On October 18, 2021, Bill 22, the Freedom of Information and Protection of Privacy Amendment Act, 2021, was introduced in the Legislative Assembly and is now at first reading.
The Bill seeks to make changes to British Columbia’s public sector privacy law, the Freedom of Information and Protection of Privacy Act (“FIPPA”) including loosening of the requirement that British Columbia public bodies, and service providers to those public bodies, keep personal information within Canada.
We have created a blackline of FIPPA showing the proposed changes, available here. We summarize the key proposed amendments below.
Summary of main proposed changes
Processing of personal information outside of Canada
Currently, personal information held by bodies subject to the law must remain within Canada, as there are restrictions in place to restrict the flow of the personal information outside of Canada.
The Bill proposes repealing the provisions prohibiting the storage and access outside of Canada, while the provisions regarding the disclosure of personal information would also be repealed, but re-enacted in a single section, where a requirement is added that disclosures to recipients outside of Canada be in accordance with regulations. These proposed regulations will seek to establish the measures that must be taken by public bodies in respect to programs, projects and systems in which personal information is disclosed outside of Canada. (sections 17 and 21)
Privacy management programs
Public bodies would now be required to develop a privacy management program in accordance with the directions of the minister, which is a new requirement. (section 25)
Privacy breach notification
New privacy breach notification requirements have also been proposed under the Bill. If a privacy breach involving personal information in the custody or under the control of a public body occurs, the public body will be required to notify without unreasonable delay, the affected individuals if the privacy breach could reasonably be expected to result in significant harm to the individual. Parameters for the assessment of significant harm are listed and include identity theft or significant:
(i) bodily harm,
(iii) damage to reputation or relationships,
(iv) loss of employment, business or professional opportunities,
(v) financial loss,
(vi) negative impact on a credit record, or
(vii) damage to, or loss of, property.
A notification to the commissioner will be required if the privacy breach could reasonably be expected to result in significant harm, and the commissioner may notify affected individuals.
This accords generally with the “real risk of significant harm” test found in the federal private sector privacy law and Alberta’s private sector privacy law, both of which have had mandatory reporting and notification provisions for some time now.
Clarification of Privacy Impact Assessment requirements
The Bill clarifies the existing requirements for privacy impact assessments by requiring that they be conducted by all public bodies and ministries to determine if a current or proposed enactment, system, project, program or activity meets or will meet the requirements under the law. (section 38)
A similar clarification is made for health care bodies. Privacy impact assessment will be required in relation to health information banks in the custody or under the control of health care bodies, and health information-sharing agreements to which the health care bodies are parties. (section 39)
The Bill specifies in all instances that these privacy impact assessments will need to be conducted in accordance with the directions of the minister.
New exception for the disclosure of personal information that may harmful to interests of an Indigenous people
In addition to changes to the terminology used in relation to Indigenous people and governments and the changes to non-inclusive language, an exception to the disclosure of personal information was added in respect to the rights of an Indigenous people, where the public body may refuse to disclose some information if it could reasonably be expected to harm rights of an Indigenous people to maintain, control, protect or develop Indigenous people’s cultural heritage, traditional knowledge, traditional cultural expressions or manifestations of sciences, technologies or cultures. (section 9)
Expanded bases on which to disregard access or correction requests
Upon request, the commissioner may authorize the public body to disregard an individual’s access or a correction request because it is frivolous or vexatious, because it is for a record that has been disclosed to the applicant or that is accessible by the applicant from another source, or because responding to the request would unreasonably interfere with the operations of the public body due to it being either excessively broad, repetitious or systematic. (section 27)
Application fee for freedom of information requests
Currently, a public body may require that an individual making a request pay fees, depending on the circumstances. However, the Bill now allows a public body to require that an individual making a request for access to non-personal information pay a flat fee for the application. (section 44)
A new Part is added to the Bill specifically for offences, which include new offences under FIPPA. Offences under the Bill include to:
- wilfully mislead, obstruct or fail to comply with commissioner;
- to wilfully evade access provisions; and
- specified privacy offences.
The specified privacy offences include:
- The deliberate and unauthorized collection, use or disclosure of personal information, as well as the deliberate failure to notify the head of a public body of unauthorized disclosure as required by the Act, by an individual, other than an individual who is a service provider or an employee or associate of a service provider;
- The deliberate and unauthorized collection, use or disclosure of personal information, and the deliberate failure to notify the head of a public body of unauthorized disclosure as required by the Act, by a service provider, an employee or an associate of a service provider, as well as if a service provider or an employee or associate of a service provider dismisses, suspends, demotes, disciplines, harasses or otherwise disadvantages an employee, or denies the employee a benefit, because the employee has done, or the employer believes that the employee will do, anything described in the whistleblower protection provision under the Act;
- If an employee or an associate of the service provider commits any of the offences, the service provider commits an offence.
A defence to the offences specific to service providers, employees of service providers and associates of service providers in included in the Bill, when the person charged can demonstrate that due diligence was exercised to avoid committing the offence.
If a corporation commits an offence to wilfully evade access provisions or a privacy offence, an officer, director or agent of the corporation who authorizes, permits or acquiesces in the commission of the offence also commits an offence, whether or not the corporation is prosecuted for the offence. (section 35)
The penalties are significantly increased for individuals as well as service providers, including partnerships that or individuals who are service providers.
A person who commits an offence to wilfully mislead, obstruct or fail to comply with the commissioner will be liable on conviction to a fine of up to $50,000.
A person who commits an offence to wilfully evade the access provisions or commits a privacy offence will be liable on conviction, to a fine of up to $50,000 for individuals and service providers (that are not corporations) or to a fine of up to $500,000 for corporations.
The time limits to commence a prosecution remain the same and are limited to one year after the date on which the act or omission that is alleged to constitute the offence occurred, or if the minister issues a certificate described in the provision, the time limit for prosecution is one year after the date on which the minister learned of the act or omission. (section 37)
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.