Data Residency Outside Canada for Trustees
Trustees often ask our office about the use of an information management service provider (IMSP) to manage personal health information. Some want to know about using IMSPs linked to companies outside Canada.
Once personal health information leaves Canada, it becomes subject to the laws of the country where it resides. If an individual’s personal health information is stored on a server in the United States, for example, it becomes subject to whatever legislation exists in that country. Because of this, an unauthorized disclosure of someone’s personal health information can have greater ramifications for them than if that unauthorized disclosure occurred within Canada.
Section 16 of The Health Information Protection Act (HIPA) places a duty on trustees who have custody or control of personal health information to protect it. Under section 16, trustees must establish policies and procedures to maintain administrative, technical, and physical safeguards. Safeguards must protect the integrity, accuracy, and confidentiality of personal health information. Safeguards must also protect against any threat or hazard, loss, or any unauthorized access, use or disclosure of the personal health information.
If a trustee uses an IMSP to manage personal health information, section 18 of HIPA requires the trustee to enter into a written agreement with the IMSP. The agreement must outline how the IMSP will access, use, disclose, store, archive, modify, and destroy personal health information. The agreement must also outline how the IMSP will protect personal health information, and how the requirements of section 7 of The Health Information Protection Regulations, 2023 (regulations) will be met.
Before using an IMSP linked to a company outside Canada, a trustee should consider factors such as how sensitive the personal health information is, what volume exists, the possibility for an unauthorized use or disclosure and how the unauthorized use or disclosure will affect the individual. Trustees should also consider what foreign laws will come into play.
Because Canadian laws do not apply outside Canada, a trustee should undertake a Privacy Impact Assessment (PIA) if considering an IMSP linked to a company outside Canada. A PIA can help the trustee determine how closely the IMSP complies with HIPA and identify areas where there may be a privacy impact or risk. It can also help identify whether foreign laws can compel the disclosure of personal health information without the subject individual’s consent. In addition to conducting a PIA, trustees should consult with legal experts who specialize in data privacy.
Regardless of the safeguards put in place or outlined in an agreement, disclosure of personal health information outside Canada will always carry greater risks than disclosure of personal health information within Canada. Trustees must keep this in mind when considering the use of IMSPs linked to companies outside Canada, whether it stores data in Canada or not. The preference will always be to not use such companies.
The same considerations for using IMSPs apply to government institutions (under The Freedom of Information and Protection of Privacy Act) and to local authorities (under The Local Authority Freedom of Information and Protection of Privacy Act). Public bodies have a duty to protect personal information and to ensure proper safeguards are in place to manage and store it. They are under the same obligations as trustees to enter into written agreements with an IMSP and should also undertake a PIA to measure the risks of using one. And as with trustees, the preference will always be for public bodies to not use IMSPs linked to companies outside Canada.
For more information on conducting a PIA, see our office’s online resource, Privacy Impact Assessment Guidance and Supporting Documentation.