There is a cloud on the horizon for public agencies trying to comply with the section of B.C.’s information and privacy law that bars them from letting personal data on citizens leave Canadian soil.
Specifically, cloud computing.
The trend toward storing data on servers anywhere and everywhere, rather than on drives kept physically on site, runs directly into that section of the law. It was written 11 years ago to safeguard against U.S. snooping that was allowed by the far-reaching USA Patriot Act.
The privacy law gets reviewed every five years by a committee. Another review is underway, and members have heard an earful recently about how that privacy safeguard — Section 30.1 — hampers public agencies trying to do business in the interconnected world.
University of B.C. lawyer Paul Hancock appeared recently, representing the four research universities, and said that section is the single most challenging part of the entire information and privacy law.
“It erodes our competitiveness. It’s preventing us from using world-class tools that other universities use in other jurisdictions. It’s adding costs and administrative complexity.”
As an example, he cited the big student information systems universities use. Major vendors of those systems around the world are moving to the cloud.
“They’ve put us on notice that within the next three to five years most of them will be moving out of locally hosted systems and into the cloud.
“If we don’t move with them, we will be stuck trying to support on-premise solutions without support from these vendors. Any IT person can tell you that is a recipe for disaster.”
It would cost millions more to continue with locally hosted systems that he said, ironically enough, aren’t as secure as the latest cloud-based ones.
UBC information-security official Larry Carson said universities eventually will have to look for substandard solutions or be forced to use the cloud, regardless. Some vendors are offering cloud services in Canada, but they still don’t fully comply with the law.
Hancock said the section also perversely bars universities from using some online learning systems that are being developed daily. So people come from all over the world and can’t use systems they have used previously. Meanwhile, most of them are on social media and have their personal information stored on foreign systems that are much less secure.
Another example he cited is in plagiarism detection. Online programs are in common use around the world, but in B.C. they can’t be fully integrated into the systems because they require inputting a student’s name.
“We’ve caused untold frustration for our faculty and bemusement for many of our students, who wonder why we can’t use the system as it’s intended.”
Hancock also said UBC has overseas offices that are unable to access any core systems remotely. “This makes it very hard for them to do their jobs.”
Links could be made highly secure, but would still be unlawful.
The complaints are similar to those voiced by a Vancouver Coastal Health Authority lawyer, who said the section is forcing authorities into second-rate data solutions and generally hampering efficiency.
The College of Registered Nurses has also weighed in on the question of why private bodies routinely handle B.C. citizens’ personal information outside of Canada, but public bodies are forbidden from doing so. It’s also involved with other regulatory agencies in talking about sharing more information on its members across borders to catch disciplinary matters or professional practice matters. That kind of collaboration could run afoul of the section.
A yearbook publisher also appeared before the committee, saying that a competitor is citing his practice of getting the yearbooks printed outside of Canada as a possible violation.
MLAs and B.C. Information and Privacy Commissioner Elizabeth Denham have been resistant to date to making or supporting any changes in that aspect of the law.
NDP MLA Doug Routley said requests to relax it usually are about expediency, and successive commissioners have recommended against changing it. It’s usually more a case of organizations not knowing the law and the fact there are accommodations that can be made when problems arise.