“Hey, You, Get off of my Cloud!” Are You Complying with PIPEDA?

(Editor’s note: contributed blogs like this are part of ChannelBuzz.ca’s annual sponsorship program. Find out more here.)

In today’s digital age, cloud computing has become established as a viable, even essential, element of how organizations use technology to achieve their business goals. With growing options such as hybrid cloud and colocation, many organizations are moving their workloads into outsourced, purpose-built data center space at a fraction of the cost of running their own, and adoption rates are soaring. In Canada, however, this expansion of cloud computing and cloud services has opened up a deeper discussion about the security, privacy and protection of data, and how cloud use fits with Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Personal Information Protection and Electronic Documents Act, “PIPEDA” for short, sets the ground rules for how private-sector organizations may collect, use or disclose personal information in the course of commercial activities. To comply with the Act, an organization doing business in Canada must collect personal information only for appropriate purposes and must make those purposes clear to the individuals concerned. Beyond that, the Act requires that the organization be transparent about its privacy practices, that collection be limited to what those purposes require, that the information be protected by appropriate safeguards, and that consent be obtained.

Most importantly for those doing cloud business in Canada, PIPEDA makes clear that when an organization transfers personal information to a third party for processing, it remains accountable for that information and must ensure that it is appropriately protected. In other words, an organization that is considering a cloud service remains accountable for the personal information it transfers to that service, and it must ensure that the information remains protected in the hands of the cloud service provider.[1]

So does this mean my organization has to keep its data inside of Canada?

At the federal level, PIPEDA does not itself require Canadian organizations to keep data in Canada. However, depending on the province in which your business is located, whether you operate in the private or public sector, and the industry in which your organization does business (banking, for example), you could be required to keep data within Canadian borders.[2]

A recent white paper by McMillan, which outlines the legal risks of outsourcing organizational data storage to cloud systems with a focus on Canadian privacy law, reinforces this point: information uploaded to the cloud may be sent from one jurisdiction, processed in a second, and stored in a third. Depending on which data protection laws apply in each of those places, and how they are applied, the data may be accessed in a way that does not comply with the governing Canadian privacy legislation. The organization responsible for the data must therefore concern itself both with the protection of the information in every jurisdiction it passes through and with the safeguards that protect the data while it resides in the cloud.[3]

How does this affect selection of cloud providers?

As customers become more familiar with the benefits of cloud, more workloads are being deployed outside the customer’s own data center, and hybrid data center deployments are becoming more sophisticated. Because accountability for personal information stays with the organization that collected it, an organization needs to review a cloud provider’s terms of service carefully and satisfy itself that the personal information it entrusts to the provider will be handled in a manner consistent with PIPEDA. In practice that means understanding where the data will be stored and processed, which subcontractors may handle it, and what security safeguards the provider commits to.

For more information on transferring personal information to third parties, see the Office of the Privacy Commissioner’s Guidelines for Processing Personal Data Across Borders. This article provides only an overview of PIPEDA and some of the considerations that apply to cloud applications. Readers are cautioned against making decisions based on this material alone, as it does not constitute legal advice.

Footnotes:

[1] Introduction to Cloud Computing. Office of the Privacy Commissioner of Canada.

[2] Canadian Privacy Laws and the Canadian Cloud: A Primer for Canadian Businesses. Server Cloud Canada.

[3] Canada: Cloud Computing: Privacy and Other Risks. Mondaq. December 5, 2013.