2021
Government Tables Significant Updates to the Freedom of Information and Protection of Privacy Act
The provincial government has revealed the most significant changes to the Freedom of Information and Protection of Privacy Act (FIPPA) in a decade. We believe local governments will be pleased with several of the proposed amendments, while others will introduce new burdens.
Key highlights of those changes, found in Bill 22 – 2021: Freedom of Information and Protection of Privacy Amendment Act, 2021 (“Bill 22”), are outlined below.
Bill 22, which was tabled yesterday in the Legislative Assembly, can be found here: https://www.leg.bc.ca/parliamentary-business/legislation-debates-proceedings/42nd-parliament/2nd-session/bills/first-reading/gov22-1.
Repeal of the In-Canada Requirements for Personal Information
A welcome and significant change will be the repeal of section 30.1, which at present prohibits storage of or access to personal information outside Canada. This change will enhance local governments’ ability to adopt cloud-based technologies, which can help improve services while reducing costs.
We note, however, that a new section 33.1(1) will permit disclosure of personal information “outside of Canada only if the disclosure is in accordance with the regulations, if any, made by the minister responsible for this Act.” No information is available now about what the regulations might require, but we expect they will include a requirement to conduct a privacy impact assessment (PIA), and to protect personal information using technical or contractual measures, or both. If the required measures are tailored to risk—according to the sensitivity of the information involved, for example—we are reasonably confident that they will not get in the way of efficiency and innovation.
Fees for Access Requests
Public bodies will be able to charge “a prescribed application fee” to anyone making an access request. This will be in addition to the fees that already can be levied under section 75. Other Canadian laws provide for application fees, ranging from $5.00 to $25.00 for each request. These fees may help reduce the numbers of requests that are made.
Updates to Section 43 – Permission to Disregard Access Requests
There will be two new grounds for applying to the Information and Privacy Commissioner, under section 43, for permission to disregard access requests. One is where “the request is for a record that has been disclosed to the applicant or that is accessible by the applicant from another source”, and another is where “responding to the request would unreasonably interfere with the operations of the public body because the request…is excessively broad”. We are hopeful that this change will increase the chances of successfully applying for relief under section 43.
New Requirements for Privacy Management Programs
Local governments and other public bodies will have new duties in managing their privacy practices. A new section 36.2 will require public bodies to “develop a privacy management program for the public body…in accordance with the directions of the minister responsible for this Act.” No details are available at this time about what the directions will require.
Many public bodies have already implemented such programs, which the Office of the Information and Privacy Commissioner’s best-practices guidance has called for since 2013. While creating and implementing a program obviously will impose some operational burdens, such programs can help reduce the risks of privacy breaches and complaints about inappropriate practices.
New Privacy Breach Notification Requirements
Many privacy laws require public bodies to notify affected individuals of privacy breaches. This will soon be the case for BC’s local governments. A new section 36.3 will require public bodies to notify affected individuals, and the Information and Privacy Commissioner, of certain breaches. Section 36.3 will define “privacy breach” as “the theft or loss, or the collection, use or disclosure that is not authorized by this Part [3], of personal information in the custody or under the control of a public body.”
You will have to give notice “without unreasonable delay” if the privacy breach could reasonably be expected to result in “significant harm” to the individual, including identity theft or other harms described in section 36.3(2). The other kinds of harm are as follows: bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; negative impact on a credit record; and damage to, or loss of, property.
New Mandatory Access to Information Exception
A new mandatory access to information exception, under section 18.1, will require public bodies to refuse to disclose information if the disclosure “could reasonably be expected to harm the rights of an Indigenous people to maintain, control, protect or develop cultural heritage; traditional knowledge; traditional cultural expressions; or manifestations of sciences, technologies or cultures. This prohibition does “not apply if the Indigenous people has consented in writing to the disclosure.” The term “Indigenous people” will be defined in Schedule 1 to FIPPA. Further, formal third-party notification under section 23 will apply to section 18.1 situations.
New Offence
Section 65.3 will create the following offence: “A person who wilfully conceals, destroys or alters any record to avoid complying with a request for access to the record commits an offence.”
Clarity Regarding Privacy Impact Assessments
On a lesser note, Bill 22 will clarify that section 69(5.3) requires non-ministry public bodies, including local governments, to conduct PIAs. The existing language of section 69(5.3) states that the “head of a public body that is not a ministry must conduct a privacy impact assessment in accordance with the directions of the minister”. This left uncertainty about whether there is a positive duty to conduct a PIA at all. The new language of section 69(5.3) will take care of this: it will provide that the “head of a public body that is not a ministry must conduct a privacy impact assessment and must do so in accordance with the directions of the minister”. Further, a new section 69(10) will authorize the minister to impose different PIA “directions for different categories of personal information.”
What’s Next?
In closing, we note that a special committee of the Legislative Assembly is embarking on a statutory review of FIPPA, and this process is likely to lead to even more recommendations for reform. Whether the government will implement any recommendations remains to be seen. In the meantime, we will update you on relevant Bill 22 developments as the Bill proceeds through the legislative process.
David Loukidelis & Amy O’Connor