More Content - Including Podcasts

Wednesday, May 2, 2012

BC's Freedom of Information & Privacy Act - Implications for Higher Ed

Paul Hancock, UBC
Bill Trott, UVic
Craig Neelands, SFU

All three are members of the BCNET security working group.

Paul provided a privacy primer for everyone. A quick history of how we've gotten to where we are today in Canada, and the paradigm of informational privacy, and the distinction between security and privacy. Security is about protection from threats, privacy is related, but different. Privacy is more about what you can and cannot do with information.

We are subject to FIPPA, one if Canada's most stringent rule sets governing the collection, storage, protection, retention, use, and disclosure of information. Significant implications around storage come from the requirement that information can only be stored in Canada.

Failure to comply affects us not only financially, but reputationally.

Paul shifted to discuss privacy impacts of cloud computing. After defining cloud computing, Paul reminded us of the constant impetus we have in Higher Ed to move to cloud based services. The primary implications are foreign storage, and access issues such as the US Patriot Act. Consent may be a loophole allowing this, but it isn't bullet-proof. Even encrypting the data does not make this acceptable in the eyes of the law.

Security, retention, jurisdiction, all pose challenges - in fact roadblocks - to moving services like email to a cloud solution with foreign data storage or movement.

Recent developments in the act may provide interesting options as the Minister is apparently being given powers to waive compliance.

The privacy impact assessment topic was next covered by Bill. When a breach is noted, the first two questions will be "was it encrypted" and "is there a privacy impact assessment"?

A PIA is not so much a 19 page form as it is a process. A PIA is a compliance tool, a risk assessment and mitigation tool, a decision making tool for the executive, and most importantly, an educational tool.

Section 69.5.3 in the recently revised FIPPA clarifies that we have a responsibility to conduct PIAs, and while its not clear that it is mandatory, we should be erring on the side of caution. Several situations were brought up by Bill where we need to be doing a PIA, and they all came across as common sense.

The root is to build trust inside and outside our organisation, show leadership in privacy, and have the best defence in the event of a breach.

Craig defined privacy breaches to us, and cited examples common in the higher ed sector. Craig showed that there is a difference between privacy and data breaches, so that we can focus responses to privacy breaches.

We should start with a framework for privacy breach responses; acceptable use policies that are in effect and understood, breach response processes and tools, and an understanding of when and how to notify the Office of Information & Privacy Commissioner. Many of these tools are available from the OIPC website.

SFU had 10 breaches last year, which has led to revisions to processes and tools, and made awareness of a need to account for the financial impacts.

The question came up as to whether Google Analytics was a challenge, and UVic noted that they've developed their own system to deal with that. It was noted that Google Analytics has the option to turn off collecting the last octet of IP Addresses, and that may or may not be a solution.

A great question came up asking if BCNET was in violation due to the pathway through Blaine WA that has data transmission through the US for traffic to and from UVic. The answer is that transmission does not legally equal access or storage, so at present we believe we are compliant. This discussion spun out further to an excellent debate with no solid answer.

- Posted using BlogPress from my iPad

Location:W Cordova St,Vancouver,Canada

No comments: