IN THE MATTER OF: The Trade Union Act, R.S.N.S. 1989, c. 475, as amended

- and -

IN THE MATTER OF: A Policy Grievance Concerning the Contracting Out of Email and Calendar Services and Violation of the Personal Information International Disclosure Protection Act

BETWEEN:

NOVA SCOTIA GOVERNMENT AND GENERAL EMPLOYEES UNION (hereinafter called the “UNION”)

- and -

DALHOUSIE UNIVERSITY (hereinafter called “DALHOUSIE”)

Arbitrator: Bruce Outhouse, Q.C.

Counsel: Raymond Larkin, Q.C., and Alex Gorlewski, Articled Clerk, for the Union. Nancy Barteaux, Krista Smith and Daniel Michaluk for Dalhousie.

Hearings held at Halifax, Nova Scotia, on April 11 and 14; May 20 and 21; and June 5, 2014.

DATE OF DECISION: August 26, 2015.

DECISION

The grievance in this matter was filed on December 12, 2011. It alleges that the Employer (referred to herein as “Dalhousie” or the “University”) violated Articles 5 and 14 of the collective agreement, as well as the Personal Information International Disclosure Protection Act (“PIIDPA”) by entering into a contract with Microsoft to provide email and collaboration tools that will result in the personal information of employees being stored outside Canada.

Dalhousie raised a preliminary objection to my jurisdiction to deal with the alleged violation of PIIDPA. A hearing was held to deal with that issue on July 4, 2013 and, by decision dated September 11, 2013, I dismissed the objection. A hearing on the merits was subsequently held on April 11 and 14; May 20 and 21; and June 5, 2014. At the outset of the hearing, the Union stipulated that it was no longer relying on the alleged breaches of the collective agreement. Consequently, the only remaining issue is the alleged violation of PIIDPA.

In connection with the jurisdictional issue, the parties filed an Agreed Statement of Facts which is reproduced in full below without attachments:

“AGREED STATEMENT OF FACTS

NSGEU and Dalhousie are parties to a collective agreement, a copy of which is attached at Tab 1.
Local 77 is a bargaining unit made up of approximately 837 members.

On December 12, 2011, NSGEU filed a policy grievance against Dalhousie citing alleged violations of Articles 5 and 14 of the Collective Agreement and claiming that Dalhousie was in breach of the Personal Information International Disclosure Protection Act, SNS 2006, c. 3. (PIIDPA). (Grievance Form, attached as Tab 2)

The Union’s policy grievance is in res Dalhousie’s decision to contract with provide Office 365 email and collaboration tools to students, staff, faculty, researchers and alumni.

Microsoft Office 365 is a ‘cloud’-based service, meaning the application and data is hosted on a network of servers, in Microsoft’s case located around the world.

This summer (2013), Dalhousie will migrate over 60,000 user accounts from servers on University premises to Microsoft-owned servers in the ‘cloud’ to provide employees access to Office 365 email and calendar, and to provide Office 365 email, calendar and collaboration tools to students and alumni.

As a result of the migration, email and calendaring services of bargaining unit members will be hosted in the cloud.

Some members of NSGEU covered by the collective agreement provide IT support for Dalhousie email, calendar, computer data storage and manipulation.

On January 17, 2007 the President of Dalhousie University issued a Policy for the Protection of Personal Information from Access outside Canada. A copy is attached at Tab 3.

On June 12, 2013 Dwight Fischer, Assistant Vice President and CIO, Information and Technology Services, issued an email to Dalhousie students describing plans to roll out a new email and communications infrastructure to the university community by means of Microsoft Office 365. A copy of Mr. Fischer’s memo is attached at Tab 4.

11. Dalhousie has published various items on its website to inform members of the university community about its plans for new email and calendar tools.
A copy of a publication from DAL News called ‘DAL partners with Microsoft for new Email and Calendar Tools’ dated January 15, 2013 is attached as Tab 5. A copy of a webpage called ‘Microsoft Office 365’ is attached at Tab 6. A copy of questions and answers concerning Microsoft Office 365 is attached at Tab 7.

12. The Dalhousie website includes links to the website of Microsoft Canada Inc. Attached at Tab 8 is a web page titled ‘Dalhousie University bets its collaborative future on Microsoft Office 365’ dated April 11, 2013. A copy of a web page called ‘Where is my Data?’ is attached at Tab 9.

13. NSGEU’s grievance has been referred to arbitration. Dalhousie has objected to the jurisdiction of the arbitrator to apply PIIDPA in this grievance arbitration.”

In addition to the foregoing stipulations, Dalhousie agreed at the hearing that it is a “public body” within the meaning of the PIIDPA. Dalhousie further agreed that “personal information” as defined in s. 3(1)(i) of the Freedom of Information and Protection of Privacy Act (“FOIPOP”) and adopted in PIIDPA, will be stored in the “Cloud” outside of Canada.

The key provisions of PIIDPA for present purposes are as follows:

“Information to be stored and accessed in Canada

5(1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless

(c) the head of the public body has allowed storage or access outside Canada pursuant to subsection (2).

5(2) The head of a public body may allow storage or access outside Canada of personal information in its custody or under its control, subject to any restrictions or conditions the head considers advisable, if the head considers the storage or access is to meet the necessary requirements of the public body’s operation.
Disclosure outside Canada

9(1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is disclosed outside Canada only as permitted pursuant to this Section.”

At the hearing on the merits, each party called two witnesses — Professor William Banks and Darryl Warren by the Union; and John Robertson and Dr. Tom Traves by Dalhousie. The evidence of each of these witnesses is summarized below.

Professor William Banks

Professor Banks is a member of the Faculties of Law and Public Administration in International Affairs at Syracuse University. He is also Director of the Institute for National Security and Counter Terrorism at Syracuse University and has written many published articles on the Foreign Intelligence Surveillance Act (“FISA”). He has also testified about FISA on two occasions before Congress. He has been a member of the ABA Standing Committee on Law and National Security from 2011 to the present time. It has a sub-committee which he chairs on FISA reform. He is very familiar with FISA and the operational practices of foreign intelligence authorities but does not work inside government and does not have security classification.

The Union requested that Professor Banks be qualified as an expert in national security law in the U.S., including surveillance and operational practices under FISA. Dalhousie agreed that he was qualified to give opinion evidence on these subjects.

According to Professor Banks, FISA was enacted to resolve issues arising out of the lawfulness and collection of foreign surveillance without warrants. It was first passed in 1978 and has subsequently been amended a number of times. FISA established the Foreign Intelligence Surveillance Court (“FISC”) to deal with applications by the executive for surveillance.
The FISC meets in secret to hear such applications and has the power to grant or refuse them. The process applies to foreign governments as well as “lone wolf” individuals.

Originally, FISA only authorized “target surveillance”. However, in 2008, it was amended to authorize the bulk collection of data without identifying a specific target. This is commonly referred to as “programmatic surveillance” and is accomplished through a series of directives which are issued to internet service providers and telcos. The only requirement is that the target is reasonably believed to be outside the United States and the government’s purpose is to collect foreign intelligence information.

Professor Banks stated that programmatic surveillance would allow U.S. authorities to gather the personal data of Canadians stored on servers in the U.S., including from Dalhousie email and calendaring services. The role of the FISC in this context is largely clerical in nature (i.e., to check that government has made the necessary assertions). Professor Banks described this as a form of data mining and says it is unclear whether the surveillance occurs when the data crosses the border before it even gets to the servers.

Professor Banks testified that, following the so-called Snowden disclosures, the U.S. federal government acknowledged the existence of the PRISM program to collect information directly from the servers of Microsoft, Yahoo, Google, Facebook, Pal Talk, AOL, Skype, YouTube and Apple. Indications are that Microsoft has been providing such information to the U.S. government since 2007. It is estimated that only 1.6% of daily traffic is actually collected and that a much smaller subset is actually reviewed.

FISA contains “minimization procedures” to limit the potential disclosure and use of personal information concerning “U.S. persons” but these minimization procedures do not apply to Canadians. There is nothing in U.S.
law which would prevent personal information of Canadians from being used or copied.

On cross-examination, Professor Banks opined that “foreign intelligence” is information that is broadly related to foreign policy and national security. Surveillance is one means of gathering foreign intelligence. Signals intelligence programs involve the electronic monitoring of foreign signals and many states including Canada, Great Britain, New Zealand, Australia, China and Russia have signals intelligence programs. Professor Banks said there is no problem with the U.S. signals intelligence program or the way it is being run. However, he said he believes that FISA needs reform and that he is not alone in this regard, adding that there is a vigorous ongoing debate about this issue which was sparked by the Snowden disclosures.

Professor Banks agreed that he does not have complete knowledge about surveillance activities in the United States because of their inherently secretive nature, but said there is greater transparency now since the Snowden disclosures in June 2013. He also agreed that a person’s communications can only be targeted under Section 1881(a) of FISA (also known as 702) if a significant purpose of the acquisition or collection is to obtain foreign intelligence and that an attestation to this effect from the Attorney General or the Director of National Intelligence to the FISC is required to obtain authorization.

Professor Banks was referred by Dalhousie’s counsel to Presidential Policy Directive/PPD-28 which was issued on January 17, 2014 on the subject of signals intelligence activities. It states among other things that “U.S.
signals intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.” He agreed that it now appears minimization procedures will apply to all persons, rather than just to U.S. persons, but with the caveat that this does not pose an obstacle to the collection of information which has foreign intelligence value. Professor Banks agreed that routine emails from or to Dalhousie employees and students, as well as calendaring information, would not fall within the definition of foreign intelligence information.

Professor Banks confirmed that PRISM is authorized under Section 702 and it accesses data stored on servers. Upstream collection involves pulling email information off the internet backbone before it gets to the server at the end point. Some information may be collected both upstream and through the PRISM program. Professor Banks agreed that geographical borders have become a less viable marker. Emails sent by a person in Canada to another person in Canada may well travel through the U.S. where they could be captured by upstream surveillance.

Based on reports filed by Microsoft for the period July 2011 to December 2013, Professor Banks agreed that only a fraction of 1% of Microsoft’s users are affected by orders under FISA. Microsoft states in the reports that it has not received the type of bulk data requests which are commonly discussed in the public forum concerning telephone records. Professor Banks concurred that, based on the information currently available, he could not say that the U.S. government is making bulk requests of internet service providers.

Professor Banks was asked whether a Canadian sending an email has better legal protection from the National Security Agency (“NSA”) if the email is stored in Canada rather than in the United States.
His answer was that he did not think it matters because, “if NSA wants it, they’ll get it”, adding that NSA has several means of accessing the emails of Canadians which are stored in Canada. For example, he said an email from a Canadian to a person in the U.S. would also be stored in the U.S. and could be accessed under PRISM. An email from a Canadian would also be subject to upstream capture by U.S. surveillance if it travelled through the United States. Canadian emails could also be hacked by U.S. authorities and, as well, the Canadian Security and Intelligence Service (CSIS) and the Canadian Security Establishment of Canada (CSEC) could provide direct access to U.S. authorities.

Darryl Warren

Mr. Warren works as a malware technologist in Information Technology Services (“ITS”) at Dalhousie and is President of the Local. He is very familiar with the computer systems at the University, both before and after the switch to the Cloud. He described how the previous email and calendaring systems worked, and how storage was handled. Specifically, all storage of emails, calendaring arrangements and departmental data was stored on servers located at Dalhousie. However, he said that individual users could transfer their emails to Hotmail or Gmail accounts which could be stored anywhere, including in the United States. The main reason users did this was because each of them was assigned limited storage space in the Dalhousie system. Storage problems were ameliorated but not eliminated as a result of an upgrade in 2009. Consequently, by transferring emails to Hotmail or Gmail accounts, users could store more emails than they could using only the Dalhousie system.

Mr. Warren testified that the Dalhousie email system worked well in his view, more so after the 2009 upgrade. He said the calendaring system was less satisfactory from both a support and user perspective. When there were problems with the system, it was difficult to fix.
Also, users had to pay a fee and, as a result, many people opted not to use it which made it difficult to arrange meetings.

Mr. Warren described the transition to the Cloud. He said that the switch to the new calendaring system had to take place all at once and was a fairly simple exercise. However, the migration of the email accounts to the Cloud was more complicated and took a number of months to complete. He did not indicate that the switch to the Cloud has had any negative impact on bargaining unit members in terms of hours of work, promotional opportunities or remuneration.

