Canada privacy laws
Canada privacy laws overview
Canadian privacy laws were established to protect the privacy of individuals and give them the right to access information gathered about them. The laws require organizations to take reasonable steps to safeguard information in their custody or control. They apply to personal information that is held and processed by governments and private organizations.
Federal privacy laws
Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada (OPCC):
- The Privacy Act regulates how federal government organizations collect, use, and disclose personally identifiable information, including that of federal employees. It applies only to the federal government institutions listed in the Privacy Act Schedule of Institutions.
- The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in the course of the business activities of commercial for-profit enterprises, and the personal information of employees of federally regulated businesses such as banks, airlines, and telecommunications companies.
PIPEDA is founded on 10 fair information principles that businesses must follow if they are to comply with it. For example, the basic principle of consent gives rise to the PIPEDA requirement that organizations must obtain an individual's permission to collect or use their personal information. Individuals have the right both to access that personal information and challenge its accuracy (grounded in the principle of 'individual access'). The principle of 'identifying purposes' leads to the rule that personal information can be used only for the purposes agreed upon.
Provincial privacy laws
In general, PIPEDA applies to commercial activities in all provinces and territories, except those operating entirely within provinces with their own privacy laws that have been declared 'substantially similar' to the federal law. For example, Alberta, British Columbia, and Québec have private sector privacy legislation deemed substantively similar to PIPEDA, and as a result the provincial laws are followed there in place of the federal legislation. Moreover, New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario have health-related privacy laws that have been declared substantially similar to PIPEDA with respect to health information. These laws apply to personal health information within the respective provinces.
- Alberta: The Information and Privacy Commissioner of Alberta enforces the Personal Information Protection Act (PIPA), which provides individuals with the right to request access to their own personal information while providing private sector organizations with a framework for conducting the collection, use, and disclosure of personal information.
- British Columbia: The Information & Privacy Commissioner for British Columbia enforces the following legislation:
  - Freedom of Information and Protection of Privacy Act (FIPPA) sets out the access and privacy rights of individuals as they relate to the public sector.
  - Personal Information Protection Act (PIPA) applies to private-sector organizations that collect, use, and disclose the personal information of individuals in British Columbia.
- Québec: The Commission d’accès à l’information du Québec enforces the Act Respecting the Protection of Personal Information in the Private Sector, which establishes rules for the collection, use, and communication of personal information in the course of business activities.
- New Brunswick: The Personal Health Information Privacy and Access Act (PHIPAA) establishes rules that protect the confidentiality of personal health information and the privacy of the individual to whom that information relates.
- Newfoundland and Labrador: The Personal Health Information Act (PHIA) establishes rules that custodians of personal health information must follow when collecting, using, and disclosing individuals’ confidential personal health information.
- Nova Scotia: The Personal Health Information Act (PHIA) governs the collection, use, disclosure, retention, disposal, and destruction of personal health information.
- Ontario: The Personal Health Information Protection Act (PHIPA) establishes rules for the collection, use, and disclosure of personal health information.
Azure and Canada privacy laws
There is no formal certification that cloud service providers can leverage to comply with Canadian privacy laws. However, Azure provides customers with:
- Strong privacy assurances about controlling your data, where your data is located, securing your data, and defending your data.
- Privacy-related contractual commitments regarding data residency, security, access, breach notification, etc., as stated in the Microsoft Online Services Terms Data Protection Addendum (DPA).
- Ability to maintain ownership of customer data—the content, personal data, and other data you provide for storing and hosting in Azure services. Microsoft will not store or process customer data outside the geography you specify, except for certain non-regional services.
- Relevant formal audits conducted in accordance with established standards such as ISO 27001, ISO 27018, ISO 27701, SOC 2, and others.
- Technical features such as data encryption in transit and at rest, resource monitoring, security alerting, etc., to help customers enable data protection and meet their privacy requirements.
- Guidance documentation, including a guide to the privacy implications of Microsoft cloud services that covers Canada among many other countries.
