1. Introduction
On November 25, 2021, British Columbia’s provincial legislature passed Bill 22-2021, making several amendments to the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“FOIPPA”). FOIPPA is the legislation that governs BC’s public bodies’ storage, use, and dissemination of British Columbians’ personal information. A full list of public bodies subject to FOIPPA can be found here. Several of the amendments came into force immediately, including those:
- allowing public bodies to store British Columbians’ personal information outside of Canada (s. 33.1);
- prohibiting disclosure of information that may harm the rights of Indigenous people to control the disclosure and use of their culture and traditional knowledge (s. 18.1);
- creating new privacy offences and increasing maximum penalties (ss. 65.2 to 65.7); and
- imposing a new application fee for requests for information (s. 75(1)(a)).
Some details regarding these amendments were provided via Ministerial Orders and Directions on November 26, 2021. Perhaps of greatest interest to public bodies are the Directions issued by the Minister of Citizens’ Services, Lisa Beare, regarding privacy impact assessments (“PIAs”).
PIAs are meant to evaluate the risks to personal information from actions taken by a public body. Minister Beare issued separate Directions for Ministry and non-Ministry public bodies, expanding the circumstances in which PIAs must occur and requiring a supplementary impact assessment should a public body wish to store personal information outside of Canada. Pursuant to these Directions, PIAs must be carried out on new enactments, projects, or programs for which no PIA has previously been conducted. They must also be carried out before implementing a “significant change” to an enactment, project, or program.
Two further amendments to FOIPPA were passed but have yet to come into effect. These amendments require public bodies to develop privacy management programs (s. 36.2) and report privacy breaches to affected individuals and to the Information and Privacy Commissioner (the “Commissioner”) (s. 36.3). These amendments will come into force by regulation, likely by the end of 2022.
2. Conducting Privacy Impact Assessments
Minister Beare’s Directions issued on November 26 replace previous Directions that were less clear about when Ministries or other public bodies were required to conduct PIAs. As noted above, the Directions issued by Minister Beare state that the head of a public body must conduct a PIA:
- on a new enactment, system, project, program, or activity for which no PIA has previously been conducted; and
- before implementing a significant change to an existing enactment, system, project, program, or activity.
However, the Directions provide no clarification of the “significant change” threshold. The only changes that the Directions indicate will always be “significant” are changes in storage location where the information at issue is stored (or will be stored) outside of Canada.
Beyond this guidance, general directions for conducting a PIA do not significantly differ from previous Directions (with the exception of the requirement for “supplementary assessment” of foreign storage practices, discussed in the following section), nor do the templates available on the Government of BC website appear to have changed.
3. Storing of Personal Information Outside Canada
Prior to these amendments, FOIPPA imposed a data residency requirement upon public bodies preventing them from storing personal information on servers located outside of Canada. This was justified on the basis that servers in foreign countries may be subject to local laws allowing seizure and disclosure of personal data in circumstances and for purposes that offend Canadian privacy law.
However, this requirement had the effect of forcing all public bodies to store data with small local providers rather than large international providers and their cloud storage systems. Some argued that this unduly increased costs of storage while depriving public bodies of the better services and privacy protection offered by large service providers’ financial and technological resources. The new legislation does away with this residency requirement entirely, bringing FOIPPA in line with provincial privacy legislation in the rest of the western provinces as well as Ontario, New Brunswick, and PEI.
Under Minister Beare’s Directions, the head of a public body must conduct a PIA before disclosing or storing sensitive personal information outside Canada. This PIA must include a supplementary assessment focussed on risks associated with foreign storage. The Directions enumerate several factors that must be considered in this supplementary assessment, including:
- the likelihood of unauthorized collection, use, disclosure, or storage of personal information;
- the impact to an individual of unauthorized collection, use, disclosure, or storage of personal information;
- whether the personal information is stored by a service provider; and
- where the personal information is stored.
For each privacy risk identified in conducting this analysis, the head of the public body must identify a privacy risk response proportionate to the level of risk posed. The Directions suggest that such responses may include technical, security, administrative, or contractual measures. The ultimate outcome of the assessment will be a risk-based decision made by the head of the public body on whether to proceed with the initiative.
4. Requiring Privacy Management Programs
This requirement is not currently in force pending the implementation of regulations, and no draft regulations have been made public. During debate in the provincial legislature, Minister Beare stated that privacy management programs ensure “that public bodies have the necessary framework in place to meet their privacy obligations under FOIPPA”. The Office of the Information and Privacy Commissioner for BC (“OIPC”) sets out its own privacy management policies on its website, including its annual audit plan, personal information inventory, and privacy breach response protocol. This information might be of assistance to public bodies wishing to inform themselves of what will be expected of them when this provision comes into force.
