Policies and related documents, including standards, guidelines, and procedures, exist to protect Brock students, employees, and the University. All members of the University community have an obligation to comply with the University’s policies. ITS policies are available for review on the University Secretariat Website.
Lab users should also visit the Computer Labs and Printing page to review the Computer Lab Rules and Regulations.
ITS Collection Notice
In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of your computer’s hard drive.
If there is a need to store personal information or other sensitive information in the cloud, Brock requires that units complete a Privacy Risk Classification Tool, and in some cases a Privacy Impact Assessment, as well as a Cloud Questionnaire to assess privacy and security.
Many information technology services are moving to the cloud. Brock uses cloud providers for storing identifiable information such as student emails, financial systems and online course evaluations. Examples of secure cloud providers that are contracted to offer cloud services at Brock are Microsoft and Workday.
Brock requires a cloud provider to meet the same privacy requirements that are required of the University, as set out in the Freedom of Information and Protection of Privacy Act (FIPPA). In accordance with FIPPA, the University community’s responsibilities regarding the protection of privacy, and the right of access to information, are that:
- Reasonable measures that are defined and documented are in place to prevent unauthorized access to the information, taking into account the nature of the information to be protected;
- Only those individuals who need access to personal or sensitive information for the performance of their duties shall have access to it; and
- Reasonable measures that are defined and documented are in place to protect personal and sensitive information from inadvertent destruction or damage, taking into account the nature of the information to be protected.
How does the US Government’s ability to access my personal information differ from the Canadian Government’s ability to do so?
The Patriot Act, a piece of counter-terrorism legislation, broadens the US federal government’s power to access or intercept electronic communications, such as emails, including the power to “wiretap” international communications with a secret warrant, or without a warrant, under certain circumstances.
Canadian lawyer and privacy law expert David Fraser argues that this does not make much difference for Canadians, since Canada has already passed very similar legislation in the Canada Anti-Terrorism Act, and Canada cooperates with the US in exchanging intelligence relating to terrorism, sharing “vast amounts of information” across the border. Effectively, he says, the US can already access Canadian information. His assessment of the Patriot Act can be found here.
Even where data is stored in Canada, Canadian authorities are legally empowered to access personal information (PI) in certain circumstances. For this reason, the Privacy Office does not believe that storing data on U.S. servers will make a significant difference to the security of the information.
Who do I contact if considering a cloud solution that includes personal information? (Faculty/Staff)
It is important that you contact both the Privacy Office and ITS as follows:
- To request a Privacy Risk Classification Tool: contact the FIPPA Coordinator at email@example.com or ext. 5380.
- To request a Cloud Questionnaire: contact firstname.lastname@example.org or ext. 4083.