What small business owners in Canada need to know about staying compliant with Microsoft Office 365.

As Canadian small business owners gear up for another year of e-privacy and data protection regulation, it’s a good time to review Microsoft Office 365’s status in light of PIPEDA compliance.

As you know, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) has been around long enough to have created a deep impact on the small business (SMB) landscape. Canadian business owners are no strangers to the demands placed upon them to fulfil data-protection obligations set into place back in 2000 when PIPEDA was first enacted. And since 2018, they’ve continued to scramble to ensure they also meet the EU’s General Data Protection Regulation (GDPR).

So why review PIPEDA compliance now?

Because the regulatory landscape never stops evolving – and neither does Microsoft. Cloud adoption is on the rise. And as cloud computing edges its way deeper into the SMB environment, CEOs and CIOs will need guidance and advice as they journey forward into the modern business world. In short, they will need to know how to reap the benefits of cloud adoption while remaining confident that they are still PIPEDA compliant.

A few years ago, a client emailed to ask if Microsoft Office 365 is PIPEDA compliant, along with a few other questions about switching from a Microsoft Exchange Server to Office 365. He wrote:

“I keep reading that Microsoft and their Office 365 services are PIPEDA compliant – but their own compliance page doesn’t indicate this… where do I see they are actually “in writing” compliant??”

We replied:

“Hi M, Microsoft (or any other provider) can’t exactly be “in writing” compliant as the wording of PIPEDA puts the onus on the collector of the information (you) and not the storage mechanism itself (in this case, Microsoft’s Office 365 service).

PIPEDA is a set of guidelines to follow for data handling.

What that means is that Microsoft is capable of being PIPEDA compliant if the end user takes the proper care and precautions in collecting and storing data and information. Here is their exact wording:

“Ultimately, the responsibility and ownership of personal data lies with our business customers, per the Online Services Terms. However, Microsoft contractually commits that Azure and Intune in-scope services have implemented security safeguards to help them protect the privacy of individuals, based on established industry standards such as ISO/IEC 27001 and the SOC framework. We have assessed our practices in risk, security, and incident management; access control; data integrity protection; and other areas relative to the recommendations from the Office of the Privacy Commissioner of Canada, and have determined that the in-scope services are capable of meeting those recommendations.”

So while they can’t provide you with a certificate of any kind, their technology meets the requirements laid out in the PIPEDA specifications. When you use it according to PIPEDA guidelines, you can be deemed to be compliant.”

Let’s unpack that further.


PIPEDA Offers Guidelines, Not Parameters and Configurations

Another reason that PIPEDA compliance is an ongoing effort is that most SMBs find it difficult to clarify precisely what it is they need to do in order to be PIPEDA compliant. That’s because the regulation is very broad. In fact, when compared to other national data protection regulations, PIPEDA is notoriously general, outlining guidelines and principles rather than configurations or specific methods for handling data.

For example, here’s what PIPEDA says about Identifying Purposes, which is Principle #2:

“The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.”

That’s very vague, making it difficult for busy SMBs to create a clear plan of action for compliance.

Combine this with the complex digital environment of Office 365, and it’s easy to see why keeping tabs on compliance is a process, not a one-time activity. Here’s what you need to know about compliance as you, PIPEDA, and Microsoft enter the new decade ahead.

Why doesn’t Microsoft just come right out and certify their Office 365 as PIPEDA compliant?

In an ideal world, a business owner could simply purchase a service like Office 365 and be assured that their organization was covered as far as cloud security and data protection regulations were concerned. It would be set-it-and-forget-it PIPEDA compliance built right in. But the truth of the matter is, Microsoft’s hands are tied in this regard. While they do publish compliance offerings for some regional and industry-wide requirements governing how data is collected and used, that’s not the case for PIPEDA.

PIPEDA clearly puts responsibility for protecting customer data squarely on the shoulders of the small business owner. As the collector of the information, you have the ultimate responsibility for PIPEDA compliance, not the storage mechanism, which is Microsoft Office 365 in this case. What this means is that Microsoft is capable of being PIPEDA compliant if the end user takes the proper care and precautions in collecting and storing data and information.

So while they can’t provide you with a certificate of any kind, their technology meets the requirements laid out in the PIPEDA specifications. When you use it according to PIPEDA guidelines, you can be deemed to be compliant.

Microsoft provides what it calls a “shared responsibility model” for security and data privacy, which covers the obligations that PIPEDA entails.

Microsoft’s ‘Shared Responsibility’ Model

Microsoft and the Canadian SMB share responsibility for securing and protecting personal information. Microsoft does play a role in overall data security and privacy (including that of data not covered by PIPEDA, such as business data and other digital assets). The boundaries are clearly mapped out in the Microsoft Trust Center. Microsoft’s level of responsibility depends on the cloud service model that you choose, but you, as the cloud customer, are never completely free of responsibility for securing and protecting the data of your customers.

As the provider of cloud services, Microsoft is responsible for:

  • Physical Security
  • Host Infrastructure
  • Network Controls
  • Application Level Controls

If you are simply purchasing Office 365 as Software as a Service (SaaS), you still have some shared responsibility with Microsoft in the following areas:

  • Identity and Access Management
  • Client and End-Point Protection

PIPEDA does not dictate any kind of security measures for Canadian business owners. Principle #7, entitled “Safeguards”, is a general statement, leaving much to interpretation:

“Personal information must be protected by appropriate security relative to the sensitivity of the information.”

Again, SMBs without the time or the expertise to interpret this guideline may find it difficult to come up with any sort of road map for compliance. It is up to the organization to continually review their software estate and the technologies that they use in order to maintain PIPEDA compliance. As new threats evolve, the process must be repeated.

Finally, you, as the business owner, are completely responsible for data classification and accountability. That’s really where PIPEDA comes in, as it covers the customer data that you collect. In fact, Principle #1 is called “Accountability”:

“An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.”

Microsoft Office 365’s Built-In Privacy Features

Microsoft does publish some contractual commitments to privacy, which, by inference, support PIPEDA compliance. These are:

ISO/IEC 27018:2014. This governs the protection of personal data in the cloud. With the opening of 2 new data centers in Canada in 2016, customers of Office 365 always know where data is being stored.

EU Model Clauses. These govern the transfer of personal data to processors. The clauses are very exacting and ensure that you, as a Canadian SMB, can move data of EEA citizens freely through the Microsoft cloud to the Canadian data centers mentioned above.


IT Consulting For Small Business in Toronto: As innovation continues to evolve the SMB environment, advancing Canadian business owners along their digital transformation journeys, the challenges to privacy and data protection will only grow. To address this issue, TUCU is undertaking a series of measures – including this post – to help our business community and partners stay abreast of the changes that affect them. We hope this has helped answer your questions, and if you’d like to learn more about how we can help you secure your own transition, please get in touch today.

TUCU is an IT Consulting Company for small business in Toronto, offering cyber security consulting, needs assessment, and IT services to make everything work for you. Start with a free phone consult to learn how we can help you.