Canada privacy laws

Canada privacy laws overview

Canadian privacy laws were established to protect the privacy of individuals and give them the right to access information gathered about them. The laws require organizations to take reasonable steps to safeguard information in their custody or control. They apply to personal information that is held and processed by governments and private organizations.

Federal privacy laws

Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada (OPCC):

  • The Privacy Act regulates how federal government organizations collect, use, and disclose personally identifiable information including that of federal employees. It applies only to federal government institutions listed in the Privacy Act Schedule of Institutions.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information related to business activities of commercial for-profit enterprises and for the employees of federally regulated businesses like banks, airlines, and telecommunications companies.

PIPEDA is founded on 10 fair information principles that businesses must follow if they are to comply with it. For example, the basic principle of consent gives rise to the PIPEDA requirement that organizations must obtain an individual's permission to collect or use their personal information. Individuals have the right both to access that personal information and challenge its accuracy (grounded in the principle of 'individual access'). The principle of 'identifying purposes' leads to the rule that personal information can be used only for the purposes agreed upon.

Provincial privacy laws

In general, PIPEDA applies to commercial activities in all provinces and territories, except those operating entirely within provinces with their own privacy laws that have been declared 'substantially similar' to the federal law. For example, Alberta, British Columbia, and Québec have private sector privacy legislation deemed substantively similar to PIPEDA, and as a result the provincial laws are followed there in place of the federal legislation. Moreover, New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario have health-related privacy laws that have been declared substantially similar to PIPEDA with respect to health information. These laws apply to personal health information within the respective provinces.

Azure and Canada privacy laws

There is no formal certification that cloud service providers can leverage to comply with Canadian privacy laws. However, Azure provides customers with:

To assist Canadian customers who are considering outsourcing business functions to the cloud, Microsoft has published Navigating your way to the cloud: A compliance checklist for financial institutions in Canada. This document provides an overview of the regulatory landscape, including privacy regulations, and a detailed listing of how Microsoft business cloud services can help organizations meet contractual requirements for material outsourcing arrangements.

To support public and private sector organizations that are concerned about data residency, Microsoft has established two Canadian data centers in Toronto and Québec City. These data centers add in-country data residency, failover, and disaster recovery for customer data and applications.

Ultimately, the responsibility and ownership of personal data lies with our business customers, per the Microsoft Online Services Terms (OST). However, Microsoft has assessed its practices in risk, security, and incident management; access control; data integrity protection; and other areas relative to the recommendations from the Office of the Privacy Commissioner of Canada, and has determined that in-scope Azure services can meet those recommendations. This support means that Azure can help customers meet the requirements of Canadian privacy laws.

Applicability

  • Azure

How to implement

Frequently asked questions

Can Azure customers comply with PIPEDA and other Canadian privacy laws?
Microsoft agrees in its Online Services Terms that it complies with laws and regulations that apply to its provision of Microsoft Online Services. However, organizations that use Microsoft Online Services including Azure are wholly responsible for compliance with all laws and regulations applicable to them, including Canadian privacy laws.

As a result, privacy is a shared responsibility between Microsoft as a cloud service provider and the customer using cloud services. At a high level, this requirement means that customers must ensure that their solutions implemented on Azure address the 10 PIPEDA fair information principles. For example, customers are responsible for getting the consent of individuals to collect their personal data and safeguarding it with adequate security measures.

What third-party audits validate Azure security controls?
Azure undergoes formal audits conducted in accordance with established standards such as ISO 27001, ISO 27018, ISO 27701, SOC 2, and others. Compliance with these standards is confirmed by third-party auditors who provide independent validation that security controls are in place and operating effectively. Customers can access audit reports and certificates in the Azure portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using a direct link to the Azure portal audit reports blade (login required).

Will customers know the physical location where their data is stored?
Azure customers will always know where their customer data is stored at rest. Microsoft provides strong customer commitments about data residency in the Online Services Terms Data Protection Addendum (DPA) and explains how data residency commitments apply to Azure regional vs. non-regional services. No matter where customer data is located, Microsoft does not control or limit the locations from which customers or their end users may access their data.

PIPEDA doesn’t require Canadian businesses to keep personal information in Canada. However, depending on the province where organizations do business, or their industry, they could be required to keep certain types of data within Canadian borders. To help address these types of requirements, Microsoft has established two Canadian data centers in Toronto and Quebec City. The physical infrastructure at Canadian data centers is in scope for Azure formal third-party audits mentioned above.

Resources