Saskatchewan IPC issues report on Edge imaging incident

I’m working through a reading pile today, and will note briefly that the Saskatchewan IPC has issued a report about the Edge Imaging cyber incident from earlier this year, which affected a number of Ontario school boards.

It was an atypical incident. Edge Imaging used a subcontractor called Entourage Yearbooks to store and process school yearbook photos. A threat actor accessed an Entourage AWS server, downloaded and deleted photos and held them for ransom. Edge ultimately reported to its school board/division clients that Entourage, “reported that they secured the return of all the Canadian photo files from the threat actors, along with their commitment that the photo files have been deleted, and were not distributed.”

The Saskatchewan IPC report deals with whether the photos contained personal information, whether the affected school divisions met their duty to notify, whether the service providers investigated reasonably, and whether the affected school divisions took appropriate protective steps in light of the incident. It is very cursory. The matter is simply a reminder about outsourcing risks, which school boards need to manage. The Ontario IPC updated its guidance earlier this year – see Privacy and Access in Public Sector Contracting with Third Party Service Providers.

Edge Imaging (Re), 2024 CanLII 90510 (SK IPC).

Arbitrator says outsourcing e-mail system to the cloud lawful

On August 25th, Arbitrator Outhouse held that Dalhousie University did not violate the Personal Information International Disclosure Protection Act by providing e-mail and other IT services via a cloud-based platform. The decision is about compliance with the Nova Scotia statute, though Arbitrator Outhouse does make comment on the interests and risks involved in an outsourcing of this kind.

OPC releases “Guidelines for Processing Personal Data Across Borders”

On January 27th, the federal Privacy Commissioner released a document entitled “Guidelines for Processing Personal Data Across Borders.” The guidelines reflect the OPC’s pragmatic approach to the issue, but seem to put slightly greater emphasis than in prior commentary on the need for organizations to examine local and political factors in their due diligence process:

In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.

The Guideline is available here.

Cloud Computing, Second Life and the University

This is the title of our just-published university sector client bulletin. It was one of those writing projects I thought I could tackle quickly but led to some significant inquiry and learning, all of which was rewarding. It is written for universities but is relevant to anyone with responsibility for computer use policy in an organization. Click here for more. Hope it is helpful.