OIPC Cloud Computing Guidelines for BC Public Bodies
Recently, the Office of the Information and Privacy Commissioner for British Columbia published cloud computing guidelines for public bodies in British Columbia. The purpose of the guidelines is to provide information to public bodies about how BC’s Freedom of Information and Protection of Privacy Act (BC FIPPA) applies to cloud computing.
What is Cloud Computing?
Cloud computing is an increasingly popular on-demand service model for IT provision, often based on virtualization and distributed computing technologies. It typically involves the provision of web-based services, such as online file storage and applications, using hardware and software managed by the service provider. For many customers, cloud computing offers an attractive, cost effective, scalable and readily-accessible IT solution.
When Do the Privacy-related Requirements of BC FIPPA Generally Apply?
BC FIPPA applies to personal information that is in the custody or under the control of a public body, including its employees and service providers. The term “personal information” is defined in BC FIPPA and means any recorded information about an identifiable individual. The words “custody” and “control” are not defined. Determining who has custody and control of personal information can be difficult and depends on a variety of circumstances. A public body that has personal information in its custody or control must comply with BC FIPPA. There are currently more than 2,900 public bodies in BC, including schools, hospitals and municipalities.
What Do the Guidelines Cover?
The guidelines review certain requirements of FIPPA that are particularly pertinent to cloud computing. BC public bodies are reminded that they must protect personal information no matter where it is located. Subject to certain limited and narrow exceptions, public bodies must ensure personal information, including information in computer logs and on backup drives, is only stored in and accessed from inside Canada. These requirements often prevent a public body from being able to engage a cloud service provider because many cloud service providers store information outside of Canada.
The guidelines also discuss the limited circumstances in which a public body can store or access personal information outside of Canada, including the difficult-to-apply consent exception. Public bodies can store or access personal information outside of Canada if the individual, for whom the personal information is about, has given consent to the public body to do so in the prescribed manner. However, it is often challenging or impractical to obtain the multiple consents required when recorded information contains the personal information of multiple individuals, as is often the case (e.g. e-mails).
BC FIPPA requires public bodies to protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal. The guidelines state that the determination of reasonable security arrangements in the context of cloud computing will usually require a review of the security the cloud service provider has in place, taking into account the sensitivity of the personal information involved. The guidelines call out in particular the following key areas a security review should cover:
Governance – corporate policies, procedures and standards for security and privacy
Identity and Access Management – controls surrounding access by cloud service provider employees, as well as employees and users of the public body’s systems
Infrastructure Security – the management and ongoing maintenance of network, system and application security including layered security controls and patch management
Encryption – encryption of personal information during transmission and storage
A BC public body considering contracting with a cloud service provider must:
conduct appropriate advance due diligence on the provider to ensure the provider can deliver its cloud services in compliance with BC FIPPA
ensure that any service contract entered into with the provider includes robust confidentiality, privacy and security provisions (which may require variation of the provider’s standard service contract to ensure compliance with BC FIPPA)
Cloud service providers that want to do business with public bodies in BC should ensure that they can satisfy the applicable requirements of BC FIPPA, including having sufficient security measures in place to protect any personal information obtained from BC public bodies.
cloud computing cloud service provider compliance consent due diligence encryption Freedom of Information and Protection of Privacy Act governance guidelines identity and access management IT IT security personal information privacy public body