Many Canadian businesses are turning to the cloud for their data hosting needs, but it’s important to remember that “the cloud” is made possible by a data center - and the physical location of that data center has important implications.
An Overview of Canadian Privacy Laws & Cloud
In Canada, both public and private sector organizations are held accountable to government laws and regulations that cover the storage and use of personal information. Changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) recently came into effect on November 21, 2018, and a key takeaway is that private organizations are accountable for protecting information during transit and outsourcing.
This means that businesses are responsible for the personal information they’ve collected, even when they transfer it to a third party (i.e. a cloud services provider).
In this post, we’ll cover some of the rules that affect data leaving Canada, and some key considerations surrounding data storage and transfer when you are looking into cloud services, colocation or virtualization.
Data Centers & Rules That Affect Data Leaving Canada
Because Canadian organizations and data centers are responsible for the personal information they’ve collected, they are required to provide a comparable level of protection through contractual or other means while the information is being processed by a third party.
But what does that actually mean for data centers? Let’s break it down:
- Transfer of Information: All information transferred for processing should be used only for the purpose for which it was originally collected.
- Equivalent Protection: Third parties, such as data centers, that receive the information should provide a level of data protection equivalent to that required of any Canadian organization.
- Transparency in Data Handling: Organizations need to maintain transparency in their data handling practices pertaining to personal information. If sensitive data is sent elsewhere for processing, organizations need to give all the details to their customers. Moreover, they need to clarify whether the personal information is being sent to another jurisdiction. In any case, data may still be accessed by Canadian law enforcement, courts, or national security personnel.
The Considerations and Risks of Out-of-Country Data Storage
While PIPEDA does not necessarily prohibit the transfer of personal information out-of-country, it’s important to remember two key things:
- Once your data leaves Canada, it becomes subject to the laws of the country in which it is stored. As a common example, if you use a cloud vendor who stores your data in a US data center, the personal data entrusted to your organization is now subject to US laws – which means it could be subject to unwanted (but technically legal) access by government agencies.
- While a contract with a third-party provider is intended to ensure information is protected when entrusted to a third party, your organization will still be held liable for anything that happens to the data outside of Canada. This requires you to dedicate additional resources to evaluating risks, planning for additional data breach possibilities, and working out how to deal with them at arm’s length.
Simplify Compliance and Privacy by Choosing a Canadian Cloud Provider
While many businesses might get caught up in the possibilities of cloud computing and colocation, it’s important to be aware of the complex responsibilities that surround how (and where) your data is stored and transferred.
In most cases, you can greatly simplify things by keeping your data on Canadian servers, removing all the additional work, risks, and uncertainties associated with sending confidential data across international borders.
Canadian cloud providers can also offer the best knowledge of Canada’s privacy laws, at both the federal and provincial levels, and are in the best position to safeguard your data.
GRIP I.T. is proud to operate a 100% Canadian, Tier 3, SSAE 16 compliant data center featuring built-in redundancy measures including back-up power generators to ensure 99.99% uptime. We keep your data secure and available by employing additional backup sites across Canada, ensuring your data never crosses an international border.
We are equipped to offer a variety of cloud services, including web hosting, hosted exchange, business continuity, hosted phone solutions, and cloud computing – as well as a full suite of comprehensive managed IT Solutions for business.
If you would like to learn more about our services or data hosting solutions, we would be happy to schedule a consultation.