In an age of increasing data breaches, users should confirm that they comply with their data protection obligations and have a plan in place to mitigate the harm that can be done in the event of a data breach.

An organization that plans to use a cloud-based service provider should ensure that it has been transparent about its information handling practices to its customers. Under many of the private sector privacy laws in Canada, a person who collects personal information that will be processed by a cloud-based service provider must disclose that fact in its privacy disclosure materials when it obtains consent to collect the personal information. Where the data will be held outside Canada, best practice is to disclose that fact when collecting the personal information.

The organization should understand that when it engages a service provider to process personal information, the organization remains responsible for that service provider’s compliance with the organization’s privacy obligations. Among other things, that means that the organization is required to use contractual or other means to provide a comparable level of protection while the third party is processing the personal information.

Understanding compliance obligations

A good starting point is for the organization to assess and understand its own compliance obligations. In addition to the mandatory privacy and security obligations under private sector privacy law, the organization may be subject to other regulatory obligations. For example, certain financial institutions may also be subject to regulatory guidelines established by the Office of the Superintendent of Financial Institutions.

Once an organization understands the obligations it must meet, it can then conduct due diligence on the cloud service provider to ensure that the provider's practices will be sufficient for the organization.

The organization should also assess its measures for handling a data breach. Proactive steps include using data encryption shared with the service provider and limiting the amount of information collected in the first place. Another proactive step is for the organization to understand its data breach reporting obligations.

A well-prepared organization will plan in advance for a data breach by having prepared all of the governance, decision-making, and investigative resources needed to respond quickly to an incident.
Customers and the public see organizations that are ready in advance as more proactive and privacy-savvy. A prompt reaction to a data breach can enhance the trust that customers and the public place in the organization.