What follows is the fruit of our research into Canadian privacy laws as they bear on the use of cloud-based software to store and access personal data as of May, 2023 (this article is an update to a March, 2012 blog post). Of course, we are not lawyers, nor are we Canadian, nor are we from the future. If you have any questions about federal or provincial privacy laws, please seek out legal counsel from north of the 49th.
While most of our customers are located in the United States, we also have a sizable number of Canadian schools using Populi, many of whom have wondered whether they would run afoul of federal or provincial privacy laws by using Populi. The laws to which they refer place restrictions on the storage and access of personal information by public institutions; in particular, they stipulate that such institutions must store such data in Canada.
What laws are in play here?
The laws in question are legion and exist at both the federal and provincial level.
The Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000 is a federal data privacy law that governs how private-sector businesses and organizations collect and use personal information. It was amended in 2015 by the Digital Privacy Act. This law makes no requirement about storing personal data in Canada. It is also not binding on provinces if the provinces have in place laws that are substantially similar to PIPEDA. Quebec, British Columbia, and Alberta have each enacted different versions of such "substantially similar" laws; four other provinces (Ontario, New Brunswick, Newfoundland, and Nova Scotia) have similar laws governing the use of health information.
Alberta's laws make it illegal for a public body or service provider to disclose personal information to an entity that does not have jurisdiction in Alberta. This requirement does not exist for private institutions. More information and an unofficial list of Alberta public institutions can be found at the Government of Alberta website. Spoiler: none of the institutions listed are private colleges. If you're a private college in Alberta, you can join our other Alberta-based customers in using Populi.
British Columbia and Nova Scotia have each enacted laws that go by the names PIPA and FIPPA. In both provinces, the Personal Information Protection Act (PIPA) governs private bodies; the Freedom of Information and Protection of Privacy Act (FIPPA) governs public bodies. British Columbia's laws are stricter, so we'll concentrate from here on out on the laws as they exist in that province.
To unsnarl this, we need to understand two key concepts: personal information and public body.
What is personal information?
From British Columbia's definition of it in PIPA, we learn that, in its most restrictive sense...
"Personal information" means information about an identifiable individual and includes employee personal information but does not include
- (a) contact information, or
- (b) work product information
So student records, financial information, and much of the other information a school would use Populi to manage are all included in this definition. Pretty straightforward.
What is a “public body”?
Less straightforward is the definition of "public body". According to FIPPA, “educational bodies” come under its domain. Many college officials stop reading there and proceed on the assumption that their school can’t use cloud-based services without running afoul of the law.
However, Schedule 1 of that document contains the following:
"Educational body" means
- (a) a university as defined in the University Act,
- (b) [Repealed 2003-5-19.]
- (c) Royal Roads University,
- (c.1) [Repealed 2002-35-8.]
- (d) an institution as defined in the College and Institute Act,
- (d.1) the Thompson Rivers University,
- (e) [Repealed 2004-33-18.]
- (f) [Repealed 2003-48-14.]
- (g) a board as defined in the School Act, or
- (h) a francophone education authority as defined in the School Act;
Let's look closer at (a) and (d). The University Act applies to the four major universities in British Columbia, as well as any other university “designated as a special purpose, teaching university by the Lieutenant Governor in Council”. Under this law, none of the institutions indicated here could use Populi.
As for the College and Institute Act, it applies to publicly owned colleges and Provincial institutes. We gather this from requirements in Section 47 that “a pension plan must be provided under the Public Sector Pension Plans Act to employees of an institution” and some clauses in Section 50, to wit:
Institution is an agent of the government
- (1) An institution is for all its purposes an agent of the government and its powers may be exercised only as an agent of the government.
- (2) An institution may, in its own name, carry out its powers and duties under this Act and, with the consent of the minister and the Minister of Finance, acquire and dispose of land or buildings.
- (3) Despite subsection (2), an institution may lease, or enter into an agreement to lease, land or buildings for a term that ends on or before the end of the fiscal year in which the institution entered into the lease or agreement.
- (4) If an institution disposes of land or buildings, it must not spend the proceeds of the disposition without the consent of the minister.
To determine whether or not your school is a public institution, it seems that you are directed to ask yourself these two questions:
- Are our employees considered government employees?
- Do we need to ask the Minister of Finance if we can buy or sell real estate or spend the proceeds from a sale?
If you answer No to both questions, you are, in all likelihood, not a public college—and are therefore able to use Populi without running afoul of the law.
If you answer Yes to either question, British Columbia probably considers you to be a public college. Therefore, you may not use Populi unless we stored your data in Canada.
Repeating the disclaimer
As mentioned above, we’re not lawyers. Involving as it does various laws and jurisdictions, this is a complex issue. If you do seek legal counsel and can confirm or deny anything we’ve said in this article, we'd really like to hear from you!