Mr. Warren said that each user has been allotted 25 gigabytes of Cloud storage space which they can use. He also noted that users have been advised by the University not to store anything in the Cloud that is of a sensitive nature.

With respect to incoming emails, Mr. Warren said that they would hit the machines at the Dalhousie virtual border and be redirected to the Cloud. He was not sure precisely where, but said that it could be anywhere in the United States. With respect to outgoing emails, he said that, if it was a Dalhousie account sending to another Dalhousie account, the email “would never leave the building”. However, if the email was being sent beyond the University (i.e., to a non-Dalhousie account), then “there really never was any real control” in that regard. The email would follow available paths, not necessarily the shortest route.

Mr. Warren testified he was aware that some other Canadian universities were using the Cloud but that almost all of them were doing so for student accounts only, not for faculty or staff. He named 13 universities in other provinces who were still hosting faculty and staff locally, plus all the universities in Nova Scotia except for Dalhousie and Kings. He named four Canadian universities who were no longer hosting staff and faculty locally.

Mr.
Warren also said that there are externally-hosted services in Canada which guarantee storage and access only in Canada. It is his understanding that the University of Guelph has out-serviced its emailing and calendaring systems to an Ontario company which guarantees storage in Canada.

Mr. Warren outlined the Union’s concerns about the switch to the Cloud. He indicated that the Union was initially worried about a possible loss of jobs. He also said that the Union had privacy concerns for the members of Local 77 and the Union was aware that provincial legislation prohibited storage of personal information outside Canada. He reaffirmed that employees had been advised not to put any sensitive information in the Cloud but opined that, as far as he was concerned, this was a situation where there was “a new set of tools without a good set of rules for using them”.

On cross-examination, Mr. Warren agreed that storage in Gmail and Hotmail accounts would be less secure than storage in the Cloud. He also agreed that the Banner system which is used at the University for registration, financial services and human resources functions is securely stored at Dal and that the use of this system has increased since the switch to the Cloud.

John Robertson

Mr. Robertson has a long career in information technology going back to 1972 when he was hired by Bell Canada in its computer operations. He retired from Bell Canada in 2000 and then went to work for SAP Canada Inc. He worked there for approximately six years, then retired again and moved to Nova Scotia. In May of 2007, he was hired by Dalhousie as Director of Academic Computing Services. His role subsequently evolved into that of Deputy Chief Information Officer, ITS.

Mr. Robertson testified he was made aware of PIIDPA when he first arrived at Dalhousie by John Sherwood who was then the Executive Director of ITS.
He was involved in reviewing the license agreements the University had with external vendors, especially software vendors, to bring them in line with PIIDPA. He worked closely with the University’s Legal Counsel Office at the time to ensure the license agreements were compliant with PIIDPA.

The University’s policy for protecting personal information from being accessed outside Canada had been put in place before Mr. Robertson’s arrival. The policy is reproduced in full below:

“POLICY FOR THE PROTECTION OF PERSONAL INFORMATION FROM ACCESS OUTSIDE CANADA.

Issued by the President, January 12, 2007

Purpose

The purpose of this policy is to assist the University in meeting its obligations to all members of the University community (students, faculty, staff and alumni) and to participants in University research projects to protect their personal information from unauthorized access by authorities outside Canada. This policy is supplementary to other University regulations, policies, and guidelines concerning the administration and release of student, employee and alumni information and concerning the administration and approval of research projects.
Definitions

‘Personal information’ means recorded information about an identifiable individual, including, but not limited to: name, address, telephone, email (personal not business); race, ethnic origin or religious political beliefs or associations; age, sex, sexual orientation, marital status or family status; any identifying number or symbol (examples: Dalcard ID, SIN, credit card, health insurance, drivers’ licence); fingerprints, blood type, or inheritable characteristics; medical or personal history; educational, employment, financial, or criminal history; personal views or opinions;

‘Data repository’ means any medium where data is recorded, including but not limited to, databases, spreadsheets, paper and electronic documents;

‘Employees’ for the purposes of this policy includes University employees, academic appointees, and individuals engaged to work on Dalhousie research projects;

‘University data repository’ means a data repository that is owned or controlled by the University or utilized in research projects under the direction of a faculty member.

Requirement to Store Personal Information in Canada

1. All University data repositories that store personal information shall be housed and backed-up in Canada unless:

a) there is no product or service available that permits the storage, housing and back-up of the personal information in Canada which meets the purchasing requirements; or

b) there is no product or service that permits the storage, housing or back-up of the personal information in Canada that meets the purchasing requirements in a competitive manner, having regard to the overall cost, range of services or functions, degree of sensitivity of the personal information at issue, data security arrangements, and
whether it is necessary to meet the requirements of University program, operation or activity;

Employees who wish to purchase a product or service under section 1(a) or (b), must obtain the prior written approval of the responsible Vice-President. In all other cases, when purchasing or renewing arrangements for software, hardware or services for the collection, hosting, storage, management, manipulation, or other use of personal information, the employee making the purchase or requesting services must ensure that the proposed arrangement includes a requirement that the personal information must be stored, housed and backed-up in Canada.

Access to Personal Information from Outside Canada

3. Access from outside Canada to personal information held in University data repositories shall not be permitted unless:

a) the individual’s own personal information; or

b) the employee is using a web-based or other internet access tool as a necessary part of performing his or her assigned duties or as a necessary part of a research project; or

c) such access is approved in writing in advance by the responsible Vice-President as part of a software, maintenance or troubleshooting arrangement (including any renewals);

i) that is part of an overall arrangement that is necessary to meet the requirements of a University program, operation or activity; and

ii) that contains appropriate security controls and restrictions on the use and disclosure of the personal information; or

d) consent from the individuals to whom the information relates has been provided in a manner approved by the responsible Vice-President; or

e) such access is otherwise approved in advance in writing by the responsible Vice-President.

Disclosure of Personal Information Outside Canada

4.
Personal information held on University data repositories shall not be disclosed to any person or organization outside Canada unless:

a) the disclosure is to the individual to whom the information relates; or

b) the individual has consented to the disclosure, such consent to be in a form approved by the responsible Vice-President; or

c) the disclosure is necessary for the delivery of contracted payroll services under the direction of the Department of Personnel Services; or

d) the disclosure is necessary for completing financial transactions under the direction of the Department of Financial Services (e.g. processing of cheques, drafts, card or other forms of payment by, and to the credit of, the University); or

e) such disclosure is otherwise approved in advance in writing by the responsible Vice-President.

Transporting Personal Information Outside Canada

5. Employees may transport personal information temporarily outside Canada only to the extent that it is strictly necessary for their assigned duties or as a necessary part of a research project. In such event, employees are required to take all reasonable precautions to protect the personal information.

Requests for Disclosure of Personal Information

6. Any requests for disclosure of personal information by authorities or organizations from outside Canada, or which have the appearance of being from such sources, shall be referred to the University Legal Counsel Office as soon as reasonably possible following receipt of such a request.

Procedures

1. Approval under section 2 of the Policy (software, hardware or service where data is to be stored outside Canada) shall be in Form A. The employee making the purchase or request for services shall submit a completed Form A to the responsible Vice-President for signature. No purchase or service request shall be completed until Form A has been signed.

2.
Approval under section 3 of the Policy (maintenance or troubleshooting services where personal information is to be accessed from outside Canada) shall be in Form B. The employee making the purchase shall submit a completed Form B to the responsible Vice-President for signature. No purchases or service request shall be completed until Form B has been signed.

POLICY FOR THE PROTECTION OF PERSONAL INFORMATION AGAINST INTERNATIONAL DISCLOSURE

FORM A - APPROVAL TO PURCHASE SOFTWARE, HARDWARE, OR SERVICES THAT STORE, HOUSE OR BACK-UP PERSONAL INFORMATION OUTSIDE CANADA.

Indicate what type of personal information the product will be used to house, store or back-up (check all that apply)

Name, address, telephone, email (personal not business)
Race, ethnic origin or religious political beliefs or associations
Age, sex, sexual orientation, marital status or family status
Any identifying number or symbol (examples: Dalcard ID, SIN, credit card, health insurance, drivers’ licence)
Fingerprints, blood type, or inheritable characteristics
Medical or personal history
Educational, financial, criminal or employment history
Personal views or opinions

PLEASE NOTE: If the above information is not linked to an identifiable individual then approval is not necessary.

Name of company/firm and name of international affiliations: (Give the full name of the company, place of operation(s), whether owned or part of an international group of companies - you should ask the company/firm for this information)

Product/service name and purpose/function: (Give the name of the product or service and briefly describe its purpose.)

University program, operation, activity or research project: (Describe the program, operation, activity or research project that the product or service is to support and what value it adds to that program, operation, activity or research project.
In the case of research projects, please indicate whether ethics approval has been granted and provide protocol number.)

Other similar products or services available in Canada? Yes __ No __

If no, describe the process undertaken to support this conclusion:

If yes, why is this product superior? (Please address comparative cost, range of service, functionality, other relevant factors)

What security measures are proposed to protect the personal information? (Provide details concerning the security of the system as well as contractual measures taken to protected [sic] against or reduce unnecessary access to personal information)

Has the contract been reviewed by Legal Counsel Office? Yes __ No __

Name:
Department:
Department Approval:
Faculty Approval (for academic units only):
University Approval: Vice-President

POLICY FOR THE PROTECTION OF PERSONAL INFORMATION AGAINST INTERNATIONAL DISCLOSURE

FORM B - APPROVAL TO PURCHASE MAINTENANCE OR TROUBLESHOOTING AGREEMENT PERMITTING REMOTE ACCESS FROM OUTSIDE CANADA

Indicate what type of personal information that the underlying software stores (Check all that apply):

Name, address, telephone, email (personal not business)
Race, ethnic origin or religious political beliefs or associations
Age, sex, sexual orientation, marital status or family status
Any identifying number or symbol (examples: Dalcard ID, SIN, credit card, health insurance, drivers’ licence)
Fingerprints, blood type, or inheritable characteristics
Medical or personal history
Educational, financial, criminal or employment history
Personal views or opinions

PLEASE NOTE: If the above information is not linked to an identifiable individual then approval is not necessary.
Name of company/firm and name of international affiliations: (Give the full name of the company, place of operation(s), whether owned or part of an international group of companies - you should ask the company/firm for this information)

Service-provider function: (Give the name of the service-provider and briefly describe what product or service the service-provider is to support)

University program, operation, activity or research project (Identify the University program, operation, activity or research project that is being supported by the product or service that is to be serviced under the proposed arrangement. In the case of research projects, please indicate whether ethics approval has been granted and provide protocol number.)

Other services for this product available from within Canada? Yes __ No __

If no, describe the process undertaken to support this conclusion:

If yes, why is the underlying product superior? (Please address comparative cost, range of service, functionality, other relevant factors)

What security measures are proposed to protect the personal information? (Provide details concerning the security of the system as well as contractual measures taken to protected [sic] against or reduce unnecessary access to personal information)

Has the contract been reviewed by Legal Counsel Office? Yes __ No __

Name:
Department:
Department Approval:
University Approval:

Mr. Robertson said that his involvement was mainly with Form B of the policy which, as he noted, had to be signed off by the Legal Counsel Office. He also indicated that the Legal Counsel Office does annual reports to the Province under PIIDPA and that the Province then prepares an annual report which draws together all of the reports from various public bodies.

Shortly after commencing work at the University, Mr. Robertson observed that there were problems with both the emailing and calendaring systems. He found the emailing system awkward and especially cumbersome in terms of managing attachments.
The calendaring system was not being widely used because of the costs involved. Integration with mobile devices was also a problem. Consequently, according to Mr. Robertson, there was a growing cry for better products.

Some improvements were made in both the email and calendaring systems in 2008 and 2009. However, problems remained and more and more users were switching to Google and Hotmail to avoid space restrictions on the University email storage and to take advantage of the added features which Gmail and Hotmail offered as compared with the University’s system. Mr. Robertson also said that there were ongoing issues with both the email and calendaring systems in terms of capacity, integration and functionality.

Mr. Robertson described in some detail the problems with storage at Dalhousie. He said that University storage was reaching its limits both in terms of power supply and cooling loads. Adding capacity would mean more hardware costs and added physical space requirements, as well as incremental running costs.

