With the implementation of Microsoft Office 365 (O365) as the new email and calendaring solution for students, Queen's is taking its first major step towards externally hosted enterprise solutions. As such, we have undertaken a thorough assessment and evaluation process to address the potential risks posed by this service delivery platform.
It is worth noting the general principle that email is not confidential. Users are advised to follow the Email & FIPPA Best Practices posted on the Queen`s Freedom of Information and Protection of Privacy website.
In order to assess the risk involved in storing information with a third party, Queen's commissioned an independent Privacy Risk Assessment (PRA) to provide expertise on legislative requirements and best practices. This assessment, conducted by an external consultant, specifically looked at how students' private or personal identifiable information would be handled in O365. The only data being shared with Microsoft for the provisioning of this service is students' names and their Queen's email addresses.
The primary objectives of the PRA were to:
The PRA concluded that Queen's has a good base of privacy controls already in place and will be in compliance with both FIPPA and PIPEDA. It also made several recommendations for improvement that the University has committed to implementing, such as enhancements to current policies and procedures in areas like information retention and destruction.
On February 24, 2011, Ryerson University hosted a symposium entitled, "Exploring the Future of E-mail, Privacy, and Cloud Computing at Ryerson." Guests from the higher education community were invited to attend, including from Queen's University. Privacy Lawyer David Fraser spoke regarding privacy and externally hosted solutions.
There is a commonly held misconception that if an American company is used to provide server hosting, any data housed on those servers would be open to scrutiny by the US Government. In fact, the information being shared with the service provider will be subject to the same legislation that has always governed it, and there is no additional risk posed by the location of the servers. When mitigating risk, the focus should be on entering sound contracts with a quality service provider and not the location of the data. The following slide is an excerpt from his presentation at Ryerson:
The full presentation, Privacy and the Cloud for Universities and the Real World. – David Fraser, Partner, McInnes Cooper, is available on David Fraser's website.