Practitioners must use cloud services with care, because there are client confidentiality issues to consider in addition to meeting their obligations under various privacy legislation.
Practitioners should take several steps before moving to cloud services, such as:
- Assess the risks against the benefits of using cloud services.
- Determine the type of cloud services you are considering (public, community, private, or hybrid).
- Know the service contractor’s agreement terms.
- Find out what the service provider’s processes are should a breach of information occur.
- Find out if periodic audits are performed within the service provider’s organization.
- Determine how your clients’ personal information will be returned to you upon termination of your agreement.
- Determine what the prospective cloud provider will do with your clients’ information.
There are several relevant pieces of privacy legislation that practitioners should be aware of. Summary of the privacy legislation that may be applicable in Canada and the factors which determine which laws apply.
For practitioners and their clients that are established and operate exclusively in British Columbia, one or both of the following pieces of legislation likely apply:
- BC Personal Information Protection Act (PIPA) - applies to most private businesses in BC;
- BC Freedom of Information and Protection of Privacy Act (BC FOIPPA) - applies to BC public bodies, a defined term that includes BC government ministries, local government bodies, health care bodies, educational bodies, and other bodies designated in, or added by regulation to, Schedules 2 and 3 of BC FOIPPA.
Most practitioners operate their firms as private businesses and would be governed under the BC PIPA. However, if practitioners receive or access personal information under the control of a public body in the course of their engagements, they may also need to comply with BC FOIPPA. On November 25, 2021, amendments to the BC FOIPPA were enacted. As a result of these amendments, public bodies must complete an additional assessment when sensitive personal information is disclosed to be stored outside of Canada. For more information, please visit "Guidance on Disclosures Outside of Canada" - Province of British Columbia.
The Office of the Information and Privacy Commissioner (OIPC) provides independent oversight and enforcement of BC's privacy laws. The OIPC has issued resources for private organizations and guidance documents including guidance on developing a privacy policy under PIPA.