Canadian Flag

PIPEDA Compliance in AWS: What You Need To Know

Data compliance has been an increasing area of concern in the wake of several high-profile data breaches and unethical use of digital consumers' personal data in recent years. Data compliance has emerged as a practice to ensure that consumer information is safe and secure on the internet and that it is used in the way it's intended.

The trouble comes from the fact that there's an array of different standards and regulations. This can be confusing when it comes time to ensure your digital assets comply with the latest security standards.

PIPEDA stands for the Personal Information Protection and Electronic Documents Act, and is the Canadian standard for digital security. PIPEDA's been around for a while, as it was initially unveiled in 2000, but it's been revised significantly to keep up with recent technological innovations.

Cloud-based technology wasn't as prevalent as it now is when PIPEDA was created. So how does PIPEDA compliance impact cloud-based services like Amazon Web Services (AWS)? We're going to take a look at AWS PIPEDA and how to ensure your Canadian cloud-based digital assets adhere to the latest security standards and regulations.

What Is PIPEDA Compliance?

Virtually every industry on Earth has been adopting cloud-based technology over the last ten years. The government, of course, is no exception. While there's no denying its effectiveness and efficiency, it does raise questions around data governance and compliance.

Say, for instance, that a government agency in Alberta is using a cloud-based service. Now imagine that the server's in upstate New York, which isn't that much of a reach considering that's part of the point of using the cloud. That means that data could be privy to the Patriot Act, meaning the United States government could gain access to sensitive information.

It also means that Canadian laws that guarantee privacy, such as the Personal Information Protection Act, would not have jurisdiction.

Things get even trickier when you realize that almost every country has protocols around data security and privacy. These protocols raise significant logistical issues around moving data across national borders.

Interestingly, Canada has no single standard for preserving data privacy for all organizations across the country. Provincially regulated organizations are subject first to provincial legislation in many cases. For example, Alberta and British Columbia have their own legislation similar to PIPEDA called Personal Information Protection Act (PIPA).

So who does PIPEDA apply to? PIPEDA is enforced for any federally regulated company that handles customer's personal, private information if it's in the course of inter-provincial and international commercial transactions and there aren't any exemptions.

As is always the case with legal definitions, each of these terms has a specific meaning. The text for PIPEDA itself defines "personal information" as "information about a private individual." The Office of the Privacy Commissioner goes into even greater detail, outlining a number of specific cases and examples.

According to the Office of the Privacy Commissioner, personal information doesn't have to include details about the individual's personal life. It could pertain to shopping preferences or employment information.

Handling refers to collecting, disclosing, or using the information in any way. Data doesn't have to be stored for it to count as handling.

The definition of commercial activity is even more precise. The data doesn't have to be financial in nature to be considered commercial data. It's the way the data is used that makes it count as commercial.

PIPEDA defines commercial activity as "Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."

The definition around commercial activity was further expounded upon by the Assistant Privacy Commissioner. They specify that an organization disclose every organization that collects data from its users state how data is going to be used if it's intended for a commercial purpose. This includes any website intended to generate revenue.

PIPEDA Exemptions

PIPEDA also details any organizations that are exempt from PIPEDA compliance. These include a number of Federal government organizations, such as provincial and territorial governments as well as any agents working on their behalf. It also includes not-for-profit groups, charity groups, political parties, and political associations where commercial activity isn't central to their purpose.

Hospitals, schools, and universities are also exempt from PIPEDA compliance as they're under the jurisdiction of regional laws.

Specific provinces have their own rules around data compliance and governance. If your organization is in Alberta, British Columbia, or Quebec, you'll need to consult the legalities around PIPEDA compliance for your particular area.

The law also takes into consideration how you intend to use the data collected. Individuals can be exempt from PIPEDA compliance if they're collecting data strictly for personal use. Organizations can sometimes be exempt as well if they're collecting data for journalistic, artistic, or literary purposes.

PIPEDA Requirements

There are a few steps you must to take to ensure your organization complies with PIPEDA guidelines.

Consent must be obtained for the specific intended use of the data, so the first step is obtaining that consent before gathering the data. This is usually done using an "opt-in" process. If you're going to use that data for reasons other than those for which consent was originally given, you need to obtain additional consent.

It's important also to allow consumers to be able to see what data is being gathered. You must correct the data if they can prove the personal information you have may be inaccurate.

The third step is to ensure that all information is adequately safeguarded.

Finally, PIPEDA lays out 10 principles an organization can follow to ensure they're meeting PIPEDA guidelines. These are:

  • Accountability
  • Identify Purposes
  • Obtain Consent
  • Limit Data Collecting
  • Limit Use, Disclosure, and Retention
  • Accuracy
  • Appropriate Safeguards
  • Openness
  • Consumer Access
  • Address Complaints

PIPEDA Compliance For AWS

Now we finally come to AWS. The public cloud raises even more questions around data security, as there are many factors outside of end-users' control. Some contrarians theorize that it's impossible to secure the public cloud sufficiently for it to be trusted. They advocate solely for on-premises cloud servers.

But don't give up on the public cloud just yet, though, as Amazon is taking steps to ensure that their public cloud services comply with PIPEDA and the Personal Information Protection Act. They've recently built two availability zones (data centres) in Montreal, meaning that most of their core cloud-based data services operate on native soil.

How To Ensure Your AWS Data Meets Pipeda Compliance

There are steps you can take to ensure that your data meets Pipeda compliance.

The first thing you should consider to make sure your data meets Pipeda compliance in Canada is how you connect to the cloud. If you're using a public network, the odds are good that your data is going to leave the country at some point. This transit would result in your data being unprotected and no longer beholden to national privacy laws.

To avoid this and make sure your data remains secure and compliant, you can set up a private network from your location directly to your AWS VPC and ensure your VPC and other resources are provisioned in the Canada Central (Montreal) region.

The next thing you need to consider with your cloud-based services is how to ensure reliability. You need to make sure your apps and services remain available even if an availability zone goes down. Luckily, this isn't that difficult to achieve. You can split your services across two availability zones to ensure that you have a backup in case of emergency.

You also need to consider your data backup location. Check to make sure that the backup location is also a Canadian availability zone to verify that it will remain Pipeda compliant. You might want to source a different data backup, apart from the AWS availability zones in Montreal, however. This is in case of some emergency occurring in Montreal, which could affect both data centres.

There's no going back in today's data-driven world. Businesses and organizations IT needs are growing increasingly complex in the wake of decentralized workplaces and a global marketplace. Data is powerful, and can be used for good as well as ill.

PIPEDA compliance is one step towards ensuring these powerful new tools and technologies are used in a way that keeps private data safe. Making sure your organization complies with the provisions laid out by PIPEDA will help you weather the storm and healthfully adapt to this new world.

Want To Make Sure Your AWS Services Are Secure?

The rules and laws surrounding technology and personal data change frequently. It is our passion to help companies adapt to these changing paradigms, ensuring your data, digital assets, and AWS cloud-based applications comply with relevant data protection laws.

If you're ready to make sure your organization follows PIPEDA compliance, contact us today and let us know how we can help!