PIPEDA and Online Backup White Paper



Similar documents
Cloud Computing: Privacy and Other Risks

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Taking care of what s important to you

The HR Skinny: Effectively managing international employee data flows

Privacy Law in Canada

Index All entries in the index reference page numbers.

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Cloud Computing: Legal Risks and Best Practices

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /06 DATAPROTECT 45 EDPS 3

The Cloud and Cross-Border Risks - Singapore

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

AN INTRO TO. Privacy Laws. An introductory guide to Canadian Privacy Laws and how to be in compliance. Laura Brown

Taking care of what s important to you

Corporate Communications Policy

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Cloud Computing: Trust But Verify

PERSONAL INFORMATION PROTECTION ACT

CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING?

South East Asia: Data Protection Update

Privacy Law in Canada

THE PROPOSED CANADIAN SECURITIES ACT: CRIMINALIZING SECURITIES REGULATION IN CANADA. James D.G. Douglas November 22, 2010

British Columbia Personal Information Protection Act. Frequently Asked Questions:

Considerations for Outsourcing Records Storage to the Cloud

Accountable Privacy Management in BC s Public Sector

Best Practices in Data Management - A Guide for Marketers -

Preservation of longstanding, roles and missions of civilian and intelligence agencies

University of Sunderland Business Assurance Information Security Policy

Cloud Computing Contracts. October 11, 2012

Privacy in the Cloud A Microsoft Perspective

Data protection issues on an EU outsourcing

005ASubmission to the Serious Data Breach Notification Consultation

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

Privacy Risk Assessments

Submission to the Standing Committee on Industry. Bill C-54, Personal Information Protection and Electronic Documents Act. Information and Privacy

FRANCE. Chapter XX OVERVIEW

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

Privacy Policy. 30 January 2015

Council Policy. Records & Information Management

Taking a Data-Centric Approach to Security in the Cloud

PACIFIC EXPLORATION & PRODUCTION CORPORATION INSIDER TRADING POLICY

The Manitoba Child Care Association PRIVACY POLICY

1. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE INFORMATION.

National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada

Security in Fax: Minimizing Breaches and Compliance Risks

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

Personal Data Act (1998:204);

Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence

(a) the kind of data and the harm that could result if any of those things should occur;

CANADA BUSINESS CORPORATIONS ACT: INSIDER TRADING

Policy Brief: Protecting Privacy in Cloud-Based Genomic Research

Jan Philipp Albrecht Rapporteur, Committee on Civil Liberties, Justice and Home Affairs European Parliament

Government records findings--recognition of public policy.

No. of Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS

How To Ensure Health Information Is Protected

Chapter RECORDS MANAGEMENT Sections:

Consultation Paper. ESMA Guidelines on Alternative Performance Measures. 13 February 2014 ESMA/2014/175

PROTECTION OF PERSONAL INFORMATION

Data Processing Agreement for Oracle Cloud Services

POLICE RECORD CHECKS IN EMPLOYMENT AND VOLUNTEERING

HIPSSA Project. Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Second Mission -Namibia

Data Privacy in the Cloud: A Dozen Myths & Facts

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

Memorandum of Understanding ( MOU ) Respecting the Oversight of Certain Clearing and Settlement Systems. among:

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

A Best Practice Guide

Personal Information Protection Act ( PIPA ) Privacy-Proofing Your Retail Business Tips for Protecting Customers Personal Information 1

How To Protect School Data From Harm

The Health Information Protection Act

Client Update Fourth Anti-Money Laundering Directive Comes Into Force

General HIPAA Implementation FAQ

Addressing Information Protection, Privacy & Sovereignty Concerns in Cloud Applications

Guide to Identifying Personal Information Banks

Under European law teleradiology is both a health service and an information society service.

Data, Privacy, Cookies and the FTC in Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Transcription:

PIPEDA and Online Backup White Paper The cloud computing era has seen a phenomenal growth of the data backup service industry. Backup service providers, by nature of their business, are compelled to collect valuable personal information about their subscribers, and it is critical that this information is kept private, secure and inaccessible to unauthorized individuals at all times. Now this is also legally mandated by the Privacy of Information Protection and Electronic Documents Act (PIPEDA). Service providers who fail to safeguard the personal information entrusted to them by their customers by not complying with the provisions of this act may find themselves facing liability claims and fines, along with the potential of a devastating loss of customer confidence. Contents: 1. Introduction 2. PIPEDA Provisions 3. The Rights of the Individual or Enterprise Under PIPEDA 4. Legal Compulsions Under PIPEDA for Backup Service Providers 5. Exceptional Circumstances for the Disclosure of Information 6. Where PIPEDA Does Not Apply 7. Implementing PIPEDA 8. The Impact of PIPEDA 9. Conclusion

