Last week, the BC Government introduced new legislation that, if passed, represents a significant change to the way in which BC public bodies process access to information requests and in relation to their obligations to protect personal information.
Bill 22, the Freedom of Information and Protection of Privacy Amendment Act, 2021, makes a number of significant changes to the Freedom of Information and Protection of Privacy Act (FOIPPA). As Bill 22 is still being debated by legislators (and in the press), the following is a high-level overview of some of the key changes to FOIPPA based on the information that has been made available to date:
ACCESS TO INFORMATION
- FOI Request Application Fees – Public bodies will be permitted to charge an application fee to anyone submitting an information request. While the permitted application fees will be set by regulation, it has been widely reported that the maximum fee will $25 per application. Further, if a public body elects to charge an application fee, the 30 day time limit for responding to an information request will not start until the applicant has paid the fee or the public body elects to waive the fee.
- Metadata Excluded from Information Requests – Bill 22 has clarified that the scope of information that is required to be disclosed by public bodies in response to information requests by excluding metadata from disclosure. As a result, public bodies will no longer be required to provide applicants with metadata associated with records, which often includes the author name and the dates and times that a record was created or edited.
- Disclosure Harmful to Indigenous People – Public bodies must refuse to disclose information where the disclosure could reasonably be expected to harm the rights of an Indigenous people to maintain, control, protect or develop cultural heritage, traditional knowledge, traditional cultural expressions or manifestations of sciences, technologies or cultures.
- Additional Grounds to Disregard Information Requests – While FOIPPA already included a provision that allowed public bodies to request the Privacy Commissioner to authorize them to disregard information requests in certain circumstances, that section has been updated with new grounds to request authority to disregard. In particular, public bodies can now ask for authorization to disregard an information request where:
- the request is for a record that has already been disclosed to the applicant or that is accessible from another source; or
- responding to the request would unreasonably interfere with the operations of the public body because the request is excessively broad.
PROTECTION OF PRIVACY
- Changes to Data Residency Requirements – The Bill removes the provisions:
- prohibiting the storage and access of personal information outside of Canada; and
- relating to foreign demands for disclosure.
Access and storage of personal information outside of Canada, as well as disclosure of personal information to recipients outside of Canada, will now only be permitted in accordance with the regulations, which have not been released to date.
- Prohibition on unauthorized collection, use and disclosure of personal information – The Bill includes an express prohibition on unauthorized collection, use or disclosure of personal information by an employee, officer or director of a public body or an employee or associate of a service provider. This change is of particular importance in the context of the new privacy offences provisions noted below.
- New Privacy Offences Provision – The previous offenses provision in FOIPPA will be replaced with a more extensive list of offenses, which now include the following:
- making false statements to, or misleading or obstructing, an adjudicator;
- wilfully concealing, destroying or altering any record to avoid complying with a request for access to the record; and
- the above-mentioned unauthorized collection, use and disclosure of personal information.
The maximum fine for individuals who are convicted of an offence have increased to $50,000, while the maximum fine for a corporation will remain at $500,000.
- Application to Service Providers – Bill 22 has clarified that the full suite protection of personal information provisions in Part 3 of FOIPPA will apply to service providers and their employees.
- Mandatory Privacy Breach Notification – Public bodies will be required to notify the Commissioner of any theft, loss or unauthorized collection, use or disclosure of personal information where the breach “could reasonably be expected to result in significant harm to the individual”, such as identity theft or significant bodily harm or financial loss. This change brings BC public sector privacy laws into line with both federal and other provincial privacy laws, as well as foreign laws like GDPR.
- Privacy Management Programs – Bill 22 will require all public bodies to develop a privacy management program in accordance with the directions of the minister responsible for FOIPPA. As no draft directions have been released to date, it is unclear what additional steps, policies or procedures public bodies will be required to put in place to satisfy this new requirement.
- Privacy Impact Assessments – Bill 22 clarifies that all public bodies, regardless of whether it is a ministry or non-ministry public body, will be required to conduct privacy impact assessments, and must do so in accordance with the directions of the minister responsible for FOIPPA. While the amendments allow the responsible minister to give different directions for different categories of personal information, the scope of this mandatory PIA requirement is unclear at this stage as no draft directions have been made available.
One matter that is notable by its absence is that the Bill does not extend the ambit of FOIPPA to include subsidiary entities of public bodies (e.g. wholly owned, private subsidiaries).
Bill 22 appears to create some efficiencies and opportunities for public bodies, particularly in relation to the relaxation of data residency rules and a likely decrease in the number of information requests through the imposition of application fees. However, the full impact of the changes will only be able to be assessed once the Bill is finalized, and the associated regulations and ministerial orders are issued.
As shown in the Bill, the changes to FOIPPA can be difficult to follow. We have created a “blacklined” version of FIPPA, which shows the changes in context. To obtain a copy, please email the author at email@example.com.
If you have any questions about these changes or in respect of FOIPPA more generally, please contact a member of our Privacy or Higher Learning practice groups.