This information is intended to guide BCIT faculty and staff in the use of third-party cloud services during the COVID-19 outbreak. We will continue to update this page as new information becomes available.
Update June 15, 2020
Order extended to Dec. 31, 2020 for use of technologies during COVID-19
The Freedom of Information and Protection of Privacy Act (“FIPPA”) contains standing provisions which prohibit the storage or access of personal information outside of Canada (s. 30.1) except with consent or as expressly permitted under the Act. On March 26, 2020, the Minister for Labour and Citizens’ Services passed Ministerial Order MO85 under the FIPPA to support the use of third-party cloud-based applications or services to help facilitate remote working arrangements and service delivery during the COVID-19 pandemic. Order MO85 temporarily permits BCIT to use cloud-service tools that store or permit access of personal information outside Canada without consent under specific conditions as described below. On June 5, 2020, the Province extended this temporary ministerial order to remain in effect until December 31, 2020 to continue to allow the use of cloud-based applications and services during the COVID-19 state of emergency.
The Order does not remove or relax BCIT’s ongoing obligation to ensure that the personal information about students, employees and others is secure against risks such as loss, theft, unauthorized collection or disclosure. Even when cloud-based tools or services are used in reliance on the Order, BCIT must still ensure that these tools are properly vetted to ensure that third-party providers have appropriate data security practices and there are appropriate contractual safeguards in place.
Q. What rules ordinarily apply to the use of cloud service providers based outside of Canada?
The Freedom of Information and Protection of Privacy Act contains standing provisions which prohibit the storage or access of personal information outside of Canada (s. 30.1) except with consent or as expressly permitted under the Act. This provision was originally enacted in 2004 to address concerns about government outsourcing of services that involved the processing of personal information about British Columbians outside of Canada. In order to ensure compliance, public bodies, including educational institutions, have had to make careful choices about their cloud services providers and avoid those that are based outside of Canada, except with consent or unless they can provide assurances regarding the domestic storage of personal information.
Q. How have territorial restrictions changed to address the COVID-19 Outbreak?
The COVID-19 Outbreak and public health guidance that individuals should engage in social distancing has led to significant disruption in many workplaces and at educational institutions where physical in-class instruction is no longer possible. This has imposed pressures on organizations to find new ways to facilitate operations and the delivery of services using remote access tools.
In order to support public bodies in these efforts, the Minister of Citizens’ Services has issued a Ministerial Order under section 33.1(3) of the Act relaxing the territorial restrictions on the foreign access to and storage of personal information. The effect of this Order is to allow employees, students, patients or other consumers of public sector services to access and/or deliver those services using cloud-based third-party tools and applications.
Q. What does the Order apply to?
The Order only applies to a public body’s ordinary use of personal information for operational purposes. In other words, it does not expand the ability of public bodies to collect, use and disclose personal information. It applies to the internal or external sharing of personal information generally for the purposes for which the information was ordinarily collected or for purposes that are directly related to or “consistent” with those purposes. For example, an educational institution can rely on the Order to implement cloud-based tools in order to provide educational services or to communicate with employees for the management of employment programs.
The Order also applies only when the following conditions are met:
- The third-party tools or applications are being used to support and maintain the public body’s programs or activities;
- The tools or applications are supportive of public health recommendations and requirements to minimize the transmission of COVID-19; and
- Any disclosure of personal information is limited to the minimum amount of personal information reasonably necessary for the performance of the duties of the public body’s employees and officers.
Q. How long is the Order in effect?
The Order extends only until December 31, 2020, and was enacted only for the purposes of supporting public bodies in their efforts to facilitate remote working and service delivery arrangements. Faculty and staff should clearly understand that the Order will not form the basis of any permanent working arrangements. This should be carefully factored into any decision about purchasing or implementing these tools into operations on a longer-term basis.
Q. How does this change BCIT’s due diligence obligations in using cloud-based tools?
The Order does not remove or relax BCIT’s ongoing obligation to ensure that the personal information about students, employees and others is secure against risks such as loss, theft, unauthorized collection or disclosure. Accordingly, even when cloud-based tools are used in reliance on the Order, BCIT must still ensure that these tools are properly vetted to ensure that third-party providers have appropriate data security practices and there are appropriate contractual safeguards in place.
Additionally, it is still important that BCIT employees who use these tools from remote locations continue to exercise appropriate diligence to ensure that the personal information they access, collect, use or store is secure. For more information, see Protecting Personal and Confidential Information or contact email@example.com.
Q. What should students be told?
Under FIPPA, public bodies are ordinarily required to provide individuals with notice of the purposes for which their personal information may be collected, used and disclosed. That requirement has not changed.