
Data Residency Requirements Canada: Does Canadian Data Need to be Stored in Canada Only?

No. Neither PHIPA nor PIPEDA requires private-sector organizations to store Canadian data only in Canada; neither law contains a data residency requirement to that effect.

Government entities, however, are subject to data residency (data localization) requirements that oblige them to ensure data does not leave the country.

Although there is no data residency requirement for the private sector in Canada, PHIPA and PIPEDA require organizations to have adequate technical and physical safeguards in place to protect the data, wherever it is stored.

Here is what the Information and Privacy Commissioner of Ontario has to say about it:

“PHIPA does not require that personal health information be retained and stored in Ontario or Canada. There is no legislative prohibition on storing and accessing personal health information outside of Ontario. For example, a custodian may decide to outsource the storage of personal health information to a service provider in another jurisdiction. However, the custodian is ultimately accountable for the actions of its agent and must be satisfied that appropriate administrative, physical and technical safeguards are in place, for example, through contractual arrangements.” [Source]

The structure of data privacy laws in Canada:

In Canada, there is one federal-level data privacy law, PIPEDA, and multiple provincial-level laws, such as:

  • PIPA: Personal Information Protection Act (AB)
  • PHIPA: Personal Health Information Protection Act (ON) (Healthcare-specific)
  • PHIPAA: Personal Health Information Privacy and Access Act (NB)
  • PHIA: Personal Health Information Act (NS, NL)
  • Quebec Privacy Act (QB)

So if you operate a business (for example, a healthcare business in Ontario), PHIPA certainly applies to you, but PIPEDA also applies to your business practice.

For the most part, the requirements of federal and provincial data protection laws in Canada are the same, but there are some differences.

For instance, PHIPA applies to both commercial and non-commercial healthcare activities, whereas PIPEDA applies only when you collect, use or share data in the course of commercial activities, regardless of industry.

What are your responsibilities when you are storing data outside of Canada?

You can store data outside of Canada if you belong to the private sector.

The catch is that you remain fully responsible for ensuring the data is stored securely.

Unlike HIPAA, none of the Canadian data privacy laws prescribe a specific list of technical and physical safeguards for keeping data private and secure before, during and after a transfer between entities, whether across or within borders.

PIPEDA does, however, require organizations to use contractual or other means to ensure a high level of protection while a third party processes the information.

PIPEDA also makes it compulsory for both you and the data storage service you use to notify the Privacy Commissioner in the event of a data breach.

Moreover, PIPEDA suggests that organizations validate the privacy policies and procedures their data storage service providers have in place, including the training of provider staff.

The difference between Canadian and European data residency requirements:

The global economy depends heavily on cross-border data transfers, which at the same time carry significant privacy and security risks.

To keep privacy risks to a minimum while data is stored, transferred and used across borders, different countries have imposed different data residency requirements.

For example, the European Commission restricts data transfers to jurisdictions that it does not find to offer “adequate” protection for personal information.

This is called the state-to-state approach.

But in Canada, “PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.”

However, PIPEDA does require an organization to validate the privacy and security measures of any other organization it deals with.

Canada is therefore said to take an organization-to-organization approach.

Key highlights of the blog:

  • If you belong to the private sector, you are allowed to store data outside of your province and even outside Canada.
  • However, it is your responsibility to make sure that your data storage service provider (or any cloud service) has strong data privacy and security policies in place.
  • This is because you remain accountable for the secure transfer of the data you own.

Are you finding Canadian data privacy laws complex to navigate? We can help you with our data privacy and security expertise. We generally work with the healthcare industry only, but if you are really stuck and we are in a position to help, we will certainly guide you through!