The amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) late last year ushered in a new era for the BC public sector, providing BC public bodies with the flexibility to store personal information outside of Canada. While this is a significant step forward from the previous “data residency” rules, which prohibited access and storage of personal information outside of Canada except in limited circumstances, this new regime presents public bodies with new challenges to navigate.
The new more permissive regime
In the aftermath of the FIPPA amendments, public bodies have been presented with a far more permissive legislative framework.
With respect to access, the stringent restrictions on access to personal information by individuals located outside of Canada have been entirely removed from FIPPA. As a result, public bodies are now able to, for example, allow contractors and consultants located outside of Canada to remotely access personal information stored in a public body’s internal systems or other Canadian-based servers. Under the previous rules, this type of access was limited to narrow circumstances, such as where an electronic system was being implemented or required maintenance, as opposed to access for day-to-day operations.
As for the restrictions on disclosure of personal information outside of Canada, these data residency rules have been overhauled. Rather than prohibiting this practice in all but the narrowest circumstances, FIPPA now permits public bodies to disclose personal information outside of Canada where that disclosure is in accordance with the regulations. The current regulations, the Personal Information Disclosure for Storage Outside of Canada Regulation, require public bodies to undertake a privacy impact assessment for any initiatives where sensitive personal information is disclosed for storage outside of Canada.
What is “sensitive” personal information?
Despite setting out a path to authorizing the storage of sensitive personal information outside of Canada, the regulations do not provide any guidance as to what type of personal information is considered “sensitive”. As a result, public bodies are required to look beyond FIPPA and its regulations to fill this gap.
Generally speaking, certain types of personal information will almost always be considered sensitive, such as medical, financial, genetic and biometric information. However, the Canadian Privacy Commissioner’s recently issued Interpretation Bulletin, which provides a helpful guidance even if it is not directly applicable to FIPPA, notes that “any personal information can be sensitive depending on the context”. For example, otherwise innocuous information, such as data included in software tracking logs, could be sensitive if it reveals details about personal activities or preferences.
Ultimately, the regulations put the onus on public bodies to assess the sensitivity of all personal information at the outset of any initiative that may involve the storage of personal information outside of Canada.
PIAs and Risk-Based Decision Making
Where a public body is exploring an initiative involving storage of sensitive personal information outside of Canada, the regulations require the public body to undertake an assessment of the initiative in a Privacy Impact Assessment (PIA) conducted under section 69 of FIPPA. In connection with the FIPPA amendments, new directions on conducting PIAs for Ministries and Non-Ministry Public Bodies have been put in place.
Each of these documents contains directions on how the “disclosure for storage” assessment must be conducted. In particular, public bodies are required to identify privacy risks, and any mitigation measures, associated with the disclosure outside of Canada, including by examining the following factors:
- the likelihood of occurrence of an unauthorized collection, use, disclosure, or storage of personal information;
- the impact to an individual(s) of an unauthorized collection, use, disclosure, or storage of personal information;
- whether the personal information is stored by a service provider; and
- where the personal information is stored.
With respect to the final bullet, and the broader obligation to make reasonable security arrangements to protect personal information, BC public bodies now need to review the legal protections (or lack thereof) afforded to personal information under the laws of the country in which it is stored. As the BC Privacy Commissioner noted in a recent guidance document, a public body will not likely be able to meet its section 30 obligations where personal information is “processed or stored in a jurisdiction that does not respect the rule of law, has no privacy laws, or those laws are inadequate.”
Upon completion of the above assessment, the directions require the public body to make a risk-based decision as to whether or not to proceed with storing that sensitive personal information outside of Canada.
The changes to the access and storage provisions of FIPPA have opened up exciting opportunities for the BC public sector to take advantage of technology and service offerings that would not have been available under the previous rules. However, the new rules, and in particular those relating to storage, require public bodies to exercise due diligence and assess risk in a manner that was not required under the prior Canada-only regime.
If you have any questions about the new access and storage rules, or about FIPPA more generally, feel free to reach out to a member of our Privacy Team.