Dwight Fischer succeeded Mr. Sherwood in December of 2008 and filled the newly-created position of Assistant Vice-President of ITS and Chief Information Officer. After familiarizing himself with the existing systems, he concluded that major change was necessary for emails, calendaring and storage. Initially, consideration was given to acquiring and running new systems in-house but this option was ruled out by mid-2009 for cost and operational reasons. Consideration was then given to contracting with a service provider who would look after all hardware, software and licensing requirements in return for a monthly fee.

In December of 2009, the University issued a Request for Quotations to “Supply Hosting Services for Microsoft Exchange, Share Point and Blackberry Enterprise Server”. The RFQ specified that the hosting environment must be located in Canada. Mr. Robertson said this specification was inserted in the RFQ because of PIIDPA.
Two bids were received in response to the RFQ but neither of them was accepted. Instead, the University decided to pursue a consulting arrangement with one of the bidders. That did not go well and, in January 2011, the University issued a Request for Proposals for a “Communications and Productivity Platform”. The Overview/Background section of the RFP contained the following description of the services being sought:

“OVERVIEW/BACKGROUND. Dalhousie University seeks a new, modern suite of communication and productivity tools for the university that fits with new methods of collaborating and supporting teaching, learning and research. It is widely acknowledged that the university’s current slate of loosely integrated applications (including open source email, Meeting Maker calendar, NotifyLink to cell phones and Novell file share) cannot compete with storage capabilities and ease of use offered by third party platforms, particularly with the rapid increase of mobile computing. Additionally, there are many email servers in operation and supported by various departments around campus that should be integrated and standardized for the entire university. The successful product or service will fulfil email and messaging (text, voice and video), calendaring, individual and common storage, collaborative document and productivity tools. Additionally, the product or service will be secure, have adequate storage to meet demands of current and future educational requirements and demonstrate commitment to continued and iterative improvements of the product or service.”

The RFP, unlike the RFQ, did not contain any requirement that the hosting environment be located in Canada.

Four bids were received in response to the RFP. Two of the bidders subsequently partnered to present a Google solution. Microsoft was one of the other bidders and the remaining bid was rejected early on due to its high cost ($2 million per year).
Following a fairly extensive evaluation process, which included open presentations by Microsoft and Google, the decision was made by the “CIO office” to recommend Microsoft to the University Executive. However, according to Mr. Robertson, that recommendation was not put forward immediately because, in light of PIIDPA, the advice of Legal Counsel was required and an impact analysis would have to be done in order to get senior executive support for the “exception” from PIIDPA.

The impact analysis was carried out by the Chair of the Evaluation Committee, the Director of Business Operations with ITS and Legal Counsel. The first impact statement dealt with student and alumni email, calendar and collaboration tools. The impact report rated all negative risks as low with the exception of “vendor failure to disclose suspected or real security breaches” which was rated as medium. The NPV analysis over a five-year period showed a saving to the University of $1.3 million as compared with a Dalhousie-hosted scenario.

The impact statement relating to Cloud computing solutions for employee email and calendar tools was completed in November 2011. It recognized there were many benefits to a Cloud-based solution. However, it also discussed in detail the risks associated with same. In general, it rated the severity of risks as being higher in the case of employees than the earlier impact statement covering students and alumni. However, in all applicable aspects of negative risk, the probability of occurrence was rated equal to or lower than current systems at the University. The five-year NPV analysis showed that a cost saving to the University of approximately $552,000 would be achieved by adopting the Microsoft solution over a Dalhousie-hosted scenario.

On December 12, 2011, Mr.
Fischer sent the following email to the University President, Executive and Legal Counsel:

“Subject: VP’s Group; Impact Analysis of Employee Email & Calendar Use, Microsoft

I am scheduled to join your Tuesday morning meeting and discuss the impact analysis we recently performed on migrating Dalhousie employee email to Microsoft's Office 365. A very capable team has reviewed, vetted and crafted this attached Impact Analysis. We are looking for your approval of this document to move the process forward to contract negotiation with Microsoft. It represents a shift in paradigm and a pioneering position in Nova Scotia.

Dalhousie will be the first of any university or public agency to take advantage of these ‘cloud’ services from Microsoft. They will control and manage the hardware, the applications, all of the infrastructure. They give away the email and calendar in the hopes that this underlying platform will entice us to buy up the chain of software and functionality. There are issues of privacy and intervention of government, authorities, which are well-vetted in the Impact Analysis, but in the overall assessment, those risks exist today and regardless of where the systems are hosted.

In effect, this is a perfect opportunity for the university to truly do more with less. There are some transition and set up costs, but the university will be receiving Microsoft's Exchange Email & Calendar at no cost. When we roll this out, our employees will go from the back of the pack to an industry leader. More so, the information system platform will be in place to begin injection of electronic process improvements to the bulk of our business operations in the

Off the soapbox. I'm coming in to have a brief conversation, leave you with the document and ask for a decision to support it by end of December. If you do, the next step in the process will be to commence negotiations on the contract with very specific requirements emanating from this Impact Analysis.
It’s attached for those of you who want a preview. I will speak to the highlights Tuesday morning.

Thank you.

Dwight

The process was approved by Legal and endorsed by:

* Registrar's Office (Asa Kachan)
* Human Resources (Barbara Mealiea, for Katherine Sheehan)
* Legal Counsel (Karen Crombie, Melisa Marsman)
* Research Office (John Newhook)
* Financial Services (Darrell Cochrane, for Ian Nason)
* Communications & Marketing (Catherine Bagnell-Styles)
* Information Technology Services (Dwight Fischer)
* Information Technology Services - Data Stewardship (Virginia Lee)
* Student Services (Meri Kim Oliver)
* External Relations (Joe Rossong)
* Institutional Research (Michael O'Sullivan)
* Dean’s Council Representative (Michael Shepherd)”

Approval to proceed was given by the President and the Vice-President’s group on December 13, 2011. However, as suggested in the employee impact statement, the intent was to negotiate with Microsoft to obtain as many protections and safeguards as possible. Those negotiations did not proceed quickly. Dalhousie had formed a rather large steering group to assess the impact statements and make recommendations. The steering group wanted changes in the Microsoft standard contractual templates. Dalhousie was successful in getting some of the changes it wanted but by no means all of them.

On November 20, 2012, Mr. Fischer sent the following memo to the University President and others advising that the contract negotiations had finally been concluded and requesting approval to sign the contract:

“MEMORANDUM

TO: Tom Traves, President
Ken Burt, Vice-President Finance and Administration
CC: Karen Crombie, Chief Legal Counsel
FROM: Dwight Fischer, Assistant Vice President - CIO
DATE: November 20, 2012
SUBJECT: Microsoft Office 365 Operational Impacts, Risks and Mitigation Plans

As you are aware, ITS has been actively looking for a solution to replace Dalhousie’s aging email and calendar systems.
Following completion of the public tender and impact analysis processes last year, Microsoft Office 365 was selected as the preferred solution and contract negotiations ensued. These negotiations have now been completed and while there are some risks associated with deploying Office 365, we believe the low probability of these risks occurring, combined with the overwhelming business benefits, support a strong recommendation to proceed with contract execution and implementation of this solution.

Office 365 is a cloud-based service that is offered commercially by Microsoft. This means that the computers delivering the service and storing the data (eg. the content of user’s email messages) are located in multiple Microsoft’s data centres — these data centres could be located anywhere in the world but typically for Canadian customers, are based in the United States. Office 365 is a suite of services including email, calendaring, document management, web conferencing, instant messaging and collaboration tools that are all tightly integrated with the Microsoft Office programs that run on individual desktop/laptop computers.

The scope of the internal impact analyses that have been performed thus far cover implementing email and calendaring for employees, and implementing the entire Office 365 suite for students and alumni. Further impact analyses will be performed in the near future to expanding the employee offering to include the entire Office 365 suite.

When examining the impact and risks of implementing Office 365, one has to contrast these with the impact and risks of maintaining the status quo of continuing with our legacy email and calendaring systems. The following is a summary:

* Office 365 provides a robust, full featured email and calendaring solution that provides 25 times more storage capacity per user than our current email system, features a universally available, totally integrated calendar, and seamlessly interfaces with mobile computing devices.
Office 365 is tightly integrated with MS Outlook which is currently used by a large number of Dalhousie faculty and staff. So the transition to Office 365 will not be dramatic except more features will work and work better.

* Office 365 is offered to Post Secondary Educational institutions at no charge. Although Dalhousie must make an investment in newly skilled staff to administer this rich, enterprise-class solution, the NPV analysis for Office 365 deployment to students, alumni and staff (email and calendaring) indicates an economic advantage of $1.8M over 5 years.

* With the Office 365 solution being based in the cloud, Dalhousie no longer has direct control over the computer hardware and operating system. This raises elements of risk in the following areas:

- Identity and access management security controls. The robustness, effectiveness, currency and ongoing monitoring of these controls rest with Microsoft. Sub-standard or weak controls increase the risk of unauthorized access to the system and the possibility of intentional or accidental disclosure of data. However a review of Microsoft’s security control standards and policies indicated best practices are being followed and Dalhousie’s concerns are adequately addressed. Although Microsoft is a bigger target for cyber hackers than Dalhousie, many of the security controls in place for Office 365 are superior to those used for our legacy systems reducing the probability of a security breach.

- Data backups required to recover lost or corrupted data are managed by Microsoft. Microsoft’s backup process is to replicate the data and the Office 365 service across multiple computers housed in multiple geographical separated data centres. This enables simple data reconstruction from an alternate data centre and it also causes minimal, if any, disruption if a catastrophic event occurs at one of their data centres.
Again, this process is superior to what is currently in place at Dalhousie where all processing is performed in the Killam Data Centre and data backups are stored on Sexton Campus.

- Dalhousie is totally reliant upon Microsoft to maintain service levels and continuous operation of the service. Microsoft has achieved an enviable system availability record approaching five 9’s (system is up 99.999% of the time) by deploying a highly redundant architecture (multiple data centres, multiple virtual computer servers, redundant network connections, multiple instances of Office 365 executing, etc.) with the ability to dynamically balance the processing load with the available capacity. Although the probability of experiencing a major and lengthy outage of the Office 365 service is low, the risk is significant and we will mitigate this risk by implementing a contingency plan that outlines an alternate service delivery model and expedited exit strategy that could be enacted as required.

As part of the impact analysis exercise, a comprehensive plan was developed outlining all of the risks and mitigation plans associated with the implementation of Office 365. An action plan status report has been included to provide more detailed information as required and under separate cover, the Legal Counsel Office has provided a discussion with respect to the legal risks associated with adopting Office 365.

Yes, there are some risks with going to Office 365 and yes, there are some risks associated with cloud-based computing. However, Microsoft is a well-established and fiul IT company that has invested significant resources to make Office 365 an ongoing, viable and successful service offering. This is a core part of Microsoft’s business and they continue to reduce risk and probability of occurrence by not only following but creating best practices.
The reality is that Dalhousie’s risk profile continues to grow the longer we rely on our legacy systems that are costly to maintain, succes

I trust you concur with our recommendation to sign the contract with Microsoft so our team can proceed with the implementation of Office 365 at the University.”

Mr. Robertson testified that he made a fairly substantial contribution to the above memo and attended a meeting the following day, along with Mr. Fischer and Chief Legal Counsel, Karen Crombie, to discuss it with the President and Vice-President of Finance and Administration. He and Mr. Fischer talked about the operational aspects of the agreement and Ms. Crombie provided legal advice. The President agreed that the contract should be signed and it was executed by the Vice-President of Finance and Administration on December 11,

Mr. Robertson testified that, in preparation for the implementation of Microsoft 365, the University did a lot of user education to reinforce the proper use of email. This education was directed, in part, to emphasizing that sensitive information should not be stored in the Cloud.

Mr. Robertson gave evidence that Dalhousie still has substantial capacity to store personal or sensitive information on its own servers. In-house File Exchange and Novell File Share are not Cloud based. Dalhousie also has its own version of Share Point which is different from the Cloud Share Point part of Microsoft 365. Dalhousie also has a secure file transfer system which is used to transmit sensitive documents and information to others both within and external to the University.

