On August 25th, Arbitrator Outhouse held that Dalhousie University did not violate the Personal Information International Disclosure Protection Act by providing e-mail and other IT services via a cloud-based platform. The decision is about compliance with the Nova Scotia statute, though Arbitrator Outhouse does comment on the interests and risks involved in outsourcing of this kind.
On January 27th, the federal Privacy Commissioner released a document entitled “Guidelines for Processing Personal Data Across Borders.” The guidelines reflect the OPC’s pragmatic approach to the issue, but seem to put slightly greater emphasis than in prior commentary on the need for organizations to examine local and political factors in their due diligence process:
In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.
The Guideline is available here.
This is the title of our just-published university sector client bulletin. It was one of those writing projects I thought I could tackle quickly, but it led to some significant inquiry and learning, all of which was rewarding. It is written for universities but is relevant to anyone with responsibility for computer use policy in an organization. Click here for more. Hope it is helpful.