Personal client data stored in the cloud? Who’s going to get sued when it’s compromised? I admit it; I was wrong (except in BC and Nova Scotia, that is). I started this article with a belief I formed years ago when I first became a technology consultant: that the Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies handling sensitive personal data, such as Personal Health Information (PHI), to maintain that data within Canada. Based on this belief, I set out to document the differences between Canada’s PIPEDA and the HIPAA (Health Insurance Portability and Accountability Act) in the United States. I expected that this would be relatively easy, finding research articles and documents to support my belief. Unfortunately, I couldn’t find any. What I did find is a long list of government documents that I had to sift through to get to the bottom of this now mistaken idea.
Liability in the Time of Cloud Storage
The main contradiction to my belief is located in the Alberta Personal Information Protection Act (PIPA), 60 pages of blinding narrow script. There on page 11, Part 2 – Protection of Personal Information, Division 1 – Compliance and Policies, Section 6 – Policies and practices, is the enlightening reference: “organizations that use service providers that are located outside of Canada to collect, use, disclose or store personal information for or on behalf of the organization”. There was a policy for storing data outside of Canada; it is a legitimate practice.
Upon further reading into this section, I found the real culprit of my misunderstanding. The Act goes on to add a big “BUT” to the permission of non-Canadian storage: it sets forth that when an organization (a business) collects sensitive data, the organization (the business), otherwise known as the custodian, is now fully accountable and responsible for that data. Wait; so that means you can put that sensitive data you collected wherever you want, but in the end, you’re responsible for that data and what happens to it, not the company that stores the data for you?
Patriot vs. Privacy
Remember the United States’ PATRIOT ACT? Corporations that adhere to this act do not adhere to PIPEDA. Why? A single thing really: the PATRIOT ACT gives the US government the right to access data without consent, directly contradicting PIPEDA.
Thinking of what this means, I pictured many of the recent data breaches I am sure you’ve heard of as well. Some of the breached companies didn’t own the data; did they own the responsibility? Could they be held accountable? Would they ultimately make it right? I guess the courts will decide in the end if you can legally hold a company in another country responsible. Meanwhile, the damage is done, and people’s lives are changed forever.
My understanding of the law has changed; however, my message has not. I have consistently steered companies working with sensitive data towards a Canadian data centre or alternate solution on Canadian soil, with policies and procedures in line with PIPEDA and PIPA. I care about the organization that I work for, and we are accountable to the organizations we in turn support. Can you say the same for the solution providers that you have chosen?
Questions to Ask About HIPAA or PIPEDA
Before you commit your client, customer, or patient data to storage in the cloud, here are some questions to ask potential providers:
- Where specifically will the personal information be stored? Remember you’re responsible for it.
- If it is in a different province or country, are they able to maintain compliance: do they follow PIPEDA and your province-specific act?
- Have they been involved in an investigation by the Office of the Privacy Commissioner?
- Are they certified for data security and compliance? What type of certification is it? Are they regularly audited to maintain the certification? By whom?
- Who will have access to the data?
- When the contract is terminated or voided, what happens to the data?
Oh, and for you, people in BC and Nova Scotia, keep your data in Canada. Your province-specific acts require you to. If you hang on a moment I’ll dig up the references for you; just let me rest my eyes a bit.
Wade Bayntun
F12.net, Inc.
Manager, Red Deer