Canadian Data Residency

Canadian Data Residency - Everything You Need to KnowOne of the riskiest moves in shifting to the cloud is choosing a company to provide your managed cloud hosting services.

Depending on what type of cloud hosting and data storage you choose, your data could be stored on servers in another country.

There are several risks in housing your data in an unknown location:

  • The laws of the other country may not provide adequate protection.
  • You may not have any way to recover lost data should the company go out of business.
  • The country may be politically or economically unstable, resulting in the loss of your data.

If you are an Alberta-based business with compliance requirements you must meet, this guide will help you understand Canadian Data Residency and how you can meet residency requirements, move your data to the cloud, and benefit from cost-effective risk mitigation.

Canada Privacy Act

Email encryption, worrying about data storage, or storing data outside of business walls were matters of little or no concern when every company kept paper files in locked cabinets.

Canada has been regulating the management of personal information privacy for almost 35 years, ever since the Government of Canada enacted the Privacy Act in 1983.

This Act applied to departments within the Government of Canada as well as each provincial government system.

Twenty years later, in order to address the privacy issues that accompanied the development of online commerce, the 1983 requirements were broadened to include private sector organizations that electronically maintain personal information.

Data Residency Laws in Canada

Canadian data residency requirements were initially developed to address Canadian government agencies shifting to the cloud as part of the cloud-first adoption strategy.
The government established this cloud-first strategy in recognition that the private industry needs to:

  • Deliver services at the same speed and ease, and
  • Ensure the personal data they processed and stored was as protected as possible.

However, further risks associated with storing data in the cloud outside of the country, even in the US, were identified. Subsequently, the government developed measures to address how and where data could be stored through Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

Alberta’s and British Columbia’s version of PIPEDA is the Personal Information Protection Act (PIPA). Other regulations addressing data privacy that may impact your business include:

  • PIPA: Personal Information Protection Act (AB)

  • PHIPA: Personal Health Information Protection Act (ON)

  • PHIPAA: Personal Health Information Privacy and Access Act (NB)

  • PHIA: Personal Health Information Act (NS, NL)

What Is PIPEDA?

These new parameters were established in 2004 under the Personal Information Protection and Electronic Documents Act (PIPEDA), requiring providers to alert the OPC and all affected Canadian consumers when there is a data breach.

PIPEDA originally applied only to the federally regulated private sector.

For example, banks, airlines, and telecommunications companies were required to follow the guidelines, but businesses, such as retailers, were not subject to its conditions.

More recently, PIPEDA was amended to include provincially regulated organizations, such as many businesses within the retail sector, service industries, manufacturing, and more.

However, the requirements do not apply to personal employee information; rather, they apply strictly to personal consumer information.

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), thereby amending PIPEDA.

There are numerous additional requirements within the DPA, but we place an emphasis on the stipulation that Canadian citizens’ digital information stored within Canadian borders can only be distributed by means of email encryption systems.

Data Residency Requirements for Canadian Businesses

While PIPEDA does not mandate that companies keep their data within Canadian borders, it does specify how Canadian citizens’ information can be stored.

Businesses are held responsible for the data they collect, process, transfer, and store. Additionally, they are mandated to provide protection of that data at all times.

Because the laws are different in countries outside of Canada, protecting data during transmission and storage to a foreign cloud server puts your business at risk. The rules are even stricter for certain industries, such as the financial sector.

In addition, businesses that have customers in the EU or California may also be subject to additional privacy regulations from the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Achieving Data Residency in the Cloud

The ITeam can provide email encryption and storage compliance by using Microsoft 365 and Microsoft Azure.

Microsoft Azure includes a strong email encryption system and is now available through local datacenter regions in Toronto and Québec City.

Furthermore, Microsoft 365 has the capability of providing in-country data residency.

Thus, The ITeam can offer a combination of 365 and Azure that meets the encryption and data residency requirements of the DPA.

Azure Data Residency Key Questions and Answers

The following is a brief Q&A regarding some of the central issues involved in DPA cloud compliance:

No. If you use a Canadian billing address for your data, Microsoft 365 and Azure cloud services will be hosted automatically in a Canadian data center.

Yes. Microsoft hosts data based on geographic location, so all information remains in Canada. More specifically, as described above, the data is stored regionally in Toronto and Québec City.

Regulated data is encrypted both while it is “at rest” and while it is being transmitted between a data center and a user. The level and type of encryption used to protect files and emails can be customized by end users and administrators. This allows maximum data security and management flexibility.

Microsoft Azure uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East, and Africa), and Asia, so security keys can be used only in the region of residency.

No. Both Microsoft 365 and Microsoft Azure leave data ownership and control in the hands of individual organizations. Neither data ownership nor data control is ever compromised.

Microsoft Azure provides organizations with a reliable, scalable, and secure infrastructure environment, allowing organizations to improve customer experience, drive innovation, and manage costs. With the availability of Canada-based data cloud services and storage, it is worth considering shifting your organization to the cloud and evaluating solutions like Microsoft Azure.

Do You Know Where Your Data Is?

The days of keeping records in file cabinets where you can simply open a drawer and retrieve what you need are long gone.

Most of that information is now stored electronically. But if you’re storing your data in the cloud, you need to know two things:

  • Where is it being stored?
  • How quickly can you gain access to it if you need it?

When you choose to partner with The ITeam, you not only gain cost-effective, secure cloud storage and hosting but peace of mind. Your data is stored locally, in Alberta, never leaving the country even during transmittal. And when you need it, you can access it quickly. This means:

  • Less downtime
  • Better support for your customers
  • Confidence that you are meeting and exceeding PIPA compliance requirements

Leave the Heavy Lifting to Us.

The ITeam is a Microsoft Certified Partner committed to helping Calgary- and Alberta-based businesses develop proactive IT strategies that keep them competitive.

To learn more about The ITeam’s cloud hosting and how we can help you meet Canada residency and compliance requirements, contact us for a free consultation.

Benefits of Cloud Managed Services Benefits of Cloud Managed Services Privacy Impact Assessment Alberta Privacy Impact Assessment Alberta