Privacy & Compliance

Don’t Overlook Data Sovereignty and Data Privacy With Cloud Based VoIP

The number of Canadian businesses and organizations that are getting rid of their traditional desktop phones in favour of cloud-based and Voice over Internet Protocol (VoIP) services is growing every day. Research shows that it is also more financially feasible for organizations to run all of their communications through one interface that makes data more accessible and faster to their employees and clients. Especially so is this the case in 2020. The world of business communications has changed dramatically with the COVID-19 pandemic. Businesses had to quickly adapt to facilitate the need for employees to work from home and stay in touch with their co-workers and clients over voice and video calls. But what about data sovereignty?

VoIP and cloud communications is especially useful for essential services like healthcare; doctors can hold remote consultations with patients who are housebound because of the pandemic. Not only are healthcare providers able to make and take audio or video calls on multiple types of devices, those in the legal, financial, educational, and other government bodies are also taking advantage of the technology to stay connected.

Don’t Overlook Data Sovereignty & Data Privacy

One thing that all of the aforementioned industries have in common are privacy and data security laws that govern their individual organizations. In fact, every Canadian business must meet a certain level of privacy compliance when it comes to personal data and information. This asks an important question; if voice is converted to data over the internet, where is my data going and who can or could access it?

It should be noted that many countries, including Canada, have laws that allow them to subpoena private organizations or obtain a warrant for information from such organizations to support legal investigations. The biggest risk to data privacy and the greatest cause for ensuring data sovereignty is the US Foreign Intelligence Surveillance Act (FISA) and the US government’s ability to compel an organization subject to US law to turn over data under its control, regardless of the data’s location and without notifying Canada.

Simply put, even if your data is hosted in Canada by an American company, it can be accessed by their government!

It is important to note that there are long-standing information-sharing agreements between security and law enforcement agencies in Canada and the US. Those long-standing agreements, as well as mutual legal assistance treaties, are other methods for the US to obtain access to information held in Canada. There are a number of recommendations that the lawmakers including the Federal Canadian Government have made to reduce the risk of unauthorized access to sensitive information.

Choosing a 100% Owned and Operated Provider

By choosing a provider that not only locates its data centres in Canada, but is owned and operated on Canadian soil is an important first step. Very few are aware that in 2018 the U.S. Government passed an omnibus law called “The CLOUD Act” (Clarifying Lawful Overseas Use of Data Act). This law was introduced following difficulties that the Federal Bureau of Investigations (FBI) had with obtaining remote data through service providers through SCA (Stored Communications Act) warrants, as the SCA was written before cloud computing was a viable technology. Principally, it states that U.S. data and communication companies must provide stored data (this could include voicemails, video and audio recordings, and call logs) for a customer or subscriber on any server they own and operate in any country when requested by warrant. By choosing a Canadian owned and operated solution provider the US Government in this case would have to go through the Canadian authorities first to acquire any data sensitive or not.

Encrypt Your Data From End-to-End

When using cloud communication services, encryption provides a high degree of security to protect personal and other sensitive information. Data that is encrypted using a strong cryptographic algorithm is protected from anyone who does not have the decryption key. All data both in transit and at rest needs to be encrypted from when you pick up your phone, transmitted to the server, and out into the world via SIP technology. Some providers may preach that they have encrypted your phone calls, but are in fact only encrypting the signal from the desk phone to the cloud based PBX server. After it enters the cloud it is often decrypted and then carries on its path unencrypted. A secure communications provider who is partnered closely with the SIP provider, cloud infrastructure provider, internet provider, and phone manufacturer can take extra steps to ensure data is always encrypted until it reaches its final destination.

Other Related Topics:

Do You Know Where Your Data Resides?

Know when your data should stay in Canada.

Start a conversation with us!