Canadian privacy laws and cloud computing

First, the disclaimer

What follows is the fruit of our research into Canadian privacy laws as they bear on the use of cloud-based software to store and access personal data as of mid-March, year of our Lord 2012. Of course, we are not lawyers, nor are we Canadian, nor are we from the future. If you have any questions about federal or provincial privacy laws, please seek out legal counsel from north of the 49th.

Now, the fun part: the article!

While most of our customers are located in the United States, we also have a sizable number of Canadian schools using Populi—and many more who are considering us. One thing our Canadian friends ask us is whether they would run afoul of federal or provincial privacy laws by using our service. The laws to which they refer place restrictions on the storage and access of personal information by public institutions—particularly, they stipulate that such institutions must store such data in Canada.

What laws are in play here?

The laws in question are legion and exist at both the federal and provincial level.

The Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000 is a federal data privacy law that governs how private sector business and organizations collect and use personal information. This law makes no requirement about storing personal data in Canada. It is also not binding on provinces if the provinces have in place laws that are substantially similar to PIPEDA. British Columbia, Nova Scotia, and Alberta have each enacted different versions of such "substantially similar" laws.

Alberta's laws make it illegal for a public body or service provider to disclose personal information to an entity that does not have jurisdiction in Alberta. This requirement does not exist for private institutions. More information and an unofficial list of Alberta public institutions can be found at the Government of Alberta website. Spoiler: none of the institutions listed are private colleges. If you're a private college in Alberta, you can join our other Alberta-based customers in using Populi.

British Columbia and Nova Scotia have each enacted laws that go by the names PIPA and FIPPA. In both Provinces, the Personal Information Protection Act (PIPA) governs private bodies; the Freedom of Information and Protection of Privacy Act (FIPPA) governs public bodies.* British Columbia's laws are more strict, so we'll concentrate from here on out on the laws as they exist in that province.

To unsnarl this, we need to understand two key concepts: personal information and public body.

What is personal information?

From British Columbia's definition of it in PIPA, we learn that, in its most restrictive sense...

"Personal information" means information about an identifiable individual and includes employee personal information but does not include

(a) contact information, or

(b) work product information

So student records, financial information, and much of the other information a school would use Populi to manage are all included in this definition. Pretty straightforward.

What is a “public body”?

Less straightforward is the definition of "public body". According to FIPPA, “educational bodies” come under its domain. Many college officials stop reading there and proceed on the assumption that their school can’t use cloud-based services without running afoul of the law.

However, Schedule 1 of that document contains the following:

"Educational body" means

(a) a university as defined in the University Act,

(b) [Repealed 2003-5-19]

(c) Royal Roads University,

(c.1) [Repealed by 2002-35-8]

(d) an institution as defined in the College and Institute Act,

(d.1) the Thompson Rivers University [Added by 2005-17-17]

(e) [Repealed 2004-33-18]

(f) the Open Learning Agency established under the Open Learning Agency Act, [Amended by 1997-52-40]

(g) a board as defined in the School Act, or [Amended by 1997-52-40]

(h) a francophone education authority as defined in the School Act; [Added by 1997-52-40]

Let's look closer at (a) and (d). The University Act applies to the four major universities in British Columbia, as well as any other university “designated as a special purpose, teaching university by the Lieutenant Governor in Council”. Under this law, none of these institutions could use Populi. No one is shedding any tears over this—Populi is not meant for schools with thousands of students like these institutions.

As for the College and Institute Act, it applies to publicly-owned colleges and Provincial institutes. We gather this from requirements in Section 47 that “a pension plan must be provided under the Public Sector Pension Plans Act to employees of an institution” and some clauses in Section 50, to-wit:

Institution is an agent of the government

(1) An institution is for all its purposes an agent of the government and its powers may be exercised only as an agent of the government.

(2) An institution may, in its own name, carry out its powers and duties under this Act and, with the consent of the minister and the Minister of Finance, acquire and dispose of land or buildings.

(3) Despite subsection (2), an institution may lease, or enter into an agreement to lease, land or buildings for a term that ends on or before the end of the fiscal year in which the institution entered into the lease or agreement.

(4) If an institution disposes of land or buildings, it must not spend the proceeds of the disposition without the consent of the minister.

Are you a public institution? Ask yourself these two questions: Are my employees considered government employees? and Do I need to ask the Minister of Finance if I can buy or sell real estate or spend the proceeds from a sale? If you answer No to both questions, you are, in all likelihood, not a public college—and are therefore free to use Populi to manage your school's information.

If you answer Yes to either question, British Columbia probably considers you to be a public college. Therefore, you may not use Populi unless we stored your data on servers in Canada—a complicated endeavor given how much we rely on other cloud-based services (the Amazon cloud, for instance) to provide Populi at our current price.


As we said in the disclaimer, we’re not lawyers. Involving as it does various laws and jurisdictions, this is a complex issue. If you do seek legal counsel and can confirm or deny anything we’ve said in this article, at we’d love to hear from you.

