By Security Features • August 29, 2018

Evaluating Privacy Compliance In The Canadian Cloud


The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s set of privacy laws that pertain to how commercial entities manage the collection, use, and disclosure of personal information. Equip your businesses with the information needed to bring your organization into compliance with the laws.

It is the responsibility of each business to be compliant with PIPEDA. It is crucial to conduct compliance assessments at each change in protocol, processes, or policies, and to fully understand all that is required of businesses in regard to PIPEDA. This is particularly crucial when moving to the cloud or when reviewing their cloud service agreement.


It is vital for Canadian businesses to review each principle and assess the criteria for that principle, ensuring that each is satisfactorily met. Business owners should then identify the ways that they are complying with PIPEDA, how it is being carried out, and any actions required to bring the business into compliance.

This evaluation organized to accommodate the 10 Core Principles of PIPEDA, allow business owners to review current policies and procedures to determine if there are any areas where their company is not compliant, especially in the cloud. The evaluation should be comprehensive in order to adequately assess any potential risk factors regarding non-compliance.

10 Evaluative Questions for Businesses

1 Have I appointed an individual or team to manage all aspects of the company’s PIPEDA compliance to include the collection and management of personal information?
2 Have I identified the types of information it will collect, the purposes for collecting this information, and have documented it in my privacy policies?
3 Have I developed policies and procedures for how my company will collect and manage all personal information, both essential and non-essential, including the process for requesting access or making corrections to that information?
4 Have I distributed copies of privacy policies and procedures to all employees within my company and reviewed the information with them to ensure that they fully understand the process?
5 Have I provided my clients and customers with the necessary information regarding how their personal information is collected and managed, including the process for requesting access or making corrections to that information?
6 Have I put contractual agreements in place and company policies to ensure that personal information shared with third parties is covered by a level of privacy protection that is comparable to my own company’s while the information is in the custody of the third party?
7 Have I implemented a system that allows my customers and clients to consent to or opt out of the collection of their personal information with the form of consent being commensurate to the sensitivity of the information?
8 Have I limited the type and amount of personal information that I collect to what is necessary for the identified purpose and collected information only by fair and lawful means?
9 Have I put a policy in place that specifies when updates are appropriate, based on uses and purposes defined for that information including the individual’s interests and updates are performed only when necessary to fulfill the purposes for which it was collected?
10 Have I ensured that I have in place and have incorporated into my privacy policy all technical, physical, and administrative safeguards I employ for protecting personal information, in all its formats, against theft or loss, and unauthorized activities to include disclosure, modification, access, use, and copying?





Original Source:  Cloud28+