A (re)introduction to FIPPA and how your familiarity with private sector privacy laws will only take you so far (alas, not far enough).


This series is designed to get you (re)acquainted with the Freedom of Information and Protection of Privacy Act, or FIPPA for short, in all of its wonder and complexity (we do not subscribe to FOIPOP…though admit it has a ring to it).

In this, the first of our series, we’ll give a run-down of FIPPA and, importantly for those of you in the private sector, or those new to the public sector (especially after a stint on the private side), how it differs from private sector privacy regulations.

As the name suggests, FIPPA is divided into two distinct components:

  • freedom of information (issues concerning this are commonly referred to as “FOI” issues); and
  • the protection of privacy (issues concerning this commonly referred to as “FIPPA” issues… POP hasn’t taken hold (so far)).

Those of you with experience in the private sector will be familiar with many of the concepts covered by the protection of privacy component, being similar to BC’s private sector focused Personal Information Protection Act (PIPA).  However, the freedom of information component is unique to the public sector.

The FOI provisions of FIPPA are based on the principles of transparency and accountability, and provide the public with a right to request and obtain records held by “public bodies”, a term that includes higher learning institutions (and other public sector organizations).  When a higher learning institution receives an “FOI request”, the institution has a duty to make reasonable efforts to assist applicants, which may include directing them to where the information identified in their request is already publicly available.

If the information is not already public, the institution should carefully consider the types of information and records that FIPPA exempts from disclosure, which includes by way of a few short examples:

  • policy or task force recommendations and legal advice;
  • information that, if disclosed, would be harmful to the financial or economic interests of the institution or the business interests of a third party (like a supplier or service provider); and
  • information that would be harmful to personal privacy, such as student information, an individual or public safety.

In terms of a response, FIPPA requires institutions to make every reasonable effort to assist applicants and respond without delay, though the initial time limit to respond is 30 days (which may extended).

As for the protection of privacy, FIPPA prescribes the rules for the collection, use and disclosure of personal information by public bodies, including higher education institutions.  Although the rules are broadly similar to the requirements imposed on the private sector, there are significant differences.  For example,

  • All data breaches must be disclosed to the Privacy Commissioner (though mandatory data breach notification comes into force for the private sector on November 1, 2018).
  • All personal information to be accessed and stored in Canada, subject to very limited exceptions.
  • Institutions are not always required to obtain the consent of individuals when collecting personal information, as FIPPA provides alternative grounds for collection, such as for the purpose of planning or evaluating a program or activity. In any case, institutions are required to inform individuals of the purpose for collecting their information, the legal authority for doing so and the contact details of someone that can answer their questions about collection.

One similarity between the public and the private sector regulations in BC is that it is provincial law that applies in both areas – meaning BC’s FIPPA and BC’s PIPA. This is also the case in Alberta and Quebec, where provincial law applies to both areas. Elsewhere in Canada, the public sector is governed by provincial law, and the private sector is governed by federal law (the Personal Information Protection and Electronic Documents Act (PIPEDA)), which is why many in the private sector say things like “we comply with all applicable provincial and federal privacy laws”.  In BC, that’s nice to hear, but complying with the provincial laws is what we care about.

This overview glosses over much of the detail and most of the nuances in FIPPA.  However, we had to leave something for the coming weeks in our series, so we hope you stay tuned!  In the meantime, if you have any questions about FIPPA or you have a topic of interest related to FIPPA that you would like us to cover during this series, feel free to reach out to Michal Jaworski or Jeff Holowaychuk.