Frequently Asked Questions – Use of Cloud Services during COVID-19

FIPPA contains standing provisions which prohibit the storage or access of personal information outside of Canada (s. 30.1) except with consent or as expressly permitted under the Act. This provision was originally enacted in 2004 to address concerns about government outsourcing of services that involved the processing of personal information about British Columbians outside of Canada. In order to ensure compliance, public bodies, including educational institutions, have had to make careful choices about their cloud services providers and avoid those that are based outside of Canada, except with consent or unless they can provide assurances regarding the domestic storage of personal information.

The COVID-19 Outbreak and public health guidance that individuals should engage in social distancing has led to significant disruption in many workplaces and at educational institutions where physical in-class instruction is no longer possible. This has imposed pressures on organizations to find new ways to facilitate operations and the delivery of services using remote access tools.

In order to support public bodies in these efforts, the Minister of Citizens’ Services has issued a Ministerial Order under section 33.1(3) of the Act relaxing the territorial restrictions on the foreign access to and storage of personal information. The effect of this Order is to allow employees, students, patients or other consumers of public sector services to access and/or deliver those service using cloud-based third-party tools and applications.

The Order only applies to a public body’s ordinary use of personal information for operational purposes. In other words, it does not expand the ability of public bodies to collect use and disclose personal information. It applies to the internal or external sharing of personal information generally for the purposes for which the information was ordinarily collected or for purposes that are directly related to or “consistent” with those purposes. For example, an educational institution can rely on the Order to implement cloud-based tools in order to provide educational services or to communicate with employees for management employment programs.

The Order also applies only when the following conditions are met:

• The third-party tools or applications are being used to support and maintain the public body’s programs or activities
• The tools or applications are supportive of public health recommendations and requirements to minimize the transmission of COVID-19; and
• Any disclosure of personal information is limited to the minimum amount of personal information reasonably necessary for the performance of the duties of the public body’s employees and officers.

Top

On May 31, 2021, the temporary ministerial order was further extended to remain in effect until Dec 31, 2021 and was enacted only for the purposes of supporting public bodies in their efforts to facilitate remote working and service delivery arrangements. Faculty and staff should clearly understand that the Order will not form the basis of any permanent working arrangements. This should be carefully factored into any decision about purchasing or implementing these tools into operations on a longer-term basis.

The Order does not remove or relax BCIT’s ongoing obligation to ensure that the personal information about students, employees and others is secure against risks such as loss, theft, unauthorized collection or disclosure. Accordingly, even when cloud-based tools are used in reliance on the Order, BCIT must still ensure that these tools are properly vetted to ensure that third party providers have appropriate data security practices and there are appropriate contractual safeguards in place.

Additionally, it is still important that BCIT employees who use these tools from remote locations continue to exercise appropriate diligence to ensure that the personal information they access, collect, use or store is secure. For more information, see Protecting Personal and Confidential Information or contact techhelp@bcit.ca.

If you are using cloud services and applications for educational learning and teaching and assessment purposes, see https://learn.bcit.ca or contact techhelp@bcit.ca.

• Zoom remote conferencing platform
• Proctorio remote proctoring service

Under FIPPA, public bodies are ordinarily required to provide individuals with notice of the purposes for which their personal information may be collected, used and disclosed. That requirement has not changed.

BCIT also recommends transparency when using third party tools for classroom instruction. Students should be told what tools are being used and should be directed to the provider’s privacy policy. Even when it is legally permitted, it is also prudent and recommended to provide individuals with notice if their personal information may be accessed by a third-party provider or used or disclosed outside of Canada.

For more information or questions about privacy and information security, contact:

• Information Access and Privacy Office (IAPO) email: privacy@bcit.ca
• IT Service Desk email: techhelp@bcit.ca