Cloud Computing in the BC Government
Last updated: February 1, 2021
Cloud technology represents the next great shift in government’s digital transformation. It means using modern tools and systems to help improve how we deliver services to British Columbians.
Across the B.C. public sector, the adoption of cloud is progressing and will only accelerate over the next few years as cloud solutions become the new norm in the market. Some of the most common tools we use for streamlining our processes, collaborating with colleagues, and communicating and engaging with citizens and clients will soon migrate to cloud technology.
In October 2019, the Ministry of Citizens’ Services amended the Freedom of Information and Protection of Privacy Act to enable certain aspects of using Canada-based cloud technology in B.C., with implications for the entire B.C. public sector.
What is cloud computing?
Cloud computing refers to services provided on-demand over the Internet, such as data storage, business software, or computing power. As a user, you get access to this service without having to manage the service yourself. One common example of cloud computing is Gmail, which allows you to log in through a web browser on any device to access your emails (i.e., the data is hosted by the cloud service provider, Google).
Benefits of cloud computing
There are many benefits to cloud computing. For example, cloud services are more efficient, scalable and highly accessible. In addition, they can provide better security since cloud providers offer security features and internationally recognized certifications that would be a challenge for any one ministry or organization to deliver on its own. Finally, cloud solutions help us innovate: they let us experiment with new technologies and tools without making large capital investments up front.
Cost considerations for cloud computing
Saving money by using cloud services is possible; however, this isn’t always the case, and it is most often not the most significant benefit. Making cloud economics work requires effective selection of solution candidates, ongoing management, upfront investment, and a mid-to-long-term horizon for return on investment.
To explore and adopt cloud solutions, you will need to work closely with your ministry or organization’s information privacy, security and procurement specialists to ensure information is always treated with a high standard of protection and care.
These specialists will help you consider key legislation such as the Freedom of Information and Protection of Privacy Act (FOIPPA) and the Information Management Act as well as all relevant privacy, security and procurement policies, procedures and standards when evaluating and selecting a cloud solution. They also have more information on the recent amendments to FOIPPA, which have enabled certain aspects of using Canada-based cloud technology in B.C. These policies will help you adopt cloud in an appropriate, safe and secure way.
Your ministry specialists can support you in creating your:
- Procurement approach – The process that you will use to evaluate and select the appropriate solution for your needs and ensure that agreements with vendors meet government’s legislation and policy requirements.
- Privacy Impact Assessment, or PIA – A process used to evaluate and manage privacy impacts and to ensure compliance with privacy protection rules and responsibilities.
- Security Threat and Risk Assessment, or STRA – A process used to assess and report security risks for an information system.
- Statement of Acceptable Risk, or SOAR – The SOAR documents all the risks identified through the Security Threat and Risk Assessment, their risk ratings, and any planned action to mitigate them. A signed SOAR constitutes the completion of a STRA (above).
There are privacy and security resources that include specific considerations for cloud projects:
- Privacy Protection Schedule for Cloud Services – Ensures high privacy standards are maintained for personal information held by service providers and includes terms that are applicable for cloud applications.
- Cloud Security Schedule – Assists ministries to identify the types of services required and the level of care that is expected when cloud services are used. To work with a ministry or public sector organization in B.C., cloud service providers must agree to detailed security requirements in their contracts. At a high level, these requirements include:
  - Complying with an established cloud security framework;
  - Undergoing annual third-party audits to demonstrate compliance with this framework, while giving government the right to audit components; and
  - Enabling security investigations, online access to evidence, and legal discovery.
More information about contract requirements related to security can be found in the security schedule.
The B.C. government is already using some cloud storage and other cloud services to increase productivity and improve how we deliver services to British Columbians. Over the next few years, it is expected that the adoption of cloud will accelerate across the public sector as cloud solutions and cloud storage become the new norm in the market.
While cloud technology is the future of modern service delivery, cloud solutions may not be appropriate in every case. A cloud solution is only appropriate if it meets every business, privacy, security and system requirement. Any ministry or organization within the B.C. public sector is able to explore and purchase cloud services, so long as they are appropriate and their intended use complies with legal and policy requirements, including those related to procurement, privacy, security and risk management.
The Office of the Chief Information Officer (OCIO) has existing enterprise contracts with some major vendors for services including:
- OpenShift (Red Hat)
- ServiceNow
- Microsoft Dynamics
- Microsoft Office
- Microsoft Azure
Prior to procuring public cloud services, ministries should engage Corporate Software Asset Management to review the corporate agreements in place – the Province may have already negotiated an agreement that the ministry can leverage. In these cases, some of the privacy and security terms have already been defined in enterprise agreements and a corporate tenant infrastructure is already in place. Keep in mind that Security Threat and Risk Assessments (STRAs) and Privacy Impact Assessments (PIAs) are still required during the development of a new project, program, system or activity or for changes to existing projects, programs, systems or activities.
If your ministry is interested in Microsoft products, the first step is to consult with an OCIO Enterprise Services enterprise architect to discuss your needs. They will be able to help your ministry plan and understand supportability and integration with services. Please contact OCIOo365@gov.bc.ca to initiate a consultation.
In some cases, the broader public sector can also access these enterprise contracts. Check with email@example.com to determine if you are eligible to use an established contract.
The Province is exploring ways to expedite cloud procurement. The Customer Relationship Management (CRM) Request for Qualifications created a pre-qualified list of vendors that provide cloud-based CRM platform capabilities and have met the requirements of B.C.’s cloud security and privacy schedules and legislation. To date, four vendors have successfully screened through:
- ServiceNow
- Oracle CRM on Demand
By using the list of qualified suppliers, ministries can streamline their procurement and save time negotiating contracts. Contact firstname.lastname@example.org to discuss your business need and learn more about the process.