British Columbia Modifies Data Residency Requirements in Response to COVID-19


British Columbia has temporarily modified its Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (“FIPPA”) to lift a requirement that personal information handled by public sector agencies, and service providers to those public sector agencies, be kept in Canada.

Under the Order, made on March 26, 2020, “health care bodies”, the Province and certain provincial health-related authorities and ministries may now disclose personal information inside or outside of Canada in accordance with s. 33.2(a) and (c) of FIPPA on the condition that the disclosure is necessary:

a. for the purposes of communicating with individuals respecting COVID-19,
b. for the purposes of supporting a public health response to the COVID-19 pandemic, or
c. for the purposes of coordinating care during the COVID-19 pandemic.

A similar provision now allows a public body to disclose personal information inside or outside of Canada in accordance with s. 33.2(a) or (c) of FIPPA “through the use of third-party tools and applications” on the condition that the disclosure is for the following purposes:

a. the third-party tools or applications are being used to support and maintain the operation of programs or activities of the public body or public bodies,
b. the third-party tools or applications support public health recommendations or requirements related to minimizing transmission of COVID-19 (e.g. social distancing, working from home, etc.), and
c. any disclosure of personal information is limited to the minimum amount reasonably necessary for the performance of duties by an employee, officer or minister of the public body.

For the purposes of the Order, “third-party tools and applications” includes “any software developed and maintained by a third party and which is used to enable communication or collaboration between individuals.”

Note that this section is not limited to health providers, but applies to broader public bodies. In its news release on the changes, the British Columbia government contemplates both health services public bodies as well as educational institutions:

British Columbia has the strictest privacy and data-residency laws in Canada. It is one of only two Canadian provinces with legislation requiring the personal information of its citizens to be stored in and only accessed from within Canada. The ministerial order temporarily permits health-care bodies like the Ministry of Health, the Ministry of Mental Health and Addictions, and health authorities to use communication and collaboration software that may host information outside of Canada. The order also enables B.C. schools and post-secondary institutions to provide online learning for students who have been displaced due to the need for physical distancing.

There are some limits and conditions on this new ability to move personal information outside of Canada. For instance, a public body is prohibited from relying on these new provisions unless it is satisfied that with respect to the information disclosed:

a. the third-party application is reasonably secure in compliance with s. 30 of FIPPA; and
b. the public body makes all reasonable efforts to remove personal information which is collected, used or disclosed using a third-party application from the third-party application as soon as is operationally reasonable and the public body retains and manages the information, as required by law.

The Order will remain in effect until June 30, 2020 and may be rescinded or extended at that time.

Extension to response time to access requests for public bodies

In another development, the Privacy Commissioner of British Columbia has issued a decision extending the period by which public bodies must respond to access requests.

Given the COVID-19 situation, the Privacy Commissioner concluded “that it is fair and reasonable to, under s. 10(2)(b) of FIPPA [to] grant the head of each public body in British Columbia permission to extend the time provided under FIPPA to respond to a request for access to records”.

There are conditions here as well:

  1. This permission applies only to requests for access to records that a public body receives between March 1, 2020 and April 30, 2020.
  2. An extension of time under this permission must not exceed 30 days from the later of:
    (a) the date on which the time for response provided in s. 7(1) of FIPPA ends; or
    (b) if an extension is made under s. 10(1) of FIPPA, the date on which that extension ends.

An extension made under this permission is in addition to any extension of time that a public body is authorized to make under s. 10(1) of FIPPA. A public body may also apply to the Privacy Commissioner for further permission to extend the time for response.

For more information about Dentons’ data expertise and how we can help your business manage privacy and information during the COVID-19 pandemic, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.