Privacy Review

Privacy Contact: For assistance in reviewing the privacy implications of the cloud software, please contact privacy@uwo.ca.

Summary: The University has legal and/or contractual obligations to protect information belonging to its students, faculty, staff, vendors and others. When negotiating a contract or service with a vendor for cloud-based services, faculty/staff should take into account the following privacy considerations:

Information

Will the vendor store "personal information" as defined by FIPPA, "personal health information" as defined by PHIPA or "Files" as defined in any University collective agreement?

Recommendation:

When dealing with these types of information, you must take care to ensure that the University's obligations under the applicable Act or agreement are fulfilled.

The collective agreements of the faculty association and the librarians and archivists association impose specific privacy obligations on the University when storing their members' personal information, research materials and/or teaching materials off-premises with a third party. In such instances, Legal Counsel and the Privacy Officer must be contacted.

Jurisdiction

In which country will the information be stored?

Recommendation:

Information should be stored in Canada wherever possible. The laws of other jurisdictions, including the US, do not offer the same privacy protections as the laws of Canada.

Privacy Policy

Does the vendor have a detailed privacy policy related to your data?

Recommendation:

Any legitimate vendor will have a privacy policy. It should be reviewed to understand how the vendor protects the privacy of your information.

Use of Data for Other Purposes

Can the vendor use your data for purposes other than the provision of the service to you (for targeted advertising or individual/aggregate research)?

Recommendation:

The Contract with the Vendor should state that the Vendor will only use your information to provide the services.

Disclosure

Can the vendor disclose or sell your data to third parties?

Recommendation:

The Vendor should never be able to disclose information to third parties unless required by law or as agreed upon in order to provide the services.

Access

Who will have access to your information?

Recommendation:

Access to the information should be limited to those employees of the Vendor who require access in order to provide you with the service.

Security

What are the security features used by the vendor to protect your information, while in transit and stored by the vendor?

Recommendation:

You should understand how the vendor secures your data and contact the University's Information Security Officer where required. FIPPA, for example, requires you to take reasonable measures to prevent unauthorized access to "personal information" collected by the University, taking into account the nature of the records to be protected.

Legally Compelled Disclosure

If the vendor is legally compelled to disclose your information, will you be notified?

Recommendation:

The Vendor should provide you notice of any requests to access your information, unless legally prohibited from doing so.

Data Breach

If there is a privacy breach, will you be notified?

Recommendation:

The Vendor should promptly notify you of any unauthorized access to or loss of your information and inform you of the steps taken to resolve the breach.

Data Retention and Destruction

  • How long will the vendor hold onto your information?
  • How and when will your information be destroyed?

Recommendation:

You should understand how long the vendor will retain your information.
The Contract with the Vendor should require the Vendor to transfer information to you on termination of the Contract or as directed by you. The Contract should also require the Vendor to securely destroy any information remaining in its possession following the termination.

