The Office of the Information and Privacy Commissioner recently published Cloud Computing Guidelines for Public Bodies. The Guidelines are intended to inform public bodies about how they may use cloud computing services without offending the Freedom of Information and Protection of Privacy Act (FIPPA).
Cloud computing describes the use of the internet to access, manage and store data on remote network servers located anywhere in the world. It includes a wide variety of applications, including web-based email, social networking sites and document collaboration tools.
Cloud computing permits employees to access and communicate work information from anywhere they have access to the internet, facilitating their ability to work productively outside of the office. Cloud computing can also be cost-effective, as vendors are quick to point out.
However, cloud computing can also result in personal information being transferred and stored on remote servers outside of Canada. This is a potential breach of Section 30.1(a) of FIPPA, which requires that personal information in the custody or control of a public body be stored and accessed only in Canada. Subject to limited exceptions, public bodies in British Columbia are permitted to store personal information outside of Canada only with the consent of the individual the information is about. Such consent must be in writing and specify to whom the personal information may be disclosed.
The Guidelines discuss the challenges in obtaining consent where records contain the personal information of multiple individuals:
For example, if a public body wanted consent to store a student’s email about her parents’ divorce on a server located outside of Canada, the public body would have to obtain the consent of both the student and each of her parents. If the student’s next email contained the personal information of the friends she made during spring break, the public body would have to get their consent too.
To avoid these challenges, public bodies interested in cloud computing services should seriously consider vendors offering services that store information solely within Canada. Further, the Guidelines caution that public bodies must satisfy themselves that sufficient safeguards are in place to protect any personal information accessed, transferred or stored by a public body, regardless of whether these functions are performed through the use of a cloud computing service.