office of the privacy commissioner of canada care of ... -...


Page 1: Office of the Privacy Commissioner of Canada Care of ... - …ecommoutsourcing.ischool.utoronto.ca/wp-content/uploads/... · 2014-12-19 · Science The University of Toronto Phone:

Office of the Privacy Commissioner of Canada
Care of: Contributions Program
112 Kent Street
Place de Ville, Tower B, 3rd Floor
Ottawa, Ontario K1A 1H3
Email: [email protected]
Fax: 613-947-6850

To the adjudication committee,

Please find attached to this letter an electronic submission of an application to your Contributions Program, 2014-2015, titled “Assessing Privacy Risks When Considering Extra-National Outsourcing of eCommunications.” The documents attached include:

a) The signed contributions program application form
b) The proposal
c) A completed Schedule B, Eligible Costs, form.

The co-investigators on this project are Dr. Andrew Clement, Faculty of Information Studies, University of Toronto; Dr. Lisa Austin, Faculty of Law, University of Toronto. I am acting as the Principal Investigator for the purposes of coordinating our activities. However we are participating equally in the research and knowledge translation activities.

Respectfully submitted,
[[email protected]]
Dr. Heidi Bohaker, Associate Professor


A Proposal to the Office of the Privacy Commissioner of Canada's

Contribution Program

ASSESSING PRIVACY RISKS

WHEN CONSIDERING EXTRA-NATIONAL OUTSOURCING

OF ECOMMUNICATIONS

January 6, 2014

A collaborative project proposed jointly by three University of Toronto faculty members:

Lisa Austin,

Associate Professor, Faculty of Law;

Heidi Bohaker,

Associate Professor, Department of History,

Faculty of Arts and Science;

Andrew Clement, Professor,

Faculty of Information;

THE UNIVERSITY OF TORONTO.


Austin, Bohaker, Clement: OPC Contributions Program 2014‐2015 Proposal, Page 2 of 14 

Proposal for: ASSESSING PRIVACY RISKS WHEN CONSIDERING EXTRA‐NATIONAL OUTSOURCING OF ECOMMUNICATIONS

1. BASIC ADMINISTRATIVE INFORMATION

Applicant Organization: University of Toronto  

Authorized Representative  

Drew Gyorke  

Director, Agency & Foundation Funding

McMurrich Building, 3rd floor

12 Queen's Park Crescent West

Toronto, ON M5S 1S8

Phone: 416-978-7248

[email protected]

Principal Investigator

Associate Professor Heidi Bohaker 

Department of History 

The University of Toronto 

#2074‐100 St. George St. 

Toronto, Ontario, M5S 3G3 

Phone: 416‐946‐0978 

Fax: 416‐978‐4810 

[email protected] 

 

 

Administrator

Elisa Lee 

Research Grant Financial Officer 

Department of History, Faculty of Arts and Science 

The University of Toronto 

Phone: 416‐978‐3918 

Fax: 416‐978‐4810 

[email protected] 

 

Co‐investigator 

Associate Professor Lisa Austin 

Centre for Innovation and Policy 

Faculty of Law 

The University of Toronto 

84 Queen’s Park 

Toronto, Ontario M5S 2C5 

Phone: 416‐9946‐7447 

Fax: 416‐978‐2648 

[email protected] 

Co‐investigator

Professor Andrew Clement 

Information Policy Research Program 

Faculty of Information  

The University of Toronto 

140 St. George Street

Toronto, Ontario, M5S 3G6

 

Phone: 416‐978‐3111  

[email protected]  

 

 

 

 


2. LEGAL STATUS

The University of Toronto is a not‐for‐profit organization.

3. ORGANIZATIONAL BACKGROUNDS

The principal investigator and co-investigators come from three different faculties at the University of Toronto.

The Department of History in the Faculty of Arts and Science emphasizes the study of the past not only for its own sake but to provide context and background for present day debates and issues. Professor Heidi Bohaker is a historian of Canada and of Aboriginal peoples in North America. She has a broad interest in the types of archives and categories of information both states and non-states kept and keep about their people. She also has a strong research interest in the digital humanities, and is co-director of an international database project known as GRASAC or the Great Lakes Research Alliance for the Study of Aboriginal Arts and Cultures. As the technical lead and designer of the database, Bohaker has the responsibility of safeguarding the research in progress of members from many different countries. At the same time she is also concerned with the protection of digital data that First Nations contributors consider sacred and/or sensitive. As a result, Bohaker has developed research interests and experience in the privacy and security of digital data and eCommunications.