Further Reading

British Columbia's Cloud Computing and Privacy FAQ

British Columbia's Office of the Information and Privacy Commissioner (OIPC)

An article on cloud computing from itWorld Canada

*As a supplement to FIPPA, British Columbia has published a guide to cloud computing (PDF) for public bodies; the long and the short of it is that the cloud is off-limits to public bodies in that province.

Killing bugs

Every field bears thorns and thistles. A good farmer makes sure that they don't proliferate and ruin the crop. For that matter, every profession has its own thistles, its own bunch of ankle-biting thorns lurking in the wheat and the corn. For us here at Populi, those are software bugs, errors in the code we've written that cause functional problems for our users. So an important part of our job here is finding them and killing them.

Software bugs get their name from the days of computing yore* when a modest computer filled a room with hardware—lockers, tubes, relays, engineers, switches—that moved information from Point A to Point B. "Bugs" in the system were just that: little creatures that got in the works and prevented the physical passage of electrical impulses from one locker or tube to another, thereby preventing the computer from working properly. Troubleshooting those problems had to be, I dunno, just a ton of fun.

Having built Populi without using lockers, tubes, and the like, our extermination system is much less arduous. We start with software testing, or, as it's called in the biz, "Quality Assurance". When our developers deploy code in our local development environment, it's kicked over to our QA crew—Toby and (more informally) Brendan and Isaac. These three run the new feature or function through its paces to determine a few things:

  • Does it work as intended?
  • Does it even work in the first place?
  • Does it break anything else?

We ask other questions during the QA process,** but these three are key. If the QA guys find that the code or feature fails on one of these points, they send it back to the developer who authored it and tell them where to spray for pests. The respective teams repeat this process until the code or feature works. Only then do we release it.

Once we release, our users subject our code to a different kind of testing—that of everyday use in a live environment with all of its attendant surprises and unexpected side-roads. And if something's not working, they let us know.

The first thing we do in our bug hunt is verify whether there's a bug at all. Sometimes the user's workflow has gotten something out of order. Sometimes another user has changed or deleted something the first user was looking for. And sometimes we discover that everything's working fine, but we don't currently accommodate a particular "edge case" that the user needs Populi to handle. If it's the first problem a little garden-variety training is in order; if the second, we update the feature to handle the "edge case".

But if the user's problem turns out to be neither of the above, it's time to start digging through the code to see what grubs and creepy-crawlies we discover.

The digging is the part that's most like the old days of checking each switch, tube, and locker for moths. One of our programmers—usually Patrick—simply reads through the code, line-by-line, to find what's wrong. A few things to keep in mind about this job:

  • Computers and software are very literal; they require extremely precise instructions in order to work.
  • Bugs take several forms. The code might have a syntax problem, or is missing a statement, or has a slash where it should have a bracket (among a zillion other things).
  • Indeed, bugs are usually miniscule, but a tiny error is all it takes to transform a precise instruction into nonsense.***
  • Every part of Populi talks to other parts of Populi. And even those functions that aren't directly connected are linked together like that Six Degrees of Kevin Bacon**** game from the late '90's. A bug in one place can affect a dozen other functions that rely on the broken function to do their own jobs.
  • Populi has about 361,000 lines of code.

Of course, knowing the nature of the problem narrows the needle-in-a-haystack odds in the bug hunt. For instance, if someone's having trouble in Admissions, we know not to look at the Library codebase. Of course, given Populi's intra-connectivity, sometimes we do need to look afield for the bug; a problem with Student Billing might trace back to an error in course enrollment, for example.

Whatever the case, a review of the code turns up one or more culprits, at which point we take the next steps—polishing the code, running it through our QA battery, and then finally releasing it to our live servers.via

Fixing bugs can be very time-consuming, but we're laser-focused on it. We know that the only thing worse than us having to find a bug is having a bug prevent you from getting your work done. For us, bug-killing isn't an abstract matter of "we'll-get-to-that-someday" software development. It's a matter of active, responsive, "get-it-done-yesterday" customer support.

*Yeah, I know, this is over-simplified.

**Especially the question: does it work in Internet Explorer? That browser is a real turkey sometimes.

***We recently found an error that consisted of one wrong character. Easiest fix ever!

****Isaac Grauke once met Kevin Bacon; therefore, there is only one degree of separation between any given Populi feature and the man himself.

New release: SMS Emergency Notifications

We're pleased to release one of our customers' most-requested features: SMS Notifications! 

It's really simple:

First, your users opt-in to receive emergency notifications via SMS in their personal settings. Once they've submitted their verification code, they can now receive SMS messages from you via Populi.

All you need to do is go to the new Emergency Notifications tab in Communications. Compose a message, hit send, and it'll go out to all of your active faculty, staff, students, and advisors who've opted-in (you can also select specific campuses). If any of the recipients haven't opted-in to receive SMS messages, they'll get an email instead.

To help ensure your recipients can continue to get emergency notifications, we lock in their SMS number on their profile so it can't be changed by anyone, not even Staff.

Each of our three Pricing Plans comes with a certain number of SMS messages included for free. Small gets 500, Medium gets 1,000, and Large gets 2,000. If you run over your free allotment, additional SMS are just two cents per SMS recipient.

