Secure Cloud

Cloud technology represents the next great shift in government’s digital transformation. It means using modern tools and systems to help improve how we deliver services to British Columbians.

Across the B.C. public sector, the adoption of cloud is progressing and will only accelerate over the next few years as cloud solutions become the new norm in the market. Some of the most common tools we use for streamlining our processes, collaborating with colleagues, and communicating and engaging with citizens and clients will soon migrate to cloud technology.

In October 2019, the Ministry of Citizens’ Services amended the Freedom of Information and Protection of Privacy Act to enable certain aspects of using Canada-based cloud technology in B.C., with implications for the entire B.C. public sector.

 Explore within:

Introduction to cloud

What is cloud computing?

Cloud computing refers to services provided on-demand over the Internet, such as data storage, business software, or computing power. As a user, you get access to this service without having to manage the service yourself. One common example of cloud computing is Gmail, which allows you to log in through a web browser on any device to access your emails (i.e., the data is hosted by the cloud service provider, Google).

Benefits of cloud computing

There are many benefits to cloud computing. For example, cloud services are more efficient, scalable and highly accessible. In addition, they can provide better security since cloud providers offer security features and internationally recognized certifications that would be a challenge for any one ministry or organization to deliver on its own. Finally, cloud solutions help us innovate: they let us experiment with new technologies and tools without making large capital investments up front.

FOIPPA amendments

In October 2019, the Ministry of Citizens’ Services amended the Freedom of Information and Protection of Privacy Act to enable certain aspects of using Canada-based cloud technology in B.C. These amendments do not authorize public bodies to use all cloud services – just those that store data in Canada and otherwise meet the requirements of the new sections and the rest of the Act. (Services will also need to meet the organization’s business, security and system requirements.)

About the Amendments

The Freedom of Information and Protection of Privacy Act (FOIPPA) generally requires personal information to be stored and accessed only within Canada, with a few specific exceptions. This limits public bodies from using cloud technology that stores personal information outside Canada, unless expressly authorized. There were already provisions in FOIPPA that authorize the disclosure of personal information inside or outside Canada. And in October, government added two more – specifically:

The new section 33.1 (1) (p.1) authorizes public bodies to disclose personal information inside and outside of Canada for temporary processing. This provision sets limits on that disclosure, including:

  • The processing cannot involve intentional access by a human.
  • The processing cannot result in storage of personal information outside of Canada, unless otherwise specified.
  • Where the processing happens outside of Canada, the disclosure must be for the minimum amount of time necessary.

The new section 33.1 (1) (p.2) authorizes public bodies to disclose personal information inside and outside of Canada if the personal information is metadata that is generated by an electronic system and that describes an individual’s interaction with the system. This provision sets limits on that disclosure, including:

  • Where practicable, any identifiable information in the metadata is removed or destroyed.
  • Where the disclosure is to a service provider, there is a contractual prohibition on using or disclosing the information further.

The FOIPPA Policy and Procedures Manual includes guidance on interpreting these new sections.

What this means

These amendments allow the B.C. public sector to use some common tools and technology needed to maintain operations, such as email and software for word processing, presentation and translation. They also remove a barrier to adopting the next generation of cloud-based or cloud-enabled tools – many of which already require or will soon require the temporary processing of data outside Canada.

Privacy and security

The Freedom of Information and Protection of Privacy Act requires that personal information be treated with a high standard of protection and care at all times. Data can only be stored in Canadian facilities that meet B.C.’s information security standards.

Read the FOIPPA Policy and Procedures Manual.

Exploring cloud solutions

The B.C. government is already using some cloud storage and other cloud services to increase productivity and improve how we deliver services to British Columbians. Over the next few years, it is expected that the adoption of cloud will accelerate across the public sector as cloud solutions and cloud storage become the new norm in the market.

While cloud technology is the future of modern service delivery, cloud solutions may not be appropriate in every case. A cloud solution is only appropriate if it meets every business, privacy, security and system requirement. Any ministry or organization within the B.C. public sector is able to explore and purchase cloud services, so long as they are appropriate and their intended use complies with legal and policy requirements.

The Office of the Chief Information Officer (OCIO) has existing enterprise contracts with some major vendors for services including:

  • OpenShift (RedHat)
  • Salesforce
  • Service Now
  • MS Dynamics
  • Microsoft Office

While ministries can access and purchase cloud services online, they may also wish to consult these vendors first as they may have negotiated better terms and already gone through the mandatory privacy and security requirements, including Privacy Impact Assessments (PIAs) and Security Threat and Risk Assessment (STRAs).

In some cases, the broader public sector can also access these enterprise contracts. Each contract has a list of affiliated ministries and other government entities such municipalities or crown corporations. Check with the contract owner to determine if you are eligible to use an established contract.

The Province is also adopting innovative ways to expedite cloud procurement. The Customer Relationship Management (CRM) Request for Qualifications created a pre-qualified list of vendors that provide cloud-based CRM platform capabilities and have agreed to B.C.’s cloud security and privacy schedules and legislation. To date, four vendors have successfully screened through:

  • Salesforce
  • Microsoft
  • Service Now
  • Oracle CRM on Demand

Vendor information

To work with a ministry or public sector organization in B.C., cloud service providers must agree to detailed security requirements in their contracts. At a high level, these requirements include:

  • Complying with an established cloud security framework;
  • Undergoing annual third-party audits to demonstrate compliance with this framework, while giving government the right to audit components; and
  • Enabling security investigations, online access to evidence, and legal discovery.

For more information about the contract requirements, please read the Office of the Chief Information Officer’s Security Schedule for Cloud Services.