Resources | Our Blog: Newsledger | White Papers | Budgetary Commentary | FAQS |

Cloud vs Canadian privacy laws compliance

April 11th. 2016

Canadian privacy laws compliance should be studied and considered before any Canadian company considers cloud deployment of their IT infrastructure or processing of accounting and client related data in the cloud.  There are considerable risks inherent in the use of foreign, third party software and servers to process and store your client and financial information.

With respect to the privacy issues, it may be sufficient to make disclosure to your clients, explaining that their information is being stored outside Canada. However, all confidential client data must be protected at all times, through restricted user access, password protection and data encryption where applicable. As data is being processed it goes through three major steps: Transfer, Processing and Storage. All three stages have unique requirements but the overall protection mechanisms should stay linked and unbroken across the entire data flow.


During every outside transfer of personal information for the purpose of processing, data should be encrypted using the SSL (Secure Sockets Layer). SSL is the standard security technology for establishing an encrypted link between two endpoints. This link ensures that all data passed between the endpoints remain private and integral. SSL is a well-known and widely used standard adopted by the banking industry, government websites, as well as the online retail industry.


The data processing solution should include an audit log allowing the entity to monitor and safeguard all records, and to be able detect and alert IT staff of any unauthorized access attempts and potential data breaches. Your company should have policies and processes in place to counteract such situations. At the same time the organization should make sure that adequate personal data handling training is provided to the staff with access to any donor private information.


All donor sensitive private information should be encrypted when stored electronically. Unfortunate cases of computer equipment theft may lead to massive data breaches when not properly protected.

It may come as a surprise to some but depending on the residence there are different privacy laws in Canada. For example, British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies.

Alberta has enacted legislation that makes it an offense for a public body or a service provider to disclose personal information in response to an order that does not have jurisdiction in Alberta. Similarly in British Columbia and Nova Scotia, Privacy Acts require that information under the custody and control of a public body be stored only in Canada and accessed only in Canada unless the individual has consented to its storage or disclosure outside of Canada or one of a number of narrow exceptions apply.

The public body and any of its service providers are under a legal obligation to report any foreign demands for disclosure. Violating any of these provisions is an offense. In Nova Scotia the head of the public body is obliged to report any such exceptions to the Minister of Justice after the year end in which these decisions are made.

In light of the issues of “data sovereignty”, the easiest way to avoid any issues is to use Canadian servers to host their information.  In that regard, IBM and Oracle currently offer servers based in Canada for cloud based information storage.  Microsoft is another provider, who addressed Canadian clients concerned about data sovereignty by deploying their cloud servers in Canadian datacenters. Microsoft’s Canadian cloud is currently in beta testing with select clients. Microsoft plans to launch their cloud from the Canadian cloud regions into general availability in Q2 2016. 




T1 Checklist T1 Checklist
Community Action 
2005 - 2014 - Past Blog Posts 

At S+C Partners, we take a holistic view of client relationships by providing a full range of services including assurance, tax, advisory and information technology to support our clients’ financial commitments, minimize tax liabilities, optimize profitability and automate business processes.

Home | Legal and Privacy | Sitemap | Contact | Google+
All content © 2018 S+C Partners LLP