On cross-examination, Mr. Robertson agreed that cost was one of the primary factors in the selection of Microsoft 365. He said another consideration was the fact that Microsoft was in the best position to maintain its own products. Mr.
Robertson indicated that “sensitive information” was a broader term than personal information and would include certain information related to the University itself and documentation within its control. He did not consider that all personal information, such as a name, would constitute sensitive information.

Mr. Robertson agreed with Union counsel that the only legal commitments concerning PIIDPA which the University was able to negotiate with Microsoft are contained in the following provisions of the Enrollment for Education Solutions Microsoft Online Services Agreement:

“2. Privacy.

a. Privacy practices. Microsoft complies with all data protection and privacy laws generally applicable to Microsoft’s provision of Microsoft Online Services. However, Microsoft is not responsible for compliance with any data protection or privacy law applicable to Institution or its industry and not generally applicable to information technology service providers.

b. Customer Data. Microsoft will process Customer Data in accordance with the provisions of this Microsoft Online Services Addendum and, except as stated in the Enrolment and this Microsoft Online Services Addendum, Microsoft (1) will acquire no rights in Customer Data and (2) will not use or disclose Customer Data for any purpose other than stated below. Microsoft's use of Customer Data is as follows:

(i) Customer Data will be used only to provide Institution the Microsoft Online Services. This may include troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of Microsoft Online Services and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam).

(ii) Microsoft will not disclose Customer Data to law enforcement unless required by law.
Should law enforcement contact Microsoft with a demand for Institution Data, it will attempt to redirect the law enforcement agency to request it directly from Institution. As part of this effort, Microsoft may provide Institution’s basic contact information to the agency. If compelled to disclose Customer Data to law enforcement, Microsoft will use commercially reasonable efforts to notify Institution in advance of a disclosure unless legally prohibited.”

Mr. Robertson was questioned by Union counsel about the following statement attributed to Mr. Fischer in the Dal News issue dated February 9, 2011:

“The fact is, even if we host and fund a solution in-house, email can no longer be regarded as secure or private...when you send an email, it’s like sending a postcard.”

Mr. Robertson disagreed with Union counsel that Mr. Fischer’s statement was intended to convey the message that, “you can’t do anything about privacy, so forget about it”. He said that the intention was to provide as much privacy as possible but that email is a tool provided by the University and how private it is depends upon how it is used.

Mr. Robertson was also asked about the following statement in a Dal News issue dated March 10, 2011:

“...Nova Scotia is one of three provinces in Canada, along with Alberta and British Columbia, that passed stricter privacy legislation after the U.S. Patriot Act....That does place limits on what we can do with information, specifically with regards to U.S.-owned servers. However, if it can be demonstrated that a viable Canadian alternative does not exist or is cost-prohibitive to use, exceptions may and have been made.”

Mr. Robertson agreed that the exception to PIIDPA applies if a Canadian alternative exists but is cost prohibitive.

When asked which large Canadian universities store data in the U.S., Mr. Robertson cited the University of Alberta.
He also said that the University of Toronto is looking at a Cloud-based email service and that the University of New Brunswick had already gone to a Cloud-based service for students.

Dr. Tom Traves

Dr. Traves was the President of Dalhousie University from 1995 until 2013. He described the University organization structure as being large and complex. It has five Vice-Presidents — Academic, Finance and Administration, Research, External Relations and Student Services — all of whom report to him. There are also a number of Assistant Vice-Presidents, including Dwight Fischer who is responsible for overseeing the ITS operation and reports to the Vice-President of Finance and Administration. Dr. Traves usually met with the Vice-Presidents as a group at least once a week.

Dr. Traves testified that he was aware, as a user, that the email and calendaring system at the University was deficient. He said it did not work consistently, crashed occasionally and was very slow. The problems got worse over time as mobile devices and more students placed increasing demands on the system. From his perspective, the system was not meeting the University’s needs in a practical way and that was a situation which existed when Mr. Fischer was appointed as Chief Information Officer in December of 2008.

Dr. Traves did not discuss the specifics of a potential solution with Mr. Fischer in the early stages. He was aware of the RFQ which was issued in December of 2009 but he had no direct involvement with it. He said he would have been very sceptical of an internal solution because the problem was of a long-standing nature and, if it could have been fixed internally, that would have happened a long time previously. He also felt that building a system just for the University would be costly to update and maintain and that the “world was filled with examples of governments and businesses going that route with disastrous results”. For these reasons, it was Dr.
Traves' opinion that going with an outside provider with an off-the-shelf product which worked made a lot of sense.

Dr. Traves indicated that he was also aware of the January 2011 RFP. He said he was briefed on it by the Vice-President of Finance and Administration but had no involvement in preparing it or with the evaluation process. He recalled reading accounts of some interviews with Mr. Fischer and was aware that presentations were made to various stakeholder groups including the Deans and the Assistant Vice-Presidents. When the Evaluation Committee recommended Microsoft 365 for students and alumni, he and the Vice-Presidents attended a presentation by Mr. Fischer. Approval was given to pursue negotiations with Microsoft.

At a later point in time, Ms. Crombie advised him that going with Microsoft would raise some issues because of the storage of data in the U.S. Dr. Traves directed her and Mr. Fischer to look at the issue and determine whether it was a “show stopper”. The explanation he was given was that he had to be satisfied on two things — that the program was necessary to ensure the University’s good operation and that appropriate risk management measures were in place.

Dr. Traves said the intention was always to get a University-wide service but the original assumption was that this could be achieved in stages, starting first with students and alumni. However, it quickly became apparent that Microsoft was not prepared to proceed on this basis so a further impact analysis was done for employees and staff. When that was ready, he received a further presentation. He read the impact analysis and considered it to be very thorough. It identified the advantages of Microsoft 365. It also identified the associated risks and made recommendations on how to deal with them.

From December 2011 to November 2012, Dr. Traves had no direct involvement in the negotiations with Microsoft but received updates from time to time. He recalled receiving Mr.
Fischer’s memo of November 20, 2012 and attending a meeting with Mr. Fischer and the Vice-Presidents the following day. He said this was nearing the end of the process and he was being asked to decide if going with Microsoft was a necessary requirement for the operation of the University. In his view it was. He considered it absolutely necessary for the function of the University to have a robust system to communicate externally and internally. The University was growing steadily in size with campuses in New Brunswick and elsewhere in Nova Scotia. Given the information revolution in recent years, he believed it was absolutely necessary to have a system that was modern and functional. His understanding was that there was no practical option in Canada. Consequently, in order to go to the Cloud, the University would have to put strategies in place to satisfy PIIDPA. He said that, among other things, he needed to be advised by Legal Counsel Office that it was on side. He said he asked the technical people at the November 21st meeting about the operational risks and that they were satisfied that user interests were being protected and that the system would work properly. At the end of the meeting, he authorized Mr. to proceed and move the contract with Microsoft to closure.

Dr. Traves identified the following form which he signed on June 14, 2013:

“POLICY FOR THE PROTECTION OF PERSONAL INFORMATION AGAINST INTERNATIONAL DISCLOSURE

FORM A - APPROVAL TO PURCHASE SOFTWARE, HARDWARE, OR SERVICES THAT STORE, HOUSE OR BACK-UP PERSONAL INFORMATION OUTSIDE CANADA.
Indicate what type of personal information that the underlying software stores (Check all that apply):

All types of personal information, including:

- Name, address, telephone, email (personal not business)
- Race, ethnic origin or religious political beliefs or associations
- Age, sex, sexual orientation, marital status or family status
- Any identifying number or symbol (examples: DalCard ID, SIN, credit card, health insurance, drivers' licence)
- Fingerprints, blood type, or inheritable characteristics
- Medical or personal history
- Educational, financial, criminal or employment history
- Personal views or opinions

PLEASE NOTE: If the above information is not linked to an identifiable individual then approval is not necessary.

Name of company/firm and name of international affiliations: (Give the full name of the company, place of operation(s), whether owned or part of an international group of companies - you should ask the company/firm for this information)

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA
Operations are world-wide.

Product/service name and purpose/function: (Give the name of the service-provider and briefly describe what product or service the service-provider is to support)

Service Provider: Microsoft Corporation
Service: Office 365 (Email and Calendar)
Service Description: Office 365 is a service that is hosted by Microsoft and provides email, calendar, collaboration tools and unified communications to users within an organization. At this time, only email and calendaring suite of services will be offered to employees, faculty, students and email only for alumni.

University program, operation, activity or research project: (Identify the University program, operation, activity or research project that is being supported by the product or service that is to be serviced under the proposed arrangement. In the case of research projects, please indicate whether ethics approval has been granted and provide protocol number.)
The entire University operation is affected. Email and calendar tools are essential aspects of the University’s information technology services. They are key to the successful and efficient operation of the University, and form a necessary part of our learning and teaching, research and administrative processes. They are used extensively by members of the Dalhousie community to communicate and collaborate among themselves, and with third parties.

Other similar products or services available in Canada? Yes X No __

If no, describe the process undertaken to support this conclusion:

If yes, why is the underlying product superior? (Please address comparative cost, range of service, functionality, other relevant factors)

The option to continue to host email/calendar services in-house does exist, but at considerable cost and resources by Dalhousie to keep the services secure and up-to-date. There are also a number of shortcomings with the current in-house service, including limited functionality and ease of use, limited capacity, unreliability, limited security. Outsourcing the service to a cloud-based solution has numerous advantages as compared to in-house services, including enhanced security measures, greater service standards and reliability, improved functionality, increased storage capacity and cost savings.

There are no cloud-based solutions that store or access the data exclusively in Canada. Of all other cloud-based service providers, Microsoft's Office 365 service is superior in terms of functionality, security, service standards, reliability, compatibility with current computing systems, and cost. The Office 365 hosting environment offers extensive processing and storage capacity with robust backup and failover capabilities, and superior operational and security controls. The Microsoft Office 365 service also offers superior integration capabilities with other Microsoft products already in use at Dalhousie such as MS Office and SharePoint.
In total, Office 365 is a reliable, modern, industry-leading service that integrates well with Dalhousie’s technical environment and offers significant economic advantage when compared to other services or an in-house system.

What security measures are proposed to protect the personal information? (Provide details concerning the security of the system as well as contractual measures taken to protected [sic] against or reduce unnecessary access to personal information)

* Technical Due Diligence: ITS performed a detailed review of the Microsoft Office 365 technical documentation to ensure that the service adequately addresses the University’s functional, technical, security and operational requirements. In addition, the Dalhousie technical team performed functional testing using an Office 365 demonstration environment and production environment. ITS is satisfied with all reviews and testing results, and are satisfied that the Office 365 will exceed Dalhousie’s functional, technical and performance requirements. Also, Microsoft has a security policy for online services that addresses organization of information, asset management, human resources security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and compliance.

* Contract: Microsoft and Dalhousie have executed agreements in place with respect to Office 365. These agreements provide mechanisms for the University’s management of confidential, proprietary and personal information and provide appropriate protection against loss or misuse of such information.

* Exit Strategy: A high level contingency plan outlining alternative options for email and calendaring has been developed by ITS.
ITS will also define a small number of termination/disruption scenarios, assign/prioritize the appropriate alternative options for each scenario, and expand the planning detail for each option. Risk assessment and walkthrough simulation of the plans are to be performed by the end of the year.

* Alternative Services for Sensitive Information: Alternative on-site services are currently available at Dalhousie for storing and managing sensitive information: Novell File Share and Dalhousie File Exchange. In addition, DalShare (on premise Sharepoint) is being developed and introduced over the next few years as another option for storing and managing sensitive information.

* Development and Communication of Best Practices. ITS has commenced, and will continue to develop and communicate best practices and guidelines for administrators, faculty and researcher in relation to the communication of sensitive information. Communications will reinforce user awareness and compliance with the applicable University policies and privacy laws. In addition, alternative communication tools are identified for sharing and storing confidential, highly sensitive and/or personal information (eg. Novell file share, Dalhousie File Exchange, and on premise SharePoint (once fully implemented)). The education, training and communication materials are currently being developed and refined.

* Periodic Audits. Ongoing threat/risk assessments will be performed in conjunction with Dalhousie’s internal auditor. Also, Microsoft is required to provide the results of periodic audits of control effectiveness and recovery readiness in accordance with industry standards. Ongoing monitoring of transaction logs and system activity will be performed by operational staff.

