The AMS quietly released a CampusBase privacy impact assessment in December, a month and a half after execs promised to do so at the society’s annual general meeting in October.
Since its August 2020 launch, the CampusBase clubs website, running on the Campus Groups platform operated by Novalsys, has faced two privacy breaches that exposed student personal information.
When asked at the October 29 annual general meeting (AGM) if the AMS would commit to releasing a privacy impact assessment (PIA) of CampusBase, AMS VP Administration Sylvester Mensah Jr and President Cole Evans committed to doing so. Mensah confirmed that the AMS had conducted its own internal PIA. Evans again committed to this following the site’s second privacy breach in November.
Q: Will the AMS commit to releasing the privacy assessment for CampusBase?
— Ubyssey News (@UbysseyNews) October 30, 2020
Evans: The new records policy doesn't cover this. "We can absolutely do that."
Mensah: UBC did an assessment and the AMS did its own review. The AMS can share its internal review.
Under the related documentation section of the new PIA, dated December 11, 2020, the AMS wrote that no previous PIAs had been conducted on the CampusBase platform. UBC determined a PIA was not needed to integrate the CWL function, and the exchange of information for use was covered by the AMS Memorandum of Understanding on Student Data.
However, Mensah said that a PIA was completed in September based on the information they had at that point.
“The PIA was complete by that AGM meeting; however it was the case that there were new developments regarding the system and hence we were continuously revisiting the information we had in the PIA with our privacy officer and our chief technology officer to ensure that the necessary details were being included in the PIA,” he said.
The PIA outlines that the AMS does not collect the personal data used on CampusBase and an inventory of the personal information collected by CampusBase.
Security measures include Novalsys log data and weekly vulnerability scans as well as restricted backend access to select staffers in the AMS admin and finance offices, with access deactivated annually during staffing changes.
The PIA was developed while CampusBase launched, and Mensah said that the two privacy breaches that occurred later were technical issues that would not have been caught, even if they had done a PIA earlier.
“As an organization, we do believe we are fulfilling our obligation to students and the various policies and bodies that oversee our operations,” he said when asked whether he thought the AMS did its due diligence before launching the site.
While the provincial Freedom of Information and Protection of Privacy Act stipulates that public bodies must conduct a PIA when starting a project to see if it meets the act’s standards, private organizations such as the AMS fall under the Personal Information Protection Act (PIPA) and are not required to perform a PIA.
According to the Office of the Information and Privacy Commissioner of BC (OIPC), doing a PIA could still have benefits.
“While [private organizations] are not legally obligated to complete a PIA, they add value to your organization by addressing and documenting your legal requirements under PIPA,” an OIPC guidance document states. “They demonstrate due diligence and accountability in meeting a commitment to protect privacy and are considered a best practice for all organizations that collect, use, disclose and dispose of personal information.”
UBC did not conduct a PIA of the service, but at the AGM, Mensah said the university had conducted a privacy assessment of the Shibboleth/CWL integration with the service. Evans said the AMS would make the documents it had from UBC public, but has not done so.
The university did not provide a copy of the review to The Ubyssey, but spokesperson Matthew Ramsey said that it’s “not uncommon” for services to require CWL integration.
UBC’s review of the CampusBase CWL integration found that it was secure. However, this does not cover the security of student data.
“It’s not a UBC system. If the student data that the AMS has in CampusBase is exposed, that is the AMS’s responsibility. And they’re accountable for that,” Ramsey said.