- Azure foundational privacy impact assessment (PIA), available from the Azure portal audit reports blade (login required). You must have an existing Azure subscription or free Azure trial account to log in. The Azure PIA provides a third-party analysis of how Microsoft Azure complies with the Canadian Privacy Act, PIPEDA, FIPPA (Ontario), PHIPA (Ontario), CSA Code (Private Sector), Québec Private Sector Law, and ISO/IEC 27018.
- Additional cloud services privacy documentation is available from the Service Trust Portal Regional Solutions section for Canada.
To assist Canadian customers who are considering outsourcing business functions to the cloud, Microsoft has published Navigating your way to the cloud: A compliance checklist for financial institutions in Canada. This document provides an overview of the regulatory landscape, including privacy regulations, and a detailed listing of how Microsoft business cloud services can help organizations meet contractual requirements for material outsourcing arrangements.
To support public and private sector organizations that are concerned about data residency, Microsoft has established two Canadian data centers in Toronto and Québec City. These data centers add in-country data residency, failover, and disaster recovery for customer data and applications.
Ultimately, the responsibility and ownership of personal data lies with our business customers, per the Microsoft Online Services Terms (OST). However, Microsoft has assessed its practices in risk, security, and incident management; access control; data integrity protection; and other areas relative to the recommendations from the Office of the Privacy Commissioner of Canada, and has determined that in-scope Azure services can meet those recommendations. This support means that Azure can help customers meet the requirements of Canadian privacy laws.
How to implement
- Privacy in Microsoft cloud services: Get details on Microsoft privacy principles and standards and on privacy laws specific to Canada.
- Compliance checklist for Canada: Learn more about Azure features that can help meet Canadian privacy laws.
- Azure foundational privacy impact assessment (PIA) for Canada: Third-party analysis of how Azure complies with the Canadian Privacy Act, PIPEDA, FIPPA (Ontario), PHIPA (Ontario), CSA Code (Private Sector), Québec Private Sector Law, and ISO/IEC 27018.
- Azure data protection: Azure provides customers with strong data security, both by default and as customer options.
- Business continuity and disaster recovery: Learn how to use Azure to recover your business services in a timely manner in the case of service disruption or accidental data deletion.
Frequently asked questions
Can Azure customers comply with PIPEDA and other Canadian privacy laws? Microsoft agrees in its Online Services Terms that it complies with laws and regulations that apply to its provision of Microsoft Online Services. However, organizations that use Microsoft Online Services including Azure are wholly responsible for compliance with all laws and regulations applicable to them, including Canadian privacy laws.
As a result, privacy is a shared responsibility between Microsoft as a cloud service provider and the customer using cloud services. At a high level, this requirement means that customers must ensure that their solutions implemented on Azure address the 10 PIPEDA fair information principles. For example, customers are responsible for getting the consent of individuals to collect their personal data and safeguarding it with adequate security measures.
What third-party audits validate Azure security controls? Azure undergoes formal audits conducted in accordance with established standards such as ISO 27001, ISO 27018, ISO 27701, SOC 2, and others. Compliance with these standards is confirmed by third-party auditors who provide independent validation that security controls are in place and operating effectively. Customers can access audit reports and certificates in the Azure portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using a direct link to the Azure portal audit reports blade (login required).
Will customers know the physical location where their data is stored? Azure customers will always know where their customer data is stored at rest. Microsoft provides strong customer commitments about data residency in the Online Services Terms Data Protection Addendum (DPA) and explains how data residency commitments apply to Azure regional vs. non-regional services. No matter where customer data is located, Microsoft does not control or limit the locations from which customers or their end users may access their data.
PIPEDA doesn’t require Canadian businesses to keep personal information in Canada. However, depending on the province where organizations do business, or their industry, they could be required to keep certain types of data within Canadian borders. To help address these types of requirements, Microsoft has established two Canadian data centers in Toronto and Québec City. The physical infrastructure at the Canadian data centers is in scope for the Azure formal third-party audits mentioned above.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Privacy on the Microsoft Trust Center
- Microsoft Online Services Terms (OST)
- Microsoft OST Data Protection Addendum (DPA)
- Privacy at Microsoft
- Privacy in Microsoft cloud services
- Microsoft Privacy Statement
- Privacy considerations in the cloud