Storing Data Outside of Canada - What You Need to Know
September 21, 2020
"Is it safe to store data outside of Canada?" is a question being asked more and more as many organizations move to the cloud.

As a nonprofit or private organization in British Columbia, you are subject to the Personal Information Privacy Act (PIPA). PIPA does not prohibit personal information storage outside of Canada; however, you must still take measures to protect the information, even when it’s not in your custody. Please note – if your organization holds personal information that is under BC Housing’s control, you cannot store it outside of Canada.

If you decide to enter into an agreement or contract with a service provider that will store personal information outside of Canada, let’s say in the United States of America, that information will be in the custody of a US company, stored on US soil and subject to US law.

What it all comes down to is risk assessment: understanding the sensitivity of the data being stored, how the data is used, how it is secured, and how much oversight you need over it. To help with your assessment, consider and act on the following:

  • Assess the security measures of the provider to determine whether they are reasonable based on the sensitivity of the information. Consult an IT Security expert if possible.
  • Look closely at the provisions of PIPA to make sure you are in compliance.
  • Review your contracts and agreements with funders to understand in what ways they limit what you can do.
  • Establish with certainty that the provider/program or their subcontractors do not access or use information for any purpose other than providing the service.
  • Put in place a contract that ensures the service provider complies with PIPA.
  • Determine what type of cloud the information will be stored in. Not all clouds are created equal, so please do your research.
  • Have a repatriation strategy in case you need to pull your information from the service.
  • Determine what steps are to be taken if there is a personal information breach or security incident. Make sure you will be notified by the provider in the event of a breach.
  • Ensure periodic audits are performed.
  • Document due diligence in a privacy impact assessment and an NCS risk assessment.

Understanding the data is key.

Remember that no matter where your data is stored, you are responsible for its protection, and cloud storage in Canada needs to be assessed closely, too.

Freedom of Information and Protection of Privacy Act (FOIPPA)

Public bodies are not permitted to store, disclose or access personal information outside Canada, except in the limited circumstances authorized in FOIPPA. This precludes the use of many cloud services. If you hold data that is under the control of a public body, you will need to consult with the public body before storing or disclosing their data outside Canada. Review your contracts/agreements carefully.

The Housing Provider Technology Support team is always available to help with questions and concerns. Reach out to us through our Contact page.


Resources:

Canadian Privacy Law, Cloud Computing and How it Applies to Nonprofits 

Canada’s Federal and Provincial Privacy Law for Non Profits and Charities

Cloud Computing for Small and Medium-sized Enterprises document

Cloud Computing and Privacy

Frequently Asked Questions About Cloud Computing

Cloud Computing in the BC Government
