28
security arrangements to prevent unauthorized access, disclosure, use, copying or modification. Retailers are expected to employ physical, technological and organizational security measures to store personal information. Per its privacy policy, the OCS states that it “employs organizational, contractual, technical and physical security measures” to protect to protect personal information under its custody and control. The Guidance also stresses that personal information should only be used for the purpose for which it was originally collected and should only be kept as long as necessary to fulfill the purpose, after which it should be securely destroyed. For example, paper documents should be cross-shredded.
The OPC recommends that technological security measures for computer systems holding personal information include: the use of unique electronic user IDs for each staff member or purchaser; strong passwords; encryption; firewalls and deleting personal information when it is no longer needed. Organizational methods include restricting employee access to personal information they do not need unless required to perform their job duties, implementing mandatory staff training and staff security screening. Retailers are also expected to conduct regular risk assessments and compliance monitoring to ensure that they are meeting PIPEDA requirements, updating program controls if and as necessary.
Store personal information on Canadian servers to minimize cross-border privacy concerns
The OPC astutely acknowledges that the use of certain cloud services or proprietary software to store personal information regarding cannabis purchases may lead to the transfer of such data outside of Canada, thereby increasing the risk of potential access to such data by foreign law enforcement or governments. Thus, the OPC flagged the very real concern that potential access to this data by such foreign governments will be problematic for cannabis users, given the continued illegality of cannabis worldwide.
The guidance notes that it is more “privacy protective” to store personal information regarding cannabis acquisition on servers located in Canada and then more forcefully recommends that customers ask cannabis retailers whether their personal information is stored on servers outside of Canada. The OPC even goes so far as to suggest that purchasers may want to opt to “purchase cannabis from those retailers who keep your personal information in Canada.” Interestingly, the OCS speaks to this concern in its privacy policy, stating that it “stores customer personal information under its custody or control in Canada.”
While some Canadian cannabis retailers may wish to heed such advice by choosing local Canadian cloud vendors, in my view they will also be required to engage in further due diligence to confirm that such so-called Canadian cloud providers actually host and retain all their data on servers located in Canada rather than using third-party service providers, subcontractors and sub-processors or Canadian affiliates of large foreign vendors whose actual networks (or portions thereof) are located in other jurisdictions, which still puts Canadian personal information at risk of third party government or other exposure.
Any such cloud-computing agreements between such Canadian cannabis retailers and cloud vendors should also contain the necessary contractual provisions to specify and lock-down the location of customer personal information held by such cloud vendor and its subcontractors and sub-processors and the servers used to host and store such data.
24