The Information Policy Research Program (IPRP) at the Faculty of Information is an on-going program of research examining key public policy issues, notably access, privacy and governance. It is coordinated by Prof. Andrew Clement, founding Director of the Collaborative Graduate Program in Knowledge Media Design and a co-founder of the Identity Privacy and Security Institute. Commencing in 1995, IPRP has been serving as the organizational hub for a series of Canadian policy research projects, each with its own research focus, team members and funders. Clement is also co-investigator in The New Transparency: Surveillance and Social Sorting research project. This multidisciplinary, international study is funded for 7 years by SSHRC's Major Collaborative Research Initiative (MCRI) program and headed by Prof. David Lyon at Queen's University. Clement and Prof. Colin Bennett co-lead the integrated sub-projects on Digitally Mediated Surveillance and Politics of Surveillance.

The Centre for Innovation, Law and Policy at the Faculty of Law examines the interface between technology and law. The CILP is at the forefront of the Faculty of Law's commitment to ensuring that its faculty, curriculum and resources are responsive to those social, cultural, economic and technological developments that have consequences for, influence or are shaped by law in its various forms. A multi-faceted and interdisciplinary research centre, the CILP primarily focuses on intellectual property, cyberlaw, and privacy, as well as telecommunications and biotechnology law. The core faculty affiliated with the CILP approach foundational, theoretical and topical issues concerning law and technology through the scholarly rubrics of law, philosophy, political science, economics and cultural studies. Professor Austin is a member of the Centre; her research and teaching interests include privacy law and property law. Professor Austin is a noted expert in this field and has made numerous scholarly and public policy contributions.


4. PREVIOUS FINANCIAL SUPPORT

Andrew Clement has recently been the principal researcher on two OPC-funded projects, entitled respectively “Proportionate ID Project” and “‘Smart’ Private Eyes”, both completed in 2011, and on a 2012-2013 OPC Contributions Grant titled “IXmaps: Mapping Canadian Privacy Risks in the Internet Cloud”. This most recent project focused on the impact of Internet routing protocols on the privacy risk to data in transit. The findings of this last project directly support the broader policy and legal questions being raised in this proposal. Amount: $49,920.00

Clement’s ID Lab team has also previously received funding for two projects from the Office of the Privacy Commissioner's Contributions Program. The "Visions for Canada’s Identity Policy Understanding Identity Policy and Policy Alternatives" project (2006-07) was conducted with the Policy Engagement Network at the London School of Economics. It evaluated contemporary identity schemes in various governmental jurisdictions and explored options for the development of a Canadian-wide policy for identity management. The "Implementing PIPEDA" project (2004-5) was conducted in partnership with the Centre for Innovation Law and Policy in the Faculty of Law at U of T (Lead Researcher: Rajen Akalu). This project evaluated the implementation of PIPEDA by reviewing privacy statements posted on the Internet by companies in the telecommunications, airlines, banking and retail sectors. Professor Clement was also a co-investigator on the 2012-2013 project “Video Surveillance & Privacy: Who is Watching?” led by Dr. J. Ferenbok, consisting of a qualitative study of citizens’ attitudes and opinions towards the changing nature of video surveillance in Canada, suggestions for improving public education in the area of video surveillance, and an experts’ panel discussion on video surveillance.

Lisa Austin has been a Faculty Research Advisor on two projects funded by the Office of the Privacy Commissioner of Canada Contributions Program. The most recent, in 2007, was “Personal Information Protection in the Face of Crime and Terror: Information Sharing by Private Enterprises for National Security and Law Enforcement Purposes.” The grant was awarded to the Centre for Innovation Law and Policy, University of Toronto Faculty of Law (Lead Researcher: Andrea Slane); Amount: $50,000. Austin was also a Faculty Research Advisor for a 2004 Office of the Privacy Commissioner of Canada Contributions Program grant, “Implementing PIPEDA: A review of privacy statements and on-line practices” (Lead Researcher: Rajen Akalu, Centre for Innovation Law and Policy). Amount: $48,300.


