Data privacy and information protection laws change constantly around the world and differ from country to country. The central challenge for any country is to make as much use of data as possible while protecting individuals' privacy and the personal information tied to their identity. Countries such as Australia, Switzerland, and Norway are often cited as having some of the strongest cloud privacy laws.
National security, privacy, and copyright are prominent topics of debate in the political circles of every technologically advanced country. Under the Patriot Act, the US government can issue a "gag order" that forbids cloud providers from telling users that their information has been accessed. The PRISM program, revealed in 2013, reportedly gives the NSA access to data held by all major US cloud providers.
These US government policies directly affect Canada. Programs such as PRISM let US agencies access data that Canadian organizations have stored on US-based cloud servers. In fact, even information that is not stored on a US-based server can be collected if it crosses US networks in transit.
Fact: at least 90 percent of Canada's digital activity (from Twitter to basic e-mail) is routed through the US. [Source: www.thestar.com]
Over the last few years, cloud storage providers have gained immense popularity, and many companies and individuals are moving their data to Canadian cloud servers. Ontario's Personal Health Information Protection Act (PHIPA), in force since November 2004, protects the privacy of individuals' health information held by health information custodians in that province.
At the federal level, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity. Except for charities and some non-profits that do not engage in commercial activity, every commercial organization is responsible for meeting the requirements of the act.
Since cloud service providers are private-sector organizations engaged in commercial activity, each of them is expected to meet the terms of the act.
Listed below are the ten fundamental principles of PIPEDA as they apply to organizations and individuals:
- Identifying purposes: Organizations must tell users, guests, and visitors why and how their information is being collected, at or before the time of collection.
- Obtaining consent: The organization must obtain the individual's knowledge and consent before collecting, using or disclosing personal information. It may not make consent to collecting more data than the stated purpose requires a condition of supplying a product or service.
- Accuracy: The organization must keep personal information as accurate, complete and up to date as the purposes for which it is used require, correcting it when needed.
- Safeguards: The organization must protect personal information with security safeguards appropriate to the sensitivity of the data.
- Individual access: On request, the individual must be told what personal information the organization holds about them, how it is used and to whom it has been disclosed, and must be able to challenge its accuracy and completeness and have it amended.
- Limiting use, disclosure and retention: The organization must not use or disclose personal information for purposes other than those for which it was collected, except with the individual's consent or as required by law, and must retain it only as long as those purposes require.
- Limiting collection: Only the information necessary for the purposes the organization has identified may be collected, and it must be collected by fair and lawful means.
- Openness: The organization must make detailed information about its policies and practices for managing and securing personal information readily available to individuals.
- Accountability: The organization is responsible for all personal information under its control and must designate an individual who is accountable for its compliance with these principles.
- Challenging compliance: An individual may challenge the organization's compliance with these principles. The complaint procedure must be simple and accessible, and the designated individual must be able to respond to the complainant.
Key takeaways for Cloud service providers
Here is a how-to guide for cloud service providers to ensure that they comply with the principles:
- Document reporting methods, non-disclosure and security policies, and other controls
- Explain the company's approach to data management so that individuals understand the purpose of collection
- Follow established security best practices, such as encryption in transit and at rest, access controls and audit logging, to protect private information
- Be transparent about data management policies and keep a copy ready to share whenever challenged
- Provide straightforward and fast procedures for handling complaints
Here is a list of top Canadian cloud providers that comply with Canadian regulations:
| Cloud service provider | Services | Operations base |
|---|---|---|
| CenturyLink | IaaS, PaaS, SaaS, DBaaS | Vancouver, Toronto and Montreal |
| Bell Business Solutions | IaaS, PaaS, SaaS | Montreal |
| iWeb | OpenStack and SSD storage | Montreal |
| Long View | IaaS, cloud backup and recovery | Calgary, Alberta and Toronto |
| Netelligent | IaaS, PaaS, SaaS | Montreal |
| Asigra Inc. | SaaS and IaaS | Toronto |
| Cloud pockets | IaaS, SaaS | British Columbia |
Questions? Insights? Please feel free to share them in comments.