liable.

Checklist

Conclusion

It is important for a business to analyze every aspect of their cloud company’s privacy policies to ensure they line up with their own. Don’t be afraid to ask questions. Have them walk you through the process, step by step and look for any weak areas or practices that could compromise the integrity or privacy of the data collected. Unfortunately, data breaches do occur and this should be an area of concern. It is important that both you and the cloud company have a plan in place to protect the data and manage any breach that may occur. Incorporate this plan into your company’s crisis management plan to ensure a seamless response should the unthinkable occur.

The next part of our series will focus on Provincial Privacy Laws. Different provinces may have different privacy laws in addition to the PIPEDA. If you are located in any of these provinces it is vital that you understand these laws and know how to apply them to your business and your cloud company. We will look at each province’s privacy laws individually and in depth, providing clear guidance on best practices and ensuring compliance.