5. PROJECT DESCRIPTION

The three co-investigators came together initially as a result of concerns over a proposed plan for the extra-national outsourcing of eCommunications at the University of Toronto in the Fall of 2013. In studying the issue as it applies to the University context, they quickly realized that the issue itself, and the questions raised and answered in the course of their initial research, affect all Canadians. Other organizations and private sector companies face similar questions when evaluating the promise of extra-national eCommunications outsourcing against the risks posed to privacy and the threat of state surveillance if data is hosted in the United States or in other jurisdictions where Canadian privacy rights are not protected by law or treaty.

The co-investigators feel it is in the broad public interest to build on the research they have completed so far and to share the results of those findings in an accessible format for others contemplating extra-national outsourcing. We feel that we have the combined expertise to assess competing perspectives on outsourcing and provide Canadians easier access to reasoned arguments and factual evidence, in order for them to make the best and most informed decisions for their organizations and companies.

This project aims to assess the risks that such outsourcing to large corporations promises to remediate (i.e. by reducing the likelihood of ‘hacker attack’ against servers with less access to high level security service) against the risk of state surveillance posed by routing and storing data particularly in the United States, risks made apparent by the release of information by Edward Snowden and other NSA whistleblowers about the significant extent of NSA gathering and surveillance of the data belonging to foreign (to the US) nationals. In particular, revelations about the PRISM program, in which 9 leading internet services providers are alleged to have ‘partnered’ with the NSA in facilitating access to their stored data, have raised a storm of controversy and widespread questioning of the risks of doing business with corporations covered by US jurisdiction. Notably, Google and Microsoft are among the most prominent providers of outsourced, cloud-based eCommunications services such as email and calendaring; they are also listed among the PRISM partners, a fact that exposes the data of non-US persons who use their services to bulk NSA surveillance. For another example, the eCommunications of Canadians are routinely subject to unnecessary risk in that much Canadian Internet traffic transits the United States between Canadian senders and recipients (aka “boomerang” traffic), exposing the email to the risk of capture by the NSA’s warrantless UPSTREAM program. Email originating in Toronto, for instance, routinely enters the United States en route to the University of Toronto’s servers [5].

How should these risks be described and assessed in a Privacy Impact Assessment? Given what is now known about the extent of NSA surveillance, can extra-national outsourcing be compliant with requirements under PIPEDA? Under what conditions could the NSA violate the privacy of Canadians’ electronic data? Are the Patriot Act and other US statutes (e.g. FISA Amendments Act 2008) indeed “red herrings,” or do they pose significant threats to the privacy rights and expectations of Canadians? What confidence can and should Canadians considering outsourcing place in the assertions of service providers that encryption strategies, for example, can protect user data from third party access?

The three co-investigators have been actively engaged with the issue of eCommunications outsourcing. Andrew Clement organized an educational forum on this topic held at the iSchool at the University of Toronto on the 16th November 2013. The forum included experts and stakeholders with a range of positions on the issue, including Caspar Bowden, former Microsoft chief privacy advisor [1] and Robert D. Cook, the CIO of the University of Toronto [2]. Speakers also included Sukanya Pillay, Executive Director of the Canadian Civil Liberties Association and Jim Turk, the Executive Director of the Canadian Association of University Teachers. Heidi Bohaker also gave a paper on the implications of extra-national outsourcing from a historian’s perspective. In short, Bohaker reminded the audience that eCommunications such as those offered by Microsoft and Google create complex and rich archives of the activities of subscribing organizations and their users. Bohaker then reviewed various known examples in post-World War II history of occasions when even Western democracies have violated the privacy rights of their own citizens for political ends, reaffirming the need to be vigilant in protecting those rights [3].

