Canadian Privacy Acts At A Glance


There are many blogs about government privacy acts. However, consumers – people – don’t see the connection between their daily lives and privacy acts.  Here, we will summarize Canadian privacy acts while sparing you the legal language.  

Canadian governments (federal and provincial) set the direction for Canadian organizations and businesses when adopting cloud technologies to protect consumers’ privacy. We can debate governmental restrictions and protections, but all in all, restrictions are imposed on organizations and businesses that collect sensitive information. As a technology company, we take a collaborative approach to complying  with legislation.  

There are two levels of Canadian privacy acts: federal and provincial levels. 

Federal Privacy Acts Regarding Data Residency

Two federal privacy laws are enforced by the Office of the Privacy Commissioner of Canada: 

  • The Privacy Act covers how the federal government handles personal information;
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) covers how private-sector organizations handle personal information in the course of for-profit, commercial activities across Canada.

Provincial privacy laws cover municipalities, public-sector organizations, crown corporations, and not-for-profit and charity groups.

The federal government categorizes sensitive data into four protected information levels: Protected A, Protected B, Protected C, and Classified Information.

Protected B, Protected C, or Classified information must be stored “in a government of Canada approved data centre located within the geographic boundaries of Canada or the premises of a Government of Canada department located abroad such as a diplomatic or consular mission.”

Refer to Direction for Electronic Data Residency.  

The white paper Data Sovereignty and Public Cloud from the Government of Canada website provides insights about data sovereignty with different cloud deployments: public cloud, hybrid cloud, private cloud, and non-cloud. Here is the explanation of the cloud options through Wikipedia if you’d like to know the nitty-gritty details.

The Treasury Board of Canada has provided valuable and detailed recommendations and use cases published on the Federal government’s website for public and private-sector organizations to follow.  

Provincial Privacy Acts Regarding Data Residency

Provinces either follow the federal PIPEDA or set their own privacy acts to guide public-sector organizations and healthcare providers who manage and process personal data. Provincial privacy acts differ from one to another and are constantly evolving with amendments to provide the best privacy protections while allowing the flexibility of adopting the best and the latest global technologies. Provinces have been debating data residency (whether to keep the data in-province or allow nationwide or outside of Canada storage) for their own public sector organizations, including healthcare providers. 

If any specific organization decides to host that sensitive information outside of Canada, the organization must adhere to the provincial privacy acts, conduct a thorough Privacy Impact Assessment (PIA), inform individuals, and obtain their consent. One example is the Ontario Physiotherapy Clinic’s terms of agreement, where they disclose what apps they are using and where your health data is stored.

Nova Scotia defined the Personal Information International Disclosure Protection Act, PIIDPA. Under PIIDPA, public bodies and municipalities are required to ensure that any personal information held by them (or any service provider acting on their behalf), remains in Canada, is accessed, and is disclosed only in Canada, unless certain circumstances exist. This FAQ provides the context of  data sovereignty under PIIDPA. 

Both the federal and provincial governments have specific legislation concerning data location. We have seen the outline of such legislation. Now, if you are responsible for a lot of your customers’ data, one hopes you will do the due diligence and select your technology partners responsibly.

Your Privacy, Not Sharing Is Caring


Our Canadian business and enterprise customers often ask us: what does “Data Centre” in Canada mean? This sounds like a simple question, but actually it isn’t. Let’s dive into what data location means to you. 

Privacy is the main driving force for using data centres with a determined location. For financial and medical records, for example, we would like governmental or legal protection of that data. But inevitably, everybody uses multiple cloud applications for business and personal purposes: Gmail, Office 365, iCloud, Facebook, etc. Google Maps keeps the last 10 years of your travel itinerary. Google gives me a map of everywhere I have been in the last month. Through data mining, your shopping habits and whatever other interests you and your family may have are potentially exposed. My robot vacuum cleaner has my household floor plan. Without governmental restrictions and law, the Cambridge Analytica scandal will happen over and over.

