M asks: “I keep reading that Microsoft and their Office 365 services are PIPEDA compliant – but their own compliance page doesn’t indicate this… where do I see they are actually “in writing” compliant?”
TUCU answers: “Hi M, Microsoft (or any other provider) can’t exactly be “in writing” compliant as the wording of PIPEDA puts the onus on the collector of the information (you) and not the storage mechanism itself (in this case, Microsoft’s Office 365 service).
PIPEDA is a set of guidelines to follow for data handling.
What that means is that Microsoft is capable of being PIPEDA compliant if the end user takes the proper care and precautions in collecting and storing data and information. Here is their exact wording:
“Ultimately, the responsibility and ownership of personal data lies with our business customers, per the Online Services Terms. However, Microsoft contractually commits that Azure and Intune in-scope services have implemented security safeguards to help them protect the privacy of individuals, based on established industry standards such as ISO/IEC 27001 and the SOC framework. We have assessed our practices in risk, security, and incident management; access control; data integrity protection; and other areas relative to the recommendations from the Office of the Privacy Commissioner of Canada, and have determined that the in-scope services are capable of meeting those recommendations.”
So while they can’t provide you with a certificate of any kind, their technology meets the requirements laid out in the PIPEDA specifications. When you use it according to PIPEDA guidelines, you can be deemed to be compliant.
I hope that helps!”