Email Address:

Password:

Colleges cracking down on computing

The Chronicle of Higher Education September 14, 2007 Friday Fearing Prying U.S.

Eyes, Canada's Colleges Crack Down on Computing DAN CARNEVALE INFORMATION TECHNOLOGY; Pg.

23 Vol.

54 No.

3 1049 words The USA Patriot Act is having far-reaching effects on the kinds of data that wind up on some academics' computers in Canada.

Canadian colleges, responding to provincial laws passed in reaction to the Patriot Act, are preventing professors from entering the United States with students' private data on their laptops and limiting the locations of servers where academic data are stored.

The provincial privacy laws call on government institutions, including public colleges, to keep data in Canada and away from the potential prying eyes of U.S.

agencies given investigative powers under the Patriot Act.

Colleges are now coming to grips with these regulations, but they are finding compliance confusing because of different laws in several provinces, each open to various interpretations.

Attempts to play it safe are proving to be expensive for some colleges, possibly tripling the cost of data storage.

Not playing it safe could also be expensive: In one province violators face a $500,000 fine.

In Nova Scotia computer records containing private information -- such as people's names, addresses, ages, education records, or financial information -- cannot be transported across the border in a professor's laptop, or stored on servers located in the United States, university officials in Canada say.

British Columbia, in contrast, allows travel in certain situations, but generally requires that private information be stored only on computer servers within Canada's borders.

American companies, meanwhile, are discovering that, to keep doing business with Canadian colleges, they have to relocate some of their computer equipment into Canada.

"It has added layers of bureaucracy," says Karen Crombie, legal counsel at Dalhousie University, in Nova Scotia.

"And it's always frustrating when there's a new layer of bureaucracy." The Patriot Act has raised concerns in Canada because that law widely expanded the U.S.

government's ability to collect private information, including data stored on computers, in hopes of preventing terrorist attacks.

"Many Canadians are aware of the potential implications of the U.S.

Patriot Act," says Ian Forsyth, information and privacy coordinator at Simon Fraser University, in British Columbia.

"They are uneasy about how potential information could be used by the U.S.

government." So starting around 2004, three years after the passage of the Patriot Act, provinces began to clamp down.

Phil O'Hara, assistant director of academic computing at Dalhousie, says the new rules are already costing his institution thousands of dollars.

For example, the university used to store computer data on servers in New York City, he says, at a cost of $8,500 per year.

Buying servers to store information on the campus will cost almost three times as much, he says.

"The impact there is financially significant," Mr.

O'Hara says.

"We are erring on the side of considerable conservatism and do not want to be the first university to be made an example of." Even when data is stored on the campus, Ms.

Crombie says, the university has to be careful with American vendors that trouble-shoot software remotely for the institution.

It's a simple matter of blocking confidential data from their eyes, she says, but it is still an extra step that must be taken.

There are exceptions to these rules.

If professors are collaborating with institutions outside of Canada on research, then they can travel with the data and even store the information elsewhere.

Ms.

Crombie says such situations commonly arise with medical research, when confidential data from many patients at universities on both sides of the border are combined to look for patterns.

Such projects, however, must be approved by the university before they are allowed.

Some of the professors are not happy with the restrictions, she says.

But nobody wants to face any of the fines imposed by the law.

Alberta has its own privacy laws affecting colleges and other public institutions, but it is less restrictive than Nova Scotia, says Jo-Ann Munn Gafuik, access and privacy coordinator at the University of Calgary.

They are designed as recommendations for securing private data, she says, instead of outright prohibitions.

"Alberta tends to be that way -- use common sense and discretion," Ms.

Gafuik says.

"Because if you come down with a prohibition, you may have an impact that you didn't intend." But she already sees one potential consequence of the law that could cause trouble, she says.

The Alberta law requires that if any private data are compromised, the holder of that data has to notify the person affected as soon as possible.

But the Patriot Act forbids notification, for fear of tipping off would-be terrorists.

Someone in the United States who does business with a Canadian college may have no choice but to break either the U.S.

or Canadian law, depending on whether that person chooses to notify the college that information has been compromised under the Patriot Act.

"It just sets up a conflict of law," she says.

"That's the problem." Colleges were not the only ones that had to adjust.

Private companies also had to make some significant changes.

"Some companies initially were not prepared, just as we were not prepared," says Mr.

Forsyth, of Simon Fraser.

Companies such as Datatel, a firm in Virginia that sells business software for colleges, decided to put computer servers in Canada so they could keep their Canadian clients.

Some Canadian educational institutions are now hesitant to use Turnitin, an online plagiarism-detection service that compares students' term papers with others collected in a database.

For a Canadian college to use it, a student's paper would have to be shared across the national border with personal identifying information included.

On top of that, the student's paper would be added to the database kept in the United States.

John M.

Barrie, chief executive of iParadigms, which owns Turnitin, says the new Canadian privacy laws have not hurt the company's business.

But, he says, iParadigms will still be putting computer servers inside Canada by the end of this month.

As for universities, they are adapting.

"We get the usual sorts of grumbling," says Ms.

Crombie, of Dalhousie University.

But this is the new reality, she adds, and "people will have to change behavior." September 17, 2007 ENGLISH Newspaper Copyright 2007 The Chronicle of Higher Education All Rights Reserved