* User Notifications. An information banner will be presented to the users on their first use of the system advising them that data will be stored outside Canada and asking them to confirm their acknowledgement of this.
This banner will also be permanently available on the Dal Office 365 website.
Has the contract been reviewed by Legal Counsel Office? Yes X No_
Name: Dwight Fischer June 14, 2013 Department: ITS Department Approval: [signed D. Fischer] University Approval:
The form was included in the University’s report to government under PIIDPA. Dr. Traves testified that, with respect to the security measures described in the form, he relied on ITS to provide those descriptions. He also said that cost and function are related, adding that “a solution that is beyond one’s means doesn’t work and neither is a solution that is cheap but is not functional”. In his opinion, the two have to be balanced. On cross-examination, Dr. Traves indicated the University’s operating budget was approximately $350 million per year. He confirmed that he was briefed and advised by people throughout the process and that he relied on such advice. Among other things, he had been told that the University of Alberta had adopted Microsoft 365 and noted that it was a larger institution than Dalhousie. He said that the other universities in Nova Scotia were much smaller and that their information management needs would be much simpler. He described the needs of Dalhousie as “pressing”. In response to a question from Union counsel whether a major university could operate in Canada and store its data within the country, Dr. Traves agreed it could be done if it did not involve an overhaul of the existing system. He said that for Dalhousie to build a system to store data in Canada would have entailed so many risks, both operational and financial, that it was not acceptable. He recalled that the question had come up early on and the answer was that there was no practical way to do that in terms of cost and functionality. Dr. Traves conceded that he could not be sure the American government could never look at the University’s data.
The Union submitted a comprehensive closing brief and supplemented it with oral argument on the final day of hearing. The Union rested its case squarely on PIIDPA and did not argue that there was any stand-alone breach of the collective agreement, either in terms of contracting out or in the exercise of management rights. The Union says that the issues to be determined are: (a) Is Dalhousie permitted to store employees’ personal information in the United States pursuant to Section 5(2) of PIIDPA? (b) Has Dalhousie ensured that employees’ personal information is not disclosed outside of Canada contrary to Section 9 of PIIDPA? The Union submits that the determination of these issues is a matter of statutory interpretation and, in particular, raises the following questions: (a) What does it mean under Section 5(2) for a course of action to be necessary? (b) What is the scope of the discretion enjoyed by the head of a public body under Section 5(2)? (c) What is the meaning of the requirement in Section 9(1) to “ensure that only personal information in its custody or under its control is disclosed outside Canada only as permitted pursuant to this Section”? The Union argues that interpretation of Sections 5 and 9 of PIIDPA should be guided by the statute’s purpose. In this connection, the Union emphasizes that PIIDPA is privacy legislation and that its purpose is to safeguard the personal privacy of Nova Scotians against surveillance by the U.S. federal government by preventing storage, access and disclosure of such information outside of Canada. The Union further observes that protection of privacy is regarded as a fundamental value and is recognized in Canada as worthy of constitutional protection. Reference on this point is made to Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403; R. v. Osolin, [1993] 4 S.C.R. 595; and R. v. Mills, [1999] 2 S.C.R. 668.
As a corollary of the importance placed on the protection of privacy, the Union notes that our courts, when interpreting privacy legislation, have given a broad construction to protection provisions while giving a narrow construction to exceptions. See Cash Converters Canada Inc. v. Oshawa (City), 2007 ONCA 502; Canada Post Corporation and Canadian Union of Postal Workers, [1988] C.L.A.D. No. 12 (Bird); and Peace Country Health and United Nurses of Alberta, [2007] A.G.A.A. No. 17 (Sims). The Union urges me to apply the modern rule of interpretation to Sections 5 and 9 of PIIDPA. It cites the following passage from Merk v. International Association of Bridge, Structural, Ornamental and Reinforcing Iron Workers, Local 771, 2005 SCC 70: “18 Allied with s. 10 of the Interpretation Act, 1995 is the contextual approach to statutory construction encapsulated by E. A. Driedger: ‘[T]he words of an Act are to be read in their entire context and in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament.’ (Construction of Statutes (2 Rizzo Shoes Ltd. (Re), 1998 CanLII 837 (SCC), [1998] 1 S.C.R. 27; Bell ExpressVu Limited Partnership v. Rex, 2002 SCC 42 (CanLII), [2002] 2 S.C.R. 559, 2002 SCC 42. The analysis is applied in several steps. [Emphasis added]” The Union notes, as well, that Section 9(5) of the Nova Scotia Interpretation Act, R.S.N.S. 1989, c. 235, effectively incorporates a broad and purposive approach to the interpretation of statutes. The Union emphasizes the grammatical and ordinary sense of the words used in Sections 5 and 9 of PIIDPA. It says that both sections contain a strict and definitive prohibition with limited exceptions. The Union asserts that the scheme of the Act is to prevent the disclosure of personal information to foreign governments by limiting the storage of such information outside Canada and by strictly prohibiting its disclosure outside Canada.
The mischief to be remedied by PIIDPA is the sweeping power of electronic surveillance by the U.S. government, conducted in secret and without notification of disclosure. This is clear, so the Union says, from the Auditor General’s 2005 report to the Nova Scotia House of Assembly and from the debates which took place in the House during the passage of the legislation. Consequently, in the Union’s submission, Sections 5 and 9 of PIIDPA should be interpreted in a manner consistent with its scheme and object — namely, to eliminate the risk to the privacy of Nova Scotians posed by American surveillance legislation. In particular, the Union refers to the U.S. Patriot Act, a set of amendments that were made to the Foreign Intelligence Surveillance Act (FISA) in 2001 and to the further amendments which were made in 2008. Referring to the testimony of Professor Banks, the Union says that FISA provides a procedural framework to allow the U.S. federal government to engage in various types of surveillance, including electronic surveillance, on foreign persons and groups. Furthermore, the 2008 amendments allowed, for the first time, “programmatic surveillance” which enables the NSA to use a broad “vacuum-cleaner-like” approach to collect massive amounts of information. The only limitation on surveillance of this nature is that the targets are reasonably believed to be outside the United States. Targeting may be directed at a large set of email addresses or an entire ISP and the NSA uses both “upstream” and “downstream” methods of data collection. The Union highlights the fact that Microsoft is one of the large service providers which has allowed direct access to its servers for purposes of data collection by U.S. authorities. To make the situation even worse, so the Union says, Microsoft is prohibited by law from reporting that they have allowed the U.S. government direct access to their servers and that minimization procedures only apply to U.S. persons.
Turning to the specific language of Section 5(1), the Union correctly points out that it starts by placing an obligation on any public body in the Province to “ensure that personal information in its custody or under its control...is stored only in Canada and accessed only in Canada”. It then goes on to provide for three exceptions, only one of which arguably applies in the present case — namely, that the head of the public body has allowed storage or access outside Canada pursuant to subsection 5(2) which reads as follows: “5(2) The head of a public body may allow storage or access outside Canada of personal information in its custody or under its control, subject to any restrictions or conditions the head considers advisable, if the head considers the storage or access is to meet the necessary requirements of the public body’s operation.” The Union concedes that the provision of email and calendaring services to Dalhousie’s students, faculty and staff are required for its operation as a public body. However, it argues that, for Section 5(2) to apply, the head has to conclude that the storage or access of personal information outside Canada is a necessary requirement of the public body’s operation. In this context, the Union refers to the Oxford English Dictionary where the word “necessary” is defined as meaning “indispensable, vital, essential and requisite”. It also cites Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers, [2004] 2 S.C.R. 427, where Justice Binnie stated at para. 91: “Necessary” is a word whose meaning varies somewhat with the context.
The word, according to Black's Law Dictionary, may mean something which in the accomplishment of a given object cannot be dispensed with, or it may mean something reasonably useful and proper, and of greater or lesser benefit or convenience, and its force and meaning must be determined with relation to the particular object sought.” In the Union’s view, given the quasi constitutional status of privacy rights and the broad surveillance powers of the American government, the word “necessary” should be strictly construed to mean “a requirement of a public body’s operation that cannot be dispensed with”. In other words, so the Union contends, the personal information of Nova Scotians held by public bodies should only be stored or accessed in the United States where storage or access in the United States cannot be dispensed with. It does not simply mean that email and calendaring services have to be necessary. Rather, it means that the storage of personal data in the United States must be necessary in the strict sense. The Union acknowledges that Section 5(2) accords a measure of discretion to the head of a public body in determining whether allowing storage or access to personal information outside Canada is necessary to meet the requirements of the public body’s operation. However, in the Union’s submission, the head’s discretion is by no means absolute and must be exercised reasonably. As authority on this point, the Union cites Judicial Review of Administrative Action in Canada (Carswell, 2013) (Brown and Evans); and Waddell v. Canada (Governor in Council), [1983] B.C.J. No. 2017 (BCSC). Further, the Union argues that the reasonableness standard is also supported by the fact that PIIDPA must be treated as part of the collective agreement.
The Union refers to Article 14.03 of the collective agreement which provides, in part: “The Union acknowledges it is the exclusive function of ‘o ensure the provision of teaching and sand facilities in the interests of students and faculty members by all reasonable measures...” [emphasis added] The Union also refers to Article 14.05(2) of the collective agreement which states that “it is the exclusive function of the Employer to establish and enforce reasonable rules and regulations covering the conduct, duties and methods of operation of the Employees not inconsistent with the provisions of this Agreement”. The Union submits that the reasonableness requirement in the exercise of management rights that affect the privacy of employees involves a “balancing of interests” approach and takes into consideration whether less intrusive means are available to address the Employer’s legitimate concerns. See Communications, Energy and Paperworkers Union of Canada, Local 30 v. Irving Pulp & Paper, Ltd., 2013 SCC 34. Having regard to the wording of the collective agreement and the fact that PIIDPA must be applied as forming part thereof, the Union submits that the head’s exercise of discretion under Section 5(2) must satisfy the test of reasonableness. Thus, any unreasonable exercise of discretion by the head breaches PIIDPA and the collective agreement. The Union submits Dalhousie has not met the test of reasonableness. Rather, so the Union says, the exercise of Dr. Traves’ discretion was based on issues of cost, convenience and the view that Microsoft 365 was superior technology. However, the Union contends that Dr. Traves’ decision to store personal information outside of Canada was plainly unreasonable having regard to the purpose of PIIDPA. It emphasizes that every other university in Nova Scotia stores their data in Canada and that all but a few Canadian universities do likewise.
Consequently, the Union asserts that it is obviously not necessary for the operation of a university in Nova Scotia or elsewhere in Canada for personal information on email and calendaring services to be stored in the United States. The Union submits that the exercise of Dr. Traves’ discretion not to obtain email and calendaring services in Canada or to maintain the Dalhousie in-house system was driven by cost — a cost which the Union says was only modestly higher than the cost of storing data in the U.S. given the scale of the University’s operations and overall budget. In the Union’s view, allowing considerations of cost to dominate all other considerations, including the importance of privacy and protection of employees’ personal information, constituted an unreasonable exercise of discretion and thus resulted in a breach of Section 5(1) of PIIDPA which requires that such information be stored only in Canada. Turning to the second issue, the Union submits that Dalhousie failed to ensure that the personal information of its employees is disclosed outside of Canada only as specifically permitted in Section 9. Section 9(1) reads as follows: “9(1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is disclosed outside Canada only as permitted pursuant to this Section.” Disclosure of personal information outside Canada is permitted in various circumstances described in Sections 9(2), 9(3), 10 and 11. The Union correctly points out that none of the permitted disclosures apply in the circumstances of the present case. Further, the Union asserts that the word “disclosed”, although not defined in PIIDPA, should be interpreted as meaning to “make something available for collection”, irrespective of whether it is ever collected or actually viewed.
In this connection, the Union relies on the rule of statutory interpretation that, where a statute uses two different words, each is presumed to have a different meaning. It points out that “access” is defined in Section 4 of the PIIDPA regulations as meaning “the action, process, opportunity or means of finding, using, examining or retrieving, including obtaining from storage”. The Union submits, therefore, that “disclosed” or “disclose” must be presumed to have a more expansive meaning than access. Otherwise, the Legislature would have used the word “access” in Section 9(1) rather than “disclosed”. See R. v. Barnier, [1980] 1 S.C.R. 1124; Agraira v. Canada (Public Safety and Emergency Preparedness), [2013] 2 S.C.R. 559; Peach Hill Management Ltd. v. Canada, 257 N.R. 193 (F.C.A.); and Toronto Transit Commission v. Canada (Minister of National Revenue - M.N.R.), 2010 FCA 33. In similar vein, the Union asserts that giving the same meaning to “disclosed” and “access” would create conflicts between Section 5 and Section 9 of PIIDPA because, while the former deals with storage and access, the latter deals with disclosure and the exceptions in each case are markedly different. Again, in the Union’s submission, this suggests that “disclosed” has a considerably broader meaning than the word “access”, and includes simply making the information available for collection. Consideration of the purpose of PIIDPA, in the Union’s view, leads to the same conclusion. It reiterates that the purpose of the Act was to address the danger posed by secret American electronic surveillance legislation to the privacy of Nova Scotians. It would be most consistent with this purpose, according to the Union, to interpret “disclosed” as the “making available of personal information”. The Union says that it could not have been the intent of the Legislature to allow personal information to become vulnerable to being analyzed by U.S.
