Canadian privacy laws and cloud computing

First, the disclaimer

What follows is the fruit of our research into Canadian privacy laws as they bear on the use of cloud-based software to store and access personal data as of mid-March, year of our Lord 2012. Of course, we are not lawyers, nor are we Canadian, nor are we from the future. If you have any questions about federal or provincial privacy laws, please seek out legal counsel from north of the 49th.

Now, the fun part: the article!

While most of our customers are located in the United States, we also have a sizable number of Canadian schools using Populi—and many more who are considering us. One thing our Canadian friends ask us is whether they would run afoul of federal or provincial privacy laws by using our service. The laws to which they refer place restrictions on the storage and access of personal information by public institutions—particularly, they stipulate that such institutions must store such data in Canada.

What laws are in play here?

The laws in question are legion and exist at both the federal and provincial level.

The Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000 is a federal data privacy law that governs how private-sector businesses and organizations collect and use personal information. This law makes no requirement about storing personal data in Canada. It is also not binding on provinces if the provinces have in place laws that are substantially similar to PIPEDA. British Columbia, Nova Scotia, and Alberta have each enacted different versions of such "substantially similar" laws.

Alberta's laws make it illegal for a public body or service provider to disclose personal information to an entity that does not have jurisdiction in Alberta. This requirement does not exist for private institutions. More information and an unofficial list of Alberta public institutions can be found at the Government of Alberta website. Spoiler: none of the institutions listed are private colleges. If you're a private college in Alberta, you can join our other Alberta-based customers in using Populi.

British Columbia and Nova Scotia have each enacted laws that go by the names PIPA and FIPPA. In both provinces, the Personal Information Protection Act (PIPA) governs private bodies; the Freedom of Information and Protection of Privacy Act (FIPPA) governs public bodies.* British Columbia's laws are more strict, so we'll concentrate from here on out on the laws as they exist in that province.

To unsnarl this, we need to understand two key concepts: personal information and public body.

What is personal information?

From British Columbia's definition of it in PIPA, we learn that, in its most restrictive sense...

"Personal information" means information about an identifiable individual and includes employee personal information but does not include

(a) contact information, or

(b) work product information

So student records, financial information, and much of the other information a school would use Populi to manage are all included in this definition. Pretty straightforward.

What is a “public body”?

Less straightforward is the definition of "public body". According to FIPPA, “educational bodies” come under its domain. Many college officials stop reading there and proceed on the assumption that their school can’t use cloud-based services without running afoul of the law.

However, Schedule 1 of that document contains the following:

"Educational body" means

(a) a university as defined in the University Act,

(b) [Repealed 2003-5-19]

(c) Royal Roads University,

(c.1) [Repealed by 2002-35-8]

(d) an institution as defined in the College and Institute Act,

(d.1) the Thompson Rivers University [Added by 2005-17-17]

(e) [Repealed 2004-33-18]

(f) the Open Learning Agency established under the Open Learning Agency Act, [Amended by 1997-52-40]

(g) a board as defined in the School Act, or [Amended by 1997-52-40]

(h) a francophone education authority as defined in the School Act; [Added by 1997-52-40]

Let's look closer at (a) and (d). The University Act applies to the four major universities in British Columbia, as well as any other university “designated as a special purpose, teaching university by the Lieutenant Governor in Council”. Under this law, none of these institutions could use Populi. No one is shedding any tears over this—Populi is not meant for schools with thousands of students like these institutions.

As for the College and Institute Act, it applies to publicly owned colleges and Provincial institutes. We gather this from requirements in Section 47 that “a pension plan must be provided under the Public Sector Pension Plans Act to employees of an institution” and some clauses in Section 50, to wit:

Institution is an agent of the government

(1) An institution is for all its purposes an agent of the government and its powers may be exercised only as an agent of the government.

(2) An institution may, in its own name, carry out its powers and duties under this Act and, with the consent of the minister and the Minister of Finance, acquire and dispose of land or buildings.

(3) Despite subsection (2), an institution may lease, or enter into an agreement to lease, land or buildings for a term that ends on or before the end of the fiscal year in which the institution entered into the lease or agreement.

(4) If an institution disposes of land or buildings, it must not spend the proceeds of the disposition without the consent of the minister.

Are you a public institution? Ask yourself these two questions: Are my employees considered government employees? and Do I need to ask the Minister of Finance if I can buy or sell real estate or spend the proceeds from a sale? If you answer No to both questions, you are, in all likelihood, not a public college—and are therefore free to use Populi to manage your school's information.

If you answer Yes to either question, British Columbia probably considers you to be a public college. Therefore, you may not use Populi unless we store your data on servers in Canada—a complicated endeavor given how much we rely on other cloud-based services (the Amazon cloud, for instance) to provide Populi at our current price.

Postscript

As we said in the disclaimer, we’re not lawyers. Involving as it does various laws and jurisdictions, this is a complex issue. If you do seek legal counsel and can confirm or deny anything we’ve said in this article, we’d love to hear from you.

Further Reading

British Columbia's Cloud Computing and Privacy FAQ

British Columbia's Office of the Information and Privacy Commissioner (OIPC)

An article on cloud computing from itWorld Canada

*As a supplement to FIPPA, British Columbia has published a guide to cloud computing (PDF) for public bodies; the long and the short of it is that the cloud is off-limits to public bodies in that province.