For organizations in Canada, finding cloud storage that satisfies both federal and provincial privacy requirements (to say nothing of the rules of other countries) is a challenge. In both the public and the private sector, the overlapping regulations can be confusing.
The good news is that Sync is the easy choice: Sync offers cloud storage that is both PIPEDA and PHIPA compliant, with our datacenter located here in Canada.
The Privacy Act, in force since 1983, governs how federal government departments and agencies must handle the personal information they hold about individuals, Canadian citizens and foreign nationals alike. While the Privacy Act applies to federal institutions rather than to private cloud providers, it forms the foundation of privacy law in Canada and reflects the importance of privacy to a free and open society.
In general, the Privacy Act specifies that a government institution may not collect personal information unless it relates directly to an operating program or activity of that institution. When an institution collects personal information from an individual, it must tell that individual the purpose for which the information is being collected, and it may not disclose the information to a third party without the individual's consent except in the specific circumstances the Act lists. Every Canadian citizen or permanent resident also has a right to access the personal information held about them and to request correction of anything that is inaccurate.
For organizations in the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA) extends comparable rights to individuals exchanging information with businesses and organizations outside of government. PIPEDA applies to personal information collected, used, or disclosed in the course of commercial activity (non-profits and unions are generally covered only to the extent they engage in such activity). The law gives individuals the right to know why an organization collects, uses, and shares their information. It requires organizations to use and protect that data reasonably and appropriately, and to let individuals view and correct the information held about them.
PIPEDA, and provincial statutes such as the Personal Information Protection Acts (PIPA) of Alberta and British Columbia, describe how private-sector businesses and organizations may collect, use, and disclose personal information. In many cases the national and provincial legislation is more or less identical. Four provinces have enacted legislation that the Governor in Council considers "substantially similar" to PIPEDA; in those provinces the provincial law applies in place of PIPEDA to activity within the province, although PIPEDA continues to govern federally regulated organizations and personal information that crosses provincial or national borders.
Sync is also a natural fit for private-sector applications. Sync goes beyond what the law requires by encrypting all data in transit to and from our datacenter, so at no point is any data sent in plaintext. That protects your customers and employees, and it protects your business too.
What it is: Two provinces have private-sector privacy laws named PIPA: Alberta and British Columbia. PIPA protects individual privacy by requiring, in most cases, that private-sector organizations obtain consent for the collection, use, and disclosure of personal information, and by giving individuals a right of access to their own personal information.
Who it's for: In both Alberta and British Columbia, PIPA applies to private-sector organizations, such as incorporated or unincorporated businesses, trade unions, partnerships, and individuals running their own businesses, and to persons acting for them, such as agents or contractors. In British Columbia, PIPA also applies to trusts and non-profit organizations. Alberta's version has special sections dealing with non-profit organizations and professional regulatory organizations.
What it is: PHIPA (the Personal Health Information Protection Act) is Ontario legislation that sets rules for the collection, use, and disclosure of personal health information. Chiefly, consent is required for the collection, use, and disclosure of personal health information. Health information custodians must treat all personal health information as confidential and maintain its security. Individuals also have a right to access their personal health information and to have errors corrected.
Who it’s for: PHIPA applies to “health information custodians” like doctors, nurses, hospitals, pharmacies and medical laboratories in Ontario.
What it is: Commonly called the Private Sector Act, Quebec's Act respecting the protection of personal information in the private sector sets out four main principles governing how private-sector businesses in Quebec collect, store, use, and disclose personal information.
Who it's for: The Private Sector Act applies to any person or company carrying on an enterprise in the province of Quebec that collects, holds, uses, or communicates personal information.
If your company isn’t based in Canada, chances are your country has laws about how personal data should be collected and stored. France, Germany, and the United Kingdom all have stringent regulations about how both government and non-government entities manage personal information.
Perhaps the most well-known privacy legislation in the United States is the Health Insurance Portability and Accountability Act (HIPAA). Its Privacy Rule regulates the use and disclosure of protected health information by covered entities such as health insurers, doctors, and hospitals, and by the business associates that handle that information on their behalf. The Privacy Rule resembles PIPEDA in that it restricts how health care providers may use individuals' personal information and gives individuals a way to request correction of inaccuracies.
HIPAA's Security Rule then specifies how electronic protected health information must be safeguarded. It lays out three categories of safeguards required for compliance: administrative, physical, and technical. Within each category it sets out implementation specifications, some required and some "addressable"; an addressable specification must either be implemented or, where that is not reasonable and appropriate, be replaced by a documented equivalent measure.
Sync is an ideal partner for organizations required to comply with HIPAA. All data stored on our servers is encrypted, and because the system is zero-knowledge (data is encrypted before it leaves your device, with keys Sync does not hold), Sync is unable to decrypt any protected health information stored on our servers. Sync also makes it easy to request a Business Associate Agreement (BAA) before you move data to Sync's servers. Note that a BAA covers Sync's obligations as a business associate; your own administrative, physical, and technical safeguards remain your responsibility, and HIPAA itself has no formal certification.