Following the iSchool forum, on December 12, 2013 Lisa Austin co-authored an op-ed piece “Our data, our laws,” which appeared in the National Post, along with other leading privacy experts in Canada [4]: Heather Black is a privacy consultant and former assistant privacy commissioner in the Office of the Privacy Commissioner of Canada; Michael Geist is the Canada research chair in Internet and e-commerce law at the University of Ottawa; Ian Kerr is the Canada research chair in ethics, law & technology at the University of Ottawa; Avner Levin is the director of the privacy and cyber crime institute and chair of the Law & Business Department at Ryerson University.
Andrew Clement has presented “IXmaps‐Tracking your personal data through the NSA’s warrantless wiretapping sites” at the 2013 IEEE‐ISTATs Conference [5] and has a paper he is presenting at the upcoming iConference in March of 2014 titled “NSA Surveillance: Exploring the geographies of internet interception.” [6]

The three co-investigators recognize not only that they have produced significant research to date on this topic, but also that much more remains to be done. This grant provides a timely opportunity for the co-investigators to continue their research, communicate important findings to the public and provide effective training opportunities in this area for graduate students working under our supervision.

The goal of this project is to develop a web-based set of resources and assessment tools to assist Canadian organizations considering extra-national outsourcing. The resulting deliverables include:

1. A website based on an open-source content management system: Following the well-established model of public website development by the Information Policy Research Program (http://iprp.ischool.utoronto.ca/), our project will develop a site on which we can publish other deliverables, including, as described below: the literature survey, the results of our analysis of perspectives on outsourcing, a framework for organizations to use for their privacy impact assessments when considering extra-national outsourcing, and policy recommendations. The investigators of this grant are English-speaking, and will produce English language documents. However, we have included a budget item for French language translation of core documents such as the framework document and policy recommendations.

2. A literature survey of scholarship on the privacy implications of extra‐national outsourcing: Building on work already begun by the co‐investigators, the graduate students hired for the project will complete the literature review and prepare an annotated e‐bibliography, assessing the relevance of the material cited and ranking its importance to help decision‐makers find the most relevant and authoritative expert opinions on this topic.  

3. Analysis of perspectives on extra-national outsourcing in industry, media and government communications: Business stakeholders, in particular outsourcing service providers, see either a threat to their business model (for those offering extra-national services) or an opportunity (for those offering domestic outsourcing services). Public-sector organizations and private companies consider outsourcing as an option to both improve productivity and reduce costs. In the initial wave of cloud computing, media and government (including Provincial Offices of Privacy Commissioners) have also taken positions on outsourcing that make it difficult to change tack when new information occurs. See for example a September 2012 decision of Ontario’s Privacy Commissioner supporting the decision of Ontario’s Ministry of Natural Resources to outsource hunting and fishing licensing to a US-based company, Active Outdoors. In her analysis of the privacy implications and threat of the Patriot Act, Dr. Cavoukian relied upon decisions of the federal Privacy Commissioner, and pointed as well to writings of legal scholar Michael Geist, and Canadian privacy lawyer David T. Fraser. [7] But as our co-investigator Dr. Lisa Austin has found, the legal differences between Canada and the United States, and the limited or near non-existent protection for the data of Canadians in the United States, go far beyond the Patriot Act. Assertions that the legal risks to state surveillance of Canadians’ data in Canada versus the United States are comparable are factually wrong. [4] One part of our project will therefore be tracing out the history of decisions around outsourcing, providing an evidence-based approach to the issue while historicizing for our audience how these different perspectives about the implications of outsourcing have changed over time and indeed are continuing to change in response to recent events and news.

4. The development of a framework for assessing the risks of extra-national outsourcing: A key objective of our project is to create a template based on a set of questions that will provide a checklist for those contemplating extra-national outsourcing to ensure that they have effectively completed their privacy impact assessments (PIAs). For example, the template will ensure that decision-makers understand the difference between metadata and content, the different ways in which third parties can use and access those different categories of information, the potential consequences for Canadians of such third party access, and the different risk mitigation strategies that must be employed in each case (where possible). It is crucial, for example, when evaluating outsourcing options to consider the different risks associated with data in transit, metadata in transit, data and metadata encrypted at rest, and the necessary un-encryption of data to use SaaS (software-as-a-service). Each of these risks needs to be separately assessed. Only then can organizations effectively weigh the cost/benefit of extra-national outsourcing and the risks to privacy. We’ll develop and test this assessment framework by analysing existing PIAs.

