In the clouds and beyond! Navigating access and storage outside of Canada

Are you tempted by the potential benefits of cloud-computing? The option can be appealing, as the service often cuts costs and removes obstacles for users looking to reduce IT infrastructure and maintenance. Before you reach for the clouds, make sure you know the legal requirements that apply when processing and storing personal information outside of Canada.

Public Bodies

First, let’s take a look at BC’s public sector legislation. All public bodies in BC (e.g. the government of British Columbia, universities, local governments) are subject to the Freedom of Information and Protection of Privacy Act (FIPPA), which prohibits the disclosure, storage or access of personal information outside of Canada. There are a few exceptions, such as if an individual consents, but the general rule is to keep personal information within Canadian borders.

Organizations

Now let’s move on to BC’s private sector legislation. Organizations in BC (e.g. non-profits, businesses, trade unions, etc.) are subject to the Personal Information Protection Act (PIPA). Unlike FIPPA, PIPA does not restrict storage and access to personal information outside of Canada.

• For more detailed information, read our guidance document Cloud Computing for Small and Medium-sized Enterprises.

But before you hit upload, make sure there is a process in place to let individuals know about their privacy rights, including how the organization protects personal information and if the information will be transferred out of Canada.

The best place for this information is in a privacy policy. A detailed, user-friendly privacy policy is the best way to establish a trusting relationship between organization and individual. The privacy policy should be easily accessible, such as on your website, and include a contact person to address questions or concerns. 

• For more detailed information, read our guidance document Practical Suggestions for your Organization’s Website’s Privacy Policy. 

Security

Okay, so you’ve decided the cloud is the best option for your organization… now what? You still have the issue of security to deal with. In BC, public bodies and organizations are legally required to ensure reasonable security measures are in place to protect personal information from unauthorized access, collection, use, disclosure or disposal.

Therefore, it is your responsibility to make sure the cloud provider has robust security practices in place to protect personal information. The level of security should be proportional to the sensitivity of the stored information.

Encryption is one of the simplest ways to add an extra level of security to stored data. Encryption uses an algorithm to transform plain text information into a non-readable form, and requires an algorithm and an encryption key to return it to a readable format. The act of encryption doesn’t change the sensitivity of the information – it is still personal information, after all – but it does add an extra level of security.

Is cloud-computing right for my organization?

If your organization is considering cloud-computing, make sure you consider the privacy implications first. Complete a privacy impact assessment to determine if the service is right for you, if personal information will be collected, and to document any potential privacy concerns.

• For more detailed information, read our guidance document IT Security and Employee Privacy: Tips and Guidance

And of course, our office is here to help. If you have any questions, or need help identifying potential privacy concerns with cloud-computing, please contact us and we will be glad to talk to you in more detail.