Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act governs how personal information is handled within federal government departments and agencies. PIPEDA, on the other hand, is the federal law covering privacy in the private sector.

What is PIPEDA Compliance?

PIPEDA sets the rules for how personal information is collected, used, or disclosed in the course of commercial activity. These rules apply to organizations across Canada that engage in commercial activity. They also cover the personal information of employees of federally regulated businesses, such as banks, telecoms, and airlines.

Organizations generally exempt from PIPEDA include charities, not-for-profit groups, associations, and political parties. What matters is the kind of activity: fundraising is not a commercial activity, but other activities of the same organization might be, and those would fall under PIPEDA.

There are also situations where an exemption applies as long as the personal information stays within provincial and national borders. This is the case in provinces that already have privacy legislation deemed substantially similar to PIPEDA, such as Alberta, British Columbia, and Quebec. Once the information crosses a provincial or national border, PIPEDA applies again.

Which Businesses Must Be Compliant in Ontario, Canada?

Generally, PIPEDA applies to:

  • Private-sector organizations operating in Ontario, for the personal information they collect, use, or disclose in the course of commercial activity. The handling of their own employees' information is not covered.
  • Private-sector organizations operating in Ontario that collect, use, or disclose personal information across provincial or national borders in the course of commercial activity. Their handling of employee information remains exempt.
  • Federally regulated organizations operating in Ontario, such as banks, airlines, and telephone companies. For these organizations, the handling of employee information is covered as well.

What happens if I don’t use a Canadian Data Center and use Cloud or Datacenters out of Canada?

PIPEDA itself does not require Canadian organizations to keep data in Canada. Some provinces, however, impose data-residency conditions of their own that must be satisfied, and the industry your business operates in may also determine whether data has to stay within Canadian borders.

Wherever your company stores personal information, PIPEDA is clear on how it must be treated. An organization in possession of sensitive data is responsible for keeping it protected and secure, regardless of the location of the servers or the provider holding it. Each organization must make the effort to understand the rules fully.

Certain contraventions of PIPEDA, such as knowingly failing to report or keep records of a breach of security safeguards, or obstructing an investigation or audit, are offences. On summary conviction, the organization is liable to a fine of up to $10,000; if the offence is prosecuted as an indictable offence, the fine can be up to $100,000.

How does Government check if my Business uses Non-Canadian Data Centers?

Primarily through organizational audits. The Privacy Commissioner can audit an organization's personal-information handling practices, and an organization should be able to state the geographic location of the servers holding its data.

Because most businesses rely on a hosting provider, the hosting provider's data-center locations can be examined as well. This lets the auditing agency trace where the data is actually being stored.

If the business operates its own private data centers, it must be able to disclose them, since data centers are company assets and are treated as such.

It is therefore better to know the facts before your company starts handling personal information, including employee information. Failing to do so can cost you both money and reputation.