FIPPA and BC K-12 Public Schools: Email correspondence with The Office of the Information and Privacy Commissioner

for BC
From: Richard Ajabu Sent: January-10-13 12:25 PM To: Info Subject: Request for Clarification: FIPPA requirements for K-12 Student Use of Cloud & Other Foreign Computer Services... Hi Monique, Thank you for speaking with me on the telephone this morning regarding K-12 public school student use of cloud and other computer services located on foreign servers. Here are links to three Twitter conversations that will help you understand some of the confusion that is happening in BC K-12 public schools: 1. FIPPA & BC K-12 Public Schools ( http://storify.com/richardajabu/fippa-and-bc-k-12-public-schools ) 2. Let's not be rash with FIPPA ( http://storify.com/richardajabu/is-that-fippa-petition-premature ) 3. Cloud vs FIPPA: Change the Tech? Change the Law? Both? ( http://storify.com/richardajabu/cloud-vs-fippa-change-the-tech-change-the-law-both ) Would the Office of the Information Privacy Commissioner be able to provide further clarification and guidance for BC K-12 Public Schools regarding whether & how BC public schools can use cloud and other computer services located on foreign servers (Google Drive/Gmail/Docs/Chromebook/etc, Twitter, Facebook, MS365, etc). I am concerned that without guidance and examples, BC K-12 public schools will get themselves into trouble regarding FIPPA. Can you clarify whether a single blanket consent form for each service used by students is acceptable (ie 1 for Gmail, 1 for Google Drive, 1 for Twitter, 1 for Facebook, etcgood for the entire year), or whether consent for each individual piece of personal information must be provided? Example consent forms for all the popular computer services would be very useful if your office can provide them for K-12 public school use. BTW, here is that article I mentioned to you this morning that points out other legal risks for Canadians (including students) who access foreign computer servers: Courts Adopt Aggressive Approach in Cross-Border Internet Jurisdiction Cases ( http://www.michaelgeist.ca/content/view/6746/135/ ) With the new copyright changes in Canada, cyber bullying, etc I can imagine those risks are worth considering as K-12 public school students and teachers go about their online research, report writing, socializing, etc. If you have any questions feel welcome to email me at any time. Thank you for any help you can provide. I will share your guidance with others in the BC K-12 public school system. Cheers, Richard Ajabu

Page 1 of 5

FIPPA and BC K-12 Public Schools: Email correspondence with The Office of the Information and Privacy Commissioner for BC (cont)
From: Bradley Weldon [mailto:BWeldon@oipc.bc.ca] Sent: Monday, January 14, 2013 2:03 PM To: Richard Ajabu Cc: Monique LeBlanc Subject: FIPPA and cloud computing

Dear Mr. Ajabu, Thank you for your email regarding the use of cloud computing by public bodies. I have reviewed the links that you provided in the email and I am aware of some educators frustration with the limitations placed on the use of cloud computing and social networking by the Freedom of Information and Protection of Privacy Act (FIPPA). The location of those limitations is primarily in s. 30.1 of FIPPA, which addresses storage of personal information outside of Canada, and s. 33.1, which addresses disclosure outside of Canada. Storage outside of Canada Section 30.1 of FIPPA requires that in most instances personal information must be stored in Canada: Storage and access must be in Canada 30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies: (a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction; (b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act; (c) if it was disclosed under section 33.1 (1) (i.1). As you alluded to in your Twitter discussion, while s. 30.1(a) allows an individual to consent to storage outside of Canada, the difficulty presented by the consent described in that section is that the prescribed manner of consent, as provided by s. 11 of the FIPPA Regulation, requires that the consent must specify the personal information for which the individual is providing consent: Consent respecting personal information 11 (1) For the purposes of section 26 (d), 30.1 (a), 32 (b) and 33.1 (1) (b) of the Act, consent must (a) be in writing, and (b) be done in a manner that specifies (i) the personal information for which the individual is providing consent, and

