Bill 22: Amendments to the Freedom of Information and Protection of Privacy Act
BC’s Freedom of Information and Protection of Privacy Act RSBC 1996, c 165 (“FIPPA”) governs how public bodies collect, use and disclose the personal information of individuals. FIPPA also establishes an individual’s right to access records in the custody or control of a public body. The purpose of FIPPA is to hold public bodies accountable for their information practices by making security arrangements against unauthorized access, collection, use, disclosure or disposal of information (OIPC, Guide to Access and Privacy Protection under FIPPA).
On November 25, 2021, Bill 22, Freedom of Information and Protection of Privacy Amendment Act, 2021 (“Bill 22”) became law, bringing into force significant amendments to FIPPA. The stated purpose of Bill 22 was to strengthen government accountability and transparency, enhance public sector privacy protections, and increase information sharing with Indigenous peoples while limiting harmful disclosure. The Government’s position was that Bill 22 would help BC’s public sector keep pace with advancements in technology and provide the level of service that people expect in the digital era. However, some aspects of Bill 22 were the subject of fierce debate and solicited critique from the Information and Privacy Commissioner for British Columbia (the “Commissioner”). Key concerns include the substance and timing of key regulations which may impact data residency and data linking, as well as the imposition of a new $10 application fee for access to information requests made under FIPPA.
Although FIPPA does not directly apply to private sector entities, the amendments will impact businesses and organizations who provide services or products to public bodies in BC which are governed by the legislation. This article will focus on these potential impacts. Most significantly, Bill 22 creates uncertainty as to how changes surrounding data residency and privacy management will impact service providers to public bodies in BC.
What are the principal changes?
The following are the key changes to FIPPA brought in by Bill 22:
- requiring each public body to develop a privacy management program;
- requiring each public body to notify an affected individual and the Commissioner if a privacy breach could reasonably be expected to result in significant harm to the individual;
- repealing the prohibition on the storage and access to personal information outside of Canada;
- introducing new privacy offences and penalties that apply to individuals, service providers and their employees and associates; and
- allowing authorities to charge an application fee for access to information requests.
Section 25 of Bill 22 creates a requirement that public bodies notify affected individuals, and the Commissioner, if such individuals’ personal information is subject to theft or loss, or unauthorized collection, use or disclosure when it is in the custody or under the control of a public body. A notification is required if the privacy breach is expected to result in significant harm to the individual, including identify theft, significant bodily harm, humiliation, damage to reputation or relationships, or financial loss. The method of making a notification is left to regulations which have yet to be enacted.
Data residency
Prior to Bill 22, FIPPA required that personal information in the custody or control of a public body be stored and accessed only in Canada, subject to limited exceptions. This requirement effectively prohibited a public body from engaging a service provider without a data centre in Canada. This restriction greatly limited the ability of public bodies to leverage the technological innovations of foreign businesses to better serve British Columbians. In response to the ongoing COVID-19 crisis, the Minister of Citizens’ Services had previously issued a Ministerial Order under section 33.1(3) of FIPPA relaxing the territorial restrictions on the foreign access to and storage of personal information. The effect of this Order was to allow public bodies to deliver digital services using remote access tools throughout the pandemic.
Taking these changes further, Bill 22 repealed the data residency requirements and now public bodies may disclose and store personal information outside of Canada. We expect additional data residency requirements in respect of specific types of personal information to be brought into force as regulations under FIPPA in 2022. We note that as of writing this bulletin, no draft regulations have been published.
This change greatly expands public bodies’ ability to leverage a broader set of tools and technologies. However, leaving additional data residency rules subject to regulation has been challenged in parliamentary debates, with the Commissioner expressing concern that this may leave British Columbians with no protection and no opportunity for public consultation.
Offences
Bill 22 makes it an offence for a person to: (a) wilfully mislead, obstruct or fail to comply with the Commissioner in handling personal information of individuals; (b) wilfully conceal, destroy or alter records to avoid compliance with a request for access; or, (c) wilfully fail to comply with the collection, use, disclosure or notification requirements under FIPPA. The penalties for being convicted under these new offences include fines of up to $50,000 for an individual and up to $500,000 for corporations. Bill 22 also provides for director and officer liability for such offences; if a corporation commits an offence, an officer, director, or agent of the corporation who authorizes, permits or acquiesces in the commission of the offence also commits an offence, whether or not the corporation is prosecuted for the offence.
Conclusion
With the passing of Bill 22, the BC government has made fundamental amendments to FIPPA. Importantly for service providers, these amendments will open the door for foreign businesses to more easily bid on public sector contracts in British Columbia. They also introduce new privacy breach and privacy management requirements that may increase public confidence in the government as a result of more stringent regulation. It is important for service providers working with public bodies in British Columbia to monitor the legislative progress of the accompanying regulations, as they are likely to introduce additional requirements that will likely affect the permissible scope of activities.
This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.