June 15, 2017
Sent via email Letter L-13-17
Ms. Diane Roy
Vice President, Regulatory Affairs
FortisBC Energy Inc.
16705 Fraser Highway
Surrey, BC V4N 0E8
gas.regulatory.affairs@fortisbc.com
Re: FortisBC Energy Inc. – Request for Confirmation from British Columbia Utilities Commission regarding Applicability of Order G-161-15 for Microsoft Azure Active Directory Services
Dear Ms. Roy:
On April 10, 2017, FortisBC Energy Inc. (FEI) filed a letter with the British Columbia Utilities Commission (Commission) requesting confirmation regarding the applicability of Order G-161-15 for Microsoft Azure Active Directory Services.
In Order G-161-15 dated October 13, 2015, which approved FEI’s application for removal of the restriction on the location of data servers providing service to FEI (Data Location Decision), the Commission determined that employee information must be either encrypted or de-identified if such data is to be stored on servers located outside of Canada. For the purposes of Order G-161-15 and as proposed by FEI, employee information means information of or about FEI’s employees, as proposed by FEI.[1]
In its letter dated April 10, 2017, FEI submits that the Azure Active Directory, hosted by Microsoft on servers located in the United States and Canada, will store and manage the company’s electronic directory listing of active employees, which includes only work-related contact information, such as employee name, position name, job title, department, business email address, business phone and fax numbers, and business address. No employee personal information would be stored by the Azure Active Directory service. FEI refers to the British Columbia Personal Information Protection Act (PIPA), which states:
“personal information” means information about an identifiable individual and includes employee personal information but does not include
(a) contact information, or
(b) work product information;
“contact information” means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual;
FEI also refers to a similar definition of “personal information” under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) which excludes a class of “business contact information” from the PIPEDA. As a result, FEI states it does not believe that the directives of the Data Location Decision are applicable to the company’s intended use of Azure Active Directory because the information being stored is “contact information” under PIPA or “business contact information” under PIPEDA and is therefore excluded from the application and requirements of these acts.
In the proceeding which resulted in the Data Location Decision and Order G-161-15, the meaning of employee information was explored in the context of PIPA.[2] By this letter of clarification, the Commission clarifies that employee information for the purposes of Order G-161-15 is to be consistent with PIPA and therefore, the directives in Order G-161-15 do not apply to work-related employee contact information. FEI has the discretion to store such information in a format that it considers appropriate.
The Commission notes that in the Data Location Decision, it was not intended that FEI would need to be seeking Commission-approval or clarification for specific proposals on a case-by-case basis. During the proceeding, FEI stated it would not be practical, efficient or cost-effective to bring forward discrete applications for exemption since the cost savings from a potential project would be offset by the time and cost to prepare an application to the Commission for a project. Given FEI’s letter regarding the Microsoft Azure Active Directory service and the prior Commission letter L-29-16 dated November 8, 2016 responding to FEI on the ENERGY STAR Portfolio Manager Program, the Commission is concerned whether the directives approved in Order G‑161‑15 are sufficient. If FEI has further requests for the Commission to consider for approval or clarification related to a specific project, FEI is requested to outline whether variances to the Data Location Decision directives are warranted.
Original Signed By:
Patrick Wruck
Commission Secretary
LC/nd
cc: FEU 2015 Data Location Restriction Removal Registered Parties
[1] While FortisBC Energy Utilities (FEU) was the original applicant, the companies that comprised FEU were amalgamated on December 31, 2014 and the amalgamated entity carries on business under the name FortisBC Energy Inc. (FEI).
[2] FEU Application for Removal of the Restriction on the Location of Data and Servers Providing Service to the FEU, currently Restricted to Canada, Exhibit B-9, FEU Response to Commission IR No. 1 on Alternative Relief, BCUC IR 2.0.