5. Recommendations for policy makers and legislators on changes needed to ensure the protection of Canadian eCommunications: A key outcome must be the production of a set of recommendations for policy makers and legislators. The co-investigators of this project are not in principle against outsourcing, cloud computing or even extra-national outsourcing. But certain privacy risks could be further mitigated if policy and law makers took specific actions. For example, what are the viable alternatives for Canadian organizations doing business with PRISM corporations such as Microsoft and Google? Are there Canadian outsourcers that can provide comparable cloud services while offering robust privacy protections? How can they be better known? For another example, in addressing the risks from boomerang routing, we’ll recommend policy changes for Internet service providers, procurement requirements of outsourcing customers, and other legal or regulatory changes that will reduce or eliminate such routing risks. This will build on the recently completed “IXmaps: Mapping Canadian Privacy Risks in the Internet Cloud” project funded by the OPC.

6. A public forum inviting stakeholders to share their perspectives and learn from each other: Building on the very successful forum held 16 November 2013, this public forum would come towards the end of our project, in March of 2015. The forum will be a place for the co-investigators to review with invited experts and the general public what if anything has changed on the legal and/or policy landscape since the 2013 forum, and also to present the assessment framework and policy recommendations that we have developed for feedback from stakeholders before the submission of our final report.

A final report on the implications of extra-national outsourcing: The OPC will receive a final report on the complete findings of the research for publication and dissemination on their website that will include the literature review, decision framework and the recommendations for policy makers.

In the wake of the Snowden revelations, and in light of the continued and growing interest in cloud computing services, this project could not be more timely. Canadians as a whole will benefit from the output of this project. Many Canadians, including the co-investigators, frequently make use of extra-national outsourced eCommunications services quite happily and enthusiastically, giving very little thought to the fact that their data as a result resides on servers in the United States. Canadians making outsourcing decisions need to have clearer information about the fact that where data resides determines what legal protections email and other digital data have from the actions of third parties. This project will provide a web-based resource that will explain these risks in clear language, and will provide the tools for individuals, companies and organizations to make informed eCommunications outsourcing decisions.

The Office of the Privacy Commissioner will also benefit as this project builds on research previously funded by the OPC. The potential risk to privacy of extra-national outsourcing was identified in previous projects funded by the Office of the Privacy Commissioner. [8] However, new information and evidence about the scope of that risk has been revealed in the wake of the revelations by Edward Snowden in June of 2013. The research and analysis to be provided by the co-investigators updates the findings of previous projects with new information, and moreover, with a detailed assessment of the distinctive legal frameworks in Canada and the United States (provided by Austin) and new research on the risks to email and other e-communications transiting the Internet (provided by Clement).

As much as the Internet and World Wide Web have created the impression of a seamless, globally interconnected world, the reality is that data, like people, has a citizenship of sorts – rights that descend from the citizenship of the data’s owner. Rights that protect the privacy of our data only apply to those of us fortunate enough to live within nations that have constitutional protection of those rights and rigorous enforcement mechanisms; further, those rights apply only as long as our data remains within those borders. If we put our data in jurisdictions that do not respect our privacy rights, we have none.

In building on the research we have done to date, and making our findings more publicly accessible, the investigators hope to spur public debate and encourage new policies and laws that will make it possible for us to create a world in which we can both enjoy the benefits of cloud computing and the free flow of information without sacrificing the privacy rights afforded us in the Charter of Rights and Freedoms. As the Canadian Supreme Court has made crystal clear on multiple occasions, including most recently in a November 2013 decision, Canadians have a right to privacy of their personal information, which includes their correspondence in whatever form. In paragraph 19 of the unanimous decision, the justices wrote “As this Court has previously recognized, legislation which aims to protect control over personal information should be characterized as “quasi-constitutional” because of the fundamental role privacy plays in the preservation of a free and democratic society:” [para 19]. They then said “The importance of the protection of privacy in a vibrant democracy cannot be overstated:” [9] In order to enjoy these protections in this day of rapidly changing eCommunications technologies and outsourcing possibilities, Canadian organizations and individuals need the best and most up-to-date information and assessment frameworks possible. Our project aims to make a significant contribution to this important goal.


6. SUMMARY 

The goal of this project is to effectively assist Canadian organizations considering extra-national outsourcing through the creation of a web-based suite of resources that brings the best expertise on this issue together in one place. Many Canadian companies and organizations have already outsourced eCommunications services to US corporations, particularly Microsoft and Google, while others are considering this option to both save money and enhance service. But what are the privacy implications of doing so? What happens to the privacy rights of Canadians when their electronic data is stored on servers in the United States and in other international jurisdictions? And what do Canadians need to know in order to make informed decisions about using cloud-based outsourcing services?

This project aims to assess the risks that such outsourcing to large corporations promises to remediate (i.e. by reducing the likelihood of ‘hacker attack’ against servers with less access to high level security service) against the risk of state surveillance posed by storing data abroad.

How should these risks be described and assessed in a Privacy Impact Assessment? Given what is now known about the extent of NSA surveillance, can extra-national outsourcing be compliant with requirements under PIPEDA? Under what conditions could the NSA violate the privacy of Canadians’ electronic data? Are the Patriot Act and other US statutes “red herrings,” or do they pose significant threats to the privacy rights and expectations of Canadians? What confidence can and should Canadians considering outsourcing place in the assertions of service providers that encryption strategies, for example, can protect user data from third party access?

The project will pursue this goal through the following core activities:

1) A website based on an open-source content management system containing:
   a) A literature survey of scholarship and key publications on the privacy implications of extra-national outsourcing;
   b) Analysis of perspectives on extra-national outsourcing in industry, media and government communications;
   c) The development of a framework for assessing the risks of extra-national outsourcing;
   d) Recommendations for policy makers and legislators on changes needed to ensure the protection of Canadian eCommunications.
2) A public forum inviting stakeholders to share their perspectives.

To support this project, we are requesting $49 530.50 from the Office of the Privacy Commissioner. Since the co‐investigators are all full‐time faculty members and do not require salary support, the funds will be used to support the research and writing of graduate students hired for this project. In this way the project will not only produce a curated set of resources for Canadian companies and organizations considering eCommunications outsourcing; it will also further the development of HQP (highly qualified personnel) through the experience and training given to our graduate students. We expect to submit a final report in May of 2015.


Austin, Bohaker, Clement: OPC Contributions Program 2014‐2015 Proposal, Page 11 of 14 

7. TIMELINE AND MONITORING

PHASE ONE: MAY-AUGUST 2014

Post job notices and hire graduate students. 

Hire a web developer to install a basic website and content management system on the iSchool’s webserver. 

Work with graduate students to review materials collected to date and to prepare web accessible literature review. 

 

PHASE TWO: SEPTEMBER-DECEMBER 2014

Begin planning for the March 2015 forum. Consider and invite potential speakers.

Working collaboratively with graduate student researchers, analyze published perspectives and PIAs on extra‐national outsourcing and develop an easy‐to‐use framework for assessing risks for the general public to use.  

PHASE THREE: JANUARY-MARCH 2015

Undertake detailed planning for March 2015 forum. 

Develop policy recommendations. 

Host forum 

Present framework at forum and invite stakeholder feedback. 

Present initial policy recommendations at forum and invite stakeholder feedback. 

Revise and prepare final framework and policy recommendations documents.  

Arrange for translation of final framework and policy recommendation documents into French. 

POST FUNDING: APRIL-MAY 2015  

The investigators prepare the final report and submit it to the Office of the Privacy Commissioner of Canada.  


8. DETAILED BUDGET

The Faculty of Arts and Science contributes:

the salary and benefits of Heidi Bohaker estimated at $60/hr for an average of 10 hours per month total with a 24% benefits overhead over the 11‐month course of the project. $8 184

The Faculty of Law contributes:

the salary and benefits of Lisa Austin estimated at $90/hr with a 24% benefits overhead for an average of 10 hours per month total over the 11‐month course of the project. $12 276

The Faculty of Information contributes:

the salary and benefits of Andrew Clement estimated at $80/hr with a 24% benefits overhead for an average of 20 hours per month total over the 11‐month course of the project. $10 912

use of meeting space and audiovisual services for the public forum  $1 000 

server space and IT support $1 000 

$2 500 for a  Politics of Surveillance intern funded by SSHRC through the New Transparency project 

TOTAL IN KIND CONTRIBUTIONS: $35 872

The Office of the Privacy Commissioner is being asked to cover the remainder of the project cost, namely:

salaries and benefits of three graduate student researchers estimated at $25/hr for an average of 40 hours per month each for 9 months of the project. $32 490

materials, supplies, food at the forum and travel expenses of speakers for the forum $5 000


website development $4 000¹

translation budget (English‐French) $5 000  

Indirect costs (15%), required by the University to support the grant $6 460.50 

TOTAL CONTRIBUTION REQUESTED: $49 530.50  

9. COMMUNITY INVOLVEMENT AND SUPPORT

The public will be invited to attend the March 2015 forum, and the website will invite public comment and feedback.  

10. PROVINCIAL/TERRITORIAL SUPPORT

Not Applicable 

11. KNOWLEDGE TRANSLATION ACTIVITIES

There are two key components to the knowledge translation aspects of this proposal: the development of a public website and the public forum. The entire purpose of this project is to take research developed and in progress by the investigators and make it publicly available and publicly accessible for Canadians and Canadian organizations to use in their extra‐national outsourcing deliberations.

12. HOW WE WILL ACKNOWLEDGE THE OPC

Our goal is to consistently refer to the OPC as the commissioning body for our research and activities.  We will do so publicly at the public forum. Our reports and websites will all mention the sponsorship of OPC. We will invite OPC staff to engage and participate in each step of the process.   

   

¹ Estimated, consistent with prior experience, by taking the middle range of a cost estimate provided by an internet website development company for a simple site based on a content management system such as Drupal, which will allow our researchers and users to continue adding content after the initial site is set up. See: http://www.brain-storminc.com . The web server space will be provided by the iSchool, University of Toronto.


 

REFERENCES 

[1] Caspar Bowden, “How the US crafted secret mass‐surveillance laws for foreign cloud data, without any legal rights or redress,” (2013) Paper presented at the Teach‐in on University e‐Services Outsourcing to U.S. Corporations. 16 November 2013. http://ecommoutsourcing.ischool.utoronto.ca/

[2] Bob (Robert D.) Cook, “Proposed project to migrate UofT faculty and staff email to Microsoft Office 365,” (2013) Paper presented at the Teach‐in on University e‐Services Outsourcing to U.S. Corporations. 16 November 2013. http://ecommoutsourcing.ischool.utoronto.ca/

[3] Heidi Bohaker, “States, Power, and Information Technology: Perspectives from History,” (2013) Paper presented at the Teach‐in on University e‐Services Outsourcing to U.S. Corporations. 16 November 2013. http://ecommoutsourcing.ischool.utoronto.ca/

[4] Lisa Austin, Heather Black, Michael Geist, Avner Levin and Ian Kerr (2013), “Our Data, Our Laws,” National Post, 12 December. http://fullcomment.nationalpost.com/2013/12/12/our‐data‐our‐laws/

[5] Andrew Clement, “IXmaps – Tracking your personal data through the NSA’s warrantless wiretapping sites” (2013) IEEE ‐ ISTAS conference, Toronto, June 26‐27, 2013. https://www.dropbox.com/s/9y4xtavova2qtj4/ISTAS13paper 26 IXmaps %E2%80%93 Tracking May 22.pdf

[6] Andrew Clement, “NSA Surveillance: Exploring the geographies of internet interception,” forthcoming at the iConference2014, to be held in Berlin, March 4‐7, 2014. https://dl.dropboxusercontent.com/u/8140293/Publications/Clement%2C%20A.%20%282014%29%20NSA%20Surveillance‐%20Exploring%20the%20geographies%20of%20internet%20interception%20iConf2014%20Jan2.pdf 

[7] Ontario, Office of the Ontario Privacy Commissioner, “Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report [PC12‐39]” 

[8] See for example the OPC funded projects “The Private Sector, National Security and Personal Data: An Exploratory Assessment of Private Sector Involvement in Airport and Border Security in Canada” (2011) and “Personal Information Protection in the Face of Crime and Terror: Information Sharing by Private Enterprises for National Security and Law Enforcement Purposes” (2007). 

[9] Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, paras 19, 21.


