Canada's Protected B Regulation: What It Is and Why It Matters for Your Organization
If your organization handles sensitive Canadian government information—or wants to—you need to understand Protected B. This isn’t just another regulatory compliance checkbox. It’s a security classification that determines whether you can bid on government contracts, how you must handle certain data, and what happens if something goes wrong.

Protected B covers a broad range of information: personnel records, medical data, financial details, and anything else where unauthorized disclosure could cause serious harm to individuals or organizations. In this post, you’ll learn exactly what Protected B means, which security controls apply, and what’s at stake if you fall short.
Executive Summary
Main idea: Protected B is a Canadian government security classification for sensitive information that, if disclosed without authorization, could cause serious injury to individuals, organizations, or the government—but not to national security interests. Organizations handling Protected B data must implement specific security controls outlined in ITSG-33 and meet personnel screening requirements through the Contract Security Program.
Why you should care: If your organization processes, stores, or transmits Protected B information, non-compliance can disqualify you from federal procurement opportunities, expose you to breach notification requirements under PIPEDA, and damage your reputation with government clients. The security controls required for Protected B also align with NIST SP 800-53 and FedRAMP, meaning compliance investments often satisfy multiple regulatory requirements simultaneously.
5 Key Takeaways
- Protected B applies to sensitive information that could cause “serious injury” outside national security contexts. This includes personal information like medical records, financial data, and personnel files where unauthorized disclosure could harm individuals or organizations.
- ITSG-33 defines the security control baseline for Protected B compliance. Originally published by the Communications Security Establishment (CSE) and now maintained through its Canadian Centre for Cyber Security, ITSG-33 provides technical, operational, and management controls aligned with NIST SP 800-53.
- Private sector organizations must obtain security clearances to handle Protected B data. The Contract Security Program screens organizations and personnel before granting access to Protected B information on government contracts.
- Cloud services require specific assessment before processing Protected B workloads. Only services assessed by the Canadian Centre for Cyber Security against the PBMM profile can be used, with data localization in Canada as the default.
- Breaches involving Protected B personal information trigger mandatory notification requirements. Under PIPEDA, knowingly failing to report a breach, notify affected individuals, or keep breach records is an offence with fines of up to $100,000 CAD per offence, on top of reputational damage and potential contract termination.
Understanding Canada’s Protected Information Classification
The Government of Canada classifies sensitive information into two main categories: Classified (for national security matters) and Protected (for everything else requiring safeguarding).
Classified information relates to military operations, intelligence activities, and diplomatic communications. Protected information covers sensitive data where unauthorized disclosure could cause injury outside national security contexts—personal information, proprietary business data, or government operational information.
| Classification | Potential Harm from Disclosure | Examples |
|---|---|---|
| Protected A | Limited or moderate injury | Individual salary figures, basic contact information |
| Protected B | Serious injury | Medical records, personnel evaluations, financial account details, Social Insurance Numbers |
| Protected C | Extremely grave injury | Information that could endanger life |
Protected B is the most commonly encountered level in government contracting. Most personal information collected by federal programs (tax records, health information, immigration files, personnel records) falls into this category. If you want to bid on federal contracts involving PII/PHI or sensitive government data, you will almost certainly need to classify that data correctly and demonstrate Protected B compliance.
ITSG-33: The Security Control Framework
The security controls required for Protected B are defined in ITSG-33, published by CSE and now maintained through the Canadian Centre for Cyber Security. This framework aligns closely with NIST SP 800-53, the same foundation used by FedRAMP, so organizations already compliant with U.S. federal requirements have a head start.
For Protected B, the relevant profile is Protected B/Medium Integrity/Medium Availability (PBMM). Key security control categories include:
- Access Control: Role-based access control (RBAC), least-privilege principles, multi-factor authentication
- Audit and Accountability: Comprehensive audit logging of all access to Protected B data, protected from tampering
- System and Communications Protection: CSE-approved cryptography for data at rest and in transit (ITSP.40.111 lists the approved algorithms, AES among them; ITSP.40.062 covers TLS configuration), plus network segmentation
- Identification and Authentication: Unique user identification and credential management through identity and access management (IAM)
- Incident Response: Documented incident response plans for detecting, reporting, and responding to security incidents
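The audit-and-accountability item above asks for logs that are "protected from tampering", which is easy to state and easy to get wrong. The following Python is an added example, not code from the original post or from Kiteworks: it implements a hash-chained audit log where each entry's HMAC covers its own fields and the previous entry's MAC, so editing, reordering, or deleting an entry breaks the chain. The key `DEMO_KEY` and the sample events are constructed for the example; a real deployment would keep the key in an HSM/KMS and out of reach of the process that writes the log.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical key for the example only. In a real deployment the MAC key lives
# in an HSM/KMS, and the process that writes log entries cannot read the key the
# verifier uses (or the writer signs and a separate verifier checks signatures).
DEMO_KEY = b"example-audit-key-not-for-production"

GENESIS = "0" * 64  # "previous MAC" value for the first entry


def _canonical(record: Dict) -> bytes:
    """Deterministic serialization so writer and verifier MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[Dict], key: bytes, actor: str, action: str,
                 resource: str, ts: Optional[str] = None) -> Dict:
    """Append one audit record whose MAC covers its fields and the prior MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    record = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "resource": resource,
        "prev": prev,
    }
    record["mac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    log.append(record)
    return record


def verify_log(log: List[Dict], key: bytes,
               expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, -1) if intact, else (False, index of the
    first entry that fails). Pass expected_head (the latest MAC, anchored
    somewhere the log writer cannot alter) to also detect truncation of the
    tail, which the chain alone cannot see."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != expected_prev:
            return False, i            # reordered, deleted, or inserted entry
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, str(entry.get("mac", ""))):
            return False, i            # field edited or MAC forged
        expected_prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(expected_prev, expected_head):
        return False, len(log)         # entries removed from the tail
    return True, -1


if __name__ == "__main__":
    log: List[Dict] = []
    # Constructed sample events, not real data.
    append_entry(log, DEMO_KEY, "jdoe", "download", "hr/personnel-eval.pdf")
    append_entry(log, DEMO_KEY, "asmith", "view", "finance/account-summary.xlsx")
    append_entry(log, DEMO_KEY, "jdoe", "delete", "hr/personnel-eval.pdf")
    print("intact:", verify_log(log, DEMO_KEY))
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "mallory"
    print("after edit:", verify_log(edited, DEMO_KEY))
    print("after tail truncation:",
          verify_log(log[:2], DEMO_KEY, expected_head=log[-1]["mac"]))
```

The chain catches in-place edits and removals from the middle, but an attacker who can rewrite the whole file from the last good entry onward is only caught if the head MAC is periodically anchored somewhere they cannot reach (a SIEM, a write-once store, or a separately keyed signature). That anchoring step is what turns a hash chain into the tamper protection the control actually asks for.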
Cloud Requirements for Protected B
Since 2017, Protected B data can be hosted in public cloud environments under specific conditions. Cloud service providers must be assessed by the Canadian Centre for Cyber Security against the PBMM security control profile. Major providers including Microsoft Azure, Google Cloud, and IBM Cloud have completed assessments for specific services.
Canadian data residency is the default requirement. Residency (where the data physically sits) is distinct from sovereignty (which foreign legal regimes can compel the provider to hand it over), and both need to be assessed. While departmental CIOs can approve exceptions, organizations should plan for Canadian data centers unless they have specific approval otherwise.
Contract Security Program Requirements
If your organization wants to work on government contracts involving Protected B information, you’ll need to navigate the Contract Security Program (CSP) administered by Public Services and Procurement Canada.
Organization and Personnel Screening
Before accessing Protected B information, your company needs an appropriate security clearance—typically a Designated Organization Screening (DOS) or Facility Security Clearance (FSC). The screening evaluates ownership, physical security measures, IT security controls, and requires designating a company security officer.
Individual employees accessing Protected B information must hold valid Reliability Status, obtained through identity verification, criminal records checks, credit checks, and reference checks.
Ongoing Compliance
Security screening isn’t one-time. Organizations must maintain compliance throughout contracts, including reporting security incidents, maintaining physical and IT security standards, participating in inspections, and updating the CSP when organizational changes affect security. Non-compliance can result in clearance suspension or revocation.
Business Risks of Non-Compliance
The consequences of failing to protect Protected B information extend well beyond regulatory penalties.
Loss of Government Contracting Opportunities
Without proper clearances and demonstrated compliance, your organization cannot compete for contracts involving Protected B information. The CSP can suspend or revoke clearances for security violations, and regaining cleared status means starting over.
Breach Notification and Penalties
When Protected B information includes personal data, breaches trigger PIPEDA notification requirements. Organizations must report breaches posing a real risk of significant harm to the Privacy Commissioner, notify affected individuals, and maintain breach records for at least 24 months. Knowingly failing to do so is an offence with fines of up to $100,000 CAD per offence.
Contract Termination and Reputational Damage
Government contracts typically allow termination for cause if contractors fail to maintain security standards, potentially including payment clawbacks and debarment from future contracts. In my experience, the reputational impact often outlasts direct financial consequences—government procurement officials remember which contractors had security problems.
Best Practices for Protected B Compliance
Start with Data Classification and Inventory
You can’t protect what you don’t know you have. Inventory the Protected B information your organization handles: what data, where it’s stored, who accesses it, and how it moves. Pay particular attention to data flows through secure email, secure file sharing, and managed file transfer processes.
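An inventory is only as good as its detection logic: a naive "nine digits" match floods the results with badge numbers and phone numbers, so people stop trusting it. The following Python is an added example, not code from the original post or from Kiteworks, and it also illustrates the DLP layer mentioned later under defense in depth. It finds Social Insurance Number candidates in text and validates them with the Luhn check digit that SINs carry, then masks the validated ones for reporting. The sample document is constructed; 046 454 286 is the commonly used example SIN and 999 999 998 a test SIN, and the other numbers are deliberate near-misses.

```python
import re
from typing import List, Tuple

# Candidate pattern: nine digits, optionally grouped 3-3-3 with a space or hyphen,
# not embedded in a longer digit run (so a 10-digit phone number is not a hit).
_SIN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; Canadian SINs carry a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_sin(digits: str) -> bool:
    """Length, digit-only, Luhn, plus a repeated-digit filter (000000000 passes Luhn)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    if len(set(digits)) == 1:
        return False
    return luhn_ok(digits)


def find_sins(text: str) -> List[Tuple[str, int]]:
    """Return (normalized_digits, offset) for every candidate that passes the checks."""
    hits = []
    for m in _SIN_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if is_plausible_sin(digits):
            hits.append((digits, m.start()))
    return hits


def redact_sins(text: str) -> str:
    """Mask validated SINs to their last three digits; leave near-misses untouched."""
    def _mask(m: re.Match) -> str:
        digits = "".join(m.groups())
        return "***-***-" + digits[-3:] if is_plausible_sin(digits) else m.group(0)
    return _SIN_CANDIDATE.sub(_mask, text)


# Constructed sample document, not real data. Two lines contain valid-checksum
# SINs; the rest are near-misses a naive 9-digit regex would flag.
SAMPLE_DOC = """\
Personnel file (constructed sample, not real data)
Employee SIN: 046-454-286
Emergency contact phone: 416 555 0199
Old badge number: 123 456 789
Test SIN used in UAT: 999999998
Case ref: 000-000-000
"""

if __name__ == "__main__":
    for digits, offset in find_sins(SAMPLE_DOC):
        print(f"SIN at offset {offset}: ***-***-{digits[-3:]}")
    print(redact_sins(SAMPLE_DOC))
```

Run over the sample, the scanner reports exactly the two validated SINs and ignores the phone number, the badge number, and the all-zero reference. The same validate-then-mask pattern is what a DLP rule should do before it blocks an outbound email, because a rule that fires on any nine digits gets switched off within a week.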
Implement Defense in Depth
Layer multiple controls: encryption for data at rest and in transit, multi-factor authentication, role-based access with least-privilege principles, network segmentation, data loss prevention (DLP), and continuous monitoring. If one control fails, others continue protecting the information.
Centralize File Sharing
One of the biggest compliance gaps involves fragmented file sharing. When different departments use different tools, organizations lose visibility into how Protected B information moves. Standardizing on an enterprise-grade secure file sharing platform solves multiple problems: consistent security controls, centralized audit logging, and reduced data leakage risk.
Build Compliance into Vendor Management
If you share Protected B information with subcontractors or use cloud services, those third parties must also meet security requirements. Strong third-party risk management (TPRM) is critical. For cloud services, verify the provider has completed Canadian Centre for Cyber Security assessment for the specific services you’ll use.
How Kiteworks Supports Protected B Compliance
Protected B compliance isn’t optional for organizations handling sensitive Canadian government information. The classification applies broadly, and security requirements are substantial. Non-compliance can disqualify organizations from government contracts, trigger regulatory penalties, and damage reputations.
But compliance is achievable with the right approach. The Kiteworks Private Data Network enables organizations to demonstrate Protected B compliance by unifying sensitive content communications—email, file sharing, managed file transfer, and web forms—under a single platform with consistent security controls and centralized data governance.
Kiteworks addresses core ITSG-33 requirements through AES-256 encryption for data at rest and in transit, granular role-based access controls enforcing least-privilege principles, and multi-factor authentication to verify user identities. Every file action generates immutable audit logs that document who accessed what, when, and from where—providing the evidence auditors and the Contract Security Program require.
For organizations concerned about data residency, Kiteworks offers flexible deployment options including on-premises, private cloud, and hybrid configurations that keep Protected B data within Canadian borders. The platform integrates with existing security investments—DLP, ATP, SIEM, and SOAR systems—extending protection across the content communication lifecycle without requiring organizations to replace their current infrastructure.
By consolidating sensitive data exchanges through Kiteworks, organizations gain the visibility, control, and documented compliance evidence needed to pursue government contracts confidently while protecting the information Canadians entrust to them.
To learn more about how Kiteworks can help your organization achieve Protected B compliance, schedule a custom demo today.
Frequently Asked Questions
Healthcare providers handling Canadian government-related patient records must classify medical information, treatment histories, and personal health data as Protected B when unauthorized disclosure could cause serious injury to individuals. Protected B applies because exposure could harm reputation, relationships, employment, or financial standing. Healthcare organizations working with federal programs must implement ITSG-33 security controls including encryption, access controls, and comprehensive audit logging.
Technology companies must register with the Contract Security Program administered by Public Services and Procurement Canada. The process requires obtaining a Designated Organization Screening or Facility Security Clearance through assessment of corporate structure, physical security, and IT controls. Employees accessing Protected B information need valid Reliability Status from background and credit checks. Companies sign security agreements committing to ongoing compliance, similar to requirements for FedRAMP compliance.
Protected B information must be protected with CSE-approved cryptography: ITSP.40.111 lists the approved algorithms (AES among them) for data at rest, and ITSP.40.062 covers transport protection, with TLS 1.2 or higher for data in transit. Cloud providers must complete Canadian Centre for Cyber Security assessment against the PBMM security control profile before hosting Protected B workloads. Canadian data residency is the default, though departmental CIOs can approve exceptions.
Organizations face multiple consequences for Protected B breaches. PIPEDA requires notification to the Privacy Commissioner and affected individuals when there is a real risk of significant harm, and knowingly failing to report, notify, or keep records is an offence with fines of up to $100,000 CAD per offence. Government contracts include termination-for-cause provisions with potential payment clawbacks. Contract Security Program sanctions can include clearance revocation, disqualifying organizations from future government work.
Companies demonstrate compliance through documented security controls matching the PBMM profile: policies covering access control, audit logging, incident response, and configuration management; technical documentation of encryption, authentication, and network security; and evidence of ongoing monitoring. Organizations should maintain comprehensive audit logs and prepare for Contract Security Program inspections.