By Sean Marzinzik
FIPPA is the privacy legislation that governs public bodies in B.C. and the provincial government announced changes to the Freedom of Information and Protection of Privacy Act (“FIPPA”) on October 18, 2021. Bill-22 includes several noteworthy proposed amendments.
Change to requirement to keep personal information in BC
The law in the province under FIPPA currently requires public bodies to store and access personal information in Canada unless a specific exemption applies. Barring permission from the individual, the exemptions permitting access and disclosure of personal information outside of Canada are typically limited in scope and narrow.
However, since the onset of COVID-19, the Ministry of Citizen Services has continuously issued and re-issued a ministerial order overriding the data localization requirements set out in FIPPA in order to allow public bodies to use technologies aimed at combating the pandemic that would otherwise not meet the requirements set out in FIPPA.
Bill-22 proposes to change this permanently by allowing public bodies to disclose personal information outside of Canada in accordance with any regulations made by the minister. The regulations are not yet known but the government has stated that its intent is to the increased use of digital technologies.
Interestingly, it is worth pointing out that the privacy rights of Indigenous peoples are preserved such a disclosures reasonably expected to harm the rights of an Indigenous people in respect of cultural heritage, traditional knowledge, traditional cultural expressions or manifestations of sciences, technologies or cultures are prohibited. Public bodies will continue to be able to overcome this requirement by obtaining the Indigenous peoples’ consent in writing.
Fees for Access requests
The amendments will also allow public bodies to charge application fees for access requests unless the request is for personal information.
Mandatory breach reporting
The proposed amendments would create a statutory obligation for public bodies to report privacy breaches with a risk of “significant harm” to affected individuals in additional to the Office of the Information and Privacy Commissioner. Such a requirement does not currently exist under FIPPA.
The proposed changes introduced by Bill-22 is the provincial government’s latest attempt to allow public bodies to use modern technology by providing greater flexibility under the legislative framework.
However, this does not mean that employers or employees should deviate from best practices regarding the protection of personal information. Employers should continue to review and follow their policies relating to the privacy of their staff and client’s personal information.
Please contact one of the employment lawyers at Kent Employment Law should your organization have any questions on this or any other employment matter.