What is PIPEDA and Who Does PIPEDA Apply To?

The Personal Information Protection and Electronic Documents Act (PIPEDA), introduced in April 2000, is a Canadian federal law that governs the collection, use, and disclosure of personal information by the private sector. Similar to the EU’s data protection rules laid out in the General Data Protection Regulation (GDPR), PIPEDA was enacted to ensure the security and privacy of protected data.

Atlantic.Net has a data center presence in Canada, and we already provide compliancy hosting from that location for Healthcare organizations. There are many shared synergies between the rules of PIPEDA and the legislation of Health Insurance Portability and Accountability Act (HIPAA)-Compliance. In this article, we will discuss if HIPAA-Compliant hosting is compatible with the PIPEDA legislature.

What does PIPEDA grant Canadian Citizens?

PIPEDA provides individuals with a right to:

• Access their personal information
• Challenge and correct the accuracy of any personal information
• Understand who is collecting their personal information and why they are doing so

PIPEDA applies to any private sector businesses and organizations across Canada that process or disclose personal information for the purposes of commercial activity. PIPEDA also applies to non-Canadian organizations that collect and utilize personal information on behalf of Canadian citizens.

PIPEDA does not apply in Alberta, British Columbia, and Québec. These provinces have their own privacy legislation in place which is substantially similar to PIPEDA.

What Are the Ten PIPEDA Principles?

Businesses and organizations that are governed by PIPEDA must comply with the legislation’s ten fair information principles:

1. Accountability – an organization must take full responsibility for the personal data that they store and process
2. Identifying Purposes – the organization should confirm its need to collect personal data prior to doing so
3. Consent – the organization should obtain “meaningful consent” from an individual prior to data collection
4. Limit Collection – organizations must collect only the minimum amount of data necessary for their purpose
5. Limit Use, Disclosure, and Retention – data must only be used for its intended and consented purpose
6. Accuracy – all stored data must be up-to-date, complete, and accurate
7. Safeguards – adequate security measures must be put in place to maintain the integrity and security of data
8. Openness – organizations should be transparent about their data collection and handling processes
9. Individual Access – individuals have the right to view, assess and correct any information that is held about them
10. Challenging Compliance – individuals also have the right to challenge an organization’s compliance with the ten fair information principles

How Does PIPEDA Differ From HIPAA?

PIPEDA shares similarities with the United States’ HIPAA regulations. However, there are some key differences between the two legislations:

• HIPAA governs the use and disclosure of patient data within the United States, while PIPEDA relates to Canadian consumer data
• While HIPAA relates only to healthcare data, all forms of consumer data, from any industry, are covered under PIPEDA
• Under PIPEDA law, organizations must obtain consumer consent prior to data collection. HIPAA legislation does not always require a patient’s consent or even their prior knowledge
• HIPAA violations often lead to harsher penalties than PIPEDA breaches

Complying With PIPEDA

As made clear in the first of PIPEDA’s ten fair information principles, each organization must take responsibility for its use of personal information and PIPEDA compliance. Suitable policies and procedures must be established to ensure that consumer data is handled correctly and that all ten PIPEDA principles are adhered to.

While the onus is on an organization to adequately secure data, choosing the right hosting provider will make your compliance journey easier. A good hosting provider will help you to address all ten principles, with their main focus being on implementing the necessary safeguards to protect data.

How Can Atlantic.Net Ensure PIPEDA Compliance?

As a HIPAA-compliant hosting provider, Atlantic.Net can help to ensure that your organization meets, and even exceeds, PIPEDA requirements by providing the necessary technical and physical safeguards for your hosting environment:

Technical Safeguards

Fully Managed Firewall

Offering a combination of hardware and software-managed firewalls, your network will be secured against unauthorized access and intrusion. For the protection of web servers, an organization may also consider introducing a robust Web Application Firewall (WAF) as part of Atlantic.Net’s Network Edge Protection. Additional managed services can be leveraged to create an Intrusion Prevention Service (IPS), perfect for PIPEDA, as this intelligent service scans network traffic already accepted by the firewall, looking for unexpected trends in behavior and automatically logging any incidents. This automated service provides 24×7 protection at the network layer.

Encrypted Offsite Backups

With data protection of utmost importance, Atlantic.Net offers fully automated onsite and offsite backups with additional replication services. These options can be tailored to meet the specific needs of your organization and can be enabled simply by ticking a checkbox on our Cloud Platform.

Disaster Recovery Services

One of the key elements of PIPEDA is to ensure that members of the public have the right to view and amend any personal information held on them, an extra managed service offered by Atlantic.Net is a managed DR Service, production workloads can be failed over to a secondary location in the event of a major outage at the primary location. Only this month, a data center in Strasbourg (Europe) burnt down, emphasizing the importance of disaster recovery capabilities.

Encrypted VPN and Storage

To comply with PIPEDA laws, an organization should employ suitable encryption methods to ensure the integrity of their collected and stored data. Atlantic.Net does this in two ways – we encrypt VPN traffic (either site-to-site or remote access) and we encrypt all of our storage platforms with a minimum of AES256 security ciphers.

Multi-Factor Authentication (MFA)

In today’s climate, protecting data against loss, theft and unauthorized use is paramount. PIPEDA regulations declare that an organization must take “reasonable” measures to protect the integrity of personal data. Implementing MFA into your infrastructure can negate the risk of compromised credentials. MFA is relatively easy to set up, but it is incredibly effective at protecting servers containing data subject to PIPEDA. If a server is compromised, MFA will prevent the hacker from moving sidewards around your network, if indeed they can compromise a server to start with. Providing servers are secured appropriately, this is very unlikely.

SSL Certificates

Ensuring your site is secured with TLS/SSL certificates will ensure that the user experience is exactly as intended and that data is encrypted, so no snooping of confidential data is possible. Any websites must be transitioned from HTTP to the secure HTTPS protocol. This protocol encrypts all data that is in motion between the client device and the server.

Web designers should know how to install SSL certificates, but you can always work with Atlantic.Net on SSL-encrypting your site since it involves a (relatively simple) server installation.

Physical Safeguards

The Physical safeguards refer to how real-life physical controls are implemented to protect servers and end-user devices.

Facility Access Controls

Physical access data centers hosting electronic information systems should be limited. Any access must be properly authorized and should be regularly audited. Data Centers should have 24×7 security personnel on-site and local/remote CCTV cameras, and preferably a nondescript secure compound.

Workstation Use and Security

Workstations typically include electronic computing devices like desktops or laptops, but the definition can also be extended to devices like smartphones and tablets that can function similarly and store electronic media. Workstations should be protected by adequate physical safeguards that restrict access to PIPEDA information to authorized users

Device and Media Controls

This refers to how you control the receipt, removal, and movement of any hardware or electronic media that might hold PIPEDA information out of and within a data center location.

With over 30 years of experience, Atlantic.Net is independently certified and audited by third-party compliance firms. Our fully compliant hosting solutions meet HIPAA, HITECH, PCI, GDPR, and SOC requirements. Get in touch to find out how Atlantic.Net can help you to meet PIPEDA compliance.