What is FIPPA and What Are its Consequences?
FIPPA, the Freedom of Information and Protection of Privacy Act, applies to personal information that is in the custody or under the control of a public body; this page concerns the acts in force in British Columbia and Nova Scotia, Canada.
The term “public body” is defined in FIPPA to include schools, hospitals, municipalities, and more. It is important to determine whether your entity is a public body, because BC’s act sets out rules about what public bodies may do with personal information.
Section 30.1 of BC’s FIPPA highlights that personal information can only be stored in and accessed from inside Canada.
This law presents an issue for public bodies, which face a limited choice of cloud computing providers, mainly because most companies that offer cloud computing store their information outside of Canada. Cloud computing providers, for their part, cannot offer their services to these public bodies without moving their servers into Canada. This raises the cost of the services, undercutting one of the main reasons Canadian companies look to cloud computing in the first place.
How eSchedule Addresses FIPPA and Canadian Data Privacy Laws:
As a Software as a Service (SaaS) company, eSchedule has moved its servers in order to serve these customers and, as of 1 August 2014, hosts its data solely in Canada. Given this legislation, our commitment is to keep data stored on our servers secure and compliant with the requirements of government users in Canada, with no additional data migration costs.
This law also affects employee scheduling within post-secondary institutions, whose main concern when using services like cloud computing is data travelling outside of Canada and therefore becoming subject to foreign laws. This creates an immediate threat to the security and integrity of their data. FIPPA does provide for “informed consent”, whereby an individual may allow storage of their personal information outside of Canada if they consent to and specifically allow it. However, this can still be a high-risk scenario and requires a lot of work, especially in the higher education industry.
eSchedule is on a mission to understand how this law affects the education industry’s procurement of new software solutions, and whether it is preventing institutions from addressing their difficulties around scheduling part-time, seasonal and auxiliary staff. Our goal is to provide a solution that is simple, fast and secure, but above all compliant with the Canadian Freedom of Information and Protection of Privacy Act.
Tips on reviewing cloud providers
To ensure security measures are in place, it may be necessary for the public body to review the security of a cloud provider. Specific areas should be assessed from a security perspective, taking into account how sensitive the information stored by the cloud provider is. These include:
- Identity and Access Management – controls surrounding access by cloud provider employees as well as employees and users of the public body’s systems.
- Infrastructure Security – the management and ongoing maintenance of network, system and application security including layered security controls and patch management.
- Encryption – personal information should be encrypted in transit between the public body and the cloud provider as well as at rest in the cloud provider’s facilities.
- Contractual provisions – public bodies should address FIPPA in contracts with third parties and include requirements such as notifying the public body in the event of a personal information breach and the ability to ask about the ways in which information is being managed.
The Office of the Information and Privacy Commissioner is responsible for overseeing FIPPA. If an individual complains that a public body is improperly storing or accessing his or her personal information, the Commissioner may investigate. The Commissioner also has the power under FIPPA to investigate a public body even if no one has complained. Following an investigation, the Commissioner may ask or order a public body to comply with FIPPA.
While some organizations offer cloud computing products that store personal information solely inside Canada, public bodies, and especially higher education institutions, should make appropriate inquiries to ensure that they can rely on the representations these organizations make. No matter where a public body stores personal information, FIPPA requires it to protect that information. If public bodies choose to store personal information outside of Canada, they must do so only where FIPPA authorizes it.
1. Office of the Information & Privacy Commissioner, “Cloud Computing Guidelines for Public Bodies”, Victoria, 2012, online at: https://www.oipc.bc.ca/.
2. Freedom of Information and Protection of Privacy Act, 1993, c. 5, s. 1.