authorities, even if it was never actually collected or reviewed. In the alternative, the Union argues that Dalhousie violated Section 9(1) of PIIDPA because it cannot “ensure” that personal information currently being stored outside of Canada will not be disclosed. It says that the words “shall ensure” are imperative and should be strictly construed. It notes that the dictionary meaning of the word “ensure” is “make certain”. The Union also refers in this connection to Regina v. Greening Industries Ltd., [1968] 1 O.R. 759 (O.C.C.); and Mountain v. Legal Services Society, [1983] B.C.W.L.D. 2177 (BCSC), where it was held that the words “shall ensure” imposed an imperative obligation. In this context, the Union refers to Nova Scotia’s FOIPOP legislation which it says deals with both access and disclosure. In particular, the Union characterizes Section 20 of that legislation as an “elaborate balancing process....with a lot of judgment built in”. By way of contrast, the Union points out that Section 9 of PIIDPA has no balancing process. Consequently, according to the Union, disclosure of personal information is only permitted outside Canada in accordance with Sections 9(2), 9(3), 10 and 11. Since none of these exceptions apply, it follows, in the Union’s submission, that Dalhousie has failed to ensure that personal information being stored under its contractual arrangement with Microsoft will not be disclosed. Indeed, Dalhousie’s contract with Microsoft expressly recognizes that Microsoft may be required to provide information to U.S. government authorities acting in accordance with U.S. law. By way of remedy, the Union requests that the grievance be allowed and that an order be issued requiring Dalhousie to revert to the in-house email and calendaring system, unless and until an alternate storage site for email and calendaring data is obtained in Canada.
Dalhousie filed a memorandum of law dealing with the ways in which Canadian authorities can lawfully obtain personal information stored on servers located in Canada and how Canadian authorities may legally share such personal information with U.S. or other intelligence and law enforcement agencies. The memorandum describes in detail the role of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment of Canada (CSEC) and their intelligence gathering powers under the Canadian Security Intelligence Service Act, R.S.C., 1985, c. C-23, and the Anti-terrorism Act, S.C. 2001, c. 41, respectively. Section 12 of the CSIS Act states that: “12. The Service shall collect, by investigation or otherwise, to the extent that it is strictly necessary, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada and, in relation thereto, shall report to and advise the Government of Canada.” CSEC is Canada’s version of the NSA. It is responsible for foreign signals intelligence. CSEC is limited to foreign surveillance; however, it often intercepts the data of Canadians. Purely foreign intercepts are not subject to any oversight mechanism. Where the intercept has a Canadian nexus, CSEC must obtain ministerial authorization but no judicial authorization is required. Ministerial authorization is predicated on the Minister of National Defence being satisfied that such interceptions are for the sole purpose of obtaining foreign intelligence. The memorandum also points out that Canadian privacy legislation generally allows for the lawful investigative and intelligence gathering powers described above.
Specifically, Section 27(m) of the Nova Scotia Freedom of Information and Protection of Privacy Act allows a public body to disclose personal information to law enforcement agencies in Canada to assist in an investigation and Section 27(n) allows law enforcement agencies to disclose personal information to other law enforcement agencies in Canada and to law enforcement agencies in foreign countries pursuant to an arrangement, written agreement, treaty or legislative authority. Also, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, was amended post-9/11 requiring private sector entities to disclose personal information of its customers to law enforcement authorities if CSIS, the RCMP or other authorized government institution makes a request and the information relates to national security, the defence of Canada or the conduct of international affairs. The memorandum outlines how the personal information of Canadians contained in emails which are lawfully collected or intercepted by Canadian authorities may be shared with U.S. and other foreign authorities. The memorandum quotes the following excerpt from the most recent annual report of the Canadian Security Intelligence Review Committee (SIRC), an independent review body that provides reports to Parliament regarding CSIS activities: “Moreover, all government departments and agencies — to say nothing of Canada’s close allies - are becoming more technologically integrated. Governments across the Western world have responded and adapted, further integrating formerly separate intelligence capacities. As the technological barriers between information systems and previously stove-piped databases continue to fall, the sharing of data has become not merely possible, but routine.
(Reference: SIRC Annual Report 2012-2013, supra at p 10, Tab 5)” The memorandum goes on to state that intelligence sharing among allied states has accelerated since 9/11 and identifies the following international and domestic instruments which facilitate this activity: (i) UN Resolutions and Conventions including Resolution 1373 and the Europe Convention on Cybercrime (the “Budapest Convention”); (ii) Bilateral mutual legal assistance treaties of which Canada is currently signatory to 40, including one with the U.S.; (iii) Section 17(1)(b) of the CSIS Act; (iv) Proceeds of Crime (Money Laundering) and Terrorist Financing Act; and (v) UKUSA Agreement signed by the United States, Canada, Great Britain, Australia and New Zealand (also known as “Five Eyes” or ECHELON interception system). The memorandum indicates that all of the above instruments authorize the sharing of personal information with United States and other foreign government authorities. In light of the foregoing, the memorandum concludes that the many methods by which the personal information of Canadians may be collected and shared means that it does not matter where the electronic data is stored because such data can be lawfully accessed and shared with U.S. and other foreign governments even when it is stored in Canada. Dalhousie submits, therefore, that I should come to the same conclusion as board member Carrier in Lakehead University v. L.U.F.A. (2009), 184 L.A.C. (4th) 338, that, “One should consider e-mail communications as confidential as are postcards.”. In its oral submissions at the hearing, Dalhousie emphasizes the stepped approach which led to its decision to contract with Microsoft for email and calendaring services.
First, it looked at the possibility of upgrading from within but concluded that it would take a lot of time to accomplish, be too expensive and difficult to maintain going forward. Consequently, in December of 2008, it issued an RFQ for email and calendaring services with the stipulation that these services be hosted in Canada. The RFQ led to a consulting arrangement with one of the bidders but that arrangement proved to be unsuccessful. Finally, in January of 2011, the RFP was issued for a communications and productivity platform to host email and calendaring services. Unlike the RFQ, the RFP did not stipulate that the hosting environment was to be in Canada. Four bids were received and ultimately it came down to a contest between Microsoft and Google. Following an extensive evaluation process, Microsoft was chosen as the preferred service provider. The next step was to conduct an impact analysis for students and alumni and, subsequently, for employees. After reviewing the employee impact analysis, and meeting with Mr. Fischer and the Vice-presidents, Dr. Traves gave the go-ahead to negotiate with Microsoft. It took almost a year to negotiate the contracts and Dalhousie says it achieved the best language it could with respect to the protection of personal information from surveillance and disclosure. Dalhousie argues that it is important in this context to bear in mind that email and calendaring services are “work tools” not “personal use tools”. It says that privacy interests should not, therefore, weigh too heavily in the balance. Likewise, so Dalhousie contends, consideration should be given to the fact that, in the legacy system, users were bypassing the space limits on storage by forwarding their emails to Gmail and Hotmail accounts, both of which are stored outside Canada. Dalhousie notes as well that it has maintained internal systems which are run on campus and used for Human Resources, Financial Services and the Registrar's office.
Taking all of these factors into account, Dalhousie submits that, on any reasonable balancing approach, the privacy interests at stake here do not outweigh the interest in having an efficient and cost-effective system. Not surprisingly, Dalhousie’s interpretation of Section 5(2) is very different from the Union's. It acknowledges that the Patriot Act was a focal point of discussion when PIIDPA was passed but it notes that there is no express purpose or object clause in the legislation. Dalhousie also observes that the exception in 5(1)(c) and 5(2) has a purpose which should be given effect to in accordance with its terms. Dalhousie contends that the Union’s interpretation of the exception ignores the discretion conferred on the head of the public body in considering whether or not to allow storage of personal information outside of Canada. Dalhousie emphasizes that the head “has the last word on this issue and no other approval is required”. It says that the adjective “necessary” qualifies the “requirements of the public body’s operation”. It asserts that email and calendaring are necessary requirements of the University’s operation, so that condition of the exception has been satisfied. Dalhousie agrees that the discretion conferred on the head has to be exercised reasonably. However, it maintains that the discretion is essentially a subjective one and that the reasonableness standard must be tempered accordingly. In this regard, Dalhousie refers to Brown and Evans, Judicial Review of Administrative Action in Canada, looseleaf (Canvasback Publishing: Toronto, ON, 2010), at para. 14:5422, where the learned authors state: “Where there are no objective limitations, such as where the legislation provides ‘in the opinion of the deputy head’ or where there is ‘reason to believe,’ or where it contains a requirement that something must be ‘shown to the satisfaction of the Board,’ it is sometimes referred to as a grant of ‘subjective’ discretion.
And in those instances, the ability of a court to review is limited, although the recipient cannot, of course, exercise discretion in a way that is inconsistent with the objects of the legislation.” In the case at hand, Dalhousie submits that Dr. Traves, in deciding whether or not to allow storage of or access to personal information outside Canada, considered that such storage or access was for the purpose of meeting the necessary requirements of the University and that such storage and access was made subject to restrictions and conditions which he considered to be advisable. Consequently, Dalhousie submits the exercise of Dr. Traves’ discretion was reasonably exercised in a manner that was not inconsistent with the objects of PIIDPA. Turning to Section 9(1) of PIIDPA, Dalhousie maintains that the Union is reading it too broadly and that, on the Union’s interpretation, no storage outside Canada would be permissible. In short, Dalhousie says that, if the Union's interpretation of Section 9(1) is adopted, then it will “eat up” the exception in Section 5(1)(c) and 5(2). Dalhousie submits that there are two plausible interpretations of Section 9(1). The first is that it imposes an absolute prohibition against actual disclosure of personal information outside of Canada. The second is that it imposes a duty of care which could be breached even if no actual disclosure had occurred. At its very highest, the duty of care would be to take all reasonable steps to avoid disclosure. Dalhousie submits that the Union has not established a breach of Section 9 on either interpretation. It has offered no evidence of any actual breach nor has it alleged or established a breach of a standard of care. Dalhousie disagrees with the Union’s proposed definition of “disclosed” which would include making personal information vulnerable to disclosure, whether or not it is actually collected or viewed.
In Dalhousie’s opinion, an actual disclosure is required in order to constitute a breach of Article 9(1). Further, Dalhousie argues that every privacy statute and the concept of protection of privacy is about balancing interests. It says that it is impossible to eliminate the risk of disclosure of the content of emails and calendaring services, regardless of where the information is stored. Accordingly, the object of PIIDPA is to limit and control the risk of disclosure. In this context, Dalhousie refers to Ontario (Ministry of Labour) v. Sheehan’s Truck Centre Inc., 2011 ONCA 645, where it was held that neither the Occupational Health & Safety Act nor the regulations made thereunder “seek to achieve the impossible — entirely risk-free work environments”. Dalhousie also refers to Lakehead University, supra, where it was stated that email communications are no more confidential than postcards and Twentieth Century Fox Film Corporation, 2006 CanLII 37938 (BC IPC) (October 26, 2006), which includes, at para. 85, the following observations: “Of course, no one can, as the complainant put it, ‘assure the security of personal information. PIPA requires no assurances in the nature of guarantees—it requires organizations to take ‘reasonable’ security measures to protect personal information. Personal information routinely crosses borders in the ordinary course of commerce, but this does not necessarily decrease its security. The geographic location of personal information, which may change throughout the lifecycle of a transaction, is far from determinative of threats to the security of personal information.
Personal information may be at risk in British Columbia and be better protected elsewhere.” Accordingly, Dalhousie submits that Section 9(1) should not be interpreted in a way that imposes an impossible obligation on a public body - i.e., to make certain or guarantee that there will be no disclosure of personal information — in circumstances where the head of a public body, in the reasonable exercise of the discretion accorded him or her under Section 5(2), has allowed storage of personal information outside Canada. To do so would, so Dalhousie argues, run afoul of the presumption that the provisions of legislation are meant to work together to form a rational, internally consistent framework. (See Sullivan, Construction of Statutes, 5th ed (Markham, Ont: LexisNexis Canada, 2008), pp. 223-225.) For all of the above reasons, Dalhousie submits that no breach of Section 5(1) or 9(1) of PIIDPA has been established and that, accordingly, the grievance should be dismissed. The issues to be determined are as follows: (1) Did Dalhousie breach Section 5(1) of PIIDPA by failing to ensure that personal information in its custody or under its control was stored only in Canada and accessed only in Canada? (2) Did Dalhousie breach Section 9(1) of PIIDPA by failing to ensure that personal information in its custody or under its control is disclosed outside Canada only as permitted pursuant to Sections 9, 10 and 11? Having considered the evidence, the relevant statutory provisions and submissions of the parties, I have come to the conclusion that no breach of either Section 5(1) or 9(1) of PIIDPA has been established. My reasons for so finding are set out below. While I have dealt separately with each of the issues, they are, in my opinion, quite closely related.
Alleged Breach of Section 5(1)

