Government of Canada prohibits e-mail storage outside Canada

Government of Canada prohibits e-mail storage outside Canada

Due to the broad data/information collection, review, and retention provisions of the USA Patriot Act, RIM professionals have expressed concern about the risks to privacy rights and confidentiality when Canadian organizations store e-mails (and other cloud-based data) on servers in the United States. Recent developments suggest the Government of Canada (GoC) shares their concern when it comes to the government’s e-mails.

As reported by Michael Geist in the Toronto Star (article available for purchase here), the GoC’s Email Transformation Initiative will consolidate “more than 100 different email systems used by more than 300,000 employees into a single, outsourced email system”. When defining the system requirements, the government invoked a national security exception to require secure storage of the e-mails on servers in Canada.

A Request for Proposal (RFP) was issued to four pre-qualified vendors: Bell Canada, Dell Canada, HP Canada, and IBM Canada. In June 2013, the $350+M contract was awarded to Bell Canada, in partnership with CGI Information Systems And Management Consultants Inc.

Documents recently obtained by the B.C. Freedom of Information and Privacy Association  reveal that US companies who were shut out of this procurement urged US government officials to launch a trade complaint. As Mr. Geist reports, “While the companies explored several alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country, the government insisted on Canadian-based storage” and “pointed to privacy concerns stemming from the USA Patriot Act” regarding that requirement.

This situation is interesting on a number of levels.

First, it reinforces the concerns RIM professionals have expressed for many years about the potential privacy risks that may arise from the provision in the USA Patriot Act to gather and disclose data/information to law enforcement without appropriate oversight or disclosure and to retain that data/information indefinitely.

Second, it illustrates the GoC’s commitment to protect its e-mails by ensuring their storage on Canadian servers despite the risk of upsetting its largest trade partner.

Third, and perhaps of most interest, it demonstrates that the GoC has secured a protection not available to the average consumer or to most organizations operating in Canada. As Mr. Geist reports, “. . . the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting. Moreover, Canadian Internet providers such as Bell exchange their Internet traffic in the U.S., ensuring that even simple domestic emails frequently enter the U.S. network before returning to Canada.”

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Posts

records disposition

How not to dispose of confidential documents

Police are investigating after some of the confetti at last week’s Macy’s Thanksgiving Parade in New York City was apparently produced from the confidential records of the Nassau County Police Department (NCPD).

Parade spectators reported seeing confidential information such as Social Security and license plate numbers, names of NCPD officers, information from arrest records, and even information about a motorcade for Mitt Romney when he was the Republican presidential candidate in the confetti that littered the streets after the parade.  From photos in the many, many news reports on this topic, it appears the confidential confetti was in the form of paper shreds from a strip-cut shredder instead of the more secure paper particles that a cross-cut shredder would produce.

Read More »

Privacy rights in the workplace

If you’re like me, you’ve read many e-mail and other records management policies stating that an employee should not expect any privacy when using a workplace computer (i.e. a computer owned by his/her employer). Many organizations are

Read More »
  • About the Author

  • Sheila Portrait
    Sheila Taylor
  • Sheila Taylor is a well known consultant, educator, speaker and writer with more than 25 years of experience in the information management (IM) field.

  • Recent Tweets

  • Company News

  • Search Site

  • Archives By Date

  •  Telephone


    (905) 702-8756




    Request A Call

    Case in Point

    That's A Lot of Records!
    Often the requirement for a needs assessment is driven by a specific initiative being considered or an immediate problem to be solved, rather than a general desire to establish a corporate (or organization-wide) IM program. We had a client wanting to improve its management of a specific group of critical records – thousands of member files in paper, microform and digital formats containing hundreds of unique document types.
    Assess, Plan and Schedule
    Ergo reviewed the organization’s current practices for managing those records, compared those practices to best practices, and identified risks and areas for improvement. From there we developed a strategic plan with a focus on records storage and retention. The plan identified the operational, financial and technological requirements for implementing the recommended changes, improvements and enhancements in the lifecycle management of the member records. Activities in the plan were classified as short term (next 6-12 months), medium term (next 12-24 months) and longer term (next 25+ months).
    Step by Step Success
    Implementation of the strategic plan enabled this organization to ensure its member records are properly identified, organized, accessible, protected and retained as long as necessary to meet operational and other requirements.
    Previous slide
    Next slide