Email Encryption Systems for Canadian Data Residency Requirements

The History

Email encryption, worrying about where data was stored, was not a concern when every company kept paper files in locked cabinets. Canada has been regulating the management of personal information privacy for almost 35 years, ever since the Government of Canada enacted the Privacy Act in 1983. This Act applied to departments within the Government of Canada as well as each provincial government system. Twenty years later, in order to address the privacy issues that accompanied the development of online commerce, the 1983 requirements were broadened to include private sector organizations that electronically maintain personal information. These new parameters were established in 2004 under the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA originally applied only to the federally regulated private sector. For example: Banks, airlines, and telecommunications companies were required to follow the guidelines, but businesses, such as retailers, were not subject to its conditions.  More recently, PIPEDA was amended to include provincially regulated organizations, such as many businesses within the retail sector, service industries, manufacturing, and more. However, the requirements do not apply to personal employee information; rather, they apply strictly to personal consumer information.

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), thereby amending PIPEDA. There are numerous additional requirements within the DPA, but we place an emphasis on the stipulation that Canadian citizens’ digital information stored within the Canadian border can only be distributed by means of email encryption systems.

The Issue

In an earlier day, even that of advanced computer storage and information housing, the handling and storing of digital information would not have been a major issue. Information was housed almost universally on computers and networks located in the areas where organizations were headquartered or in regional or local offices. However, advancement of wireless technology, cloud storage (with its tendency to blur data residency lines and fuel fears of hacking) broke down the previous technological barriers and created a critical need for careful, intentional, and proactive implementation of compliance protocols in line with PIPEDA and DPA regulations.

The Solution 

The ITeam can provide email encryption and storage compliance by using Microsoft’s Office 365 and Azure Rights Management (Azure RMS). Azure RMS includes a strong email encryption system and is now available through local datacenter regions in Toronto and Québec City. Furthermore, Office 365 has the capability of providing in-country data residency. Thus, The ITeam can offer a combination of Office 365 and Azure RMS that meets the encryption and data residency requirements of the DPA. 

Key Questions & Answers

The following is a brief Q&A regarding some of the central issues involved in DPA cloud compliance:

Does any encrypted document ever reside on US or foreign soil?

No. If you use a Canadian billing address for your data, the Microsoft Office 365 will be hosted automatically in a Canadian datacenter.

Does all information remain in Canada?

Yes. Microsoft hosts data based on geographic location, so all information remains in Canada. More specifically, as described above, the data is stored regionally in Toronto and Québec City.

What are the most important elements of encryption?

Regulated information is encrypted both while it is “at rest” and while it is being transmitted between a datacenter and a user. The level and type of encryption used to protect files and emails can be customized by end users and administrators. This allows maximum data security and management flexibility.

How is in-country datacenter integrity ensured?

Azure Rights Management uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East, and Africa), and Asia, so security keys can be used only in the region of residency.

Is data ownership and control compromised in any way?

No. Both Microsoft Office 365 and Azure Rights Management leave data ownership and control in the hands of the individual organization. Neither data ownership nor data control are ever compromised.

Microsoft Azure provides organizations with a reliable, scalable, and secure infrastructure environment, allowing organizations to improve customer experience, drive innovation, and manage costs. With the availability of Canada-based data cloud services and storage, it is worth considering shifting your organization to the cloud and evaluating solutions like Microsoft Azure.

The ITeam is a Microsoft Certified Partner committed to helping Calgary- and Alberta-based businesses develop proactive IT strategies that keep them competitive. Contact us to learn more.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *