The British Columbia Information and Privacy Commissioner (“IPC”) has released guidelines on cloud computing. The guidelines apply to the public sector bodies to which British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) applies.
Paragraph 30.1(a) of FIPPA restricts the ability of public bodies in British Columbia to transfer data outside of Canada. Subject to limited exceptions, public bodies in British Columbia are permitted to store personal information outside of Canada only with the consent of the individual to whom the information relates. The consent must be provided in writing and specify to whom the personal information may be disclosed.
The British Columbia IPC recognizes that some vendors are offering cloud computing services that store information solely within Canada. However, the IPC cautions that public bodies must make inquiries to determine whether they can rely on these representations. In addition, the IPC states that public bodies must consider whether there are reasonable security measures, such as:
- corporate policies, procedures and standards with respect to security and privacy;
- controls regarding access by authorized users;
- infrastructure security, including layered security controls and patch management;
- encrypted transmission and storage of personal information;
- contractual safeguards for the information to prevent unauthorized use, to require mandatory breach reporting and to permit audits.