For convenient reference, Section 5 is reproduced in full below:

“Information to be stored and accessed in Canada

5(1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless

(a) where the individual the information is about has identified the information and has consented, in the manner prescribed by the regulations, to it being stored in or accessed from, as the case may be, outside Canada;

(b) where it is stored in or accessed from outside Canada for the purpose of disclosure allowed under this Act; or

(c) the head of the public body has allowed storage or access outside Canada pursuant to subsection (2).

(2) The head of a public body may allow storage or access outside Canada of personal information in its custody or under its control, subject to any restrictions or conditions the head considers advisable, if the head considers the storage or access is to meet the necessary requirements of the public body's operation.

(3) Where the head of a public body makes a decision pursuant to subsection (2) in any year allowing storage or access outside Canada, the head shall, within ninety days after the end of that year, report to the Minister all such decisions made during that year, together with the reasons therefor.
(4) In providing storage, access or disclosure of personal information outside Canada, a service provider shall only collect and use such personal information that is necessary to fulfill its obligation as a service provider, and shall at all times make reasonable security arrangements to protect any personal information that it collects or uses by or on behalf of a public body.” [emphasis added]

As previously indicated, it was conceded by Dalhousie that its contract with Microsoft allows personal information of employees and other users of its email and calendaring systems to be stored outside Canada. It is also not in dispute that the “head of the public body”, in this case Dr. Traves in his capacity as President of Dalhousie, allowed the storage outside Canada as contemplated in subsection (c). The only real issue is whether, in doing so, Dr. Traves failed to comply with Section 5(2).

I agree with the Union that Section 5(2), as well as all other provisions in PIIDPA, should be guided by the purpose of the legislation. The Union says that purpose is to safeguard the personal privacy of Nova Scotians against U.S. surveillance by preventing storage, access and disclosure of such information outside Canada. However, it is clear from Section 5 that it does not absolutely prohibit storage of or access to personal information outside Canada. Rather, it is a qualified prohibition which is subject to express exceptions. It would have been a simple matter, of course, to make the prohibition absolute but the Legislature did not see fit to do so. Instead, it crafted what it obviously considered to be appropriate exceptions and those exceptions must be applied in accordance with their terms. To do otherwise would defeat the intent of the Legislature. In short, the exceptions have a purpose too and it would be improper to read them out of the legislation or construe them so strictly as to deprive them of any real meaning.
As indicated in my preliminary decision, Section 5(2) confers a fair measure of discretion on the head of the public body. It provides that the head “may” allow storage of and access to personal information outside Canada if the head “considers the storage or access....is to meet the necessary requirements of the public body’s operation”. It also provides that the head may allow such storage or access subject to any restrictions or conditions that “the head considers advisable”. The word “may” is clearly permissive in this context and the words “considers” and “considers advisable” plainly indicate that the discretion conferred on the head is largely subjective in nature. The effect is the same as if the Legislature had used the words “in the opinion of the head”.

This does not mean, however, that the discretion conferred on the head is totally unfettered. Indeed, that was the basis of Dalhousie’s jurisdictional objection that was argued and failed. Both parties now agree that the discretion conferred on the head in Section 5(2) must be exercised reasonably. The question is how to apply the standard of reasonableness in relation to the exercise of a statutory discretion where, as here, the language confers what Brown and Evans note is “sometimes referred to as a grant of subjective discretion”.

In Nova Scotia Government Employees Union and Civil Service Commission (Mulvaney) (unreported) (March 13, 1987), the issue was whether or not the employer had violated the collective agreement by denying education leave. The governing provision of the collective agreement stated that the employer “may” grant education leave if, “in the opinion of the Employer”, the leave was needed to enable the applicant to more adequately fill his or her present position. The employer argued that my jurisdiction was limited to examining the manner in which it reached its decision and forego any examination of the ion.
I rejected that argument, stating in part:

“...In my view, that would be a partial abdication of my responsibility to ensure that the agreement is applied and enforced in accordance with its terms. This doesn’t mean, of course, that my role is to second-guess the Employer or jon merely because I would have reached a different decision if it were mine to make. Ultimately, it is for the adjudicator to determine whether or not education leave has unreasonably been denied; however, in making that determination, the adjudicator must have regard to the terms of the agreement and defer to the Employer's judgment to the extent required therein. Hence, where an agreement confers a discretionary decision-making authority on an employer, an adjudicator should only interfere with the exercise of that discretion where the employer has miscondu procedural sense or has made a decision which is patently unreasonable...” [p. 41]

It is important to note that Nova Scotia Court of Appeal commented on the above passage in a subsequent case involving the same parties (Nova Scotia Civil Service Commission and Nova Scotia Government Employees Union (Martin Wexler and R. Lorne MacDougall, Q.C.) (1993), 123 N.S.R. (2d) 217). The Court observed that the term “patently unreasonable” had a technical meaning related to curial deference and should not be used in the context of determining whether or not an employer’s decision was unreasonable. Notwithstanding this caveat, the Court expressly endorsed the test which I had adopted for the purpose of determining reasonableness – namely, “imposing on the union the burden of proving, on a balance of probabilities, that the employer’s decision was unreasonably arrived at or obviously wrong.”. The Court added that an unreasonable decision is “one that a reasonable person possessed of the facts and exercising common sense would not reach”.

I am not persuaded that the Union has met the burden of proving, on a balance of probabilities, that Dr. 
Traves’ decision to allow storage and access outside Canada of personal information in Dalhousie’s email and calendaring systems was unreasonable. Put somewhat differently, I am satisfied that Dr. Traves’ decision was one which “a reasonable person possessed of the facts and exercising common sense” could reach.

It is readily apparent from the record that Dr. Traves’ decision came at the end of a lengthy process, the object of which was to arrive at the best solution to the ongoing problems with Dalhousie’s legacy email and calendaring systems. Without reviewing all of the steps taken along the way, the initial RFQ issued in December of 2009 included a requirement that the email and calendaring services be hosted in Canada. However, the RFQ did not produce a successful bidder. The subsequent RFP issued in January of 2011 dropped the requirement for hosting in Canada but left that option open. Of the four bids received, none proposed hosting the services entirely in Canada. The competition was narrowed down to Microsoft and Google and, following a thorough evaluation process, Microsoft was chosen as the preferred provider. The potential problems this created in terms of PIIDPA were expressly recognized and addressed as best they could be before Dr. Traves gave the go-ahead to negotiate with Microsoft, and subsequently during the negotiation process itself. I am satisfied on the evidence that the contract that Dalhousie negotiated with Microsoft contained the strongest language it could realistically achieve with respect to the protection of personal information from surveillance and disclosure. It is a given, of course, that Dalhousie and Microsoft could not contract out of FISA and any attempt on their part to do so would have been invalid.

Before Dr. 
Traves authorized negotiations with Microsoft, he had reviewed the impact statement prepared with respect to student and alumni in June of 2011 and the impact statement with respect to employee email and calendaring services prepared in November of 2011. The following excerpts from the latter impact statement shed considerable light on the reasonableness of Dr. Traves’ decision:

“Employee Email and Calendar Tools Impact Statement

Executive Summary

Email and calendar tools are key to the successful and efficient operation of the University. These tools are used extensively by Dalhousie University employees to communicate with other members of the Dalhousie community and beyond, and form a useful part of our learning and teaching, research and administrative processes. Unfortunately the email and calendar tools currently provided by Dalhousie are dated, with limited functionality, have an increasing risk of unreliability and are costly to operate. With the maturation and viability of cloud computing services, a number of very large cloud computing service providers including Microsoft and Google offer very attractive email and calendar solutions that are robust, highly innovative and financially appealing.

In June 2011, the President approved the decision to move to Microsoft's Office 365 cloud computing service for students and alumni with a target implementation date starting in February, 2012. Operationally, there is no desire to have more than one solution for the Dalhousie community. This impact statement focusses on the benefits and risks associated with implementing Office 365 email and calendaring for employees (additional Office 365 services may be considered in the future following a similar impact analysis).

Microsoft’s Office 365 (email and calendar) for employees presents significant opportunities for Dalhousie but as with any opportunity there are many benefits and risks. 
The key is to ensure that decision makers clearly understand these impacts and that adequate mitigation and management plans are identified to reduce the risk exposure to an acceptable level.

Benefits of deploying Office 365 (email and calendar) to employees include:

• Provides a state-of-the-art suite of tools that are intuitive to use, fully integrated, functionally rich and virtually limitless storage capacity. This encourages wider adoption and use of the solution by employees thus enabling improved personal productivity, increased collaboration opportunities and process improvement;

• In addition to providing employees with substantial improved tools and capabilities, Office 365 (email and calendar) generates an economic advantage to Dalhousie of $552K and hard cost cash flow savings of $660K when compared to the status quo (Net Present Value savings over 5 years, see Tables 2, 3 and 4);

• Replaces Meeting Maker and NotifyLink and provides users with a full featured web client enabling access to email and calendars from anywhere using virtually any device connected to the Internet;

• Fully integrates with existing desktop MS Office tools (Word, Excel, PowerPoint, Outlook, OneNote);

• Supports many elements of Dalhousie’s Strategic Focus;

• Improves business continuity by leveraging the vendor's enterprise scale, fault tolerant, redundant system architecture;

• Enables the implementation of best practices related to data security, protection and management through the application of improved and more granular data security controls and monitoring; and

• Streamlines ITS operations by reducing the number of locally hosted servers and the associated hardware, software licensing and overhead costs such as electricity and cooling.

The biggest drawback of cloud computing solutions is that the University no longer directly manages the systems that process and maintain the user data. 
The servers hosting the solution are geographically dispersed and could be located anywhere in the world. As a result, there

• Perceived increased risk of unauthorized or accidental disclosure of user data;

• Additional due diligence effort required to ensure compliance with Nova Scotia and Canadian laws related to protection of personal information;

• Additional due diligence effort required to ensure protection of confidential and institutional information; and

• Total reliance on the vendor to deliver an accurately functioning solution that meets system availability and performance expectations, and to diligently operate and maintain effective data security, protection and integrity controls.

These impacts raise concerns over the data security and business continuity of cloud computing solutions. However, when compared to Dalhousie’s current email and calendaring systems, Office 365 (email and calendar) provides far more comprehensive and robust security controls, and the system is significantly more reliability [sic] (up time approaching 99.99% of the time). [emphasis added]

As part of this impact statement, detailed risk mitigation and management plans have been developed focussing on the following key strategies:

• Implementing an ongoing best practices education program for users outlining the risks associated with email communication and using secure, Canadian-based repositories to store and manage confidential, highly sensitive or personal information.
• As part of the ITS due diligence process (and confirmed as contractual obligations) confirmation that the vendor:
  - maintains robust data security, protection and integrity controls and practices;
  - meets system performance and reliability standards;
  - preserves strong business continuity plans, processes and capability;
  - allows Dalhousie to periodically audit or review the effectiveness of these controls, plans and processes; and
  - assist Dalhousie in meeting its e-discovery obligations and forensic investigations.

