CmB magazIne cmba-achc.ca spring 2018 | 13
letters to the editor
n
"Cloud Computing for Small- and Medium-
Sized Enterprises" at www.priv.gc.ca/en/
privacy-topics/technology-and-privacy/online-
privacy/cloud-computing/gd_cc_201206/
n
"Getting Accountability Right with a Privacy
Management Program" at www.priv.gc.ca/
en/privacy-topics/privacy-laws-in-canada/
the-personal-information-protection-and-
electronic-documents-act-pipeda/pipeda-
compliance-help/pipeda-compliance-and-
training-tools/gl_acc_201204/.
Cloud Computing – Transborder
Canadian organizations in the private sector
are permitted to transfer personal information
to an organization in another jurisdiction for
processing. However, doing so can pose several
issues including:
n
the cloud provider's backup servers could
be in a different physical location than the
primary servers;
n
the data that is outsourced may be
physically located in several jurisdictions;
n
the data in another jurisdiction is subject to
the laws of that jurisdiction;
n
the laws of the jurisdiction where the
data is located may allow access in broader
circumstances than would be allowed in
Canada; and
n
it may be difficult to obtain and enforce
judgments in other jurisdictions.
e sensitivity of the information is a
major factor in determining whether it is
appropriate to send it to cloud computing. A
person's financial information is considered
one of the more sensitive types of information
and so is subject to greater protection. A
foreign jurisdiction storing and allowing
access to a client's information may very well
contravene the Registrar's bulletin, as the
disclosure would be neither authorized by the
client nor required by law (we are concluding
that access or disclosure required by foreign
law is not to be considered as required by law
for our purposes). It could also be concluded
that the broker did not take reasonable steps to
ensure the safety of the client information from
access by persons who are not authorized by
the client to have the information.
For additional guidance on transborder
data flows, see Guidelines for Processing
Personal Data Across Borders at www.priv.
gc.ca/media/1992/gl_dab_090127_e.pdf.
Although these Guidelines relate to the federal
legislation, the principles would as well be
valuable in determining compliance with
the provincial legislation.
Further Information
More complete information is available on the
B.C. Information and Privacy Commissioner's
site at www.oipc.bc.ca/ and at the sites of
the Canadian and other provincial privacy
commissioners.
We hope you find this of assistance and
thank you for your question.
Please send letters to the editor to
info@cmba-achc.ca
