Canadian Privacy Acts At A Glance
There are many blogs about government privacy acts. However, consumers – people – don’t see the connection between their daily lives and privacy acts. Here, we will summarize Canadian privacy acts while sparing you the legal language.
Canadian governments (federal and provincial) set the direction for Canadian organizations and businesses when adopting cloud technologies to protect consumers’ privacy. We can debate governmental restrictions and protections, but all in all, restrictions are imposed on organizations and businesses that collect sensitive information. As a technology company, we take a collaborative approach to complying with legislation.
There are two levels of Canadian privacy acts: federal and provincial levels.
Federal Privacy Acts Regarding Data Residency
Two federal privacy laws are enforced by the Office of the Privacy Commissioner of Canada:
- The Privacy Act covers how the federal government handles personal information;
- The Personal Information Protection and Electronic Documents (PIPEDA) covers how private-sector organizations handle personal information in the course of for-profit, commercial activities across Canada.
- Provincial privacy laws cover municipalities, public-sector organizations, crown corporations, and not-for-profit and charity groups.
The federal government categorizes sensitive data into four protected information levels, Protected A, Protected B, Protected C, and Classified Information.
For Protected B, Protected C, or Classified information. they must be stored “in a government of Canada approved data centre located within the geographic boundaries of Canada or the premises of a Government of Canada department located abroad such as a diplomatic or consular mission.”
Refer to Direction for Electronic Data Residency.
The white paper Data Sovereignty and Public Cloud from the Government of Canada website provides insights about data sovereignty with different cloud deployments, Public cloud, Hybrid Cloud, Private Cloud, and non-cloud. Here is the explanation of the cloud option through Wikipedia if you’d like to know the nitty and gritty details.
The Treasury Board of Canada has provided valuable and detailed recommendations and use cases published on the Federal government’s website for public and private-sector organizations to follow.
Provincial Privacy Acts Regarding Data Residency
Provinces either follow the federal PIPEDA or set their own privacy acts to guide public-sector organizations and healthcare providers who manage and process personal data. Provincial privacy acts differ from one to another and are constantly evolving with amendments to provide the best privacy protections while allowing the flexibility of adopting the best and the latest global technologies. Provinces have been debating data residency (whether to keep the data in-province or allow nationwide or outside of Canada storage) for their own public sector organizations, including healthcare providers.
If any specific organization decides to host those sensitive information outside of Canada, the company must adhere to the provincial privacy acts, conduct a thorough Privacy Impact Assessment (PIA) and must inform individuals, and have their consent. One example is the Ontario Physiotherapy Clinic’s terms of agreement, where they disclose what apps they are using and where your health data is stored.
Nova Scotia defined the Personal Information International Disclosure Protection Act, PIIDPA. Under PIIDPA, public bodies and municipalities are required to ensure that any personal information held by them (or any service provider acting on their behalf), remains in Canada, is accessed, and is disclosed only in Canada, unless certain circumstances exist. This FAQ provides the context of data sovereignty under PIIDPA.
Both the federal and provincial governments have specific legislation concerning data location. We have seen the outline of such legislation. Now, if you are responsible for a lot of your customer’s data, one hopes you will do the due diligence, and select your technology partners responsibly.
References for Canadian Provincial Privacy Laws
Three provincial privacy acts may supersede PIPEDA: