AMS updates privacy policy to remove potential security loophole

The AMS recently updated its privacy policy (SR1) to require staff to store personal information only on AMS sites, servers and pre-approved vendor sites.

SR1 must be reviewed every three years to ensure alignment with the BC Personal Information Protection Act, and was updated last month by the Governance Committee and privacy officer Sheldon Goldfarb.

The updated policy includes a clause stating that AMS staff “shall not use [non-AMS file-sharing services] for storing or sharing personal information.”

The previous SR1 policy had no explicit mention of where personal information should be stored, and staff were able to use third-party storage like Google Drive and Dropbox.

In a statement to The Ubyssey, AMS Chief Technology Officer Hong-Lok Li wrote that this “loophole” was a significant privacy issue.

“We have updated the privacy policy recently to close this loophole by requiring AMS staff who have access to personal/confidential information to store them only on AMS storage, which is consistent with UBC’s privacy policy,” Li wrote.

Staff are still able to use third-party platforms for uses other than transmitting and storing personal information, but are encouraged to transition to the AMS’s OneDrive.

The new policy better aligns with UBC’s privacy policy, which requires staff and faculties to use UBC services to store and share personal or confidential information. As a public institution, UBC is obligated to use platforms that store data in Canada in accordance with the BC Freedom of Information and Protection of Privacy Act. As a private entity, the AMS is subject only to the BC Personal Information Protection Act, which does not specify where data must be stored.

But Li said there has never been a known case involving personal information being stored on a third-party storage platform.

“We simply felt it was important to be more explicit to better ensure the protection of private information going forward,” Li wrote.