When using cloud applications (also referred to as Software-as-a-Service), consumers, for the most part, interact with the service provider directly. Major service providers leverage one or several infrastructure providers (also referred to as Infrastructure-as-a-Service) for data hosting, email notifications, or SMS messaging. Infrastructure companies are transparent to end-users: which server, where, and what type of infrastructure hosts the cloud application is not visible to the end-user.

For privacy, a commitment from the entire chain, from the application on your phone, to the cloud application, and the infrastructure, is required. While your service provider may not set out to violate your privacy, infrastructure companies may not care so much about your data sovereignty. The end-user has no control over the complexity of the multiple layers involved in using that app.

As an end-user, reading the “Terms of Service” may be boring, but it’s the responsible thing to do before you hit the “I Agree” button. Personal information is at risk, and it’s good to know your exposures. The convenience of cloud applications is great, but reading the “Terms of Service” is a habit that must be adopted.

Signority seeks to protect the end-user. Our customers demand it. Signority has been offering  eSignature applications for over 10 years. We make a point of having the Canadian data handled by our Canadian customers stay in Canada.

Canadian governmental organizations, not-for-profits, and private companies, enjoy using Signority services, from Canadian servers,  to serve  Canadian residents. Information such as insurance forms, finances, medical data, HR data such as employee social insurance numbers, pay rates, job offers, even a primary school’s field trip waivers with health card numbers, are all located in Canadian servers for Canadian residents. For Signority, the end customer is the owner of the data, and we protect that by data colocation. We do not allow 3rd parties to mine our customers’ data, nor do we allow “metadata” analysis. Signority avoids  the ramifications of cross-border storage of data by simply not crossing the border.       

When considering your eSignature provider, consider your customers’ privacy and security. This applies to both the public and private sector. Signority offers a private cloud with a complete data localization solution that alleviates the worry about where your customer data is located while complying with global legislation. For privacy, Signority is your technological partner. Read our blog about Signority’s data localization solution.

Your Privacy Is In The Details


A few years ago, we received a postal letter from one of the investment funds to which we subscribe: a privacy policy change notice with many pages, small font on paper,  thick legal jargon seemingly designed to discourage people from reading through them.  It was a bank letter designed by lawyers. 

There was a ‘deny’ form at the end: only mail the letter back if we disagreed with the financial institution moving the data centre outside of Canada. We read the entire document and strongly disagreed with the international data centre proposal. As Canadians, our data is not as protected on foreign soil as it is in Canada. This was definitely not acceptable. This would change the Data Location, where our bank stores our personal information, from Canada to outside of Canada.

“Data location” is also called “data residency”. In principle, everybody should have the ownership of their own personal data: we should have “Data Sovereignty”. But in practice, we are far from there. If you have accounts on Facebook, Google, or Microsoft, then you know your data is very likely in the United States (U.S.). 

But what about your financial, and medical data? Once upon a time, your records were on paper, locked up somewhere nearby. Turns out that the Internet is a more convenient place to store those records. 

Data Location can Affect Data Privacy

Here is another real life example from a friend. 

My friend had a recent encounter with an Ontario psychologist. The psychologist used a free Gmail account. Right off, my friend was put off by the unprofessionalism. Their services were $250/hour; the clinic should at least use a professional domain name.

I had a chance encounter with my friend. After some discussion, it turns out that more clinics use Gmail accounts. My friend decided to go with the flow and sign a contract, book appointments, and send and receive invoices through the Gmail account. But here is something that my friend, and the clinics, should know:

Fact: in Ontario, healthcare organizations must comply with the Ontario government’s Personal Health Information Protection Act, PHIPA. Under the PHIPA, healthcare professionals must disclose and receive consent if they would store your medical information outside of Canada.

The contract that my friend received had lots of legal jargon; she didn’t read it, but signed it anyway. Reviewing the contract, it does mention a couple of specialized apps that could be introduced to the patient. But there is no mention of Gmail, nor consent to Gmail.

Then the assessment reports started coming in. Medical information was now being sent via Gmail. This was now clearly in violation of PHIPA rules.

