The AMS hopes to update its privacy policies and improve communication after club representatives expressed low confidence in CampusBase to keep their information secure.
On January 12, the VP Administration’s office presented the results of a clubs survey to AMS Council which reported “room for improvement” in student confidence about privacy on CampusBase, the database for AMS clubs.
This comes as 57 per cent of the 137 survey responses cited “privacy and security of personal information” as their highest priority for a site like CampusBase.
‘Distrust among students’ about CampusBase
According to Thunderbird Marching Band president Luis Nogales, his club rarely uses CampusBase.
“The website being gated behind SSC CWL login seems like a good step in protecting the info on CampusBase, but I do not trust that any sensitive info there is safer than [...] in a locked Google Drive,” wrote Nogales in a statement to The Ubyssey. “ For that reason, we try to store the bare minimum of student info on CampusBase and do not require any of our members to use their account.”
AMS Associate VP Administration Ben Du attributed low student trust in CampusBase to its rocky launch in August 2020.
In a major breach of privacy, CampusBase displayed 40,000 students’ personal emails. This violated the BC Personal Information Protection Act (PIPA), which forbids private institutions such as the AMS from disclosing personal information without consent. It then took the AMS over a month to release a Privacy Impact Assessment for CampusBase — a document which assesses privacy risks, and outlines safeguards.
The AMS also leaked contact information by CCing (rather than BCCing) student email addresses in an email to students in the AMS Pen Pal program in November — a mistake which has occurred two other times in the past two years.
“I think the accumulation of those events created a bit of distrust among students around how secure CampusBase can be,” said Du in an interview with The Ubyssey.
Pathways towards privacy protection
The AMS accomplished a step towards information security in November, when all AMS data fully transferred to Canadian servers.
US servers previously hosted CampusBase’s data, but have since moved the data to servers in Canada.
“There was some unease among students around data being hosted outside of Canada,” said Du. “All newly-generated data within the platform is now stored in Canada. That’s new, but [the transfer] wasn’t well publicized.”
The AMS’s next step is to clearly communicate with clubs about the data transfer and about AMS privacy safeguards in general.
The communication plan includes social media postings and a potential module about privacy and CampusBase in the mandatory orientation for all AMS club executives.
The AMS will also work on making the Private Impact Assessment (PIA) about CampusBase more accessible to students. The PIA details the protection policies for student’s personal information on CampusBase. The only personal information on CampusBase is a student’s surname, preferred name, email and student number.
“The main goal of the PIA is really to help us find ways to effectively protect privacy,” said Du. ”The PIA also helps us identify, evaluate and manage the risks associated with the type of personal information that we collect.”
The report recommends that the AMS establish a regular review cycle to make sure the PIA stays up to date. However, Du was uncertain about when those reviews might happen.
“We're going to not only focus on being proactive in terms of the safeguards that we do implement but also communicating to the students so that everybody is aware that we are trying to be as careful as possible,” said Du.
This article has been updated. A pervious version said the AMS was in violation of FIPPA amendments for using US servers to store CampusBase data. As a private institution, the AMS does not need to comply with these amendments.
This article has been updated further to say that the leak of 40,000 student emails on CampusBase in August 2020 was in violation of PIPA, not FIPPA.
Share this article
