Canada privacy laws
Canada privacy laws overview
Canadian privacy laws were established to protect the privacy of individuals and give them the right to access information gathered about them. The laws require organizations to take reasonable steps to safeguard information in their custody or control. They apply to personal information that is held and processed by governments and private organizations.
Federal privacy laws
Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada (OPCC):
- The Privacy Act regulates how federal government organizations collect, use, and disclose personal information, including personal information of federal employees. It applies only to federal government institutions listed in the Privacy Act Schedule of Institutions.
- The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information related to business activities of commercial for-profit enterprises and for the employees of federally regulated businesses like banks, airlines, and telecommunications companies.
PIPEDA is founded on 10 fair information principles that businesses must follow if they are to comply with the law. For example, the basic principle of consent gives rise to the PIPEDA requirement that organizations must obtain an individual's permission to collect or use their personal information. Individuals have the right to both access that personal information and challenge its accuracy, grounded in the principle of individual access. The principle of identifying purposes leads to the rule that personal information can be used only for the purposes agreed upon.
Provincial privacy laws
In general, PIPEDA applies to commercial activities in all provinces and territories, except those operating entirely within provinces with their own privacy laws that have been declared substantially similar to the federal law. For example, Alberta, British Columbia, and Québec have private sector privacy legislation deemed substantively similar to PIPEDA, and as a result, the provincial laws are followed there in place of the federal legislation. Moreover, New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario have health-related privacy laws that have been declared substantially similar to PIPEDA with respect to health information. These laws apply to personal health information within the respective provinces.
- Alberta: The Information and Privacy Commissioner of Alberta enforces the Personal Information Protection Act (PIPA), which provides individuals with the right to request access to their own personal information while providing private sector organizations with a framework for conducting the collection, use, and disclosure of personal information.
- British Columbia: The Information & Privacy Commissioner for British Columbia enforces the following legislation:
- Freedom of Information and Protection of Privacy Act (FIPPA) sets out the access and privacy rights of individuals as they relate to the public sector.
- Personal Information Protection Act (PIPA) applies to private-sector organizations that collect, use, and disclose the personal information of individuals in British Columbia.
- Québec: The Commission d’accès à l’information du Québec enforces the Act respecting the protection of personal information in the private sector, which establishes rules for the collection, use, and communication of personal information in the course of business activities.
- New Brunswick: The Personal Health Information Privacy and Access Act (PHIPAA) establishes rules that protects the confidentiality of personal health information and the privacy of the individual to whom that information relates.
- Newfoundland and Labrador: The Personal Health Information Act (PHIA) establishes rules that custodians of personal health information must follow when collecting, using, and disclosing individuals’ confidential personal health information.
- Nova Scotia: The Personal Health Information Act (PHIA) governs the collection, use, disclosure, retention, disposal, and destruction of personal health information.
- Ontario: The Freedom of Information and Protection of Privacy Act (FIPPA) establishes a general right of access to recorded information in the custody or control of institutions subject to the legislation and protects the privacy of individuals regarding their personal information in the custody or under control of those institutions. Moreover, the Personal Health Information Protection Act (PHIPA) establishes rules for the collection, use, and disclosure of personal health information.
Azure and Canada privacy laws
There is no formal certification that cloud service providers can use to comply with Canadian privacy laws. However, Azure provides you with:
- Strong privacy assurances about controlling your data, where your data is located, securing your data, and defending your data.
- Privacy-related contractual commitments regarding data residency, security, access, breach notification, and so on, as stated in the Microsoft Products and Services Data Protection Addendum (DPA).
- Ability to maintain ownership of customer data—the content, personal data, and other data you provide for storing and hosting in Azure services. Microsoft won't store or process your customer data outside the geography you specify, except for certain non-regional services.
- Relevant formal audits conducted in accordance with established standards such as ISO 27001, ISO 27018, ISO 27701, SOC 2 Type 2, and others.
- Technical features such as data encryption in transit and at rest, resource monitoring, security alerting, and so on, to help you enable data protection and meet your privacy requirements.
- Guidance documentation, including privacy implications on Microsoft cloud services that covers Canada among many other countries.
- Azure foundational privacy impact assessment (PIA), is available from the Service Trust Portal (STP) Privacy and Data Protection section. The Azure PIA provides a third-party analysis of how Microsoft Azure complies with the Canadian Privacy Act, PIPEDA, FIPPA (Ontario), PHIPA (Ontario), CSA Code (Private Sector), Québec Private Sector Law, and ISO/IEC 27018.
