In Canada, finding cloud storage that meets both federal and provincial requirements — requirements for other countries notwithstanding — is a challenge. For both the public and the private sector, overlapping regulations can be confusing.
The good news is that Sync is the easy choice: Sync offers cloud storage that is both PIPEDA and PHIPA compliant, with our datacenter located here in Canada.
The Privacy Act
The Privacy Act, first enacted in 1983, describes how government departments and agencies must handle the personal information of Canadian citizens and foreign nationals alike. While the Privacy Act may not apply precisely to cloud storage, it forms the foundation of privacy law in Canada, and the importance of privacy to a free and open society.
In general, the Privacy Act specifies that a government institution may not collect personal information unless it relates directly to an operating program or activity of that institution. Also, when the government collects an individual’s personal information, it must notify the individual that the collection took place, and it must seek permission from the individual to disclose that information to a third party. Additionally, every Canadian citizen or permanent resident has a right to access the information collected from them, and request changes to that information if anything is incorrect.
For the private sector: Personal Information Protection and Electronic Documents Act (PIPEDA)
For businesses, non-profits, and unions in the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA) extends the rights of the Privacy Act to individuals exchanging information with business and organizations outside of government. The law gives individuals the right to know why an organization collects, uses, and shares their information. It sets the expectation that organizations will use and protect the data reasonably and appropriately. It also requires that individuals can view and correct the information about them.
PIPEDA, and some provincial acts like the Personal Information Protection Acts (PIPA) in Alberta and British Columbia, describe how private-sector businesses and organizations can collect, use, and disclose personal information. The legislation enacted at the national and provincial level, in many cases, is more-or-less identical. There are four provinces that have enacted legislation that the Governor in Council considers “substantially similar” to PIPEDA.
Of course, it makes sense to use Sync in private-sector applications. Sync goes above and beyond the law to fully encrypt all data transmissions to and from our datacenter. At no point is any data sent as plain text, which not only protects your customers and employees but your business too.
Personal Information Protection Act (PIPA)
What it is: Two provinces have laws named PIPA: Alberta and British Columbia. PIPA protects individual privacy by requiring, in most cases, private-sector organizations to obtain consent for the collection, use and disclosure of personal information and providing individuals with a right of access to their own personal information.
Who it’s for: In both Alberta and British Columbia, PIPA applies to private-sector organizations, such as incorporated or unincorporated businesses, trade unions, partnerships, and individuals running their own businesses, and to persons acting for them, such as agents or contractors. In British Columbia, PIPA also applies to trusts and non-profit organizations. In Alberta’s version, there are special sections of the Act dealing with non-profit organizations and professional regulatory organizations as well.
Personal Health Information Protection Act (PHIPA)
What it is: PHIPA is Ontario legislation that provides a set of rules for the collection, use, and disclosure of personal health information. Chiefly, consent is required for the collection, use and disclosure of personal health information. Health information custodians are required under the act to treat all personal health information as confidential and maintain its security. Also, individuals have a right to access their personal health information, as well as the right to correct errors.
Who it’s for: PHIPA applies to “health information custodians” like doctors, nurses, hospitals, pharmacies and medical laboratories in Ontario.
An Act Respecting the Protection of Personal Information in the Private Sector
What it is: Commonly called the Private Sector Act, it sets forth four main principles governing how private sector businesses in Québec collect, store, and disclose information.
- A person (an individual or corporation) must have a serious, reasonable and legitimate reason for establishing a file of personal information on someone.
- Every individual has the right to access his/her file, unless the rights of third parties are violated, or there is a serious reason to refuse access.
- Every individual has the right to correct an inaccurate, incomplete or obsolete file.
- Every individual or corporation that opens a file about an individual is responsible for maintaining confidentiality.
Who it’s for: The Private Sector Act applies to any person or company carrying on an enterprise in the province of Quebec, who collects, holds, uses or communicates personal information.
Ten Privacy Principles
Generally speaking, under these acts, companies (like Sync) need to adhere to 10 privacy principles to comply with PIPEDA and its provincial siblings.
- Accountability. An organization is responsible for personal information under its control.
- Identifying Purposes: You have a right to know how your information will be used.
- Consent: An organization can collect, use and disclose your personal information only with your knowledge and consent, except where permitted or as required by law.
- Limiting Collection: An organization can collect information by fair and lawful means only, and only in circumstances it explicitly describes.
- Limiting Use, Disclosure, and Retention: An organization cannot use or disclose your personal information other than for the purposes for which it was collected, unless they receive your consent or are required or permitted to by law.
- Accuracy: You have the right to ensure the information an organization collects about you is correct, and you have the right to change it if it’s not.
- Safeguards: An organization must protect the personal information in their possession and control by using security safeguards appropriate to the sensitivity of the information.
- Openness: Should an organization change any of their privacy practices, they must post those changes conspicuously for 30 days before they goes into effect.
- Individual Access: Upon written request, an organization must give you access to the information about you that they have custody of.
- Challenging Compliance. An organization must maintain procedures for addressing and responding to inquiries or complaints from its customers about the handling of personal information.
For organizations and companies abroad
If your company isn’t based in Canada, chances are your country has laws about how personal data should be collected and stored. France, Germany, and the United Kingdom all have stringent regulations about how both government and non-government entities manage personal information.
Perhaps the most well-known privacy legislation in the United States is the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the Privacy Rule regulates the use and disclosure of personal information shared with health insurers, doctors, and hospitals. HIPAA’s Privacy Rule is very similar to PIPEDA in that it restricts how health care providers can use individuals’ personal information, and offers a method for individuals to correct inaccuracies.
Additionally, HIPAA’s Security Rule discusses exactly how to handle an individual’s electronic personal information. It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each type, there are very specific regulations and recommendations to follow.
Sync is an ideal partner for organizations required to comply with HIPAA. All data stored on our servers is encrypted. The unique zero-knowledge nature of our storage system makes us unable to decrypt any protected health information stored on our servers. Plus, Sync makes it easy to request a Business Associate Agreement and get certified before moving your data to Sync’s servers.