Office of the Privacy Commissioner of Canada

Commissariat à la protection de la vie privée du Canada

Contributions Program 2014-2015

Eligible Costs – Schedule B

Project Title: Assessing Privacy Risks when Considering Extra-National Outsourcing of eCommunications

Duration of Project: Start: May 1, 2014; Finish: March 31, 2015

| Allowable Expenditures | Organization Carrying Out the Project | Office of the Privacy Commissioner (OPC) | Other Sources of Funding | Total Project Funding |
|---|---|---|---|---|
| Salaries and benefits | $33 872 | $29 070 | | $62 942 |
| Travel expenses | | $3 000 | | $3 000 |
| Telecommunications | | $4 000 | | $4 000 |
| Contractual services | $1 000 | $5 000 | | $6 000 |
| Materials and supplies | | $2 000 | | $2 000 |
| Rentals (includes equipment and meeting rooms) | $1 000 | | | $1 000 |
| Other (specify) | | $6 460.50 (indirect) | | $ 6 460.00 |
| Total | $35 872 | $49 780.50 | | $85 402.50 |

*Administrative expenses should be limited to no more than 15% of the total project cost.

Costing Memorandum

1. General

1.1. The total Eligible Costs of the Project shall be the sum of the applicable direct and indirect costs which are, or are to be reasonably and properly incurred or allocated, in the performance of the Project, less any applicable credits. These costs shall be determined in accordance with the Recipient's cost accounting system as accepted by the Office and applied consistently over time (see Schedule C).

1.2. This Costing Memorandum applies equally to all goods and services (including labour) acquired from related parties or associates. These acquisitions shall be valued at cost and shall not include any mark-up for profit, return on investment, administration or overhead except as provided for in this Agreement and shall not exceed fair market value. The Office is not obliged to accept any of these costs as eligible unless access is provided to the relevant records of the related entity.


1.3. The Goods and Services Tax or Harmonized Sales Tax is an eligible cost only where the amount of tax is not refundable in whole or in part by the Canada Revenue Agency as an Input Tax Credit or as a Rebate.

2. Definition of Reasonable Cost

2.1. A cost is reasonable if, in nature and amount, it does not exceed that which would be incurred by an ordinary prudent person in the conduct of a competitive business.

2.2. In determining the reasonableness of a particular cost, consideration shall be given to:

2.2.1. whether the cost is of a type generally recognized as normal and necessary for the conduct of the Recipient's business or performance of the Project;

2.2.2. the restraints and requirements by such factors as generally accepted accounting principles, arm's length bargaining, and applicable laws and regulations;

2.2.3. the action that prudent business persons would take in the circumstances, considering their responsibilities to the owners of the business, their employees, customers, the Government and public at large;

2.2.4. significant deviations from the established practices of the Recipient which may unjustifiably increase the Eligible Costs of the Project; and

2.2.5. the specifications, milestone schedule and requirements of the particular Project as they affect costs.

3. Costs

3.1. Eligible Costs

The eligible costs under the program are the reasonable costs directly related to the activities mentioned in the Statement of Work (Schedule A). However, administrative expenses should be limited to no more than 15% of the total project cost.

3.2. Non-Eligible Costs

Costs other than those allowed in this Costing Memorandum are ineligible unless specifically approved in writing prior to the time costs are incurred. Notwithstanding that the following costs may have been or may be reasonably and properly incurred by the Recipient during the performance of Project activities, they are considered ineligible:

a. Allowance for interest on invested capital, bonds, debentures, bank or other loans together with related bond discounts and finance charges;

b. Legal, accounting and consulting fees in connection with financial reorganization, financial security issues, capital stock issues, and prosecution of claims against the Office;

c. Losses on investments, bad debts and expenses for the collection thereof;

d. Losses on other projects or contracts;

e. Federal and provincial income taxes, excess profit taxes or surtaxes and/or special expenses in connection therewith;


f. Provisions for contingencies;

g. Premiums for life insurance on the lives of officers and/or directors where proceeds accrue to the Recipient;

h. Amortization of unrealized appreciation of assets;

i. Depreciation of assets paid for by the Office;

j. Fines and penalties;

k. Expenses and depreciation of excess facilities;

l. Unreasonable compensation for officers and employees;

m. Product development or improvement expenses not associated with the product being acquired under the Project;

n. Donations;

o. Dues and other memberships other than regular trade and professional associations;

p. Trade-mark expenses;

q. Land and buildings.