Many Canadian companies want to transition to the cloud for business data hosting, yet worry about data access and privacy. Both public and private sector organizations must follow government laws affecting the storage and use of personal information. Provincial governments also have privacy laws to protect customer data, particularly in health care. Storing data outside of Canada brings additional challenges, namely a new set of rules and regulations. Find out what affects data leaving the country, and how this impacts your organization.
What Data Must Stay In Canada?
PIPEDA, the Personal Information Protection and Electronic Documents Act, protects consumer data across the country. Canadian provinces have additional regulations that sectors must follow. PIPEDA holds private organizations accountable for protecting information during transit and outsourcing. While information can cross borders, the Canadian business remains liable for any problems.
Federal government institutions are subject to the country’s Privacy Act, which outlines how personal information is stored and collected. At present, there is a proposal that would prohibit classified data from leaving the country.
Alberta and Quebec restrict the transfer of public sector personal data outside of the nation, and sometimes outside of the province. British Columbia and Nova Scotia prohibit government institutions, Crown agents, and their service providers from moving personal data outside Canada, with limited exceptions.
Ontario prohibits the disclosure of health-related information without the individual’s express consent under PHIPA, the Personal Health Information Protection Act. While health data can move outside of the province, health care companies must adhere to PHIPA when transferring it outside of the province, and this can pose a hardship.
Depending on where your company is located and what type of business you operate, you may be unable to transfer data outside of Canada.
Rules That Affect Data Leaving Canada
PIPEDA mandates that organizations are responsible for personal information they’ve collected even when it’s being transferred to a third party. The company is required to use “contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
To ensure your business complies with PIPEDA, let’s look at what this regulation really means:
- Transfer: When information is transferred for processing, it must only be used for the original purpose of collection (for instance, marketing).
- Comparable Level of Protection: The third-party processor must provide a level of protection equivalent to what the data would have received had it remained with the Canadian company.
- Transparency: The organization must be transparent about its practices for handling personal information. Organizations must tell customers that their data is sent elsewhere for processing, and state that personal information sent to another jurisdiction may still be accessed by Canadian law enforcement, courts, or national security personnel.
Considerations for Data Storage and Transfer
If you are thinking of transferring personal information outside your jurisdiction for processing, you must follow PIPEDA’s transfer rules. Your organization remains accountable for the information, even when the other organization takes possession of it and begins to process it. A contract is the primary means for protecting information once you’ve transferred it.
You must also be forthright with your customers about how their data will be handled, including the chance you may send it to another jurisdiction.
Since you will be held liable for anything that happens to your data outside your jurisdiction, you must assess any risks that could jeopardize the confidentiality and security of personal information once it’s transferred to an international service provider.
Once your data is transferred outside of Canada, it becomes subject to the laws of the country where the data is stored. For instance, if you send data to the U.S. for processing, or if you work with a cloud vendor located in the U.S., your customers’ personal data becomes subject to U.S. law, and U.S. law enforcement agents could gain access to search data held by American service providers. As you can imagine, this places a larger burden on you.
By keeping your data on Canadian servers, you simplify things. Rather than following provincial, federal, and international laws, you need only adhere to Canadian federal and provincial privacy laws for data security. Canadian cloud providers have the best knowledge of the country’s privacy laws, so they are in the best position to securely store data for public and private organizations.
Before you move your business data to the cloud, think through the implications of doing so — and consider whether you could afford to recover from a customer data breach. Ask any third-party provider you’re considering questions about their data storage, data security, and cyber security, to make sure they can accommodate the level of security that’s required by provincial data storage laws and Canadian privacy laws.
While it takes time to understand how PIPEDA and provincial regulations affect your business, it is ultimately in your best interests to understand these concepts. When you know the law, you can make smart decisions to mitigate your risk. You’ll also keep documents and personal information safe and secure in the cloud, which protects your reputation and instills customer confidence.
This article is dated Oct 2017 yet the PATRIOT Act was superseded in 2015 by the USA FREEDOM Act. In bulk most of the powers were retained but Section 215 was not. Whether this makes a tangible difference in the privacy afforded the data of non-US citizens on data held in the US or by US parented companies is arguable but it should be up to date.
Thank you for your comment. We have updated the wording in the article and plan to release a similar article in the near future with more information.
Would a law enforcement agency in Canada, BC, be able to purchase a software solution hosted in the US?
Thanks, it is quite informative
Thanks for the excellent guide
Thanks to the terrific manual
Hey very nice blog!
“British Columbia and Nova Scotia prohibit government institutions, Crown agents, and their service providers from moving personal data outside Canada, with limited exceptions.”
Can you point me to where this is located, please?
Great article, it is really informative and innovative. Keep us posted with new updates. It was really valuable. Thanks a lot.
Thanks for sharing such beautiful information with us.
I don’t expect all data to stay in Canada. We use internet infrastructure south of the border because it works well – it helps data flow quickly and technology giants like Apple, Microsoft and Google are based in the U.S. Also, not all of our data is meant to stay in Canada.
Great article. What about the banks moving to the cloud? Doing business with US cloud providers? What about the CLOUD Act, even if the banks store their data in data centres located in Canada…
I blog frequently and I seriously appreciate your content.
Your article has truly piqued my interest. I’m going to take a note of your site and keep checking for new details about once a week. I opted in for your feed too.
Wow, I have not heard about this before. Your writing is truly superb and I just love it. Your article has been enlightening and fun to read and I am grateful, so thank you for sharing.
Hi! I simply want to offer you a big thumbs up for the excellent information you’ve got here on this post. I will be coming back to your blog for more soon.
I know this is off topic, but I’m looking into starting my own weblog and was curious what all is required to get set up. I’m assuming having a blog like yours would cost a pretty penny? I’m not very web smart, so I’m not 100% sure. Any tips or advice would be greatly appreciated. Kudos.
Thank you, it is very informative.
Thanks for sharing such a nice opinion. The post is nice, that’s why I have read it fully.
Organizations are concerned about security in moving to the cloud. Proper cloud adoption (public/private/hybrid) must be done with expert advice, and, most importantly, efficient and proactive support must be ensured by a technically adept team.
Awesome post.
Thanks
There are many things to learn, so much info on it.
Kind regards,
Lunding Hessellund
Hello! Someone in my Facebook group shared this site with us, so I came to take a look. I’m definitely enjoying the information. I’m bookmarking and will be tweeting this to my followers!
Terrific blog and outstanding design.
I read a lot of posts, but the topic you covered in this one is the most comprehensive and helpful.