Privacy and Security

Q. Has a Privacy Impact Assessment (PIA) on the potential risks of using Gmail been performed?
A. Yes, it has been completed, submitted and accepted by the Alberta Office of the Information and Privacy Commissioner.


Q. Does the PIA include all Google Apps for Education applications, or is it limited to only the email and calendar apps?
A. The PIA considers all information and data flows and therefore includes all applications available through the University of Alberta Google Apps for Education service. These include Google Docs and Google Sites.


Q. The PIA looks at the flow of data happening now, but would it be sustainable over 20 to 30 years?
A. We are entering into a 4-year contract with Google. After four years, both parties can review the partnership. Any major change in information flows triggers revisiting the PIA and conducting any additional assessments, revisions, and updates, as needed in ensuring information privacy and security is upheld.


Q. Does the US Patriot Act allow the US government to access my personal information?
A. Yes. The Patriot Act allows for the US Government to access personal information that is held or accessible by anyone within the United States or any US citizen by two different methods. The first tool which the US Government possesses is found in Section 215 of the Patriot Act. Under this section the relevant Government agency must apply to a court for an order allowing them to access the personal information in question. The information which can be collected pursuant to this court order is very broad. The second tool which the US Government has is found in Section 505 of the Patriot Act. It is under this section that the Government can issue National Security Letters whereby they can request that personal information be disclosed to them. The information can be accessed where it meets the following criteria: that the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. No court order is necessary for a National Security Letter to be issued; however, the type of information that is retrievable is more limited than through that available in a Section 215 (see above) order.


Q. How does the US Government's ability to access my personal information differ from the Canadian Government's ability to do so?
A. In Canada, like in the United States, the Government has wide abilities to view personal information that is held in email accounts. The Canadian Government's ability to do this is found in various pieces of Canadian legislation including the Criminal Code, the Canadian Security Intelligence Service Act, the National Defence Act, and others.

The key difference between Canada and the United States is that, in general, the Canadian legislation requires that all warrants for the seizure of personal information must be issued by a judge. However, it still remains that the application to the court for this order/warrant will be made without the knowledge of either the holder of the information or the person who is the subject of the information.

There have been a number of recent bills introduced in the Canadian House of Commons which would increase the scope of information that is available to the Canadian Government and also decrease the number of restraints preventing the Government from accessing that information.

Should you wish to see further information regarding the Canadian system for intelligence gathering you can visit the website for The Office of the Privacy Commissioner of Canada and review a Position Statement produced by that office.


Q. Does the US Government have access to intelligence and personal information that has been collected by the Canadian Government?
A. Yes, the US and Canadian governments readily share intelligence of this nature pursuant to bilateral agreements which have been entered into and pursuant to existing legislation which permits the sharing of information.


Q. If I use Gmail will my personal information be more readily available to the US Government?
A. The information may be physically located in the United States, which would allow the US Government to obtain direct access to that information. If the information is located in Canada, the US Government would have to approach the Canadian Government to obtain that same information.

Also, information which is held in an email account has no guaranteed privacy. Any email exists not only in the account it has been sent to, but also in the account it was sent from, in any accounts to which it was forwarded, and likely on many servers which are situated in the United States. If an email user wanted to ensure that their account was not subject to US Government surveillance they would also need to ensure that those with whom they are corresponding have also ensured that their own accounts have no US exposure.


Q. Is Google able to provide assurances to the University of Alberta and all of the potential Gmail users that they will not release personal information to the US Government?
A. The contract with Google provides the University assurances that it will not release any personal information unless it is required to do so by law. Where possible Google will notify the University of any requests/demands for personal information. Requests/demands for personal information will often include a requirement that the holder of the information not advise any other party, other than their own legal counsel, that such a request/demand has been made. The effect of this is that the University would have no notice of its information being accessed by the US Government.


Q. Will the use of Gmail increase the probability that my name will be added to a no fly list?
A. It is not clear how the so-called no fly list is composed and therefore the University is unable to provide any comment on how or why any one person is added to this list.


Q. Does the University's change to Gmail infringe on my privacy rights?
A. No. The Office of the Privacy Commissioner of Canada has reviewed similar scenarios where email is provided to an organization by a US based companies and has determined that there is not an automatic infringement of privacy rights. The Commissioner's findings provide a useful overview of the privacy implications where email is provided by a US based company and the University encourages any interested person to review those findings.