Continuing the cloud conversation

Part II

This is the second part of our two-part conversation with Dwight Fischer, Dalhousie’s chief information officer and assistant vice-president of Information Technology Services. When we left the conversation, we were discussing how individuals’ idea of privacy is changing as they do more and more of their work on-the-go, with mobile devices, wireless connections and services such as Gmail and Hotmail.

It’s more than just a changing “perception” of privacy that’s at play when considering outsourcing email or other services data. We have legal obligations towards privacy and data security.

Yes. Nova Scotia is one of three provinces in Canada, along with Alberta and British Columbia, that passed stricter privacy legislation after the U.S. Patriot Act. [ed. note: He’s referring to PIDPA, the Personal Information Disclosure Prevention Act]. That does place limits on what we can do with information, specifically with regards to U.S.-owned servers. However, if it can be demonstrated that a viable Canadian alternative does not exist or is cost-prohibitive to use, exceptions may and have been made.

There seems to be this fear that if we outsource our data to an American company, the U.S. government can just walk in and get information if they want. David Fraser [McInnes Cooper partner and expert in cross-border law and intellectual property] talks about this a lot, and makes an important point: the Canadian government can do this too. And if the American government really wants our data under the status quo, and has a just cause to do so, they’ll do so through the Canadian government.

The whole fear of the United States government walking into these companies and getting your information is overstated.However,if they want it and they have just cause, they can get it already.

But we can’t just throw up our hands and say, ‘We can’t do anything about this, let’s just abandon privacy.’

No, but we have to come to terms with how little of what we do is truly “sensitive” information that needs to be held to such a strict standard. If we were so concerned about it, we wouldn’t be using email, we wouldn’t be using Blackberries and iPhones. If you look at all of the communications in your email box, how much of it is sensitive, versus how much is mundane, ordinary communications?

We’re asking the wrong questions. Rather than worrying about who is looking at our private email, the question should be ‘What are we sending in email that is so private and sensitive?’ For instance, if you are sending student grades, or highly sensitive documents, you may want to rethink to whom and how you are sending them. We cannot control the security of that transmission once you hit ‘send.’

Just as important: despite our best efforts, is that data on our end really as secure as it could be if we had a top-tier, world-class professional organization looking after it, rather than a university with IT resources stretched in innumerable directions and priorities?

So you’re saying that these companies can offer better security than we can?

Absolutely. This is nothing against our IT staff, but these companies have small armies of the best IT and security experts in the world. They’ve got more phishing resources, more virus research, and more incentive to stay abreast of the trends and competition.

All of that said, we realize that there are still many who may be skittish about using these services. As we look at them, we will provide an ‘opt-out’ solution, either through a simple email and messaging or the ability, for students, to enter an email of choice. Those details will need to be arranged, but we also realize they are very important to some.

Additionally, we are developing an enterprise document repository for the sensitive materials that should not be conveyed in email. This is part of an overall strategy to help protect and maintain much of our core work and research data.

The University of Alberta just announced its arrangement with Google, the first major Canadian university to do so. How closely are you watching that deal?

Very closely. And it’s not just us—every university CIO in Canada is taking notes. The University of Toronto is in negotiations with a provider for student email. University of New Brunswick, Université de Montréal...they’re all looking in this direction to see if it can work for them. And hundreds of U.S. schools are already there. We’re hardly on our own in considering this option.

And Alberta is one of the three provinces that has strict privacy legislation. Now, it’s not the same legislation as ours, but the U of A’s arrangement with Google—which took 15 months to negotiate, doing the due-diligence—provides us with a good starting point should we go down the external provider path.

They’re estimating that the change will end up saving the university $2 million.

Exactly, and that’s the other point here—cost savings. We do use open-source e-mail software at Dal, but we have to maintain and upgrade it. Our biggest hard cost is storage. When we had that large email seize-up happen two years ago, we purchased an additional $300,000 in storage. To keep pace with what people need, we’d need another $300,000 in the next year. Then there are services we have to pay for like Notify Link and Meeting Maker, which costs us a combined $75 per person per year, just to link our calendar system with their mobile devices.

Yet the real cost is what we’re not doing! For example, we could be providing more support and innovation in the classroom, video conferencing, research and data, mining data for improved information services, better web pages and tools to help people manage it effectively. We’d like to avoid having our IT staff babysitting older technologies when new ones are needed; not chasing hordes of phishing, malware and other lascivious internet crap that has evolved to the be bane of some IT staff's role; not having to tell people their storage capacity is tapped; not needing an IT professional to help you connect to email and calendar and hope it all keeps working. No, we need our smart and talented IT staff focused on more valuable technologies.

Our strategy is to start playing more to the new and less to the old. Technology change occurs too fast. Your IT staff should be positioned middle- to leading-edge—not bleeding, but leading—if we are to deploy and utilize technologies that differentiate Dalhousie University.

So what is the decision process for selecting a new email and communications system?

An RFP review team currently reviewing vendor proposals. We’ll be using feedback from a campus survey and weighting the features most desired against them. Once finalists are selected, we will bring them to campus for information sessions for everyone to attend. We expect to provide the President’s team of senior administrators with recommendations by end of April.