- Additional cloud services privacy documentation is available from the STP Canada regional resources section.
If you're considering outsourcing business functions to the cloud, Microsoft has published the following documents available from the STP Resources for Canada section:
- Navigating your way to the cloud in Canada, which provides step-by-step guidance for cloud adoption.
- Compliance checklist for financial institutions in Canada, which provides an overview of the regulatory landscape, including privacy regulations, and a detailed listing of how Microsoft cloud services can help you meet contractual requirements for material outsourcing arrangements.
To support public and private sector organizations that are concerned about data residency, Microsoft has established two Canadian data centers in Toronto and Québec City. These data centers add in-country data residency, failover, and disaster recovery for your customer data and applications.
According to the Microsoft Product Terms (formerly Online Services Terms) and the Microsoft Products and Services Data Protection Addendum (DPA), the responsibility and ownership of personal data lies with you. However, Microsoft has assessed its practices in risk, security, and incident management; access control; data integrity protection; and other areas relative to the recommendations from the Office of the Privacy Commissioner of Canada. Based on that assessment, we have determined that in-scope Azure services can meet those recommendations and help you meet the requirements of Canadian privacy laws.
How to implement
- Privacy in Microsoft cloud services: Get details on Microsoft privacy principles and standards and on privacy laws specific to Canada.
- Compliance checklist for financial institutions in Canada: Learn more about Azure features that can help you meet Canadian privacy laws.
- Azure foundational privacy impact assessment (PIA) for Canada: Third-party analysis of how Azure complies with the Canadian Privacy Act, PIPEDA, FIPPA (Ontario), PHIPA (Ontario), CSA Code (Private Sector), Québec Private Sector Law, and ISO/IEC 27018.
- Azure data protection: Azure provides you with strong data security, both by default and as customer options.
- Business continuity and disaster recovery: Learn how to use Azure to recover your business services in a timely manner in the case of service disruption or accidental data deletion.
Frequently asked questions
As an Azure customer, how can I comply with PIPEDA and other Canadian privacy laws? Microsoft states in the Microsoft Product Terms (formerly Online Services Terms) that it complies with laws and regulations that apply to its provision of Microsoft online services. However, organizations that use Microsoft online services including Azure are wholly responsible for compliance with all laws and regulations applicable to them, including Canadian privacy laws.
As a result, privacy is a shared responsibility between Microsoft as a cloud service provider and you as the customer using cloud services. At a high level, this requirement means that you must ensure that your solutions implemented on Azure address the 10 PIPEDA fair information principles. For example, you're responsible for getting the consent of individuals to collect their personal data and safeguarding it with adequate security measures. Microsoft doesn't inspect, approve, or monitor your applications deployed on Azure.
What third-party audits validate Azure security controls? Azure undergoes formal audits conducted in accordance with established standards such as ISO 27001, ISO 27018, ISO 27701, SOC 2 Type 2, and others. Compliance with these standards is verified by third-party auditors who provide independent validation that security controls are in place and operating effectively. You can access audit reports and certificates from the Service Trust Portal (STP). You must sign in to access audit reports on the STP. You must have an existing Azure subscription or free Azure trial account to sign in. For more information, see Get started with Microsoft Service Trust Portal.
Will I know the physical location where my data is stored? Yes, you'll always know where you customer data is stored at rest. Microsoft provides strong customer commitments about data residency in the Microsoft Products and Services Data Protection Addendum (DPA), and explains how data residency commitments apply to Azure regional vs. non-regional services. No matter where your customer data is located, Microsoft doesn't control or limit the locations from which you or your end users may access customer data.
PIPEDA doesn’t require Canadian businesses to keep personal information in Canada. However, depending on the province where organizations do business, or their industry, they could be required to keep certain types of data within Canadian borders. To help address these types of requirements, Microsoft has established two Canadian data centers in Toronto and Quebec City. The physical infrastructure at Canadian data centers is in scope for Azure formal third-party audits mentioned previously.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Privacy on the Microsoft Trust Center
- Microsoft Product Terms (formerly Online Services Terms)
- Microsoft Products and Services Data Protection Addendum (DPA)
- Privacy at Microsoft
- Privacy in Microsoft cloud services
- Microsoft Privacy Statement
- Privacy considerations in the cloud