Proposed Changes to FIPPA: Two Steps Forward, One Step Back

Proposed Changes to FIPPA: Two Steps Forward, One Step Back

On October 18th, 2021, the British Columbia government introduced a bill (“Bill 22”) to amend the Freedom of Information and Protection of Privacy Act (“FIPPA”).[1] Bill 22 is intended to strengthen government accountability and transparency, enhance public sector privacy protections, and increase information sharing with Indigenous peoples while limiting disclosure that may harm them.[2] However, the proposed amendments raise some questions regarding transparency and data residency, and introduce potential uncertainty regarding the rules for public sector technology service providers.

The Proposed Changes

Bill 22 introduces a number of new requirements for managing and protecting privacy:

• A privacy management program must be developed for each public body.[3]
• Notification to any affected individual is required for privacy breaches involving personal information in the custody or control of a public body.[4]
• All public healthcare bodies must conduct a privacy impact assessment.[5]
• Disclosure must be refused where it could reasonably be expected to harm the rights or abilities of Indigenous persons to protect or control their cultural heritage, cultural expression, and traditional knowledge.[6]

These requirements were identified as a result of the heightened need to provide safe and convenient online services following the COVID-19 pandemic while simultaneously keeping pace with other jurisdictions and new technology.[7] Other changes are purported to increase government transparency. However, these changes were all introduced alongside the removal of the Office of the Premier as a designated “public body”,[8] and the introduction of a fee for all non-personal information requests.[9] These changes are questionable as to their intent and move the British Columbia government unnecessarily away from its purported goals of increased accountability and transparency.

To further the protections afforded by FIPPA, Bill 22 also makes it an offence to:

• make a false statement to, wilfully mislead, obstruct the duties of, or fail to comply with the privacy commissioner;
• willfully conceal, destroy, or alter records to avoid complying with a request for access; and
• collect, use, or disclose personal information except as authorized, or fail to notify the head of a public body of an unauthorized disclosure.[10]

The latter two offences identified above extend to corporate service providers and their employees to the extent that Bill 22 further imposes personal liability on any officer, director, or agent who authorizes, permits, or acquiesces in the commission of such an offence.[11] In addition, these offences bring with them increased penalties of up to $500,000 for corporations.[12] Thus, all corporate service provides must be aware of the restrictions and requirements proposed and currently existing under the Act, and ensure that they have robust privacy policies in place to protect against the risk of improper employee conduct.

Concerns Regarding Data Residency

The proposed changes regarding data residency requirements will allow access to digital tools and technologies, but data will no longer need to be stored in British Columbia. Information and Privacy Commissioner Michael McEvoy calls this change deeply concerning.[13] However, by contrast, this development is leading some in the industry to be optimistic because such technologies can provide the most secure and effective solutions, increasing privacy and data security.[14]

The concern identified by the Privacy Commissioner is based on the fact that the proposed amendments in Bill 22 with respect to data residency leave any protection of personal information disclosed outside of Canada entirely to regulations that are, as of yet, undrafted. McEvoy suggests requiring public bodies to conduct privacy impact assessments and consider reasonable alternatives before exporting personal information.[15] Similarly, details of data linking activities are relegated to regulations, reducing transparency and clarity regarding the rules and requirements for data linking-programs.[16]

What does Bill 22 mean for business in British Columbia? Service providers will have the ability to leverage new technologies to provide British Columbia’s public sector with modern tools to serve the province. However, by leaving the details of how these issues will be governed to regulation, the British Columbia government is leaving service providers in a position of uncertainty as to what rules they may face when operating in the public sector.

Conclusion

For anyone doing business with a public sector entity in British Columbia, the proposed amendments in Bill 22 will bring some long-anticipated changes to FIPPA by strengthening protections through new offences and stricter privacy management requirements. Such changes should work to give those businesses a higher degree of confidence with respect to how information will be managed and ease the burden, to some degree of conducting business with the public sector.  However, Bill 22 also introduces some new concerns regarding the commitment to transparency in the public sector and a lack of clarity regarding how many of these new provisions will operate in practice. Compliance with these new changes will be important for any service providers operating in the public sector. It will be necessary to closely monitor the Bill 22 changes as they are introduced to ensure there are no material revisions, which could be introduced through the as of yet to be drafted regulations, and to remain in compliance with the new legislation.

[1] Bill 22, Freedom of Information and Protection of Privacy Amendment Act, 2021, 2nd Sess, 42nd Parl, British Columbia, 2021 (first reading) [Bill 22].
[2] British Columbia, Legislative Assembly, Hansard, 42nd Parl, 2nd Sess, Draft Transcript (18 Oct 2021) (Hon L Beare) [First Reading].
[3] Bill 22, supra note 1, s 25.
[4] Ibid, s 25.
[5] Ibid, s 39.
[6] Ibid, s 9.
[7] First Reading, supra note 2.
[8] Bill 22, supra note 1, s 50.
[9] Ibid, s 44.
[10] Ibid, s 37.
[11] Ibid, s 37
[12] Ibid, s 37.
[13] Michael McEvoy, Information and Privacy Commissioner for British Columbia, Letter to Minister Lisa Beare Re: Bill 22 – Freedom of Information and Protection of Privacy Act Amendments (20 Oct 2021), online: Office of the Information and Privacy Commissioner.
[14] Jeremy Hainsworth, “Victoria unveils changes to information and privacy legislation” (18 October 2021), online: BIV.
[15] Ibid.
[16] Ibid.

by Robert C. Piasentin and Kristen Shaw (Articled Student)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2021