On October 18, 2021, the Provincial government introduced Bill 22: the Freedom of Information and Protection of Privacy Amendment Act, 2021. The Bill was introduced in the Legislature by the Honourable Lisa Beare, the Minister of Citizens Services, who explained that the Bill’s purpose is to modernize the Freedom of Information and Protection of Privacy Act, which has not been updated within the last decade. Notably, Bill 22 includes provisions that amend British Columbia’s data residency requirements, impose obligations on public bodies to create a privacy management program, and incorporate mandatory breach reporting obligations.
The proposed and most notable changes to the Freedom of Information and Protection of Privacy Act (the “Act”) set out in the Bill are as follows:
- Proposed Repeal of Foreign Access and Storage & Foreign Demands for Disclosure
One of the most significant aspects of the Bill, is that it proposes the repeal of the existing prohibition on the storage of and access to personal information outside of Canada, first enacted in 2004, and the obligation to report foreign demands for disclosure. This will significantly enhance the ability of public bodies to engage in cloud computing or internet based initiatives where the internet service provider does not currently operate or store data in Canada. However, the Bill also makes clear that further regulations will be issued governing the circumstances in which trans-border flows of personal information may take place. Accordingly, we can expect that trans-border data flows, while not prohibited, would under the Bill continue to attract greater obligations in order to address the increased risk.
- Privacy Management Program and Privacy Impact Assessments
The Bill creates new obligation on public bodies to develop a “privacy management program”. While most public bodies already have a privacy management program in place, the Bill makes clear that the Minister of Citizen’s services would have the ability to specifically prescribe terms as to the nature, scope and requirements of such programs.
The Bill also potentially broadens the obligation of non-ministry public bodies to conduct privacy impact assessments (PIAs). Where previously, the Act only made PIA’s mandatory for non-ministry public bodies in connection with data-linking initiatives and common and integrated programs, the Bill would give the Minister authority to instruct non-ministry public bodies not just how to perform a PIA, but when to do so.
- Privacy Breach Reporting
The Bill also seeks to enact long expected obligations to notify individuals of and report privacy breaches if they could “reasonably be expected to result in significant harm” to affected individuals, including in the event of bodily harm, humiliation, reputational damage, financial loss, credit record impacts, and damage to or loss of property. These changes mirror legislative changes that have already been enacted by the federal and other provincial governments in Canada.
- Changes to the Access Provisions of the Act
The Bill creates several new and significant changes to the freedom of information access provisions of the Act, some of which seek to reduce the overall burden on public bodies. These include:
- Excluding a right to make access requests for some categories of records, such as those available to the public for purchase, those that do not relate to the business of the public body, those comprising metadata, and records that have been lawfully deleted by an employee of a public body.
- Creating a new mandatory exception to disclosure and an obligation to consult under Part 2 of the Act, for information that could reasonably be expected to harm the rights of an Indigenous people to maintain their cultural heritage or traditional culture expression;
- Expanding the circumstances in which public bodies may ask the Commissioner under section 43 to authorize the public body to ignore a request, including for requests that are excessively broad;
- Expanding the authority of public bodies to charge fees for access requests, including the ability to charge a new “application fee” in a prescribed amount;
- Making it an offence to willfully evade access requests, including by concealing, destroying or altering any record to avoid complying with an access request.
The Bill also speaks to the obligations under sections 70 and 71 of the Act to make information available to the public without a request. It adds an ability for public bodies to sever records made available to the public without a request, provided that the document includes a statement disclosing the fact of, nature and reasons for the severing. This means that public bodies can choose to make records publicly available even if only part of the record is to be disclosed.
- Information Sharing with Indigenous Government Entities
The Bill provides new provisions authorizing the disclosure of personal information to Indigenous governing entities. Such provisions should increase the quality of data available to and streamline the ability of governmental bodies to work collaboratively with Indigenous government entities by facilitating the sharing of personal information with them.
- New Privacy Offences
The Bill also creates new privacy offences, including by making it an offence to collect, use or disclose personal information “willfully” in violation of the Act. Liability is imposed both at the personal and corporate or institutional level, and allows for fines of up to $50,000 for individuals and $500,000 for corporations.
The Information and Privacy Commissioner of British Columbia has already issued a statement commenting on the changes, and expressing reservations about, among other things, the proposed repeal of British Columbia’s data residency laws without clear controls in place to ensure the protection of personal information that public bodies would, under the terms of the Bill, now be permitted to store and access outside of Canada.
It remains to be seen what additional changes may be incorporated as the Bill proceeds through second and third reading. Additionally, some of the significant new changes proposed by the Bill will be informed by ministerial directions and regulations still to be developed and promulgated.
Stay tuned. . . .
If you have any questions about this article, please contact Suzanne Kennedy.
