FortisBC Energy Utilities

Transcription

1 B-13 FortisBC Energy Utilities Application for Removal of the Restriction on the Location of Data and Servers Streamlined Review Process June 12, 2015

2 Agenda Introduction (Dennis Swanson) Purpose of the Application Customer Benefits Approval Sought Topics Raised (Monic Pratch & Tim Swanson) Foreign Ownership/Unauthorized Access Privacy Security Risks and Mitigation Assessment Process Going Forward Questions/Discussion - 2 -

3 Purpose of the Application Remove the Data Restriction so the FEU can: meaningfully explore, pursue and implement opportunities that could benefit customers take advantage of technology developments in recent years operate information systems requirements in the most efficient and cost effective manner be treated the same as other private sector organizations under the Personal Information Protection Act (PIPA) and Personal Information Protection and Electronic Documents Act (PIPEDA) have operational consistency across FortisBC utilities - 3 -

4 Customer Benefits Consider technologies and services to serve customers efficiently and cost-effectively (i.e. third party vendors which store data or provide services) Pursue potential opportunities to reduce information systems capital investments, operating and support requirements Access cross-jurisdictional industry information and improve collaboration and service offerings Would not be practical, efficient or cost-effective to bring forward discrete applications for exemption - 4 -

5 Approval Sought Rescind the existing data restriction Grant a new Order that: permits the FEU to store data about customers that would otherwise meet the definition of personal information outside of Canada if it is either (a) de-identified or (b) encrypted confirms that data of any kind, customer or otherwise, that does not meet the definition of personal information under PIPA is permitted to be stored outside of Canada permits the FEU to apply for specific exemptions from the revised order - 5 -

6 Topics Raised Foreign Ownership / Unauthorized Access Privacy Security Risks and Mitigation - 6 -

7 Foreign Ownership / Unauthorized Access Foreign Ownership: Fortis Inc. is Canadian Owned and Controlled Foreign Ownership of the FEU no longer an issue As a result no foreign jurisdiction able to compel data disclosure Unauthorized Access No greater risk of unauthorized access to data whether it is stored inside or outside of Canada Same security protection for data no matter where it is stored International borders do not increase data protection - 7 -

8 Privacy Privacy concerns are appropriately addressed by the Office of the Information and Privacy Commissioner and the FEU s robust Privacy Management Program o o Compliance with PIPA/PIPEDA Comprehensive body of knowledge, guidance and directions that provide best practices - 8 -

9 Security Current Security Practices Experienced Industry standards and good practices Regular auditing and testing of controls Encryption Latest standards used Not new to the FEU Keys held in the FEU data centres Tested De-identification Personal information removed Re-identification keys held in the FEU data centres in Canada - 9 -

10 Risks and Mitigation Decryption Risk Keys always held in FEU data centres in Canada Would require keys to decrypt data Re-identification Risk Re-identification information kept in FEU data centres in Canada Would require keys to re-identify data Incident Management Policies and procedures in place Risk is no greater regardless of whether the data is stored inside or outside Canada we manage this risk today

11 Assessments Current Security Assessment (SA) and Privacy Impact Assessment (PIA) Process Have reliable assessment tools in place Have been doing this for years Perform assessment review Have current well established business process The project does not move forward if it cannot meet SA and PIA requirements

12 Going Forward if Approval is Granted Continue to apply the same rigour around security and privacy Continue to perform PIAs and SAs Encrypt and de-identify sensitive data before it leaves the FEU Maintain encryption keys and de-identification tables at all times in the FEU s possession on servers in Canada Contractually require vendors to meet the FEU s requirements

13 Questions / Discussion