• Dalhousie is to maintain a viable strategy to expeditiously migrate the service in the event the relationship with Microsoft unfavourably changes (eg. unacceptable price increases, non-performance, government imposed changes or laws, changes to privacy policies, etc.).

• Ensuring Dalhousie’s ability to comply with e-discovery laws.

Purpose of this Document

Under Dalhousie’s Policy for the Protection of Personal Information from Access Outside Canada, the decision to approve the purchase of a product or service that permits storage or access to personal information outside of Canada rests with the responsible Vice-President/President. To this end, the Vice-President Finance and Administration and President must have the confidence that this is the best and most secure option available to meet necessary requirements of Dalhousie. To assist with this decision, the Steering Group is responsible to:

• understand the benefits, risks and mitigation plans associated with implementing the Office 365 (email and calendar) solution;

• make recommendations;

• support and help execute risk mitigation strategies accepted and implemented by the University; and

• act as change champions and actively contribute to the change management efforts associated with the implementation of Office 365.
Security

The vintage and non-integrated nature of Dalhousie’s existing communication tools makes it impossible to apply security controls that are up to the standard provided by the large scale commercial vendors. The reality is that the mainstream cloud solutions provide superior, up-to-date data security, but the larger influence on the effectiveness of any security system is how people use the solution. [emphasis added]

Risks

The following is a summary of the major risks associated with deploying Office 365 (email and calendar) for employees:

• Loss of direct management and control of the systems that process and maintain the user data. The servers hosting the solution are geographically dispersed and could be located anywhere in the world. As a result, there is increased risk of:
  - unauthorized or accidental disclosure of user information;
  - unauthorized or inappropriate use by the vendor of information about users or usage trends;
  - users being subjected to unwanted services and solicitations such as advertisements;
  - access to user data by foreign legal authorities;
  - unauthorized retention of user data;
  - inability to independently fix services failures;
  - inability to independently access data on demand;
  - inability to independently restore lost or corrupted data.

• Increased due diligence efforts to ensure compliance with Nova Scotia and Canadian laws related to protection of personal information;

• Increased due diligence efforts to ensure protection of confidential and institutional information; and

• Reliance on vendor to:
  - deliver an accurately functioning solution and meet system availability and performance expectations;
  - diligently operate and maintain effective data security, protection and integrity controls;
  - respect data ownership rights;
  - disclose information regarding suspected or real security breaches; and
  - execute corrective or restorative actions as required.
These risks raise concerns over the data security and business continuity of cloud computing solutions. However, when compared to Dalhousie’s current email and calendaring systems, Office 365 (email and calendar) provides far more comprehensive and robust security controls, and the system is significantly more reliability [sic] (up times approaching 99.999% of the time).

These risks also raise concerns of confidentiality. However, in respect to email messages, the following underlying premise must be kept in mind:

Email is a communication tool provided to faculty and staff for use in their university roles. It is assigned to the individual employee for use in messaging, making calendar arrangements and communicating with colleagues, students and anyone else in the course of performing their duties. Although there is a perception that email does and should provide a high level of confidentiality, it is fundamentally a communication between two or more parties and by definition cannot be considered confidential since the sender has no control over the use of the data by or actions of the recipient(s). Regardless of whether an email system is cloud or on-premise based, messages are discoverable in legal proceedings, system administrators can access email items while performing maintenance duties, data is transmitted over public-facing networks, and messages are received on any number of user-owned devices with unknown levels of security controls. The reality is that email is not and should not be considered a confidential form of communication. Other electronic tools such as secure data repositories are available and should be used to communicate confidential and highly sensitive information.
Any email solution needs to be accompanied with best practices outlining when it is appropriate to use email as a communication tool and when more secure ways to share confidential information are required.” [bold and italics in original]

It is apparent from the above excerpts that, contrary to the Union’s submission, cost was not the only important factor in Dalhousie’s decision to contract with Microsoft. Robustness, functionality and enhanced security were also significant factors. So too was the fact that email is not a confidential form of communication and that other systems were being retained or put in place to be used for the communication of confidential or otherwise sensitive information. Consequently, while I accept that cost played a role in Dr. Traves’ decision, it was by no means the only factor. In any event, I am satisfied that cost is a legitimate consideration when assessing the reasonableness of Dr. Traves’ decision. A present value savings of approximately $2 million over five years represents a significant benefit even for a large university and is entitled to be given some weight in the decision-making process.

The Union’s interpretation of Section 5(2) puts a somewhat different twist on the test of reasonableness. It argues that personal information of Nova Scotians held by public bodies should only be allowed to be stored or accessed in the United States where such storage or access is strictly necessary (i.e., “cannot be dispensed with”). I do not concur with this interpretation. The phrase in which the word “necessary” appears reads as follows:

“...if the head considers the storage or access is to meet the necessary requirements of the public body's operations.”

As can be seen, “necessary” is used as an adjective to describe “requirements”. It is not used as a noun and does not qualify the words “storage or access”, which is the way the Union urges it should be read.
If the Legislature had intended to only allow storage or access outside Canada where it was absolutely necessary, then it presumably would have so stated. Instead, the language chosen by the Legislature indicates that the head of a public body can allow storage or access outside Canada if he or she considers that such storage or access is to meet the necessary requirements of the public body’s operation. Consequently, I find that the Union’s interpretation on this aspect of Section 5(2) stretches the plain meaning of the actual language beyond acceptable limits.

The Union places considerable emphasis on the fact that all but a few Canadian universities host email and calendaring services with in-Canada storage for faculty and staff. Consequently, it asserts that Dalhousie can operate in a similar fashion and that it is not necessary for its email and calendaring services to be hosted outside Canada. Given that I do not accept the Union’s interpretation of “necessary requirements”, this is not a pivotal issue. However, I note that the Union’s own evidence indicates that four Canadian universities no longer host staff and faculty locally and that quite a few other Canadian universities use Cloud-based services for student accounts. If the Union’s interpretation of Section 5(2) was upheld, Dalhousie would be precluded from using the Cloud for all user accounts, including students. This is because PIIDPA makes no distinction between user categories and applies to all personal information in the public body's custody or under its control, irrespective of the user group.

For all of the above reasons, I conclude that the Union has not met the burden of establishing that Dr. Traves, when he approved the acquisition of Cloud-based email and calendaring systems for Microsoft, exercised the discretion conferred on him by Section 5(2) in an unreasonable manner. Balancing all of the legitimate considerations at play, Dr. 
Traves’ decision was one which a reasonable person possessed of the facts and exercising common sense could reach.

Alleged Breach of Section 9(1)

For convenience, Section 9 is set out in full below:

“Disclosure outside Canada

9(1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is disclosed outside Canada only as permitted pursuant to this Section.

(2) A public body, service provider or associate of a service provider may disclose outside Canada personal information in its custody or under its control

(a) in accordance with this Act;

(b) where the individual the information is about has identified the information and consented, in writing, to its disclosure inside or outside Canada, as the case may be;

(c) in accordance with an enactment of the Province, the Government of Canada or the Parliament of Canada that authorizes or requires its disclosure;

(d) in accordance with a provision of a treaty, arrangement or agreement that
  (i) authorizes or requires its disclosure, and
  (ii) is made under an enactment of the Province, the Government of Canada or the Parliament of Canada;

(e) to the head of the public body, if the information is immediately necessary for the performance of the duties of the head;

(f) to a director, officer or employee of the public body or to the head of the public body, if the information is immediately necessary for the protection of the health or safety of the director, officer, employee or head;

(g) to the Attorney General or legal counsel for the public body, for use in civil proceedings involving the Government of the Province or the public body;

(h) for the purpose of
  (i) collecting moneys owing by an individual to Her Majesty in right of the Province or to a public body, or
  (ii) making a payment owing by Her Majesty in right of the Province or by a public 
body to an individual;

(i) for the purpose of
  (i) licensing or re vehicles or drivers, or
  (ii) verification of motor vehicle insurance, motor vehicle registration or drivers’ licences;

(j) where the head of the public body determines that compelling circumstances exist that affect anyone's health or safety;

(k) so that the next of kin or a friend of an injured, ill or deceased individual may be contacted; or

(l) in accordance with Section 10 or 11.

(3) In addition to the authority pursuant to this Section, a public body that is a law enforcement agency may disclose personal information in its custody or under its control to

(a) another law enforcement agency in Canada; or

(b) a law enforcement agency in a foreign country under an arrangement, a written agreement, a treaty or an enactment of the Province, the Government of Canada or the Parliament of Canada.

(4) The head of a public body may allow a director, officer or employee of the public body to transport personal information outside Canada temporarily if the head considers it is necessary for the performance of the duties of the director, officer or employee to transport the information in a computer, a cell phone or another mobile electronic device.”

Section 9(2)(l) incorporates Sections 10 and 11 which contain further permissible disclosures of personal information outside Canada for research, archival and historical purposes, subject to certain limitations which are not material here.

I agree with the Union that none of the disclosures permitted by Sections 9(2), 9(3), 10 and 11 apply in the present circumstances and Dalhousie does not contend otherwise. This being the case, it follows, so the Union submits, that Dalhousie has breached Section 9(1) by failing to ensure that personal information in its custody or under its control is not disclosed outside Canada. In this context, the Union interprets “disclosed” to mean making personal information vulnerable to collection by U.S. 
surveillance authorities, regardless of whether it is ever collected or actually viewed by anyone.

I disagree with the Union’s interpretation. In my opinion, the word “disclosed” means actual disclosure, not a potential disclosure or vulnerability to disclosure. For there to be a breach of Section 9(1), it must be established that personal information in the custody or under the control of a public body has been disclosed to someone outside Canada. The ordinary meaning of the verb “disclose” is “to expose to view, to reveal, to make known”. This meaning is reflected in Sections 9(2), 9(3), 10 and 11 which all detail circumstances in which public bodies may actually disclose personal information outside Canada.

Furthermore, if the Union’s interpretation of Section 9(1) was accepted, it would effectively negate Sections 5(1)(c) and 5(2). Assume, as I have found in the present case, that the head of a public body has properly allowed storage of personal information outside Canada pursuant to these sections. It is clear from the evidence that, once storage of personal information in the United States is allowed, then such information is subject to disclosure in accordance with U.S. law. Consequently, regardless of the contractual protections put in place as between the public body and the service provider, U.S. authorities can lawfully compel disclosure pursuant to FISA. The Legislature was undoubtedly aware of this when PIIDPA was enacted and, in any event, is presumed to have been so aware. Yet, if the Union’s argument based on Section 9(1) were to prevail, it would mean that any public body which allowed storage of personal information outside Canada in accordance with Sections 5(1)(c) and 5(2) would nevertheless be in breach of Section 9(1). This is because storage in the United States carries with it an inherent and unavoidable risk of disclosure under FISA.
I am satisfied that it was not the Legislature’s intention, when enacting Section 9(1), to nullify Sections 5(1)(c) and 5(2).

Support for this conclusion is also found in Section 5(4) which imposes an obligation on service providers storing personal information outside Canada to “make reasonable security arrangements to protect any personal information that it collects or uses by or on behalf of a public body”. The requirement for “reasonable security arrangements” reflects the reality that it is not possible to guarantee protection of personal information stored outside Canada. The Union’s interpretation of Section 9(1), however, amounts to just that — a guarantee or unconditional assurance that personal information stored in the United States will not be subject to disclosure to U.S. authorities in accordance with U.S. law. Such iron-clad protection is not possible — Dalhousie could not insist upon it and Microsoft could not provide it.

Finally, it must be observed that email communications are far from being completely secure, even when hosted within Canada. They are subject to various forms of interception, hacking, sharing, etc. The comparison of emails to postcards, although perhaps somewhat of an exaggeration, is not inapt. Certainly, any person who entrusts personal information to email, particularly their work email, cannot do so with a high expectation of privacy.

In light of the foregoing, I find that the Union has not established a breach of Section 9(1) of PIIDPA. In the result, the grievance is dismissed.

I would be remiss if I did not express my thanks to counsel for their excellent oral and written presentations.

DATED at Halifax, Nova Scotia, this 26th day of August, 2015.

BRUCE OUTHOUSE