Populi Inc. releases idiotic press release


February 24, 2012

Populi Inc. of Moscow, Idaho, announced this morning that users have successfully sent over 181 emails to their email dropboxes, a new record for the company. Populi, makers of the industry-leading Populi College Management System©®™, released the award-winning email dropboxing feature on February 20th to wide acclaim in today's competitive environment.

"We're incredibly pleased at the response of our users to the new email dropboxing feature in the Populi College Management System©®™," said James Hill, Chief Technical Officer of the award-winning Populi company that makes robust, computer-y software solutions for today's leading-edge colleges. "In just four or five short days, they have sent 182 emails to their email dropboxes, allowing them to post emails to any person's Activity Feed©®™ using any email client including such popular programs and/or internet websites like Outlook, Apple Mail, Thunderbird, Gmail, Hotmail, Yahoo Mail, Juno, MapQuest, and many others. And these numbers have nowhere to go but up."

"We're pleased as a pig in punch in a poke at how our customers have responded to this new feature," added Hill, who then also added, "Really, growth like this is unprecedented. Really, really unprecedented and robust."

Populi CEO Isaac Grauke said, "The amazingly incredible thing is that Populi included this brand-new email dropboxing feature at no extra cost to current customers of the Populi College Management System©®™. Even better, it's easy for future customers to take advantage of the completely popular feature—all they need to do is sign up for Populi. It's a powerfully robust, industry-leading, best-of-breed, fruit-forward, tailor-made solution to the challenges today's colleges in the sub-1000-student market segment are facing. The future's the limit here."

Populi Inc. is the world's most-beloved maker of web-based solutions for higher education college management in the sub-1000-student market segment with its Populi College Management System©®™. Founded in Fall of 2007, Populi Inc. is dedicated to helping colleges in the sub-1000-student market segment more fully leverage their implementations and maximize industry-leading synergies.

This press release contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this press release. Please notify the sender immediately by press release if you have received this press release by mistake and delete this press release from your system.

Press release transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this press release, which arise as a result of press release transmission. If verification is required please request a hard-copy version from Populi, Inc. 1336 Alturas Drive, Moscow, ID 83843.

No employee or agent is authorized to conclude any binding agreement on behalf of Populi Inc. with another party by press release without express written confirmation by the Executive Director. Populi Inc. accepts no liability for the content of this press release, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing. It may also be privileged or otherwise protected by work product immunity or other legal rules. Please note that any views or opinions presented in this press release are solely those of the author and do not necessarily represent those of the company.

New release: Contact organizations and a few other things

The Populi crew took the evening of President's Day to release a bunch of new features. Here's a look at what we did...

New stuff in organizations

Organizations now have an Activity Feed; a Members tab to track members, employees, and students with that contact Org; custom info fields, and images.


Email dropboxing is a new feature that lets you post email to a person's Activity Feed from any email client. Check out the video to learn more about how it works.

We also now provide bounce/spam reports for email addresses on Profiles.

Personal settings

New personal settings let you select your local timezone, hide your profile from non-staff users, keep your birthday off the News Feed, as well as let you choose a default Activity Feed visibility setting and generate your email dropbox. We also moved your email signature here.


Library got some new reports and workflows, including:

  • Resource batches and Inventory in the Catalog
  • Circulation reporting by loan, resource, resource type, home library, and home location
  • Browse resources is now exportable

A few new financial items:

  • You can now bulk-add tuition schedules from the Data Slicer
  • Invoice and transaction numbers are now generated sequentially (previously they were generated every-other-number to avoid potential conflicts)
  • You can now print financial aid award letters
  • We loosened the financial aid workflow: you no longer need to package aid before invoicing charges to have the aid auto-apply to those charges
  • Overaward alerts now exclude declined financial aid
  • More detailed totals under Profile > Financial Aid > Summary > Total Aid
  • A new setting lets you select the Term you wish to begin automatically generating pending charges—this will be really helpful for schools that want to back-enter financial and billing data

A few things we're working on...

The Populi development team is plugging away at our next release. Here's a glance at some of it:

Personal settings for all users

Depending on your user roles, you'll have different options—Timezone, birthday announcement opt-out, Activity Feed visibility, plus a few other things.

Organization profiles

Organization Profiles are getting the look and functionality of regular Profiles. In addition to an Activity Feed, there'll also be a Members tab that lets you keep track of people in your system who are associated with that organization.

Associating people with Organizations will be easier—add new Orgs right from a person's Info tab. You can also specify the relationship (Employment, Member, and for College type orgs, Student) and the timeframe of the person's involvement with the Org.

Also: custom info fields for Organizations!

New reports and workflows in Library

We'll be releasing a Circulation report with multiple perspectives on your active loans. In addition, there will be Inventory and Resource Batching tools in the Library Catalog.

Email dropboxing

The other marquee feature is email dropboxing. Dropboxing works by giving you a secret email address. When you copy or forward to that secret address, Populi will figure out the recipients and post your email to their Activity Feeds. The best part is, you can do this from any email client—Outlook, Gmail, Apple Mail, iOS Mail app, etc.—not just Populi. This will make your communications easier than ever to record, and will make the Activity Feed a more complete record of your correspondence with prospects, students, and other contacts.