FEU Data Location - BCSEA IR1 Alt Relief Response

Diane Roy
Director, Regulatory Services

Gas Regulatory Affairs Correspondence
Email: [email protected]

Electric Regulatory Affairs Correspondence
Email: [email protected]

FortisBC
16705 Fraser Highway
Surrey, B.C. V4N 0E8
Tel: (604) 576-7349
Cell: (604) 908-2790
Fax: (604) 576-7074
Email: [email protected]
www.fortisbc.com

April 23, 2015

Via Email
Original via Mail

B.C. Sustainable Energy Association
c/o William J. Andrews, Barrister & Solicitor
1958 Parkside Lane
North Vancouver, B.C. V7G 1X5

Attention: Mr. William J. Andrews

Dear Mr. Andrews:

Re: FortisBC Energy Utilities (FEU)¹ Application for Removal of the Restriction on the Location of Data and Servers Providing Service to the FEU, currently Restricted to Canada (the Application)

Response to the B.C. Sustainable Energy Association and Sierra Club of British Columbia (BCSEA) Information Request (IR) No. 1 on the Alternative Relief

On August 1, 2014, the FEU filed the Application referenced above. In accordance with British Columbia Utilities Commission Order G-26-15 setting out the Regulatory Timetable for the review of the Application, the FEU respectfully submit the attached response to BCSEA IR No. 1 on Alternative Relief.

If further information is required, please contact the undersigned.

Sincerely,

on behalf of the FORTISBC ENERGY UTILITIES

Original signed by: Ilva Bevacqua

For: Diane Roy

Attachment

cc: Commission Secretary
Registered Parties (e-mail only)

¹ Comprised of FortisBC Energy Inc. (FEI), FortisBC Energy (Vancouver Island) Inc. and FortisBC Energy (Whistler) Inc., amalgamated under FEI effective December 31, 2014.

B-11


FortisBC Energy Utilities (consisting of FortisBC Energy Inc., FortisBC Energy (Vancouver Island) Inc. and FortisBC Energy (Whistler) Inc. (FEU, FEI or the Company)

Application for Removal of the Restriction on the Location of Data and Servers Providing Service to the FEU, currently Restricted to Canada (the Application)

Submission Date:

April 23, 2015

Response to B.C. Sustainable Energy Association and Sierra Club of British Columbia (BCSEA) Information Request (IR) No. 1 on Alternative Relief

Page 1

7.0 Topic: Source(s) of evidence

Reference: Exhibit B-8, p.1

“This evidence provides explanations of the concepts and methods by which the FEU will store information outside Canada if the Alternative Relief is granted, and is specifically focussed on the concepts of encryption and de-identification in the context of this proceeding.”

7.1 Please provide the names and qualifications of the individuals responsible for the evidence in Exhibit B-8. Please identify which specific portions of the evidence the individual is responsible for, if applicable.

Response:

The following resources (titles included), which are all FEU employees, were used to provide information for all sections regarding encryption for the Evidence on Alternative Relief:

Infrastructure Planning Specialist:

Master’s degree in Economics (Business Management), University of Economics, Wroclaw, Poland, Production Economics and Organization/Business Management.

Computer Maintenance and Technology Diploma, Control Data Institute, Toronto, ON,

CCNP Cisco Certified Network Professional and CCNA Cisco Certified Network Associate.

25 years of networking and security experience.

Infrastructure Planning Specialist:

CISA (Certified Information Systems Auditor) from ISACA organization (formerly known as Information Systems Audit and Control Association).

CRISC (Certified in Risk and Information Systems Control) from ISACA organization.

CISSP (Certified Information Systems Security Professional) from (ISC)2 organization (International Information Systems Security Certification Consortium).

CPA, CMA (Certified Professional Accountant (formerly Certified Management Accountant)), from CPA Canada.

MBA (Master of Business Administration with Management Consulting Specialization) from Royal Roads University.


BSc (Bachelor of Science, Mathematics and Computer Science) from Simon Fraser University.

Over 5 years of experience focused on security and a total of 35 years of IT experience.

Technical Analyst:

Diploma in Network Engineering Technology from SAIT.

Microsoft Certified Technology Specialist for Microsoft Exchange 2010.

Cisco Certified Network Associate.

Cisco Certified Network Professional.

Certified Wireless Security Professional – certified skills in wireless security, authentication, encryption, etc.

13 years of networking and security experience.

7.2 With reference to “the concepts and methods by which the FEU will store information outside Canada if the Alternative Relief is granted,” have these concepts and methods been produced by FEI on its own, or have they been provided by potential vendors, or some combination?

Response:

The concepts and methods put forth in the Evidence on Alternative Relief are encryption and de-identification, neither of which were created by the FEU nor have been provided by vendors. Encryption and de-identification are industry standard practices.

7.3 Please provide the provenance of the document at Appendix A, including the date and author(s) of the document.


Response:

The document was created by Fabio Martignon, Professor in Computer Science, Paris-Sud University, Orsay, France. The document was created in August 1998 with the final update in May 2002. It was included in the evidence to provide a fundamental description of the algorithm.


8.0 Topic: Encrypted information and personal information under PIPA

Reference: Exhibit B-8, p.1, p.4; FEI’s January 9, 2015, Sur-reply submission

“In Reply Submissions filed by the FEU in this proceeding, the FEU proposed the following alternative relief:

The existing Data Restriction is rescinded and replaced with an order that:

a. directs that FEU data that meets the definition of “personal information” under PIPA must be stored on servers located within Canada;

b. permits the FEU to store data that would otherwise meet the definition of “personal information” outside of Canada if it is either (a) de-identified or (b) encrypted;

c. confirms that data of any kind, customer or otherwise, that does not meet the definition of “personal information” under PIPA is permitted to be stored outside of Canada; and

d. permits the FEU to apply for specific exemptions from the revised Data Restriction.” [Exhibit B-8, p.1]

“As stated in the FEU’s Reply Submission the OIPC has previously found that data that is encrypted is not personal information and that encryption offers a reasonable level of security of such information.” [Exhibit B-8, p.4]

FEI’s counsel states in FEI’s January 9, 2015, Sur-reply submission:

“10. The Privacy Commissioner has determined that personal information that is encrypted is no longer “personal information”. In Order F09-21, the Commissioner states:

[27] An encrypted PEN is also personal information as it is an identifying number assigned to an individual, just as a PEN in unencrypted form is. However, if a PEN is encrypted and an applicant does not have the key and is thus not able to link an encrypted PEN back to an individual student, the encrypted PEN is not in my view information about an identifiable individual and is thus not personal information. In such a case, because there is no unique identifier in the form of the PEN, the information associated with the encrypted PEN is not information about an identifiable individual and is thus not personal information. [Emphasis added by FEI counsel.]

8.1 Does FEI agree that in Order F09-21 a Senior Adjudicator, not the BC Information Privacy Commissioner, approved an access request under the Freedom of Information and Privacy Act for certain student records with the students’ Personal Information Number in encrypted form and without the encryption key?

Response:

Pursuant to both the Freedom of Information and Protection of Privacy Act and the Personal Information Protection Act (PIPA) the BC Information and Privacy Commissioner has the ability to delegate any “duty, power or function of the commissioner under this Act” (please refer to sections 49 and 43 respectively). Order F09-21 was issued by a Senior Adjudicator under delegated authority from the BC Privacy Commissioner.

8.2 Does FEI agree that in Order F09-21, the requester had a statutory right to access to the requested records, subject to reasonable measures to protect the privacy of personal information? Does FEI agree that this is quite different than a situation in which the would-be recipient has no statutory right to access to the subject information and the organization in possession of the information has an obligation under PIPA s.34 to make reasonable security arrangements to prevent unauthorized access?

Response:

The FEU’s purpose of the reference to Order F09-21 was to provide evidence regarding the OIPC’s analysis and thoughts on encryption. The different circumstances of the decision do not negate the fact that OIPC has stated that encrypted information that does not have a unique identifier is not personal information.

8.3 Does FEI agree that Order F09-21 was not a decision under PIPA?

Response:

Yes. The provisions of PIPA and the Freedom of Information and Protection of Privacy Act are very similar and accordingly, often those decisions are instructive and cited in the context of both pieces of legislation.


8.4 Does FEI agree that the Adjudicator in Order F09-21 does not purport to conclude that encrypted data is not “personal information” as defined in PIPA?

Response:

Please refer to the responses to BCSEA Alt. Relief IRs 1.8.2 and 1.8.3.

8.5 Please confirm that the April 4, 2014 letter from the BC Information and Privacy Commissioner to two B.C. Government administrators [Exhibit B-8, Appendix D] concludes with the following caveat:

“While this letter discusses the implications of government's proposed use of tokenization generally, it does not provide an opinion on any specific program or activity. Its contents will not bind me with respect to any specific matter that may come before me, including any complaint or investigation.” [pdf p.75 of 148]

Response:

Confirmed.

8.6 Does FEI assert that the BC Information and Privacy Commissioner has ruled, as a matter of law, that data that is encrypted is not “personal information” as defined under PIPA? If so, please provide full references.

Response:

No.


8.7 Does FEI agree that there is an internal inconsistency in the statement “data that is encrypted is not personal information and that encryption offers a reasonable level of security of such information”? Does FEI agree that if (if) encrypted data is not personal information under PIPA then PIPA does not require any level of security for such information and therefore encryption cannot be a “reasonable level of security for such information”?

Response:

The FEU do not agree that there is an internal inconsistency as noted in the question. Encryption itself is a form of protection or security. When personal information is encrypted the information is transformed from regular text into ciphertext, which means it cannot be deciphered. As a result, this information that cannot be deciphered is no longer personal information as it is no longer information about an identifiable individual. The personal information still exists in that it may be transformed back into regular text with an encryption key; however, the encrypted data itself is not considered personal information. Encryption is a way to protect and secure the information.

8.8 Does FEI agree that a general rule that encrypted data is not “personal information” would be absurd and contrary to the purposes of PIPA, because such a rule would mean that PIPA would not prevent an organization from publicly disclosing both encrypted data and the encryption key?

Response:

Please also refer to the response to BCSEA Alt. Relief IR 1.8.7. In addition to the response to BCSEA Alt. Relief IR 1.8.7, if an organization publicly disclosed an encryption key, then the data would no longer be encrypted and there would be an unauthorized disclosure of personal information.

8.9 Does FEI agree that a general statement that encrypted data is not within the legal definition of “personal information” under PIPA is meaningless without a definition of the type of encryption contemplated? Does FEI agree that some simple forms of encryption, such as ROT13, would not likely be considered reasonable security arrangements for protecting personal information?

Response:

The FEU did not state that “encrypted data is not within the legal definition of ‘personal information’”. Rather, the FEU stated that the OIPC has previously found that encrypted data (where the data does not include a unique identifier) is not personal information.

The FEU are recommending encryption and de-identification standards that are recognized as secure by independent authorities. Please refer to Section 2.2 How Encryption Works and 3.2 How De-Identification Works in the Evidence on Alternative Relief (Exhibit B-8).

8.10 Does FEI agree that in Exhibit B-8, Appendix C, Appendix D, Appendix E Appendix F and Appendix G the concepts of encryption and of de-identification including tokenization are discussed as methods of preventing undesired disclosure of the subject information, and not as mechanisms by which information is stripped of legal privacy protection?

Response:

The FEU agree that the concepts of encryption and de-identification of information (including tokenization) are methods of preventing undesired disclosure of information. The FEU do not agree that these concepts and methods ‘strip the information of legal privacy protection’, but rather submit that the concepts and methods assist in protection of personal information.

8.11 Does FEI agree that in the context of the Commission’s consideration of the Application, encryption and de-identification are best understood as techniques aimed at preventing undesired disclosure of the subject information, rather than as mechanisms that transform the legal status of the subject information under PIPA (from “personal information” to not “personal information”)?


Response:

The purpose of including the reference to the OIPC analysis regarding encryption and de-identification in both the FEU submission and evidence was not to “transform the legal status of the subject information”, but rather to address the privacy-related concerns raised by intervenors and to provide confirmation that the administrative body whose mandate it is to protect personal information has found that these two methods assist in the protection of personal information.

8.12 With reference to the four components of FEI’s proposed Alternative Remedy, does the wording imply that encrypted or de-identified information is not “personal information” as defined under PIPA?

Response:

No, the proposed Alternative Relief would permit the FEU to store data outside of Canada that would otherwise meet the definition of “personal information”, if it is either (a) de-identified or (b) encrypted. The proposed Alternative Relief is not seeking for the Commission to make a determination as to whether information is personal information or not.

8.13 Is FEI asking the Commission to make a ruling that encrypted or de-identified information is not “personal information” as defined under PIPA? If so, what is the Commission’s authority to do so? If not, if the Alternative Remedy was approved how would the Commission, FEI, the intervenors and customers know whether “FEU data that meets the definition of “personal information” under PIPA” was required to be stored within Canada or was allowed to be stored outside of Canada if it was encrypted or de-identified?

Response:

As stated in the response to BCSEA Alt. Relief IR 1.8.12, the FEU in the Alternative Relief sought are not seeking for the Commission to make a ruling whether or not certain information is personal information.


“Personal information” is a defined term under PIPA, information is either personal information or it is not. The FEU’s proposed Alternative Relief is to store ‘personal information’ within Canada unless it is either encrypted or de-identified, in which case the FEU would be able to store such data outside of Canada. If the Alternative Relief was approved by the Commission, the FEU already have such systems, policies, procedures and controls in place that would ensure encryption or de-identification of personal information prior to it being stored outside of Canada. The Commission, interveners and customers can rest assured that the FEU’s information systems are appropriately configured, and the FEU have policies and procedures in place to protect personal information. This is an ongoing business requirement that the FEU manage today, regardless of where the data is stored. Please also refer to Section 2.2 in the Evidence on Alternative Relief (Exhibit B-8) for evidence that the FEU have been ensuring the security of sensitive information through secure encryption for several years.

8.14 Please provide a modified wording of the Alternative Remedy that would be suitable if the Commission did not rule or agree that encrypted or de-identified information is legally outside the definition of “personal information” in PIPA.

Response:

The FEU do not believe that modified wording is necessary as the FEU are not seeking for the Commission to determine whether encrypted or de-identified information constitutes personal information. The Alternative Relief that has been proposed is to allow the FEU to store personal information on servers outside of Canada so long as that information is either encrypted or de-identified.

8.15 Is it FEI’s intention that the phrase “FEU data that meets the definition of “personal information” under PIPA” incorporates the contextual factors informing the meaning of “personal information” in the statute such as B.C. jurisdiction, the FEU being an “organization” under the Act, the purpose of the Act (s.2) as it informs the definition of “personal information,” the application of the Act (s.3) including the exclusions set out in s.3(2), the definitions of “contact information” and “work product information” referenced in the definition of “personal information”?


Response:

It is the FEU’s intention that any information that would be considered “personal information” as defined under PIPA would either be stored on servers located in Canada, or that if that information was stored outside of Canada then it will be encrypted or de-identified. The FEU are unsure of what it would mean to incorporate sections 2 and 3 of PIPA into the definition of “personal information”.

8.16 Please confirm that the thrust of FEI’s evidence in Exhibit B-8 is that reasonable security arrangements to prevent unauthorized access to protected information must include encryption or de-identification of such information when it is stored beyond the organization’s own servers. If not, please explain.

Response:

The FEU confirm that reasonable security arrangements for the protection of personal information may include encryption or de-identification when and if that information was to be stored outside of Canada.

8.17 Please explain fully how PIPA applies to FEI, independent of the data location requirement and the Application.

Response:

PIPA is the British Columbia private sector privacy legislation. As an organization operating in British Columbia, the FEU are required to comply with PIPA, irrespective of the location where data is stored.

8.17.1 In FEI’s view, does FEI’s PIPA s. 34 obligation to make reasonable security arrangements regarding personal information apply to FEI’s storage of personal information located on servers outside of FEI’s own servers, (a) within Canada and (b) outside of Canada? If not, why not?

Response:

Yes, the FEU’s obligation under section 34 of PIPA to make reasonable security arrangements to prevent unauthorized access to personal information would apply to the storage of personal information both within Canada and outside of Canada as the legislation does not make a distinction based on location of where personal information is stored.

8.18 If FEI is subject to PIPA s.34 regarding the FEU data that is “personal information” as defined in PIPA, does the Alternative Remedy amount to the same thing as the original remedy?

Response:

The original remedy sought by the FEU was to remove the restriction to store data (including non-personal and personal information) currently limited to Canada. Removing the data location restriction would allow the FEU to determine the most appropriate location to store its data. The Alternative Relief would allow the FEU to store non-personal data outside of Canada and would require that if personal information is to be stored outside of Canada, the FEU ensure that such information is either encrypted or de-identified.

If encryption or de-identification of personal information when stored outside Canada is ordered and imposed as a condition for the FEU’s data location by the Commission, then the Commission will have the power to supervise the compliance of such an order as in any other circumstances where the Commission can properly exercise such power.

8.18.1 Is the only difference between the Alternative Remedy and the original remedy that under the Alternative Remedy FEI’s obligation to use encryption or de-identification of personal information would be supervised and enforced by the Utilities Commission under the Utilities Commission Act, in addition to the Information and Privacy Commissioner under PIPA?

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.8.18.

8.19 Please categorize the types of individuals, information about whom would be included within the “FEU data that meets the definition of “personal information” under PIPA.” For example, the types of individuals would presumably include account holders, past account holders, applicants for service, and FEI employees. What other categories of individuals does the FEI data include personal information for? For example: contact individuals for incorporated account holders, contact individuals for individual account holders (where the account is one name and FEI interacts with another individual about the account), contractors, past employees, applicants for employment, individual business contacts of FEI employees, etc.?

Response:

“Personal information” is defined in section 1 of PIPA as:

"personal information" means information about an identifiable individual and includes employee personal information but does not include

(a) contact information, or

(b) work product information;

This would include information about:

individual customers, past customers, customers applying for service;

employees, past employees, new job applicants; and

contractors if they are sole proprietorships, or otherwise not incorporated.

This would not include information regarding corporations, contact information of individuals or work product information. It should be clarified that “contact information” as defined in the PIPA is restricted to contact information of an individual at his/her place of business.


8.20 Please provide an estimate of the total number of individuals whose personal information as defined in PIPA would be within the FEU (or FEI) data to which the proposed data location condition would apply. Please provide a breakdown by the categories of types of individuals identified in the previous IR.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.8.19, where the FEU describe the information about three groups of individuals that may be “personal information” subject to the PIPA.

individual customers, past customers, customers applying for service;

employees, past employees, new job applicants; and

contractors if they are sole proprietorships, or otherwise not incorporated.

There is no realistic way for the FEU to provide the estimated number as requested without any limitations or qualifications.

8.21 Is it FEI’s view that in the PIPA definition of “personal information” the word “individual” means a natural person? If not, please explain and provide references.

Response:

Yes.

8.22 Please confirm that ratepayers that are not “individuals” are not individuals regarding whom the definition of personal information in PIPA applies. Alternatively, or if the answer is not a simple affirmative, please explain.

Response:

Confirmed.


8.22.1 For clarity, please confirm that in FEI’s proposed data location condition the phrase “FEU data that meets the definition of “personal information” under PIPA” does not include information about an account holder that is a corporation or some other incorporated or unincorporated legal entity that is not an individual. Alternatively, please explain.

Response:

Confirmed.

8.23 For each rate class, please provide an estimate of the numbers and percentage of account holders that (a) are, and (b) are not, individuals to whom the PIPA definition of personal information applies.

Response:

Please refer to the table below which outlines FEI’s forecasted customer count by segment for 2015 and the percentage each segment represents of the total number of customers:

However, as explained in the responses to BCSEA Alt. Relief IRs 1.8.19 to 1.8.22, not all customers in each rate class will meet the “personal information” definition under the PIPA.

FEI Customer Count by Segment for 2015*

               2015 Number    % of Total Customers
Residential    885,355        90.5%
Commercial     91,821         9.4%
Industrial     1,057          0.1%
Total          978,233        100.0%

*Forecast data


8.23.1 If this information is not available, how would FEI determine what account holder information would be subject to the proposed data location restriction?

Response:

As stated in Section 5.1 in the Evidence on Alternative Relief (Exhibit B-8), the FEU would review each project which included storage of information outside of Canada to determine whether personal information is included in such data. The FEU would complete a security assessment in the normal course and if personal information is included, the FEU would also complete a privacy impact assessment to determine whether encryption or de-identification should be used, or whether the information should continue to reside in Canada.

8.23.2 If this information is not available, how would the Commission determine what account holder information would be subject to the proposed data location restriction?

Response:

If the Commission imposes a condition such that the personal information will not be stored outside Canada unless it is encrypted or de-identified, the Commission has the same tools as now to monitor the compliance of the current condition.

8.24 Is it FEI’s view that there are no privacy concerns regarding any FEU data that is not “personal information” as defined in PIPA?

Response:

The term “privacy” under the PIPA by definition relates to an individual; accordingly, there are no privacy concerns regarding information of a corporation or partnership.

The FEU may owe confidentiality obligations to its customers, service providers, contractors and business partners that are other corporate entities; however, there are no privacy concerns under the PIPA.


8.25 Please confirm that FEI’s Privacy Policy applies to all ratepayers, whether they are individuals or not. Alternatively, please explain.

Response:

The Privacy Policy applies to the collection, use, and disclosure of “personal information” as that term is defined under the PIPA. It is not intended or required to apply to other information collected, used or disclosed by the FEU.

8.25.1 For clarity, please confirm that FEI’s Privacy Policy is not limited to “personal information” as defined under PIPA. Alternatively, please explain.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.8.25.

8.26 Does FEI agree that FEI ratepayers that are not individuals whose personal information is protected under PIPA have an expectation of privacy regarding information about them in the possession of FEI? If not, please explain.

Response:

The privacy protection under PIPA does not extend to a corporation or other legal entities. It only applies to individual human beings.


8.27 Please confirm that under the Alternative Remedy scenario, ratepayers that are not individuals would have less privacy protection than would ratepayers who are individuals.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.8.26.

To be clear, if the Commission grants the Alternative Relief, customer information that does not meet the definition of “personal information” under PIPA could be stored outside of Canada.

8.27.1 If confirmed, what would be justification under the Utilities Commission Act for this differential treatment?

Response:

Encryption or de-identification is not a type of service offered by the FEU to its customers. It is a security measure to be implemented by the FEU, if the Commission approves either the Primary or the Alternative Relief sought, when “personal information” that meets the definition under PIPA is to be stored outside Canada.

Moreover, protection of privacy is governed by PIPA. Granting the relief sought, whether the Primary or Alternative Relief, in the Application will not remove the FEU’s obligation under PIPA with respect to the collection, use and disclosure of personal information and the FEU will remain under the legislative jurisdiction of provincial privacy commissioners with respect to this information.

8.28 Please confirm that within the FEU data that is subject to the existing data location restriction there is information that is “personal information” under PIPA.

Response:

Confirmed.


8.29 At the present time, is the FEU data coded or organized in such a way that “personal information” under PIPA is distinguished from data that is not “personal information” under PIPA?

Response:

No, data is not specifically coded or organized within systems or databases in such a way to specifically identify it as personal. The systems and/or databases that contain personal information are recognized as having personal information and there are a number of steps that have been taken to ensure compliance with PIPA and the FEU’s Privacy Policy.

8.29.1 If so, how?

Response:

Please refer to the response to BCSEA IR Alt. Relief 1.8.29.

8.29.2 If not, how does FEI ensure that the PIPA requirements are met regarding personal information under PIPA? Is all of the FEI data, including both PIPA personal information and other information, handled in a manner that would meet the PIPA requirements?

Response:

The FEU have a comprehensive privacy management program in place which includes appropriate policies, processes and training. The FEU also have a Chief Privacy Officer whose role includes answering privacy related questions and evaluating privacy implications of projects, responding to access requests, meeting with various departments to offer additional support and guidance. In addition, the FEU have regularly scheduled privacy audits which are completed by the FEU internal audit team. Each of the various components of the privacy management program assists in ensuring that the FEU remain compliant with the privacy legislation.


9.0 Topic: Servers within Canada

Reference: Exhibit B-8, p.1

“In Reply Submissions filed by the FEU in this proceeding, the FEU proposed the following alternative relief:

The existing Data Restriction is rescinded and replaced with an order that:

a. directs that FEU data that meets the definition of “personal information” under PIPA must be stored on servers located within Canada; ...”

[underline added]

9.1 Does FEI intend the phrase “must be stored on servers located within Canada” to have the same meaning as the existing data location restriction? If any difference is intended, please explain it.

Response:

The FEU are not sure how to answer this question other than to say that the FEU intend that the words “data … must be stored on servers located within Canada” have their ordinary meaning.


10.0 Topic: Encryption and de-identification

Reference: Exhibit B-8, p.1

“Encryption and de-identification are methods intended to address the privacy and security concerns with storing personal information outside of Canada raised in this proceeding.”

10.1 Are the concepts and methods of encryption and de-identification by which the FEU will store information outside Canada if the Alternative Relief is granted ones that FEI contemplated at the time of the August 1, 2014 application (Exhibit B-1), or are these concepts and methods new in FEI’s development of the application?

Response:

The concepts and methods of encryption and de-identification are standard practices that were contemplated prior to the August 1, 2014 application. The encryption methods contemplated have been in use at the FEU for many years as stated in Section 2.1, Definition in the Evidence on Alternative Relief (Exhibit B-8).

10.2 If the Commission was to grant the relief FEI originally requested, would FEI implement the encryption and de-identification methods discussed in Exhibit B-8 in storing the subject information outside Canada?

Response:

Yes.

10.3 Please list and describe the various privacy and security concerns intended to be addressed by the encryption and de-identification methods discussed in Exhibit B-8.

Response:

The privacy and security concerns intended to be addressed by the Alternative Relief were referenced by the FEU and have been described in detail on pages 3-5 of the FEU Application for Removal of the Restriction on Location of Data and Servers dated August 1, 2014 (Exhibit B-1); pages 3-5 of the Final Submissions of the FEU dated December 4, 2014; and page 3 of the FEU Reply Submissions dated December 18, 2014.


11.0 Topic: FEU use of encryption

Reference: Exhibit B-8, p.2

“The FEU have been using encryption for many years. As a result, the FEU are very familiar with the use of encryption as a means of securing and protecting sensitive data.”

11.1 Have the FEU been using encryption for many years regarding all of the information subject to the existing data location restriction?

Response:

The existing data location restriction does not specify personal information. It is for all FEU data. The FEU do not currently store any data, as per the restriction, outside of Canada. Encryption is applied to customer data accessible via customer portals. Please refer to Section 2.2, How Encryption Works in the Evidence on Alternative Relief (Exhibit B-8).

11.1.1 Do the FEU now use encryption regarding all of the information subject to the existing data location restriction? If so, is it the same form of encryption that FEI says would be used for the FEU data (or some portion of it) stored outside Canada?

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.11.1. Please also refer to Section 2.2, How Encryption Works in the Evidence on Alternative Relief (Exhibit B-8).

11.2 If the FEU do not now use encryption for some (or all) of the information subject to the existing data location restriction, please explain why not. Is it because of cost? Speed? Other factors?

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.10.1.


11.3 What factors do the FEU use in deciding which information is subject to encryption and which is not?

Response:

The FEU use Privacy Impact Assessment, Security Assessment and Risk Assessments to determine whether certain information is subject to encryption. Please refer to Section 4, The Information at Issue in the Evidence on Alternative Relief (Exhibit B-8).


12.0 Topic: Commitment

Reference: Exhibit B-8, p.9

“The FEU have will further mitigate this concern about foreign governments accessing personal information by ensuring that all information that may be stored outside of Canada is encrypted or de-identified and ensuring that any sort of encryption key, index or crosswalk table would be stored within Canada.” (p.9)

12.1 Please confirm this commitment, for greater certainty.

Response:

Confirmed.
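The de-identification side of the commitment quoted above (records leave Canada only without direct identifiers, while the key and crosswalk table stay in Canada) is illustrated below. This is an added example, not part of the FEU filing or of any FEU system; the field names, the HMAC-SHA256 token scheme, the postal-code coarsening and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: fields treated as direct identifiers (constructed for this example).
DIRECT_IDENTIFIERS = ("name", "service_address", "account_number")

# Constructed sample records; none of these values come from the filing.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "service_address": "123 Sample St, Surrey",
     "account_number": "ACCT-1000234", "postal_code": "V1A 2B3",
     "month": "2015-01", "usage_gj": 9.4},
    {"name": "Jane Example", "service_address": "123 Sample St, Surrey",
     "account_number": "ACCT-1000234", "postal_code": "V1A 2B3",
     "month": "2015-02", "usage_gj": 8.1},
    {"name": "Sam Sample", "service_address": "9 Test Ave, Kelowna",
     "account_number": "ACCT-2000777", "postal_code": "V9Z 8Y7",
     "month": "2015-01", "usage_gj": 11.0},
]


class Deidentifier:
    """Holds the secret key and the crosswalk table. Both stay on premises."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self.crosswalk = {}  # token -> direct identifiers; never exported

    def pseudonym(self, account_number: str) -> str:
        # Keyed hash: without the key, a token cannot be recomputed from
        # a guessed account number, unlike a plain SHA-256 of the value.
        mac = hmac.new(self._key, account_number.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def export_record(self, record: dict) -> dict:
        token = self.pseudonym(record["account_number"])
        self.crosswalk[token] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        # Coarsen a quasi-identifier: keep only the first three characters
        # of the postal code (the forward sortation area).
        if "postal_code" in out:
            out["postal_code"] = out["postal_code"].strip()[:3]
        out["subject_token"] = token
        return out

    def reidentify(self, exported: dict) -> dict:
        # Only possible where the crosswalk table is held.
        ids = self.crosswalk[exported["subject_token"]]
        rest = {k: v for k, v in exported.items() if k != "subject_token"}
        return {**ids, **rest}


def build_export(deid: Deidentifier, records: list) -> list:
    """De-identify every record; the result is what would be sent off site."""
    return [deid.export_record(r) for r in records]


def find_leaks(outbound: list, records: list) -> list:
    """Pre-export check: list any direct identifier value found in the payload."""
    blob = json.dumps(outbound)
    values = {str(r[f]) for r in records for f in DIRECT_IDENTIFIERS}
    return sorted(v for v in values if v in blob)


if __name__ == "__main__":
    deid = Deidentifier()
    outbound = build_export(deid, SAMPLE_RECORDS)
    print(json.dumps(outbound, indent=2))
    print("leaks:", find_leaks(outbound, SAMPLE_RECORDS))
```

Rows for the same account share a token, so off-site processing can still group them, and the remaining fields (coarsened postal code, usage) are quasi-identifiers that a privacy impact assessment would still need to weigh.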


13.0 Topic: TLS

Reference: Exhibit B-8, p.1

“TLS [Transport Layer Security] is used to encrypt confidential data sent over an insecure network such as the Internet and is considered an industry standard for encryption.”

13.1 Does FEI currently send any portion of the data that is subject to the existing data location restriction over an insecure network such as the Internet without TLS encryption?

Response:

All data is subject to the existing data location restriction. Please refer to the response to BCSEA Alt. Relief IR 1.11.1. The FEU apply TLS encryption when sending sensitive data over an unsecured network. Please also refer to Section 2.2, How Encryption Works in the Evidence on Alternative Relief (Exhibit B-8).

13.1.1 If so, please describe what types of information is involved.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.13.1.

13.1.2 If so, please explain why TLS is not used. Is some other form of encryption used?

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.13.1.


14.0 Topic: AES and TLS

Reference: Exhibit B-8, p.3

“In the case where the FEU would store sensitive information outside the FEU data centres and network, the data would be encrypted prior to exiting the FEU data centres and network. ...In any case AES encryption is applied to the data prior to leaving FEU data centres and network, and the keys are always kept in the FEU data centres. This ensures the data that would be stored outside FEU data centres and network is completely unintelligible.”

14.1 Is the encryption FEI says would be implemented in the Alternative Remedy scenario limited to transport layer security?

Response:

No. The FEU would use any current AES level encryption type. Specific types of encryption should not be specified. The FEU believe that any AES level encryption that is considered current, and recognized as such, by independent bodies, should be considered acceptable. Please refer to Section 2.2, How Encryption Works in the Evidence on Alternative Relief (Exhibit B-8).

14.1.1 In the Alternative Remedy scenario, would FEI implement, or require implementation of, encryption at the application layer?

Response:

Encryption may be applied at the application layer if the FEU’s applications were to be hosted outside of Canada. Some hosted applications may not be encrypted at the application layer. Any sensitive data generated by a hosted application would require encryption.

14.2 More generally, does the encryption FEI says would be implemented in the Alternative Remedy scenario provide anonymity regarding the traffic between FEI and the third-party out-of-Canada server? If not, why not?

Response:

The encryption method the FEU are recommending in the Evidence on Alternative Relief would provide anonymity between the FEU data center and third-party out-of-Canada servers by ensuring any customer and/or employee identity credentials as well as data are encrypted.


15.0 Topic: Encryption cost

Reference: Exhibit B-8, pp.3-4

“AES encryption is designed to be cost effective. Encryption keys cost approximately $50 annually. The FEU currently has approximately 80 such keys. The number varies depending on the number test and development systems being used. Encryption itself is provided by the operating system on a server with no incremental cost. A dedicated encryption server, or appliance as it is commonly referred to, is approximately $10,000 onetime cost. Third party services often include an encryption appliance to be kept in the customer data centre as part of their service.”

15.1 What is FEI saying about the cost of AES encryption in relation to the Alternative Remedy? Is FEI saying that requiring encryption of individuals’ personal information under the Alternative Remedy is not so costly as to preclude approval of the Alternative Remedy compared to the Original Remedy?

Response:

There may be incremental costs associated with encrypting or de-identifying personal information. The estimated costs are the $10,000 one-time cost for a dedicated AES encryption server, plus the annual cost of encryption keys. Currently, encryption keys cost approximately $50 annually and most new services would require 3 keys. The FEU believe that such costs are reasonable if the Commission determines that the Alternative Relief should be granted.

It should be noted that the costs estimated above are not necessary costs that would be incurred in all cases. Dedicated encryption servers and/or additional keys may not be required in every case to utilize third party services hosted outside the FEU data centres.

15.1.1 If so, should the Alternative Remedy be modified to include encryption for information about ratepayers that are not individuals?

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.8.19 for a discussion on the application of the PIPA definition of “personal information”.


15.1.2 If so, should the Alternative Remedy be modified to include encryption for all FEU data to be stored outside of Canada?

Response:

No. The FEU is recommending that data containing personal information be encrypted or de-identified. There may be cases where FEU data, such as schematics and drawings, must be sent and temporarily stored by vendors that could be providing engineering or manufacturing services. In these cases the data would not be necessarily stored in an encrypted format. However, any vendor that would be used would be subject to the confidentiality language included in the FEU’s third party contracts.

15.2 Please confirm that there is no difference in the cost of implementing encryption for information about individuals compared to the cost of implementing encryption for information about corporate and other non-individual customers. Alternatively, please explain.

Response:

Confirmed.


16.0 Topic: Foreign government access

Reference: Exhibit B-8, p.4

“The issue of a foreign government accessing the encryption key is discussed below in section 3.3.2.”

16.1 Is FEI asserting that the only way for a foreign government to obtain access to FEI information that is encrypted and stored on a server located in the foreign jurisdiction is to obtain the encryption key?

Response:

Yes, to the best of the FEU’s knowledge. The likelihood of a foreign government, or anyone, breaking the encryption being used and recommended by the FEU without having access to the key is addressed in the Evidence on Alternative Relief Section 2.3 (Exhibit B-8), and for all intents and purposes is considered to be nearly impossible.


17.0 Topic: Foreign government access

Reference: Exhibit B-8, section 3.3.2, Foreign Governments; Appendix D

The evidence provides a quote from an April 4, 2014 letter from the BC Information and Privacy Commissioner to two B.C. Government administrators.

17.1 Please confirm that FEI’s quote from the letter omits the following paragraph contained in the letter:

“There are numerous examples going back decades where American courts have ordered the production of records by American companies where those records are held by foreign subsidiaries.8 Any company or agency that is within the reach of American legal processes and that has effective access to the requested information can be compelled by American law to provide such information. It is also conceivable that a foreign agency such as the United States Federal Bureau of Investigation could compel a company to produce records where the information relates to criminal or national security matters, and the company has access to the information being sought. The test in these instances is whether the American company has practical control of or a legal right to obtain the records.9”

Response:

Confirmed.

17.2 Does FEI agree that the omitted paragraph supports a legitimate concern that FEU data stored in the United States would in certain circumstances be subject to access by American agencies under American legal processes?

Response:

No, the FEU do not agree.

The paragraph noted in the question specifically references “American companies where those records are held by foreign subsidiaries”. The FEU are neither American companies nor foreign subsidiaries of an American company.

The April 4, 2014 letter from the BC Information and Privacy Commissioner does not state or suggest that a foreign government has been successful at obtaining an encryption or de-identification key or other data from a Canadian owned and controlled company; nor are the FEU aware of any such case.

Following the quote about foreign government access to information within Canada (such as a crosswalk table or more generally) FEI states:

“This issue may have been more of a concern when the original order was granted by the BCUC as the FEU at the time were a Canadian subsidiary of an American parent company. Currently, the FEU are entirely owned and controlled by a Canadian parent company (Fortis Inc.) and accordingly, this risk has been largely alleviated.”

17.3 Please confirm that under the Alternative Remedy, FEU data that is not “personal information” as defined under PIPA would be allowed to be stored in the United States without either encryption or de-identification.

Response:

Confirmed. The FEU would encrypt or de-identify any personal information that would be stored outside Canada. Please refer to Section 2.2 How Encryption Works in the Evidence on Alternative Relief (Exhibit B-8). There are cases where the FEU data may not be encrypted as described in the response to BCSEA Alt. Relief IR 1.15.1.2.

17.3.1 Please confirm that such FEU data would be directly accessible to U.S. agencies under U.S. law, independent of the potential reach of U.S. law to information located within Canada.

Response:

The FEU cannot confirm this statement.


17.4 Regarding FEI’s argument that the FEU being entirely owned and controlled by a Canadian parent company largely alleviates “this risk”:

17.4.1 Please confirm that this argument does not apply to information stored in the U.S., such as by an information technology service provider on contract with FEI.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.17.2.

17.4.2 Please confirm that this argument, on its terms, applies only to any FEI information located within Canada, such as encryption keys or de-identification crosswalk tables.

Response:

The statement was made to address a concern that may exist when the original data restriction was imposed. At that time, the FEU were owned by Kinder Morgan, an American company. However, this has since changed.

To the extent that this question asks about the ownership or control of the encryption keys, please refer to the response to BCSEA Alt. Relief IR 1.17.2.

17.4.3 Please confirm that Fortis Inc. has material assets located in the U.S.

Response:

Regardless whether Fortis Inc. owns assets in the United States or elsewhere, Fortis Inc. is a Canadian owned and controlled corporation. Attachment 17.4.3 provides information on Fortis Inc.’s holdings.


17.4.4 Is FEI confident that American legal processes would not be effective in obtaining access to encryption keys or de-identification crosswalk tables located within Canada regarding FEU encrypted or de-identified data located within the U.S.? If so, please provide the evidence on which FEI bases its confidence.

Response:

The encryption keys will be located in Canada; thus, a U.S. court will not have jurisdiction to issue an order compelling a Canadian company to perform or not to perform certain acts in a legal action that arises in Canada.

Additionally, the FEU have not seen any case law or suggestions from the Office of the Information and Privacy Commissioner that this has been or will be the case.

17.5 Please provide any evidence FEI has that data owned by a Canadian company and stored in encrypted or de-identified form in the United States is not accessible by U.S. agencies under U.S. legal processes.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.17.4.4.


18.0 Topic: De-Identification

Reference: Exhibit B-8, p.1

FEI provides explanations of “one-way non reversible cryptography” (pages 5-6) and “field removal” (pages 6-7). FEI says about “field removal” that “A recipient of the data set has no way of recovering the deleted fields.”

18.1 Please confirm that “one-way non reversible cryptography” and “field removal” would typically be used in the course of deliberately providing data to a third party for the third party’s use while effectively obliterating the content of certain portions of the data to which the third party is not intended to have access.

Response:

It is confirmed that when the above mentioned measures are used, the intent is to limit the third party’s access to the information.

18.2 Please confirm that “one-way non reversible cryptography” and “field removal” are not methods that would be central to the security and privacy component of any FEI system of storing FEI data outside of Canada.

Response:

One way or non-reversible cryptography would be used for specific cases. Please refer to Example 5 of the Evidence on Alternative Relief (Exhibit B-8). One way or non-reversible cryptography would not be a primary method of storing FEU data outside of Canada.

18.2.1 If not confirmed, please explain. If the data location restriction was removed, does FEI intend to have FEU data processed outside Canada (not just stored outside Canada)? If so, please fully explain and provide examples.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.18.2.


19.0 Topic: De-identification

Reference: Exhibit B-8, Appendix C, “De-identification Protocols: Essential for Protecting Privacy”

“One of the most effective ways to protect the privacy of individuals is through strong de-identification. Despite suggestions to the contrary, de-identification, using proper de-identification techniques and re-identification risk management procedures, remains one of the strongest and most important tools in protecting privacy.”

19.1 Why do the authors of the Appendix C document emphasize de-identification as a means of protecting privacy, rather than encryption?

Response:

The purpose of the paper was to discuss de-identification specifically, not to write about each of the various ways of protecting privacy. This is evidenced by the following two quotes from the paper itself:

“One of the most effective ways to protect the privacy of individuals is through strong de-identification….” (at page 1, emphasis added)

“The purpose of this paper is to clarify what it means to properly de-identify personal information, to underscore the value of strong de-identification, to interpret research which has been used to call into question the value of de-identification in the protection of privacy, and to emphasize the conclusions that may properly be drawn from this research.” (at page 2)


20.0 Topic: Encryption versus de-identification

Reference: Exhibit B-8, p.11

FEI proposes to choose at its discretion between encryption and de-identification.

20.1 How would the choice be made, by what criteria, according to what risk assessment factors?

Response:

As stated in Section 3.3.1 Re-identification in the Evidence on Alternative Relief (Exhibit B-8), the FEU would complete requirements analysis and risk assessments on all projects which involve encryption or de-identification. The FEU would use the results of the individual project requirements analysis and risk assessment to choose between the use of encryption versus de-identification on a case-by-case basis. The FEU require the flexibility to make the appropriate choice based on the results of the assessment of each individual initiative, given the specific circumstances, as one method may be more suitable or appropriate than the other. As stated in the Evidence on Alternative Relief (Exhibit B-8), Section 5.1 Implementing the Alternative Relief, the FEU require the discretion to employ the right method (encryption vs. de-identification) for the right circumstance, as well as allow the FEU to adopt “best practices” or industry standards as they evolve.

20.2 In FEI’s view, is de-identification generally more secure than encryption?

Response:

No. Properly applied they are both considered secure.

20.3 Why, in FEI’s view, should the Commission not be empowered to approve FEI’s proposed choice between encryption and de-identification?

Response:

Please also refer to the response to BCSEA Alt. Relief IR 1.20.1. Encryption and de-identification serve different functions and have different costs. It would not be appropriate for the Commission to approve the use of one over the other as the use of encryption versus de-identification can be specific to the circumstance. The FEU require the ability and flexibility to analyse and review the project assessments (Privacy Impact, Security and Risk) to determine the most appropriate method on a case-by-case basis. Please also refer to Section 5.2 Potential Benefits in the Evidence on Alternative Relief (Exhibit B-8).

20.4 Please summarize, perhaps in a table, the pros and cons of encryption versus de-identification as methods of making reasonable security arrangements for storage of FEI data outside Canada. Please address cost, speed, effectiveness, and any other relevant factors.

Response:

Please refer to the response to BCSEA Alt. Relief IR 1.20.3.

In regards to cost, effectiveness and speed of encryption, please refer to Section 2.2 How Encryption Works and Section 2.3 Encryption and Risk in the Evidence on Alternative Relief (Exhibit B-8).

In regards to cost and effectiveness of de-identification, please refer to Section 3.2 How De-Identification Works and Section 3.3 De-Identification Risk in the Evidence on Alternative Relief.

In regards to speed of de-identification it would generally not be an issue or deciding factor. Both de-identification and encryption methods that the FEU would consider would be designed to be efficient in regards to performance.


21.0 Topic: Scope of information protected by security arrangements

Reference: Exhibit B-8

21.1 If the Commission is inclined to remove the existing data location restriction, should the Commission replace it with a requirement that all FEI data stored outside of Canada must be properly encrypted or de-identified? If not, why not?

Response:

The FEU believe that the existing data location restriction can be removed based on the reasons articulated in the Application and evidence in this proceeding. However, if the restriction or condition as noted above is imposed, the FEU believe that the encryption or de-identification would only apply to “personal information” that meets the definition under the PIPA if such information is to be stored outside Canada. A blanket request for encryption and de-identification of all information stored outside of Canada is not reasonable or practical because:

1. the concern that has been raised in this proceeding is with the privacy and security of customer information;

2. the FEU are seeking permission to do what other private sector organizations in British Columbia are lawfully permitted to do under PIPA; and

3. as summarized and argued in the FEU’s submissions of December 4, 2014, the FEU currently have and will continue to have measures and processes in place that ensure the protection of customer information where necessary.


22.0 Topic: Commission review

Reference: Exhibit B-8, pp.7-8

“The FEU currently complete risk assessments on all projects which involve significant amounts of personal information. In the context of a project that would involve de-identification, the FEU would (1) assess the re-identification probability as part of a security assessment; (2) have appropriate privacy and security provisions in place within any contracts involving this data; (3) assess any motivation for the vendor or service provider to want to use the data for another purpose and again, ensure there are appropriate contractual provisions in place prohibiting this; and (4) complete a privacy impact assessment to review and assess the sensitivity of the information itself.”

22.1 If the existing data location restriction is lifted with terms and conditions, how does FEI propose to satisfy the Commission that the terms and conditions will be, and are being, met?

Response:

The Commission has tools and means within its jurisdiction to monitor and enforce compliance with its directives and conditions that form part of its decisions and orders. The treatment of a data location restriction or condition, which is a part of Commission order, would be the same.

22.2 If FEI goes ahead with an information technology outsourcing project, what form of review by the Commission does FEI anticipate?

Response:

As the FEU have explained in Exhibit B-3, BCUC IR 1.2.2, the FEU do not currently have any plans to host servers outside Canada, but wish to have the data restriction removed so that they can meaningfully explore such opportunities.

If the Alternative Relief is granted, to the extent that the “outsourcing project” requires only exemptions from certain conditions imposed by the Commission, as stated in the proposed Alternative Relief, the FEU will apply for Commission approval as and when required.

If the Primary or Alternative Relief is granted, depending on the nature and type of “outsourcing project” and if necessary, the FEU may seek approval from the Commission. For example, to the extent that the “outsourcing project” requires a significant investment or other circumstance such that it may trigger other regulatory requirements (e.g., an application for a Certificate of Public Convenience and Necessity), the FEU would follow the necessary regulatory process.


23.0 Topic: FEI and FEU

Reference: Exhibit B-8

23.1 For the record, please confirm that references to FEI after January 1, 2015 are the same as references to the FEU before that date.

Response:

Confirmed. Effective December 31, 2014, the FEU (comprised of FEI, FEVI and FEW) were amalgamated and the amalgamated entity carries on business under the name of FortisBC Energy Inc. (FEI).


Attachment 17.4.3
