GitHub is primarily a code repository; however, avatars, photos, bios and many other elements associated to your account ARE personal information. It is also important that while you may intend to host a tool or service that involves more sensitive data, risks and restrictions apply.
While GitHub falls under the suite of tools offered through the BC Government’s agreements with Microsoft, GitHub states explicitly that their own Data Protection Agreement (DPA) supersedes any privacy terms held by Microsoft. Per the GitHub Enterprise agreement:
“Notwithstanding anything to the contrary in Customer’s volume licensing agreement (including these Product Terms and the DPA), the GitHub Privacy Statement available at https://aka.ms/github_privacy and the GitHub Data Protection Agreement at https://aka.ms/github_dpa will apply to Customer’s use of GitHub Offerings”
The GitHub DPA’s privacy controls include an agreement not to “use or otherwise process Customer Personal Data” for their own purposes, “pseudoanonimization and encryption,” regular technical audits, and immediate incident and access request notifications. On the other hand, GitHub states there are a number of cases in which data would be disclosed through their services, including legal requests, sub-processing (internationally), diagnostics, etc.
As a result, while GitHub is appropriate for some government and non-sensitive personal information, GitHub’s DPA is not currently sufficient for “sensitive personal information.”
Sensitive personal information has no set definition under the Freedom of Information and Protection of Privacy Act (FOIPPA) as personal information sensitivity will always be unique to your individual context. Your home address, for example, while definitely personal, might not be sensitive for most individuals, but would be for individuals with protective orders, or under witness protection. For that reason, sensitive personal information will always be contextual.
Nonetheless, there are several generally agreed upon categories of personal information that are usually accepted as being “sensitive” in any context. These include:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sexual orientation;
- individual criminal or social service history;
- personal credit card information;
- social security numbers; and,
- driver’s license numbers.
To avoid the inclusion of such sensitive data, the following actions should be taken:
-
Reach out to the senior privacy analyst for our branch at cloud.securityprivacy@gov.bc.ca for introductory resources and information.
-
Contact your own Ministry Privacy Officer (MPO) to determine the sensitivity of your use case and to complete any necessary assessments (there is no PIA that covers all possible use cases, because every use case is going to be different; however, our team can provide some privacy assessments to use as a guide on request).
-
Document all the data elements you’ll need for your GitHub tool, service, or project.
-
Avoid any users linking to your GitHub projects using GitHub accounts that hold sensitive personal information. Your personal account may be linked to your BC Government account as long as none of the data you store is sensitive. For example, if you have payment card information, or a lot of personal family details associated to your account, it may be better to use an account set aside for business purposes.
-
Avoid sensitive personal information in the titles or descriptions of projects, and do not accept highly sensitive attachments through a GitHub application or repository.
-
Use a VPN or access from a BC Government network when possible.
Make sure you advise users of your GitHub services about “sensitive personal information.” The following model “collection notice,” will be a useful tool to make readily available to your users if you collect any personal information. You will have to modify it for your use case. It needs to be available, but not signed or otherwise associated with a specific individual.
“Your personal information, including your avatar or photo, your basic biographical information, and your opinions [and/or other elements as relevant] is collected through GitHub by [name of Ministry or program] for the purposes of [short phrase describing the purpose of your initiative, such as “tracking training progress,” or “collaborative project development,”] under sections 26(c) [the project’s purpose] and 26(e) [any additional purpose related to improvement of your service, such as surveys or polling] of FOIPPA. Please do not include any personal information you deem to be sensitive. If you have any questions about the collection, use, or disclosure of your personal information, please contact [role, not individual name, of someone on your team that can answer questions about why you’re collecting this info], [contact email, phone, address, etc.].”
Note that this notice is not required if you are not using any personal avatars, biographical information, or any other personal information. Note too that this statement will have to be modified in discussion with your MPO and will normally be significantly shorter once all the brackets are removed. Your MPO may also have a different statement that your Ministry or program prefers.
If you have any questions about the privacy best practices above, or any other cloud privacy question, please feel free to contact our privacy team at cloud.securityprivacy@gov.bc.ca.