PIPEDA Consent in The Canadian Cloud

Server Cloud Canada

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

Of the solutions identified in the “Consent and Privacy” discussion paper, which one(s) has/have the most merit and why?

Enhancing Consent: Managing Privacy Preferences Across Services

The way that information is protected is integral to maintaining the privacy of the individual or entity. This is even more important when it comes to cloud computing. Not only does the cloud company need to comply with PIPEDA, its privacy policies should also match a client’s privacy policies or exceed them.

When a business hires a cloud company they are essentially handing over their sensitive data to a third party. The primary objective it to keep the data safe and even though it is handed over to the third party, the organization that owns the data is the one accountable for its safety. This means that a business is responsible for the personal information it collects and uses even when those functions are done in whole or in part by a third party – in this case a cloud company.

Even with the most careful and conscientious businesses there is always the possibility that their data will be accessed by government agencies both foreign and domestic. The US Patriot Act, Prism program is a prime example. Even if a company’s data is stored in Canada, it could be routed via the US. This is actually quite common. It is estimated that around 90% of Canadian traffic is routed via the US. This means that the highest safeguards must be in place in order to protect that information.

Server Cloud Canada recommends the following checklist for companies to use when choosing or switching a cloud service provider, to ensure compliance

1. If the Cloud Service Provider claims to be housed in Canada, is it only located in Canada, is it a Canadian corporation, or is it just operating in Canada?
2. Does the Cloud Service provider’s terms of service contract align with your business’ privacy policies?
3. Does the Cloud Service provider have policies and processes in place to ensure that data in its care is safeguarded at all times and adheres to encryption policies (Can another party intercept the data)?
4. Has the cloud service provider been involved in “Findings under PIPEDA” with the office of the privacy commissioner?
5. What happens to your data when the service is terminated? Is it destroyed? What is the cloud company’s policies for disposing/destroying stored data?
6. Does your organization have the right to audit how the cloud service provider handles the personal data that you collect?
7. Does the cloud service provider have policies and processes in place to train their staff in order to ensure that it manages personal data in a safe and secure way? Are they transparent with these policies?
8. If there is a data breach, what are the cloud service provider’s policies regarding notification? How do they inform your business of a potential or real breach, and what actions with they employ if there is a breach?
9. Does the cloud service provider agree to indemnify the business organization in the event that an unauthorized access to personal information results in legal action against the business organization by an individual?
10. Does the cloud service provider match or exceed your own organization’s policies and outlook on handling personal data?

Unfortunately, data breaches do occur and this should be an area of concern. It is important that both the business and the cloud company have a plan in place to protect the data and manage any breach that may occur. Incorporate this plan into your company’s crisis management plan to ensure a seamless response should the unthinkable occur.

With many large American companies entering the Canadian market, a business must research not only where their data is held but also where it might go, and who controls the data as a third party. When policies and laws are updated, we feel these concerns should be taken into accord when companies collect data and should be noted when asking for consent from the consumer.