BC Ministry relaxes data residency requirements under FIPPA

On March 26, 2020, the Minister of Citizens’ Services issued an order under section 33.1(3) of the Freedom of Information and Protection of Privacy Act (FIPPA) relaxing certain requirements under FIPPA during the COVID-19 crisis.

FIPPA ordinarily requires public bodies to access and store personal information only within Canada except in limited circumstances.  That requirement restricts public bodies in their ability to use cloud service tools that store or route information outside of Canada.

The Order provides public bodies with greater latitude to use online and cloud service tools for the purposes of complying with public health recommendations concerning social distancing during the COVID-19 outbreak.  The Order also authorizes health care bodies to share personal information for purposes related to managing and responding to the COVID-19 pandemic.

Who the Order Applies to

The Order applies to all public bodies that are governed by FIPPA.  This includes public sector institutions such as ministries, schools, health authorities, hospitals, municipalities, regulatory bodies and many social services and crown corporations, as well as their service providers.

The Order does not apply to or change the status quo for private sector organizations that are governed by the Personal Information Protection Act.

Scope of the Order

The Order enables public bodies to use online and cloud service tools that store information outside of Canada for the purposes of complying with public health directions during the COVID-19 crisis.

The Order applies when:

  • The third-party tools or applications are being used to support and maintain the public body’s programs or activities;
  • The tools or applications are supportive of public health recommendations and requirements to minimize the transmission of COVID-19; and
  • Any disclosure of personal information is limited to the minimum amount of personal information reasonably necessary for the performance of the duties of the public body’s employees and officers.

The Order and Public Health

The Order also contains express provisions related to storage of and access to personal information by health care bodies.  While the Order does not create any new authorities for health care bodies to share information, it does support the ability of health care bodies to be more flexible in the tools and methods they use to deliver and coordinate health care services during the pandemic.

Under the Order, health care bodies are authorized to access and store information inside and outside Canada for the following purposes:

  • to communicate with individuals respecting COVID-19;
  • to support the public health response to COVID-19; and
  • to coordinate care during the COVID-19 pandemic.

Duration of the Order

The Order extends only until June 30, 2020 (unless extended or rescinded), and was enacted only for the purposes of supporting public bodies in their efforts to facilitate remote working and service delivery arrangements during the COVID-19 crisis.

Practical Effects

Practically speaking, this order will enable front-line health care providers to use and deploy pandemic-related information quickly and to coordinate the delivery of care efficiently in response to the COVID-19 pandemic.

It will also allow B.C. public bodies that provide services (e.g. schools and post-secondary institutions) to utilize a broader array of online learning platforms as a result of the suspension of in-classroom learning due to the need for social distancing.

Finally, it will help support the remote work being done by thousands of employees of public bodies who are complying with the PHO’s recommendations for social isolation and social distancing.

The Order Does Not Diminish Data Security Obligations

The Order does not eliminate a public body’s obligations to ensure that the personal information it collects and maintains is secure against risks such as loss, theft, unauthorized collection, use or disclosure.  Accordingly, even when cloud-based tools are used in reliance on the Order, public bodies must still ensure that third party providers have appropriate data security practices in place.  Employees should also be instructed about how to use such tools in a way that is compliant with this broader privacy obligation.

Note to our Readers: Information regarding COVID-19 is rapidly evolving. We are working to bring you up-to-date articles as the legal issues develop and to keep our previous posts updated. Given that the legal issues related to COVID-19 are constantly changing, if you are looking for legal advice or are dealing with an issue in relation to COVID-19, please contact your Harris lawyer or a member of our COVID-19 response team: Sari Wiens, Ilan Burkes, Nicole Toye or Jessica Fairbairn.