Data center security and privacy guidelines 101

Data center regulations for Canada

Data sovereignty, data residency, and security are important terms when it comes to data privacy in Canada. The government's emphasis on cloud-first options and its provisions for establishing data centers are aimed at keeping citizens' data within the nation's borders.

In 2018, the Canadian Federal Government adopted a cloud-first strategy, making the cloud its preferred option for delivering IT services. While prioritizing the public cloud, this policy also stipulates that certain sensitive information remain within the country's borders. For this reason, the Canadian government emphasizes the availability of major public cloud services within the country, which is why setting up data centers in Canada is important. The Office of the Privacy Commissioner of Canada is responsible for governing the storage and use of personally identifiable information (PII). Every federal, provincial, and territorial jurisdiction in Canada has an independent Information and Privacy Commissioner who oversees the data protection laws under their jurisdiction.

Checklist for setting up a data center in Canada

To set up a data center and run your business without interruption, make sure you comply with the following:

  • The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • The data privacy laws specific to the province in which you wish to set up your data center
  • National Institute of Standards and Technology (NIST) standards and the Uptime Institute's tier certifications
  • Quality standards from the International Organization for Standardization (ISO)
  • Security standards for System and Organization Control (SOC) compliance
  • Environmental management standards like ISO 14001
  • Energy efficient data center designs

PIPEDA

Like other major privacy laws, PIPEDA insists that organizations obtain an individual's consent when they collect, use, or disclose that individual's personal information. Personal information can only be used for the purpose it was collected for. If an organization is going to use it for another purpose, it must obtain consent again.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based. This includes provinces that have enacted similar legislation.

PIPEDA lists 10 fair information principles that form the basis for the collection, use, and disclosure of personal information, as well as for providing access to personal information. In PIPEDA's words:

  • Accountability: An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
  • Identifying purposes: The purposes for which the personal information is being collected must be identified by the organization before, or at the time of collection.
  • Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  • Limiting collection: The collection of personal information must be limited to that which is needed for the purposes identified by the organization. The information must be collected by fair and lawful means.
  • Limiting use, disclosure, and retention: Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
  • Accuracy: Personal information must be as accurate, complete, and up-to-date as possible to properly satisfy the purposes for which it is to be used.
  • Safeguards: Personal information must be protected by the appropriate security measures relative to the sensitivity of the information.
  • Openness: An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
  • Individual access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information, and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information, and have it amended as appropriate.
  • Challenging compliance: An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually its Chief Privacy Officer.

Canada has also implemented the Privacy Act of 1983, which covers how the federal government handles personal information.

Provincial privacy laws

Alberta, British Columbia, and Quebec have their own private-sector privacy laws that are similar to PIPEDA. Organizations that are subject to these provincial privacy laws are generally exempt from PIPEDA with respect to the collection, use, or disclosure of personal information that occurs within that province.

Alberta's PIPA

The Personal Information Protection Act (PIPA) is Alberta’s private sector privacy law. It protects personal information collected and processed by private sector organizations, businesses, and in some cases, non-profit organizations.

British Columbia's data protection laws

In British Columbia, various federal and provincial laws govern the way personal information is handled. Provincially, PIPA, and federally, PIPEDA, regulate private organizations that collect, use, and disclose personal information. The Freedom of Information and Protection of Privacy Act (FIPPA) regulates the personal information handled by public bodies.

Quebec's Private Sector Act

Quebec enforces its data privacy rights through the Private Sector Act, inspired by the General Data Protection Regulation (GDPR).

Other data center standards

As in the United States, data centers in Canada are expected to comply with common data center standards, such as NIST standards and ISO 27001.

Conclusion

There are different types of data centers, such as traditional and hybrid, each with its own pros and cons. Each organization must choose the type that fits its needs and successfully incorporate all elements of privacy, safety, security, and other environmental standards. With so many controls, standards, audits, and reports, it is always recommended to adhere to and maintain compliance with all region-specific laws.

References

  • https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
  • https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/