The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information of Québec requires that personal information cannot be released outside of Québec or entrusted to a body or person outside of Québec to hold, use, or release the information on its behalf until the information is protected at a level that is equivalent to that of provincial law. It is intended to prevent personal data from being exported to other Canadian provinces or other countries that fail to provide the protection that is equivalent to that of Québec law.
Cloud service providers are required to take all reasonable steps to ensure that any information collected is only used for the purposes for which consent was given. That information also cannot be communicated to any third parties without first obtaining consent. If the organization deems the information will not be afforded the appropriate protection as required under the act, it is required by law to refuse communication of the information.
When you are selecting a cloud provider at the provincial private and public sector level in Québec, it is essential that you conduct a thorough evaluation of the provider and their policies. Questions to ask include:
- Is the business’ ownership inside of Canada?
- Where are the business and data centers physically located?
- For businesses located in a province and governed under that province’s laws, is the data center also located within that province?
- Are all contractual provisions aligned with the privacy laws of your province including third party access limitations and requirement to provide notification of a suspected or actual security breach?
- What policies does the cloud company have in place for privacy, security, and access management?
- What are the protocols for infrastructure security including encryption of information when it is stored and transferred?
- What policies does the cloud company have in place regarding subpoenas and warrants that are issued to them from jurisdictions outside of the province or outside of Canada?
For More information on Québec’s privacy laws, visit: