This policy establishes the data governance framework governing all client engagements undertaken by Null&Void Analytics Inc. It reflects the privacy legislation, sectoral standards, and Indigenous data sovereignty principles applicable to our practice areas in British Columbia and Canada.
This Data Governance Policy ("Policy") governs the collection, processing, storage, transmission, and disposition of all data handled by Null&Void Analytics Inc. ("Null&Void") in the course of providing analytics consulting services to clients.
This Policy applies to: all client engagements regardless of sector; all data processed on behalf of clients; all personnel, contractors, and subcontractors engaged by Null&Void; all technical systems and infrastructure used in the delivery of services; and all deliverables produced under client engagements.
Null&Void operates across healthcare, justice, Indigenous services, transit, government, and private enterprise sectors in British Columbia and Canada. Each sector carries specific legislative obligations and governance standards that are reflected in this Policy.
All data handled by Null&Void is classified according to the following framework. Classification determines required technical controls, access restrictions, retention periods, and disposition procedures.
Class 1: Personal health information, Indigenous community data under OCAP governance, judicial and correctional records, personal information of minors, biometric data, and any data subject to court order or legal privilege. Requires encryption at rest and in transit, strict access logging, PIA completion, and client-approved data handling procedures specific to the engagement.
Class 2: Personal information under FOIPPA/PIPEDA, financial records, employee data, commercially sensitive business data, and unpublished government policy information. Requires encryption at rest and in transit, role-based access controls, and retention in client-controlled infrastructure.
Class 3: Aggregate, de-identified, or anonymized operational data; project documentation; technical specifications; and internal business information not falling into Class 1 or 2. Requires standard access controls and secure storage but does not require a PIA.
Class 4: Published government data, open datasets (e.g., GTFS feeds), publicly available statistics, and information explicitly released by the data owner for public use. No special handling required beyond standard data quality controls.
Null&Void adheres to the following principles in all data collection activities:
All client data is stored and processed within Canada. Null&Void does not transfer client data outside of Canada without explicit written authorization from the client. For BC government, health authority, and First Nations engagements, all data processing occurs within British Columbia unless the client expressly agrees otherwise in writing.
All client data is stored and processed within the client's own Azure tenant or on-premise infrastructure — never in Null&Void's Azure subscription. Null&Void develops and tests in isolated environments using synthetic or appropriately anonymized data. Production client data is accessed only through client-controlled systems with client-issued credentials.
All Class 1 and Class 2 data must be encrypted at rest using AES-256 or equivalent and in transit using TLS 1.2 or higher. Encryption keys are managed by the client or their designated key management service. Null&Void does not hold encryption keys for client data.
For First Nations engagements, data custody (physical possession of storage media or cloud account ownership) rests with the Nation. Where a Nation requires on-premise storage, Null&Void designs and deploys infrastructure on hardware located within Nation boundaries and owned by the Nation. Null&Void does not retain copies of First Nations community data after engagement completion.
All healthcare engagements involving personal health information require: (a) a completed Privacy Impact Assessment reviewed by the client's privacy officer before data pipeline development begins; (b) explicit documentation of all data elements to be collected, their PHIA classification, and their intended use; (c) row-level security implemented in all analytical systems to limit individual access to only the patient data within their authorized scope; and (d) a data breach response plan developed collaboratively with the client before go-live.
All justice sector engagements require: (a) data retained exclusively in BC Azure Government Cloud or equivalent government-approved infrastructure; (b) full audit logging of all data access, with log retention as specified by the client's records management policy; (c) chain-of-custody documentation for all data extracts; and (d) express client authorization before any data is used in model training or validation.
All First Nations engagements require: (a) a governance framework established with the Nation before any technical work begins, addressing all four OCAP dimensions; (b) explicit Nation approval for every data element collected, stored, or processed; (c) Nation-controlled data custody at all times; (d) no sharing of community data with third parties, including government agencies, without Nation-issued written authorization for each specific disclosure; (e) complete data return or destruction upon engagement completion with written confirmation; and (f) capacity building and knowledge transfer to Nation-employed or Nation-designated staff as a project deliverable.
All transit authority and government engagements require full FOIPPA compliance, storage within BC or Canada as required by the client's information management policy, and data handling in accordance with the client's existing records schedules and retention requirements.
Null&Void does not retain client data beyond the term of the engagement unless explicitly contracted to do so. Upon engagement completion or termination: all client data in Null&Void's possession is returned to the client or securely destroyed within 30 days; destruction is performed using NIST SP 800-88 compliant methods for digital media; Null&Void provides written confirmation of destruction upon client request; and all development and test environments containing client data are decommissioned.
For Class 1 data, written destruction confirmation is provided as standard practice without requiring a client request.
In the event of a confirmed or suspected privacy breach involving client data: Null&Void will notify the client within 24 hours of discovery; notification will include the nature of the breach, data elements potentially affected, approximate number of individuals impacted (if determinable), and immediate containment actions taken; Null&Void will cooperate fully with the client's breach investigation and reporting obligations to regulators; and Null&Void will implement remediation measures as directed by the client and as required by applicable legislation.
Null&Void maintains a documented Incident Response Plan that is reviewed and updated annually.
This Policy is reviewed annually and updated as required by changes in applicable legislation, sectoral standards, or Null&Void's practice areas. Clients with questions or concerns regarding this Policy should contact [email protected].
All Null&Void personnel and subcontractors are required to acknowledge this Policy before commencing work on any client engagement.