Privacy in BC is more than just data sovereignty and the cloud

Some random thoughts and notes from the recent InfoSummit I attended. The Summit was put on by the non-profit BC Freedom and Information Privacy Association.

Among the presenters were KPU faculty Mike Larson and UBC legal counsel Paul Hancock. Both spoke on a number of issues, but the one that was most relevant to my work was the discussion on the BC-specific data sovereignty requirement which says that, unless you get consent, personal information collected by BC public bodies must reside on data servers stored in Canada.  In the BC higher education edtech space, this has made using cloud based services problematic for faculty who often have to get signed consent forms from students to use cloud services outside of Canada.

On this point, Mike and Paul were on opposite sides of the debate. Mike supported the requirement, and made the point that the requirement to get informed consent has a strong pedagogical function. When he asks his students to sign a consent form to use cloud-based services, it often kickstarts a conversation with them about privacy, data, security and user rights. Now, Mike does teach Criminology and law, so it feels like a natural fit to have this convo with his students, and I wonder if a, say, English prof or someone teaching trades would be prepared to have this conversation with their students. Or wether their students would even care to have this conversation, as important as it is to have. But still, it was refreshing to hear a faculty member speak about using BC’s informed consent requirement as a pedagogical device to start conversations about privacy in a digital age.

On the other hand (and probably closer to the reality of most faculty), the data sovereignty requirement and informed consent forms are real barriers for faculty who wish to incorporate other technologies into their teaching and learning.  UBC’s Paul Hancock believes that the data sovereignty requirement is much too broad, and he spoke about feeling handcuffed by the legislation when he speaks to instructors who want to use a teaching tool that fits their exact pedagogical goals, but is hosted in another country. For this instructor, Hancock has to advise them that they cannot use the technology unless they get the consent of the students. Getting consent may sound easy, but if you do have students who do not consent, then the instructor has to have an alternative activity or exercise ready for them that is FIPPA compliant. Now you have to start designing additional activities for these special exceptions, and I don’t know many faculty who have extra time on their hands to develop extra activities as a work-around to the legislation.

But it is not just the data sovereignty requirements that are presenting challenges to higher education institutions. Students are now asking institutions for access to the data collected about them within the technologies hosted on campus. Using a Freedom of Information request, UBC student Bryan Short has been trying to get a copy of the data collected about him by the UBC LMS (Blackboard, branded as UBC Connect at UBC). In a five-part blog post series, Bryan neatly and perceptively outlines his experiences trying to get access to learning analytics collected about him using a Freedom of Information request (and does a nice takedown of the LMS in general). Normally, when a public institution has been served with an FOI request, they have 30 days to comply. UBC was unable to comply and has now asked for an additional 30 days to gather the information. I wonder what kind of technical hoops UBC might be jumping thru to even extract this information from their LMS in a meaningful way.

Sadly, this whole process has made Bryan feel like he is a “meddling, bothersome nuisance” for doing something he has the legal right to do.

I don’t think this will be an isolated incident. As digital privacy becomes a bigger issue within our society, I suspect institutions will begin to see more and more of these kinds of requests from students like Bryan asking for access to their learning data, especially if that learning data is being used in anyway to conduct an assessment of the student. Which makes me wonder how many institutions in BC would be able to respond within 30 days to a student FOI request for the data collected about them in the LMS?

Photo: Eye I. By Thomas Tolkien CC-BY


Clint Lalonde

Just a guy writing some stuff, mostly for me these days on this particular blog. For my EdTech/OpenEd stuff, check out


8 thoughts on “Privacy in BC is more than just data sovereignty and the cloud

  1. Maha, yes, but Domain of One’s Own, which I just moved my blog to this week, is in the United States. Instructors in BC would still face the same issues.

    Clint, has there been any discussion around the homework systems that are more and more often packaged with commercial textbooks? Where do those servers reside? Do students have to agree to using them?

    1. I don’t think there is nearly enough talk about where the data for homework systems and other publishers content/tools lives, or whether they are FIPPA compliant. I suspect that, if you peeled back the hood and asked faculty where they are sending their students to when they use those publisher access codes that most wouldn’t know. Or even be aware that they could be asking students to do something that is in violation of privacy regulations.

      1. This really occurred to me this week when I contact Lumen and they said there were limits on what we could do with them because of privacy legislation in Canada (I pointed out that we’re in Sask, not BC), which made me wonder what about Pearson? What about Wiley? Do they have Canadian servers? Are they backed up to servers in the U.S. I shouldn’t be stopped from using Lumen if someone else can use Pearson.

    1. As Heather noted, DoOO as a service as it exists now wouldn’t solve the problem of having the data hosted on a Canadian server. However, DoOO as a concept is something that is definitely influencing the way a number of us are thinking about these issues here in the province.

        1. Exactly right. If students had full control over their data right from the start, then there wouldn’t even be the need to go through bureaucratic hoops like filling a Freedom of Information request to get access to their own data. Make them the stewards of their own data.

Comments are closed.