On Privacy Policies
(This one goes back a bit, but it is an issue I am very interested in.)
Although I have dealt with issues around the Freedom of Information and Privacy Act (“FIPPA”) working with clients involved with public bodies, Klassen’s paper demonstrated to me that the same kinds of problems were being faced by public institutions across BC, and that solutions were mixed in the education sector. I decided to further explore the status of privacy protection as it relates to cloud computing in both public and private institutions.
In BC and Nova Scotia, the public privacy regimes include a requirement for Canadian data storage, unless certain conditions of consent are met. I was intrigued to find out that the Regulations of FIPPA require that consent to store personal information be in writing (S.11). In fact, in a 2012, the Privacy Commission of British Columbia explained more precisely what “personal information” means:
If a student emails her teacher about her parents’ divorce, that email contains recorded information about the student and her parents. If the student and her parents are identifiable from the email (whether they are named or not), then that information is personal information (2).
It further goes on to explain that if a public body wants to store that student’s email on a server outside of Canada, it would need the consent of each of the parents. If she sent a further email with identifiable information about what she and her friends did on spring break, it would need their consent as well (4). That seems far more onerous than I would have thought. Moreover, I had not signed anything on commencing this course, but rather gave tacit permission for information to be stored elsewhere.
On checking the Office of the University Counsel Privacy Fact Sheet: Disclosing Information Outside Canada, I found that UBC’s policy allows for instructors to obtain consent by providing a description of the cloud-based service being used in the course description or other written communication so long as there is an way for students to opt-out. It isn’t within the scope of this comment, but I have to wonder if that has been legally tested. If I for some reason used an identifiable picture or other information about my husband in a project, the university would not have any form of consent from him. The implications for liability are very interesting.
What, then, of the private sector? Many vocational schools, career colleges, and English language schools are privately owned and financed. They operate outside FIPPA’s boundaries, yet they collect much the same information as any public institution. The Personal Information Protection Act governs private entities in BC, while the federal statute Personal Information and Electronic Documents Act (“PIPEDA”) covers federal organizations and provinces without their own similar legislation.
Jacob argues that the main reason governments in Canada enacted privacy legislation in Canada was to promote domestic and international trade (18). In short, the aim was to encourage the flow of personal information – a valuable resource in an information economy– while still providing some safeguards for that information. Given that suggestion, it is not surprising that there are no data residency requirements for the private sector, and that the data flows quite freely. For example, at a 2008 hearing before Federal Privacy Commission, it was observed that PIPEDA did not stop organizations from outsourcing their information across international borders. Consent from consumers is not even necessarily required, depending on the circumstances.
Thus, beyond their own governing bylaws, private institutions have very little restriction on the storage of data and the use of cloud-computing tools. I have to wonder, as eventually universities and private institutions will be under one regulatory umbrella, if there will be a push to have private schools conform more to FIPPA, or will the public bodies push for exceptions from the statute in order to more freely access the tools available in “the cloud.”
References:
Cloud Computing Guidelines for Public Bodies. Office of the Information and Privacy Commissioner for British Columbia, 2012. Web. 18 September 2015
Freedom of Information and Protection of Privacy Act [RSBC 1996] Ch. 165
Freedom of Information and Protection of Privacy Regulation. BC Reg. 155/2012
Jacobs, Lesley A. Privacy Rights in the Global Digital Economy: Legal Problems and Paths to Justice. Toronto, ON: Irwin Law, 2014. ProQuest ebrary. Web. 17 September 2015.
Klassen, V. Privacy and Cloud-Based Educational Technology in British Columbia. Vancouver, BC: BC Campus. 2011. Web. 10 September, 2015
Outsourcing of Canada.com e-mail services to US-based firm raises questions for subscribers, 2008 Can LII 58164 (PCC) Web. 18 September 2015
Privacy Fact Sheet: Disclosing Information Outside Canada. Office of the University Counsel, May 2015. Web. 24 September, 2015.