In the past ten years, conversations around privacy, data security, and where to store data have dramatically increased and taken on a new sense of importance. This has been heightened by the COVID-19 pandemic, as many organizations suddenly migrated their business processes and tools to the cloud.
As more and more data is stored and transferred through the cloud, you might wonder, “Does it matter where my data is stored?” The short answer is yes, it matters. At the end of the day, storing your data on the cloud means storing it on another computer, somewhere else, and where that computer is located matters.
Here are five questions organizations and business owners should ask about whether to store their cloud-based data in Canada.
What sector am I operating in?
Are you running a not-for-profit? Is your department within a federal or provincial organization? Are you working in healthcare or the financial sector? While this might seem like a no-brainer question, different sectors are governed by different legislative requirements. This is the first step in determining whether your data residency should be in Canada.
What type of data am I storing, and why?
Are you collecting personal data, such as a person’s name, telephone number, address, Social Insurance Number (SIN), medical history, financial information, or any personal views or opinions? Personal information is governed by different legislation from other information, such as business information, anonymized data, or government information. Are you using that data for commercial purposes? Are you using it solely for not-for-profit activities? The type of data your organization collects and the purposes of data collection affect whether your data should be stored in Canada.
What legislation governs my sector?
The Privacy Act of Canada regulates the use and collection of data by federal government organizations, whereas the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations and federally regulated businesses (like banks or airlines) collect and manage personal information data. Commercial activities in all provinces and territories are subject to PIPEDA, except for those activities which occur within provinces whose own privacy laws are considered “substantially similar” to PIPEDA. Currently, only Alberta, British Columbia, and Quebec meet this standard. Other provinces, such as Ontario, have legislation that pertains to data storage and use in specific sectors, such as healthcare.
While PIPEDA governs what data can be collected, how it is to be stored, how it is to be protected in transit, and rights to disclosure, the legislation does not prohibit the transfer of personal data outside of Canada. Some provinces have different requirements. In British Columbia, public sector data was required to be stored in Canada up until November 2021. However, with the passage of Bill 22, that restriction has been removed and data can now be stored outside of Canada.
If I store data outside of Canada, are there risks?
Even if you are not legally required to keep your data in Canada, you may want to avoid the potential risks associated with hosting data in a different country. Some of these risks include:
- Violating PIPEDA requirements: you are responsible for ensuring that your data storage, collection, and use are compliant with PIPEDA or other provincial requirements, even if your data is stored outside of Canada in a jurisdiction that does not recognize this legislation. If you cannot guarantee that the host jurisdiction or country abides by these requirements, you are putting your organization at risk of noncompliance.
- Subjecting your data to foreign legislation: your data is subjected to the authority of the jurisdiction or country in which it resides. For example, any data that is stored in the United States is subject to the provisions of the US Patriot Act – which means that data can legally be accessed and surveilled by the US government. This is in direct violation of Canada’s Privacy Information Protection Act, which legislates against improper disclosure of data. Storing your data in Canada ensures that your data is subjected to Canadian law only.
- Physical security of data centres: if your data is stored in a country that experiences unrest, severe natural disasters, or a breakdown in stability, the security of the physical data centres that host cloud-based data can be compromised.
Will storing data in Canada provide my clients and stakeholders with peace of mind?
The last question for you to consider is whether storing your data in Canada will bring critical peace of mind to your stakeholders. It just makes sense. Microsoft has two highly secure data centres in Toronto and Quebec City. Plus, all businesses that sign up for Microsoft 365 with a Canadian billing address automatically have their data stored in Canada (as long as they registered on April 20, 2016 or later). Microsoft was also one of the first global cloud providers to achieve Certification for Protected B data in Canada, which means the federal government trusts and uses the Microsoft cloud to store its most sensitive data.
When you host your data at a Canadian Microsoft data centre, you know that your data is governed by Canadian legislation. You can reassure your customers or stakeholders that their data is securely stored within Canada.