British Columbia’s Freedom of Information and Protection of Privacy Act (“FOIPPA”) governs the protection of personal information in the custody or control of public bodies in the Province. In response to concerns regarding the possible use of the USA Patriot Act by United States officials to gain access to the personal information of British Columbians (“personal information”), the British Columbia Government has enacted the Freedom of Information and Protection of Privacy Amendment Act (the “Amendment Act”).
The Amendment Act came into force on October 21, 2004 and introduces several new concepts that affect public bodies and persons providing services to public bodies.
The Imposition of Duties on Service Providers
The Amendment Act extends certain obligations to “service providers” who provide services to public bodies. Service providers are defined in the Amendment Act as “persons retained under a contract to perform services for a public body”. The term “public body” is defined in FOIPPA as including entities such as hospitals and schools. Accordingly, all persons who provide services to a public body in British Columbia that involve the collection, use, disclosure or storage of personal information are now subject to FOIPPA and must familiarize themselves with the obligations imposed upon them.
The primary obligations of service providers under FOIPPA are as follows:
- to make reasonable security arrangements to protect from unauthorized collection, use or disclosure the personal information disclosed to them by their public body clients;
- to ensure their storage of and all access to such personal information is restricted to locations within Canada;
- to report to the B.C. Government any foreign demands for disclosure of such personal information made to that service provider; and
- not to disclose any of such personal information inside or outside Canada in a manner that contravenes FOIPPA.
Storage of and Access to Personal Information Restricted to Canada
The Amendment Act requires that all personal information be stored in Canada and that access to personal information take place only within Canadian boundaries. The intent of the Amendment Act is to prevent personal information from being stored in or accessed from jurisdictions having inadequate privacy laws or laws that threaten the security of the personal information.
As a result, a service provider located outside Canada can no longer store or access personal information unless it establishes facilities within Canada for this purpose. This change has significant implications for those public bodies seeking to enter into or renew contracts with non-Canadian based service providers. Contracts that were entered into on or prior to October 21, 2004 with foreign service providers are grandfathered pursuant to the transition provisions of the Amendment Act, for the duration of the then current term of such contracts.
Limiting the Purposes for which Personal Information may be Disclosed Outside of Canada
The Amendment Act limits the purposes for which a public body or service provider may disclose personal information outside Canada. Generally speaking, these purposes are limited to purposes that are governmental in nature, such as disclosure to a law enforcement agency, disclosure in compliance with a treaty or where the disclosure is necessary to assist a minister of the B.C. Government in the performance if his or her duties when he or she is abroad.
Within Canada, additional and broader purposes for disclosure of personal information are specified, including disclosure for the purposes for which the personal information was collected, compliance with a subpoena or other court order, or for research and statistical purposes.
Mandatory Reporting Requirement of Demands for Access to Personal Information Originating Outside of Canada
If a foreign government, court, tribunal or other authority issues a subpoena, warrant, demand or request for personal information held by a public body or a service provider (a “foreign demand”), then the public body or service provider must provide notice to the B.C. Government of the request and general information regarding who made the foreign demand, when it was received and the general nature of the personal information sought in the foreign demand.
Further, the public body or service provider must provide notice of any demand made by a local organization or person which it reasonably believes was made in response to a foreign demand. This means a public body or service provider must provide notice if it thinks the demand is indirectly a foreign demand. The obligation to report foreign demands also extends to the individual employees of the public body and service provider.
Protection For Whistle Blowers
The Amendment Act adds whistle blower protection for employees who report contravention of the FOIPPA requirements. Such employees are protected from dismissal, suspension, harassment or other behaviour disadvantaging them in their work. These new whistle blower protections apply to all employees of public bodies as well as those of service providers.
Introduction of New Offence Provision for Public Bodies and Service Providers
It is an offence to fail to comply with the new obligations created by the Amendment Act. Public bodies and service providers that breach those obligations are liable for fines up to $500,000, while individual service providers, employees or directors and officers who acquiesce in the commission of the offence are individually liable for fines up to $2,000.
Conclusion
The introduction of the Amendment Act creates significant new obligations for public bodies and service providers to restrict the disclosure outside Canada of personal information in the custody or control of public bodies. Public bodies and service providers must assess their privacy practices and policies to ensure that they are compliant with the new obligations imposed by the amendments to FOIPPA.