The NDP government’s new proposal to allow British Columbians’ private data to be stored outside Canada is “exceedingly troubling,” the province’s information and privacy commissioner said Oct. 18.
The NDP government has unveiled Freedom of Information and Protection of Privacy Act (FIPPA) amendments it said will help people access services faster while strengthening privacy protections.
“We’re making changes today to keep pace with advancements in technology and provide the level of service that people expect in the digital era,” Minister of Citizens’ Services Lisa Beare said.
Information and Privacy Commissioner Michael McEvoy called the changes the first set of comprehensive amendments to FIPPA in at least the last decade. Some, though, raise red flags for him, including the control of document destruction.
“It is imperative that our laws keep pace with public demand for greater accountability on the part of our public bodies,” he said. “It is also important that the personal information those bodies collect from our citizens be properly protected in light of rapidly evolving digital technologies.
“The amendments go some ways to strengthen privacy protections by mandating new requirements for privacy management programs, mandatory breach notification, so-called ‘snooping offences,’ and privacy impact assessments,” McEvoy said. “These are welcome advances that put public bodies in a better position to safeguard our privacy.”
Among the changes are:
- updating FIPPA’s data-residency provisions so public bodies can use modern tools while continuing to protect personal information;
- enhancing public-sector privacy protections and increasing accountability by implementing mandatory privacy-breach reporting;
- introducing a modest application fee for non-personal freedom of information (FOI) requests; and
- demonstrating the province’s commitment to diversity, inclusion, reconciliation and equity by increasing information sharing with Indigenous peoples, adding Indigenous cultural protections and removing non-inclusive language.
Further, enhancements to mandatory breach reporting will require privacy management programs and clarify requirements for public bodies’ privacy impact assessments. Proposed amendments will increase penalties and also introduce new penalties including those for knowingly accessing information without authorization.
As well, said the ministry in a news release, data-residency requirement changes will bring СÀ¶ÊÓƵ in line with other jurisdictions by removing restrictions preventing access to digital tools and technologies.That means data will not be required to be stored in СÀ¶ÊÓƵ
That has raised concerns in the past when there were fears legislation in countries where data was stored could allow those countries to seize such data. A primary example cited in such fears was the U.S. Homeland Security Act.
The government said the residency change would allow public bodies “access to technologies and streamline service delivery for public bodies. For example, greater access to cloud-based services will improve СÀ¶ÊÓƵ’s post-secondary institutions’ ability to attract students by allowing them to use cloud-based education tools offered outside of СÀ¶ÊÓƵ”
The government allowed such outside uses starting at the start of the COVID-19 pandemic to allow for virus data sharing and for students to use online learning tools. The allowance was made under a 2020 ministerial order.
McEvoy is not keen on the residency change. He calls it “exceedingly troubling . . . that government now proposes to allow public bodies to send British Columbians’ personal information outside Canada without explaining how they will properly protect it.”
“Without concrete alternative protections for people’s data, the government is effectively asking the Legislative Assembly for a blank cheque to eliminate the current restrictions on public bodies accessing and storing people’s personal information outside of Canada,” McEvoy said.
СÀ¶ÊÓƵ Tech Association CEO Jill Tipping doesn’t share the commissioner’s concerns.
“This is a positive development from government that СÀ¶ÊÓƵ’s tech industry welcomes,” Tipping said. “The changes to СÀ¶ÊÓƵ’s data residency requirements will allow local companies to leverage cutting-edge technology to help СÀ¶ÊÓƵ’s public sector deliver the modern tools that citizens expect with the privacy protections they need.”
Jennifer Burns, associate vice-president, information technology and chief information officer, University of British Columbia also approved the changes.
“They will substantially increase the privacy and security of personal data with more robust and resilient services by allowing us to select the most secure and effective solutions,” she said.
Vancouver Coastal Health also welcomed the data residency change.
“These changes not only provide more flexibility and opportunity to implement the best available technologies to improve health-care services, but they also enable us to access the most robust technology solutions to secure sensitive health-care data and protect patient privacy.”
McEvoy also expressed concerns about protecting government records from destruction.
“While making it an offence to wilfully destroy records to avoid complying with an access request is a welcome change, greater clarity is needed to capture improperly destroying a record before someone specifically requests it,” McEvoy said.
And, he’s also concerned about the government proposal to exclude from the public’s right of access, information deleted by a public body as well as public bodies for the first time being allowed to charge a flat upfront fee for access to records.
“Finally, while I support some of the proposed changes, this is a lost opportunity for government to promote greater accountability and transparency, especially by the bill’s failure to provide comprehensive oversight of record destruction and inattention to longstanding calls for reform of advice and recommendations exceptions,” McEvoy said.