PIPEDA, PHIPA, and LSO Cloud Storage Guidance
December 2024 · 13 min read
Ontario lawyers operate under both the Law Society of Ontario's duty of confidentiality (Rules of Professional Conduct r.3.3) and federal privacy legislation. PIPEDA (and Bill C-27 / CPPA when in force) governs how law firms handle personal information of clients, employees, and third parties. PHIPA applies in specific health information contexts. The Law Society has issued practical guidance on cloud storage, AI tools, and data breach obligations. This guide covers the intersection of privacy law and legal professional obligations for Ontario solo and small law firms.
PIPEDA's ten Fair Information Principles apply to law firms as commercial organizations. The table below shows how each principle applies in a law firm context.
| Principle | Requirement | Law Firm Application |
|---|---|---|
| Accountability | Designate a Privacy Officer; implement policies; train staff | Appoint a partner or staff member as Privacy Officer; maintain written privacy policy; annual privacy training |
| Identifying purposes | Identify why personal information is collected before or at time of collection | Retainer agreements should identify purposes of collection (file management, billing, conflict checks, court filings) |
| Consent | Meaningful consent for collection, use, and disclosure; implied consent for obvious purposes | Client retainer agreement or engagement letter is the primary consent mechanism; implied consent for use within the file |
| Limiting collection | Collect only what is necessary for identified purposes | Do not collect unnecessary personal information; intake forms should be limited to what is needed |
| Limiting use, disclosure, and retention | Use personal information only for identified purposes; retain only as long as necessary | File retention policies (7-10 years common for legal files); destruction of files after retention period |
| Accuracy | Keep personal information accurate, complete, and up-to-date | Update contact information; correct errors on request; accurate billing records |
| Safeguards | Protect personal information with appropriate security | Encrypted email; secure cloud storage; access controls; physical security for paper files; vendor due diligence |
| Openness | Make privacy policies and practices available | Publish privacy policy on firm website; include privacy practices in retainer letter |
| Individual access | Individuals may request access to their personal information; respond within 30 days | Client may request their own file; law firm may charge reasonable fee; solicitor-client privilege may limit access to some records |
| Challenging compliance | Process for handling complaints and challenges to compliance | Privacy Officer handles complaints; escalate to Privacy Commissioner if unresolved |
The Personal Health Information Protection Act (PHIPA) applies to health information custodians (physicians, hospitals, clinics, pharmacies) and their agents. Most Ontario law firms are not health information custodians. However, lawyers frequently handle personal health information (PHI) in the course of files:
Key obligations when handling PHI: Use only for the identified purpose; do not disclose beyond what is necessary; protect with appropriate safeguards; return or destroy after the file concludes; comply with any undertakings given regarding PHI; obtain appropriate consent or rely on legal authority for collection.
Bill C-27 / Consumer Privacy Protection Act (CPPA): Federal privacy law reform currently before Parliament will replace PIPEDA. CPPA introduces higher penalties ($10M or 3% of global revenue), enhanced individual rights (portability, disposal), algorithmic transparency requirements, and stricter consent rules. Ontario lawyers should monitor this legislation as it progresses.
The Law Society of Ontario has issued practice management guidance addressing cloud storage of client files. The LSO does not prohibit cloud storage but places the duty of confidentiality squarely on the lawyer — the lawyer is responsible for the vendor's security and data practices.
| Area | LSO Guidance | Practical Step |
|---|---|---|
| Data location and jurisdiction | LSO does not prohibit non-Canadian cloud storage; lawyer must understand where data is stored and governing law; foreign government compelled disclosure is a breach of duty of confidentiality | Review vendor terms for data location; prefer Canadian or EU data centres; document your decision in your privacy policy |
| Vendor due diligence | Lawyer must exercise professional judgment about cloud vendor security and terms; responsible for vendor selection | Review vendor SOC 2 reports, ISO 27001 certification, data processing agreements; confirm breach notification obligations |
| Access controls | Duty of confidentiality requires protecting client information from unauthorized access; vendor employees with administrative access must be addressed | Enable MFA; use role-based access; review vendor policies on employee access to customer data; use client-side encryption where possible |
| Breach notification | A security breach involving client confidential information likely breaches the duty of confidentiality; LSO may require reporting | Maintain written data breach response plan; know your PIPEDA reporting obligations; include breach response steps in firm policies |
| Subcontractors and AI tools | LSO Guidance on AI (2024) requires lawyers using AI tools with client data to assess confidentiality risk; confirm AI provider data use policies | Review AI vendor data use policies; opt out of model training using client data where possible; disclose AI use to clients if materially affecting the matter |
Yes. PIPEDA (Personal Information Protection and Electronic Documents Act) applies to law firms as commercial organizations collecting, using, or disclosing personal information in the course of commercial activities. Law firms must obtain consent, limit collection to identified purposes, protect personal information with appropriate safeguards, and respond to access requests within 30 days. PIPEDA applies to client personal information held by the firm, employee information, and third-party personal information collected in the course of files.
The LSO permits lawyers to store client files in cloud storage services (including outside Canada) provided the lawyer: (1) exercises professional judgment about appropriate security; (2) ensures client confidentiality is protected; (3) understands where data is stored and who can access it; (4) conducts due diligence on the cloud service provider; and (5) has a data breach response plan. The LSO does not prohibit offshore data storage but emphasizes the duty of confidentiality — a foreign government compelled disclosure would be a breach.
Under PIPEDA (as amended by Bill S-4, 2015), law firms must report a breach of security safeguards to the Privacy Commissioner of Canada if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to an individual. The firm must also notify affected individuals. Records of all breaches must be maintained for 24 months. The LSO Professional Responsibility team may also need to be notified if the breach involves client confidential information.
PHIPA (Personal Health Information Protection Act) applies to health information custodians and agents. Ontario law firms are not typically health information custodians, but a firm representing a health information custodian (hospital, clinic) or handling personal health information as agent may have PHIPA obligations. Lawyers receiving personal health information about parties in litigation (medical records, expert reports) must protect that information under both their duty of confidentiality and applicable privacy legislation.
Atticus stores all client data on Canadian servers by default — aligned with Law Society of Ontario guidance on cloud storage. Canadian legal AI, LSO-compliant trust accounting, and privacy-first infrastructure for Ontario law firms.