Introduction There is no doubt about it; the modern era of the internet has ushered in a permanent and universal need for constant electronic communication between individuals and businesses. For this reason, legislation has been passed in the European Union, the United States of America, Japan, Hong Kong, Dubai, Australia and New Zealand to make electronic commerce safer and more efficient, with an emphasis on protecting the individual s right to privacy and security of their personal information that they entrust to businesses. PIPEDA was introduced on the 1st of January, 2004 in Canada for this very reason, bringing Canada in alignment with the requirements of the European Union (EU), as well as many other nations around the world where privacy of personal information is mandated by law. In addition to this, PIPEDA was further strengthened by the amending of the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act, all of which served to help safeguard the transfer and usage of information between businesses and individuals in Canada. PIPEDA Provisions PIPEDA aims to create a legal framework concerning the individual s right to privacy of his or her personal information and the ways and means in which said information can be used by the data collecting entity for electronic commerce (or any kind of business, for that matter). The enactment of this legislation is consent-based, making it so that backup service providers who are collecting customer information must now clearly state the purpose for which the information in question is being collected, including letting the customer know what the information will be used for and the terms of disclosure. Indeed, obtaining explicit consent of the individual or enterprise entrusting the personal information is now a top priority. It follows that the information collected must be securely processed and remain inaccessible to unauthorized personnel, third parties and those who are not expressly permitted by the individual or enterprise to view the data. The Rights of the Individual or Enterprise under PIPEDA The individual or enterprise consenting to provide personal information to a backup service provider must know: Why the backup service provider is collecting personal information How the personal information collected will be used Who will have access to the personal information entrusted to the backup service provider How the personal information will be protected and secured by the backup service provider How the information will be destroyed when it is no longer required by the backup service provider How the service provider will ensure that the information is accurate, up to date and complete at all times How the individual or enterprise will be able to access, update or request corrections to their personal information What remedy will be available to the individual or enterprise if the privacy rights are not respected by the backup service provider Whether they have the right to ask why they need to provide personal information, or the right to refuse to provide certain types of personal information, if the reasonableness of the request is not clear

Legal Compulsions under PIPEDA for Backup Service Providers Unlike businesses that collect personal information for journalistic, artistic or literary purposes, backup service providers are subject to the provisions of PIPEDA, regardless of the size of the backup service provider in question or whether or not they operate exclusively online. PIPEDA mandates that backup service providers must: Obtain the consent of their customers for all transactions involving the collection, use and disclosure of their personal information Provide backup services to their customers even if they refuse to give consent for the collection of personal information (unless, of course, the information in question is vital to the transaction) Collect the information by lawful means Formulate, implement and display prominently the personal information policies required of the backup service provider in order to encourage customer understanding of these policies Exceptional Circumstances for the Disclosure of Information In the event of an emergency, backup service providers reserve the right to disclose their client s personal information to the police, if indeed they are requested by them to do so, and proceed with such a disclosure without obtaining the consent of the information owner in question. Where PIPEDA Does Not Apply Enterprises within British Columbia, Alberta and Quebec are currently not covered by PIPEDA, but must still operate under similar provincial statutes. In those provinces, PIPEDA still applies to organizations that are under federal jurisdiction.

Implementing PIPEDA Implementing PIPEDA can bring about potential challenges to some backup service providers, with a number of operational difficulties often surfacing that will indeed have to be overcome. The act impacts technology processes, the elements of a business reputation and the nature of governance itself. While implementing the provisions of this act, backup service providers will have to consider information technology risks, operational risks, human resources risks, finance strategies and customer relations. Any non-compliance with PIPEDA will bring about the potential of criminal prosecution, civil action and the possibility of damaging the reputation of the backup service provider in question. In brief, PIPEDA demands that backup service providers comply with the following tenets while collecting, using or disclosing personal information: Backup service providers must: Remain accountable Understand and implement processing limitations responsibly Ensure that the purpose of any exchange of personal information is specified and consented Ensure that the quality of information is optimized and updated by the information owner Ensure transparency and openness Implement security safeguards at all times to the best of their ability The Impact of PIPEDA No backup service provider wants to be perceived as being behind the curve in the implementation of PIPEDA. PIPEDA-aware backup service providers are continuously: Conducting privacy gap analysis to identify and control weaknesses Setting up remediation programs to address such control weaknesses Assessing cross-border data transfers to ensure adequate levels of protection Compiling and updating privacy policies and procedures to meet with compliance mandates Implementing employee and customer information protection awareness programs Auditing third party data processes for compliance to privacy agreements Updating third party contracts

Conclusion PIPEDA is, above all, a human rights enactment and thus a celebration of the liberty and right to privacy of all people living in this increasingly digital age. It serves to draw attention to the risks involved in disclosing personal information without guarantee of security and demands new levels of customer consciousness concerning the risks he or she may be taking when consenting to share personal information with third parties without regard to consequences. Finally, it serves to hold backup service providers to new, higher standards of accountability, responsibility and security when it comes to how they handle the acquisition, storage and dissemination of their customers valuable personal information.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information