Another facet of living in the online world while being a (future, hopeful!) public employee is being aware of FIPPA, the Freedom of Information and Protection of Privacy Act in BC, and the Cloud Computing Guidelines for Public Bodies. This post will contain some of my notes after reading this document; most notes will be direct pull quotes.

  • It is important to note that “FIPPA applies to personal information that is in the custody or under the control of a public body.”
  • Public bodies cannot store or access personal info outside of Canada.
  • But most of the well-known cloud computing companies are American and do exactly this.
  • Written consent must be given, including the specific information to be stored, and dates for the beginning and end of consent.
    • Consent must also specify who may store or access the data, the jurisdiction in question, and the purpose for the use of a cloud computing company outside of Canada.
  • There was a confusing part about monetary payments, but I think this section means that if the information is being given in combination with payment to a foreign government, the corresponding data is allowed to be stored in said jurisdiction.
  • All data stored must be protected. A public body that intends to store data outside of Canada must review the security of the company. This includes governance, identity & access management, infrastructure security, encryption and contractual provisions.

While the document is written in fairly straightforward language, it will probably take me another couple of read-throughs before I get all the details sorted. The guidelines seem rather strenuous; however, it seems pretty commonplace to use Google, Facebook, and Amazon for so many different aspects of our lives. How public bodies avoid, or don’t avoid, this will be interesting to note going forward.