British Columbia FOIPPA Consent Option
In my last post I mentioned that the British Columbia Freedom of Information and Protection of Privacy Act prohibits the storage of public sector personal information outside of Canada, stated as follows:
30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
(c) if it was disclosed under section 33.1 (1) (i.1).
There are exceptions as you can see. Specifically, if all individuals have consented to having their personal information stored outside of Canada (option ‘a’), the IT solution in question would theoretically be compliant with section 30.1.
Is Obtaining Consent Practical/Feasible?
On the surface, it would seem so. Before any individual can access the IT solution, they are presented with an electronic form requesting consent to store their personal information outside of Canada and they must consent before being able to use the IT solution. Or, must consent be in writing? According to some sources, consent must be in writing, as stated in “Cloud Computing and the Public Sector in British Columbia”; also in “Cloud Computing, Social media, and Privacy”. However, the Office of the Information & Privacy Commissioner (OIPC) concluded that it was acceptable to use electronic consent to store personal information in the United States, in the case brought against the Mission School District by the Mission Teacher’s Union (Order F07-10, Jun 2007). (The case involved the Mission School District using a USA-based online assessment tool for teaching applicants.)
Back to the idea of using an electronic form to obtain consent. The form would of course include all relevant details pertaining to the need and use of the personal information, where it would be stored, how it would be accessed, how it will be secured, etc.; “Cloud Computing, Social media, and Privacy” contains some details on what a consent form must specify. Thompson Rivers University has a real-world example of using electronic consent to store personal information outside of Canada. Their example is requesting consent to store personal information outside of Canada for the purpose of registering a child for a camp.
The consent approach may work for some IT solutions and use case scenarios. But my findings indicate it may not be that straightforward, because certain scenarios may see an individual add the personal information of another individual into the system.
Take the Collaborative Learning Platform (CLP) as an example. I designed and implemented the core CLP SharePoint platform and the student dashboards for the West Vancouver School District. The student dashboards include a blog for each student to record their thoughts and to write blog articles for some of their assignments created in their Virtual Classroom (also a part of the CLP). Architecting and implementing the CLP in Azure and/or Office 365 is on the roadmap.
British Columbia FOIPPA compliance is a major impediment to moving the CLP to the cloud unless it’s possible to obtain consent to store personal information (students, teachers, etc.) outside of Canada. And the consent approach is sanctioned by FOIPPA. But the student dashboards include blogs. And if a student creates a blog post containing the personal information of any other individual then, in theory, that’s a potential violation of section 30.1 of FOIPPA.
Refer back to my mention of the real-world consent request example used by Thompson Rivers University (TRU). I haven’t run through the registration process, but my question is: If at any point in the registration process there are fields in which the user enters personal information of another individual, then is TRU in violation of section 30.1 of FOIPPA?
In attempting to answer the question “Is Obtaining Consent Practical/Feasible?”, I haven’t yet reached a conclusion. I think there is a way of making consent work while remaining compliant with FOIPPA, but my research so far is inconclusive. Technically, I can think of conceptual designs that would see personal information remain in Canada while the CLP solution is hosted in Azure or Office 365, but the additional complexity and potential additional latency are likely to be showstoppers.
Hopefully, at some point FOIPPA will be brought into line with the reality of the risks posed by the USA Patriot Act and allow the public sector to more readily achieve the benefits of cloud computing.