Canada: FIPPA And Cloud Services – Compliance From Procurement To Go-Live

A brief scan of the daily news from any outlet demonstrates just how engrained privacy has become in the public consciousness. From data breaches to lost devices to the introduction of the European Union's General Data Protection Regulation, privacy has become headline news, particularly where it involves a breach relating to a public body like a university. In light of this enhanced public awareness, a review of internal privacy practices and compliance activities is a prudent step for any higher education institution.

Here in BC, universities, colleges and institutes are subject to the Freedom of Information and Protection of Privacy Act (commonly known as FIPPA), which establishes standards for both information access and privacy right protections. Compliance with FIPPA is a multifaceted undertaking that requires ongoing measures to monitor and update privacy practices and procedures.

With recent developments in technology, many of the software tools used by higher education institutions are migrating to the cloud. Cloud services provide a great example for demonstrating the steps that should be taken to ensure a FIPPA-compliant solution.

In this, the second of our series on FIPPA, we'll provide a flavour for how integral considerations arising out of FIPPA are during a typical procurement process for a new cloud system, including for product and vendor selection:

• Procurement planning and preparation: While the protection of personal information has become a universally accepted requirement, FIPPA has a number of unique requirements that many vendors are unfamiliar with – for example, data sovereignty (the requirement that data must stay in Canada except in a very short list of exceptions, which applies not just to day-to-day data repositories but also back-ups and remote, follow-the-sun customer service). Also important is keeping the freedom of information provisions clear, including the broad obligation to disclose information upon request to the public, and the narrow exceptions for commercially sensitive information.

On that basis, procurement documents should be drafted with FIPPA compliance in mind, providing insight into BC's FOI and privacy landscape and building certain elements, such as data residency and access restrictions, into your mandatory business requirements, as well as expectations around confidentiality in the procurement process.

• Proponent selection: Once proposals have been submitted, you should have sufficient information to assess whether proponents are capable of FIPPA compliance, including how their solution operates, where it is located and the proposed support model. This is a good time to start preparing a privacy impact assessment to identify and develop a plan to manage privacy risks and impacts. FIPPA compliance should be front of mind during the evaluation process, given the legal and reputational risks associated with a data breach or delays in the project resulting from revelations that certain components of the system are not yet available in Canada.
• Contract negotiations: While FIPPA automatically applies to service providers, including FIPPA's obligations in your contract is not only essential to ensuring a common understanding and common expectations, but also giving the institution a way to enforce those obligations directly with the service provider. The contract should include a requirement to promptly report data breaches, ensure all data is stored in Canada, impose restrictions on the collection, use and disclosure of personal information, acknowledge the freedom of information request process and generally require FIPPA compliance. This process should also provide answers to any outstanding business or technical questions and assist you to finalize your privacy impact assessment.
• Go-live and beyond: Once the solution has been deployed, a variety of ongoing compliance activities remain. Any significant change to the solution will need to be reviewed and, if necessary, the privacy impact assessment updated. In the event of a data breach, the Privacy Commissioner must be promptly notified and various investigation and mitigation activities will need to be undertaken. On receipt of a request for access to information, you will need to assess the request and engage with the service provider to obtain and disclose the requested information.

Prudence also suggests monitoring and periodically auditing compliance with FIPPA, to ensure that the common understandings and commitments articulated in the contract have made their way to the operational and technical teams who are sustaining the system. Stories of unintentional non-compliance and project delays caused by data sovereignty are common—so it's important to not just tick the box during procurement and again at contract negotiation, but to revisit and reconfirm compliance.

The above only touches on some of the issues that post-secondary institutions need to consider when outsourcing their technology and platforms 'to the cloud'. Over the coming months, we will expand on these and other issues and provide practical tips on identifying and managing risks. So, stay tuned.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.