Government of Canada prohibits e-mail storage outside Canada

Due to the broad data/information collection, review, and retention provisions of the USA Patriot Act, RIM professionals have expressed concern about the risks to privacy rights and confidentiality when Canadian organizations store e-mails (and other cloud-based data) on servers in the United States. Recent developments suggest the Government of Canada (GoC) shares their concern when it comes to the government’s e-mails.

As reported by Michael Geist in the Toronto Star (article available for purchase here), the GoC’s Email Transformation Initiative will consolidate “more than 100 different email systems used by more than 300,000 employees into a single, outsourced email system”. When defining the system requirements, the government invoked a national security exception to require secure storage of the e-mails on servers in Canada.

A Request for Proposal (RFP) was issued to four pre-qualified vendors: Bell Canada, Dell Canada, HP Canada, and IBM Canada. In June 2013, the $350+M contract was awarded to Bell Canada, in partnership with CGI Information Systems And Management Consultants Inc.

Documents recently obtained by the B.C. Freedom of Information and Privacy Association reveal that US companies that were shut out of this procurement urged US government officials to launch a trade complaint. As Mr. Geist reports, “While the companies explored several alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country), the government insisted on Canadian-based storage” and “pointed to privacy concerns stemming from the USA Patriot Act” regarding that requirement.

This situation is interesting on a number of levels.

First, it reinforces the concerns RIM professionals have expressed for many years about the potential privacy risks arising from the USA Patriot Act provisions that allow data/information to be gathered and disclosed to law enforcement without appropriate oversight or disclosure, and to be retained indefinitely.

Second, it illustrates the GoC’s commitment to protect its e-mails by ensuring their storage on Canadian servers despite the risk of upsetting its largest trade partner.

Third, and perhaps of most interest, it demonstrates that the GoC has secured a protection not available to the average consumer or to most organizations operating in Canada. As Mr. Geist reports, “. . . the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting. Moreover, Canadian Internet providers such as Bell exchange their Internet traffic in the U.S., ensuring that even simple domestic emails frequently enter the U.S. network before returning to Canada.”

About the Author

Sheila Taylor is a well-known consultant, educator, speaker and writer with more than 25 years of experience in the information management (IM) field.