Data Privacy in Canada

Personal information kept safe and, when necessary, on shore


Privacy is a fundamental right in Canada. We even have a privacy commissioner. The job of the Office of the Privacy Commissioner of Canada is to ensure that any organization that collects your personal information – whether a government agency or private institution – does so with care and respect for your privacy. 

What is data privacy?

In this country, as in many others, individuals have the right to control how their personal information is collected and used. When we talk about data privacy, we’re addressing whether information is being used for its intended, legitimate purposes. When personal information is being processed, careful handling must ensure confidentiality and address things like consent, proper storage and disposal, notice, and compliance with applicable privacy regulations.

For a business or entity processing personal information, data privacy has two goals. Adhering to the first helps achieve the second.

  1. Comply with regulatory and contractual requirements
  2. Build customer trust

Trust is built through transparency, so it’s important to demonstrate publicly that regulatory requirements are being met and systems are in place to remain compliant. Privacy policies* must be accessible and simple to understand. Disclosures of security policies, alerts and updates* are key to maintaining that trusted relationship.

There are two levels of data privacy laws in Canada, and when more than one law applies, you must comply with both.

Federal Privacy Laws

  • The Privacy Act upholds privacy regulations for the federal public sector together with provincial privacy legislation. 

The government collects information from its citizens in order to deliver services and set policy (e.g., employment benefits, taxation, pension payments). The Privacy Act dictates how this information is collected, used, and retained. It also covers citizens’ rights to access their personal information.

Provincial Privacy Laws

Provinces maintain their own privacy laws and each has its own privacy commissioner or ombudsman that is responsible for overseeing and enforcing information access and the various privacy regulations that may differ by province. 

Here are a few variations in Canada’s provincial privacy laws:

  • Alberta and Quebec restrict the transfer of public sector personal information outside of the country, and sometimes outside the province
  • Ontario requires health-related information to remain in Canada
  • British Columbia and Nova Scotia prohibit government institutions, Crown agents, and their service providers from moving personal information outside Canada

Canada’s provincial and territorial privacy laws can be found here.

What is data residency?

When regulations obligate us to keep certain types of data within our borders, that’s what is meant by data residency. Such is the case with health-related information in Ontario. PHIPA is the Ontario legislation governing personal healthcare information: its collection, storage, transfer and personal access. It requires that data be kept ‘on shore’ in Canada.

Docusign is a good example of a company that allows its customers to safeguard Canadian data in this country and enables them to easily comply with Canadian data residency regulations. For data residency requirements, Docusign maintains two datacentres in Canada, one in Toronto and one in Quebec City. 

Cross-border data storage in the U.S.

As long as Canadian privacy or other regulations do not prohibit it, Canadian companies may generally use cloud solutions that are based in the United States. Under PIPEDA, organizations that are otherwise compliant with the law may freely move personal information across the border if it makes business sense to do so. Canadian companies, including financial institutions, may transfer data to the U.S. without obtaining any special consent from customers for such transfer, so long as they provide notice to customers about their information security and protection practices, and keep the information secure.

PIPEDA, the federal privacy regulation that governs how personal information is collected and protected, also regulates the movement of such data across borders. In cases when data is transferred outside of Canada, PIPEDA holds the originating Canadian business liable for any problems during cross-border transfer. Any third party that processes Canadian data must provide a level of protection comparable to what the data would have received if it remained with the Canadian company initiating the transfer.

What’s new in privacy protection?

With an increased focus on data protection, new privacy laws are being introduced around the globe that have implications for those regions, as well as for anyone doing business with them. GDPR, Europe’s rigorous data privacy regulation, and the California Consumer Privacy Act (CCPA) are recent examples of stricter data handling rules.

Globally, privacy obligations generally cover several important aspects of data stewardship:

  1. Lawfulness, fairness and transparency
  2. Accuracy
  3. Accountability
  4. Purpose limitation
  5. Data minimization
  6. Storage limitation
  7. Integrity and confidentiality (security)

As of the date of this publication, Canada has been granted “adequacy status” by the EU, which means Canada’s data privacy framework is generally sufficient to meet the GDPR safeguards required for any European data transferred here from Europe. Canadian data protected under PIPEDA is understood to offer a level of protection in alignment with GDPR, making it easier for Canadian companies to do business with EU countries. 

It’s hard to fathom that 90% of the world’s data has been collected in the last two years alone – and is expected to double every two years. Much of that data is personal, so it’s no wonder the subject of data privacy is top of mind and under constant review and scrutiny.  

* For an example of a comprehensive privacy policy, see the Docusign Privacy Policy
* Visit the Docusign Trust Center for information about the company’s data security and protection practices

