For practitioners, using cloud services must be done with care because there are client confidentiality issues to consider in addition to meeting the obligations of various privacy legislation.
Practitioners should take several steps before moving to cloud services, such as:
- Assess the risks against the benefits of using cloud services.
- Determine the type of cloud services you are considering (public, community, private, or hybrid).
- Know the service contractor’s agreement terms.
- Find out what the service provider’s processes are should a breach of information occur.
- Find out if periodic audits are performed within the service provider’s organization.
- Determine how your clients’ personal information will be returned to you upon termination of your agreement.
- Determine what the prospective cloud provider will do with your clients’ information.
There are several relevant pieces of privacy legislation that practitioners should be aware of. Summary of the privacy legislation that may be applicable in Canada and the factors which determine which laws apply.
For practitioners and their clients that are established and operate exclusively in British Columbia, one or both of the following legislation likely apply:
- BC Personal Information Protection Act (PIPA)- applies to most private businesses in BC;
- BC Freedom of Information and Protection of Privacy Act (BC FOIPPA) - applies to BC public bodies, a defined term that includes BC government ministries, local government bodies, health care bodies, educational bodies, and other bodies designated in, or added by regulation to Schedules 2 and 3 of BC FOIPPA.
Most practitioners operate their firms as private businesses and would be governed under the BC PIPA. However, if practitioners receive or access personal information under the control of a public body in the course of their engagements, they may also need to comply with BC FOIPPA. Under BC FOIPPA, personal information must be stored and accessed in Canada, unless documented consent in prescribed form has been put in place. Where such consent is not in place, practitioners will need to make arrangements for any personal information held in the cloud to be stored on servers located in Canada.
The Office of the Information and Privacy Commissioner (OIPC) provides independent oversight and enforcement of BC's privacy laws. The OIPC has issued additional resources and guidance for small businesses: