As a Canadian business owner you need to comply with both federal and provincial privacy laws to protect the privacy of your customers.
In Canada, as of January 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to every organization that collects, uses or discloses personal information in the course of commercial activities. The law governs the information that businesses can collect about Canadians, as well as how organizations must manage and protect that data.
PIPEDA is applicable to both private and public sector organizations and stipulates that Personally Identifiable Information (PII) must be accessible for inspection and correction, and be stored securely. PIPEDA states that once an organization collects data, regardless of the province, industry or type of data, that organization is fully accountable and responsible for the protection of that data.
Once an organization collects sensitive data such as name, age, SIN, income, employee files, credit records, loan records, or business intentions to acquire goods or services or change jobs, that organization is then 100% responsible for the protection and security of that data, and it is up to each individual organization to fully understand the rules.
American corporations operating in foreign countries still fall under the PATRIOT Act and do not necessarily adhere to PIPEDA.
Your business might be required to keep your data in Canada.
You could be required to keep data within Canadian borders depending on the province, sector and industry your business operates in. For example, the province of Nova Scotia clearly states that “Public bodies ensure that personal information in its custody or under its control … is stored only in Canada and accessed only in Canada.”
Bill No. 19—the Nova Scotia Personal Information International Disclosure Protection Act, 2006, 5(1).
In 2006, British Columbia enacted its Personal Information International Disclosure Protection Act, which includes similar requirements. Bill 73 defines the Freedom of Information and Protection of Privacy Amendment Act in BC. The law requires public bodies to ensure that “personal information in its custody or under its control is stored only in Canada and accessed only in Canada.”
Canadian privacy laws also require organizations to make it clear to other businesses or individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. PIPEDA sets forth that when an organization collects sensitive data, that organization is fully accountable and responsible for that data.
At Welcome Networks, we keep the data of all Canadian clients in Canada. All our backup servers are also in Canada, and the data of Canadian clients never leaves Canada. To learn about the individual acts in detail, please see the resources below.
The Office of the Privacy Commissioner https://www.priv.gc.ca/index_e.asp
Alberta’s Personal Information Protection Act
British Columbia’s Personal Information Protection Act.
New Brunswick’s Personal Health Information Privacy and Access Act, with respect to personal health information custodians.
Newfoundland and Labrador’s Personal Health Information Act, with respect to health information custodians.
Nova Scotia’s Personal Information International Disclosure Act
Ontario’s Personal Health Information Protection Act, with respect to health information custodians.
Privacy Legislation in Canada – http://www.priv.gc.ca/resource/fs-fi/02_05_d_15_e.asp
Reaching for the Cloud(s): Privacy Issues related to Cloud Computing. Office of the Privacy Commissioner of Canada, March 2010: http://www.priv.gc.ca/information/research-recherche/2010/cc_201003_e.asp
Provincial Canadian Geographic Restrictions on Personal Data in the Public Sector – The Center for Information Policy Leadership – Hunton & Williams LLP, 2008 –