Cloud applications and personal information

Bill 64 imposes new requirements for the protection of personal information ("PI") for all Quebec organizations and businesses that collect or store personal information about their customers, members, or employees.

Learn more by reading our guide:

  "What is Personal Information"

 

Cloud applications

Many Quebec companies use integrated cloud solutions to manage their activities. If you use integrated solutions (point-of-sale, sales and marketing, HR, payroll and benefits, or others), or if you simply store files containing PI on a cloud platform (Microsoft 365, Amazon, iCloud, Dropbox, etc.), you should pay close attention to new government requirements to protect this data.

The law states that even if you use the services of a cloud provider, your company or organization remains primarily responsible for protecting that data. What does this mean in concrete terms for your organization? Let's use a concrete example:

You own a clothing store and use a cloud-based point-of-sale solution to manage inventory and online and in-store sales. The application provider uses a large cloud platform, such as Amazon Web Services or Microsoft Azure, to make the application available to merchants who use it. This cloud platform is the victim of a cyber-attack resulting in a massive data theft including data from your point-of-sale application.

In such a scenario, the platform provider has an obligation to notify its customers, which includes the POS application provider who, in turn, has the obligation to notify all merchants who use the application. If you are one of these merchants, your obligations are as follows:

1. Report the incident immediately to provincial government authorities
2. Also record the incident in an internal register that you must keep for this purpose
3. Immediately notify all those of your customers whose data has been compromised
4. In conjunction with the application provider, identify the measures to be implemented in order to mitigate this type of incident or to minimize its impact in the future

Note that these obligations also apply to the application provider if it is a Quebec company. The provider may also be subject to similar legislation if it is located elsewhere in Canada (the Personal Information Protection and Electronic Documents Act), or in another country.

It can sometimes take several weeks before a cyber-attack is detected by your provider. It is therefore essential to act quickly.

Accountability and Protection of Personal Information

Quebec law states that the organization that collects PI is responsible for protecting it. These laws also state that, with rare exceptions, you must obtain your customers' consent for each use you make of the personal information they provide to you.

If you use an integrated cloud solution (accounting, POS, HR, etc.), and the provider of the solution or application shares/may share the information you store in their system, you will usually find warnings to this effect in the usage policy that you must accept. You must then in turn notify your customers, members or employees of the possible sharing of their data, and obtain their consent.

What data is collected and shared by the app?

Here are some questions that will help you assess the risk that your website or cloud application poses to the personal information you collect:

• Do you intentionally collect personal information?
  • If so, how is this information stored: on your website? On a separate site? Locally, on a server or computer?
  • How is this personal information protected?

• Does the cloud solution or application provider in some cases share your members' or customers' PI with other IT service providers?
• If you have entrusted the creation of your website to a professional, has he integrated data sharing functions with third parties?
• If you use a design or hosting service for your web presence, do you know exactly what personal information is collected about your visitors, and how this data will be used or shared?
• If you use an online accounting or human resources management service, how is your employees' personal information protected?

How to protect personal information?

• Use antivirus and protection software on all workstations and/or servers that are used to collect or store the personal information of your customers, members or employees;
• Always install the latest software and operating system updates used on all your devices, including mobile devices;
• Use a VPN on your equipment to ensure your communications are encrypted;
• Check with your suppliers that the data stored in their systems is also encrypted;
• Take regular backup copies of your data, even your cloud data, and keep it in a safe place;
• Control the privileges and access rights of your staff;
• Train your staff to make them aware of computer security;
• Ask your suppliers how they handle and protect the personal information provided by your customers, members or employees, and whether it is exposed to third parties.

Contact Nexop today. We will conduct an analysis of your systems and data, and develop a comprehensive list of steps required to ensure your compliance with the new privacy requirements.

CLICK BELOW TO BOOK YOUR FREE CONSULTATION WITH OUR EXPERTS

Nexop may from time to time provide information and resources to users, including, but not limited to, references to legal or legal resources. The provision of such information or references should in no way be construed as the provision of legal advice or guidance. Nexop encourages users to consult a lawyer for legal advice or guidance in connection with content offered by Nexop.