Personal Information (PI) is information that can identify you unequivocally as an individual. An email address by itself is not personal information, but when that email contains a name and street address, that is “Personal Information” as far as the PHIPA rules go. Furthermore, her Personal Health Information (PHI) is being sent via Gmail.

Cybersecurity and privacy concerns simply did not exist in the past. Your doctor, for example, would simply lock away your records in the filing cabinet. But now, we must look out for our own privacy. You can make some assumptions: a big hospital in Ontario is very likely to be following PHIPA rules, but smaller clinics may not be. 

You can ask the clinic if they follow PHIPA rules, or maybe where they store their patients’ data. In the case of my friend’s psychologist, we have taken the time to inform him of the rules, the PHIPA rules specifically, that he should be following. Ultimately, that psychologist could have been reported to the College of Psychologists of Ontario, but that would have been an extreme measure.

Bottom line: vigilance is required every day for all interactions on the Internet. Your privacy is always at risk. The more private information you give, the more you have to think about your own cybersecurity. If the information is important to you, then you must consider the location of your information. 

How Signority Secures Your Data


My last blog, Three Stages of Data; In Transit, At Rest, & In Use, described each of the three data stages and touched on how each stage requires a different approach to security and privacy. Today we are going to talk about:

  1. when your data enters each of the three stages during the workflow, and
  2. how Signority secures your data. 

If you’ve used Signority you know that every document has a workflow.  The workflow begins at the creation of the document and ends when it’s been stored after it has been signed by all participants.

During its workflow, your document and any data related to it enter all three stages of data at various times. Here is each of the data stages and when your document enters that stage during the workflow.

In Transit: Your information related to your document is in transit (or in motion) when:

  1. someone registers for a new account
  2. you send the email notifications to the signers that there is a document ready for signing, and,
  3. when the document has completed the workflow, meaning it has been signed by everyone, and a copy of the document is sent to each of the document participants (senders and recipients).

At Rest: All information related to the document and the document itself is at rest:

  1. when it is waiting for the next person in the workflow to sign the document
  2. it is stored on our servers once the workflow has been completed.

In Use: Your document and any related data, i.e.: the audit trail, are ‘in use’:

  1. when a recipient or user is editing the document by adding the required information and/or signatures
  2. when the Signority platform is updating the audit trail with any actions, i.e.: signed, id verification, etc.

Signority starts our security process with our employees. All employees and sub-contractors must be security cleared with the federal government security clearance program. And they must complete a minimum amount of security and compliance training each year.

For In Transit and In Use data, Signority eSignature Platform services use strongly encrypted extended validation (EV) Transport Layer Security (TLS) certificates to encrypt the data in transit between users and the Signority eSignature Platform. We only allow the highest security TLS 1.2 and 1.3 protocols, and do not allow weaker TLS or SSL. The article linked above explains in detail what EV and TLS certificates are, what they do, and why we use them.

If you would like to know our rating, here is the most current certificate for Signority at the time of this blog post.

We also do not allow the use of older browser versions. Older versions are not updated with the latest security features and updates to ensure a secure browsing connection.

Data at rest is encrypted using state-of-the-art AWS encryption technology, and we salt usernames & passwords.

What is a ‘salted’ username and password? Salting is a process where a random value (the ‘salt’) is added to them before they are converted through a ‘hashing algorithm’ into an unintelligible series of numbers and letters. You can read a more detailed breakdown here at Okta.com.

Plus, we offer masked tags for end users to encrypt their sensitive information on documents.

If you are not a technical person, think of it this way:

  1. Your information is locked in a box that requires a key.
  2. That key is locked in another box that requires another key to open it.
  3. And that box, with your box, is in a box that is password protected. 

So your data is guarded with multiple layers of protection ensuring your data is secure and private.

If you would like to know more about how Signority protects customers’ data and privacy, I encourage you to go to our Trust Centre. In Signority’s Trust Centre you can review our approach to Security, Privacy, Compliance, and Legislation (Legal).

Have questions? 

Contact us by:

  • calling at 833-222-1088,
  • using the chat icon on the bottom right of your screen,
  • or through our contact form.

Look for my next blog, ‘What is Data Residency? And Does it Matter?’