Data Management

Storing Customer Data on Servers Outside Canada: Good or Bad Practice?

Over the past month, I’ve had to review several contractual clauses that organizations must follow under Canadian privacy laws. Research I conducted to verify if it was possible to use the services of third parties to process data. The issue: Can we send contact database files outside of Canada?

I will not give legal advice, but simply expose guideline rules that have helped us to determine if we could use the third party servers located outside of Canada. I invite you to consult your legal counsel for advice that applies to your organization and its territory. And, in the meantime, be immediately reassured, we keep our customers’ data in Canada.

To answer the question, I did some research on this subject.

The general conclusions that I take from my research are found on the website for the Office of the Privacy Commissioner of Canada. They give key recommendations that apply to all organizations in Canada:

The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.

Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.

No contract can override the criminal, national security or any other laws of the country to which the information has been transferred.

It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada.

Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.”

Because we are not able to ensure security and data access procedures, nor to discuss the contract with U.S. suppliers, we rejected the American solutions of cloud computing to prefer the use of data in Canada. Furthermore, even if the law is not formal in this regard, we will not take unnecessary risk of exposing ourselves to other acceptable data use practices, which are not permitted here in Canada at all, such as sharing contact lists.

Finally, to avoid any difficulties and meet the highest standards of safety, we prefer not to send or share any customer data on servers outside Canada. With all the controversy of the use of U.S. data with the Snowden case, I think it is a wise decision. What do you think?