Page 2 of 5

FIPPA and BC K-12 Public Schools: Email correspondence with The Office of the Information and Privacy Commissioner for BC (cont) (ii) the date on which the consent is effective and, if applicable, the date on which the consent expires. Consent cannot be open-ended but must enumerate the specific personal information that will be stored outside of Canada. Therefore, in instances where it is not possible to know ahead of time what personal information will be stored, the consent provisions are not a practical source of legal authority for storage of personal information outside of Canada. Our office does not provide precedents for this type of consent, however, s. 11 of the FIPPA Regulation clearly enumerates what constitutes valid consent, and could likely serve as a template. We would welcome the opportunity to review a draft consent and work with a public body to determine whether the draft would likely authorise the storage of personal information outside of Canada. The FIPPA Regulation is available here: http://canlii.ca/en/bc/laws/regu/bc-reg-1552012/latest/bc-reg-155-2012.html. Disclosure outside of Canada Similar concerns apply to the use of cloud services that either reside outside of Canada or otherwise disclose personal information on the internet, such as Facebook. In those instances, the public body must find an authorisation for this disclosure in s. 33.1 of FIPPA, and the same requirement for specificity that applies with respect to storage outside of Canada would also apply to consent for disclosure outside of Canada. I note that s. 33.1 (r) of FIPPA authorises disclosure of personal information on a social media site where the information is disclosed: a) by the individual the information is about; b) is obtained or compiled by the public body for the purpose of enabling the public body to engage individuals in public discussion or promotion respecting proposed or existing initiatives, policies, proposals, programs or activities of the public body or respecting legislation relating to the public body; and c) is disclosed for a use that is consistent with the purpose described above. This is intended to authorise a public body to use social media to interact with the public without requiring specific consent for disclosure outside of Canada. This would likely facilitate, for example, a schools public Facebook page where it provided information about the schools activities, and would allow individuals to post comments on that page. However, this would likely not authorise the use of social media to disclose personal information about identifiable individuals unless they had consented to that disclosure in writing, or the information was collected at a performance or event that was open to the public, and that the individual attended voluntarily (as authorised in s. 33.1 (q) of FIPPA). The interaction of FIPPA and the use of cloud-based services is somewhat complex, but I hope that I have answered your specific questions regarding the use of consent to authorise storage or disclosure of personal information outside of Canada. Please contact me if you have questions or would like to discuss this matter further. Page 3 of 5

FIPPA and BC K-12 Public Schools: Email correspondence with The Office of the Information and Privacy Commissioner for BC (cont) Regards, Bradley Weldon, LL.B, CIPP/C Policy Analyst Office of the Information and Privacy Commissioner for British Columbia 250-356-5722 (Victoria) or 604-660-2421 (Vancouver) or toll-free 1-800-663-7867. This email and any attachments are only for the use of the intended recipient and must not be distributed, disclosed, used or copied by or to anyone else. This email and any attachments may be confidential, privileged or subject to the provisions of the Freedom of Information and Protection of Privacy Act or all of these things. Email can be intercepted in transit or sent to the wrong address, so use secure means to communicate with us if you are concerned about confidentiality. If you receive this in error please contact the sender by return email and delete all copies of this email and any attachments.
From: Richard Ajabu Sent: January-14-13 5:56 PM To: Bradley Weldon Cc: Monique LeBlanc Subject: RE: FIPPA and cloud computing Thank you very much Bradley. That is helpful and I very much appreciate your offer to review a draft consent. For efficiency, I suspect that it would be best for one organization (Ministry of Ed? BC School Trustee Assoc? BC Public School Employer Assoc? Other?) to draft a document clarifying what is and is not allowable, as well as any draft consent that may be needed, submit it to you for review, and then make the final revision available to all 60 BC public school districts for their use. I would like to encourage this happen sooner than later because it is my understanding that BC school districts may be frustrated and moving forward regardless. It would help if I could forward a copy of your email below to key personnel/organizations; is that OK? I will encourage that a single contact person be established to liaise with you regarding the review of a draft document, and that the final document (with consent template) be shared with all 60 school districts. If you have any other suggestions, please let me know. Thanks again for your help with this. Cheers, Richard Ajabu

Page 4 of 5

FIPPA and BC K-12 Public Schools: Email correspondence with The Office of the Information and Privacy Commissioner for BC (cont)
From: Bradley Weldon [mailto:BWeldon@oipc.bc.ca] Sent: Tuesday, January 15, 2013 9:16 AM To: 'Richard Ajabu' Subject: RE: FIPPA and cloud computing

Hi Richard, Yes, feel free to pass that along to anyone who might be interested. Its actually quite straightforward once one understands how FIPPA deals with storage and disclosure outside of Canada, but it can be a bit confusing to get that point. Call me if you have any questions. Regards, Bradley Weldon, LL.B, CIPP/C Policy Analyst Office of the Information and Privacy Commissioner for British Columbia 250-356-5722 (Victoria) or 604-660-2421 (Vancouver) or toll-free 1-800-663-7867.
From: Richard Ajabu Sent: Tuesday, January 15, 2013 10:59 AM To: 'Bradley Weldon' Cc: 'Monique LeBlanc' Subject: RE: FIPPA and cloud computing Thanks Bradley. Ill share this around and I think it will help to reduce associated confusion in BC K-12 public schools. Cheers, Richard Ajabu

Page 5 of 5