5. Requiring Privacy Breach Notifications
The explicit statutory requirement under s. 36.3 for public bodies to notify affected individuals and the Commissioner upon discovering a breach is similarly not in effect pending the implementation of regulations. When it comes into effect it will bring BC in line with most other jurisdictions in Canada by explicitly requiring public bodies to report privacy breaches. In spite of the Commissioner’s objections, the provision does not contain an exception for notification that could compromise a criminal investigation.
FOIPPA defines “privacy breach” as the “theft or loss, or the collection, use or disclosure that is not authorised under Part 2 of FOIPPA of personal information in the custody or under the control of a public body”. The provision requires public bodies to notify an affected individual and the Commissioner of any breach that could reasonably be expected to cause significant harm to the individual. “Significant harm” is defined to include the risk of identity theft and “significant”:
- bodily harm;
- humiliation;
- loss of reputation or relationships;
- loss of employment, business or professional opportunities;
- financial loss;
- negative impact on a credit record; or
- damage to, or loss of, property.
An exception to the notification requirement exists for circumstances in which notification could reasonably be expected to result in harm to an individual’s safety or physical or mental health.
6. Prohibiting Disclosure Harmful to Indigenous Interests
Under section 18.1 of FOIPPA, heads of public bodies must receive written consent from an Indigenous people prior to disclosing “information that could harm the rights of [the] Indigenous people to maintain, control, protect, or develop” their cultural heritage, traditional knowledge, cultural expressions, or “manifestations of sciences, technologies or cultures”. In debate before the legislature, Minister Beare provided the example of sensitive information provided to support land settlements or treaty negotiations as falling under s. 18.1.
This provision seeks to protect traditional Indigenous knowledge and culture by forcing public bodies to engage with impacted Indigenous peoples when contemplating disclosure of harmful information. However, this provision is unclear regarding who can provide consent on behalf of the impacted Indigenous people, and therefore who public bodies should engage with when seeking consent.
In defining “Indigenous peoples”, FOIPPA adopts the definition of “aboriginal peoples” in the Constitution Act, 1982, which defines aboriginal peoples as the “Indian, Inuit, and Métis” peoples of Canada. This provides no assistance in determining which individuals or leadership entities can provide consent (e.g. First Nations vs. broader historical entities, or traditional governing bodies vs. those created by the Indian Act). To be fair, this is hardly an issue exclusive to FOIPPA – the question of who can provide meaningful consent on behalf of an Indigenous people is a complex issue that public bodies have been struggling with for decades.
7. Implementing New Offences
The new legislation implements several privacy offences, including:
- wilfully misleading, obstructing, or failing to comply with the Commissioner or an adjudicator carrying out their duties or exercising their powers under FOIPPA (s. 65.2);
- wilfully concealing, destroying, or altering any record to avoid complying with an access request (s. 65.3);
- collecting, using, disclosing, or failing to notify of unauthorized disclosure of personal information as required by Part 3 of FOIPPA (ss. 65.4(1) and 65.4(2)(a)-(d)); and
- dismissing, suspending, demoting, disciplining, harassing, otherwise disadvantaging, or denying a benefit to an employee for (i) reporting a contravention of FOIPPA; (ii) refusing to take an action in contravention of FOIPPA; or (iii) taking actions required to prevent another person from contravening FOIPPA (s. 65.4(e)). This provision similarly applies to penalization of employees who are expected to take any of these actions.
The prohibition against collecting, using, or disclosing personal information in contravention of Part 3 of FOIPPA is designed to prevent “snooping”, a term for unauthorized access to personal information. It is similar to anti-snooping provisions currently in force in Saskatchewan and each of the Territories. However, the wording of the provision has been criticized by the Commissioner for failing to prohibit “viewing” or “accessing” personal information. Such wording is included in anti-snooping provisions in Alberta, Newfoundland, and Prince Edward Island, each of which prohibits unlawful access or attempts to access personal information. In a similar vein, Ontario’s privacy legislation prohibits making requests for access to personal information under false pretenses.
Under s. 65.6, the maximum fine for a person or partnership committing any of the above offences is set at $50,000. However, upon conviction of an offence under ss. 65.3 or 65.4, a corporation may face a fine of up to $500,000. A 1-year limitation period is set for offences under ss. 65.3 and 65.4 that begins to run on either the date that the offence occurred or the date on which the Minister of Citizens’ Services learned of the act or omission (if the Minister certifies the date on which they learned of it).
If you have any questions about the article, please contact Karen R. Zimmer.