I had the occasion this week to do some work for a few clients pertaining to the issue of transborder data flows. It became apparent that restrictions on the flow of data have emerged in fields other than the privacy industry. By this, I mean that while British Columbia and Nova Scotia have their restrictions on the flow of personal information outside of the country in certain circumstances, other regulatory regimes have started imposing data residency requirements on all sorts of data, as well — not just personal information.
For example, the CRA imposes an obligation on taxpayers to retain their electronic tax records within Canada. This is found in their information circular from 2010 called IC05-1R1 Electronic Record Keeping. I wonder how many taxpayers realize that the CRA has taken this position. It ostensibly results in the absurd situation when every taxpayer who is storing their electronic records on Google Docs is in violation of the CRA policy.
Another example pertains to financial records of entities that are overseen by the Office of the Superintendent of Financial Institutions. That regulator has a number of guidelines that suggests certain financial records must be stored in Canada.
In today’s day and age, it makes me wonder if these data residency requirements make any sense. After all, is it not the real issue that these regulators simply want to have unhindered access to the information they need to do their jobs? It matters not where the information is, so long as the regulator can immediately access it when it is needed. Does storing the data on Google somehow impede the work of the regulator?
In any event, I hope this little tidbit on data residency is of some interest to a few of you. It is, I suppose, just another aspect that privacy pros have to be aware of as we try to navigate this new world where data is quite fluid.
If you want to comment on this post, you need to login.