Entities subject to BC’s Freedom of Information and Protection of Privacy Act (FIPPA) have long struggled with how to take advantage of technologies and services that depend on cloud computing (essentially, programs and services hosted on third-party servers, accessed over the Internet). One of the reasons is BC FIPPA’s extraordinarily onerous requirement that all personal information (including much of the information used in systems such as personnel records, patient files, student registration systems, etc.) be and remain at all times in Canada, except in a very limited set of circumstances.
In late October 2019, FIPPA was amended to narrowly expand the range of circumstances where personal information may leave Canada: where information is disclosed for processing purposes only, and where it is in metadata. On one hand, this makes B.C. appear less like the girl with the kaleidoscope eyes in the Beatles’ song, but this minor liberalization is itself subject to such stringent requirements that compliance will nonetheless require due diligence and careful legal, technical and practical advice. It will also befuddle even those cloud service providers that have considerable experience working with the public sector in other jurisdictions.
It’s a move in the right direction, but a small one.
What are the changes?
Disclosure for Processing
This change addresses the underlying realities of the Internet and cloud infrastructure in Canada. For example, as data flows from workplaces on the West Coast to data centres in eastern Canada, it is likely that the data will cross south of the border en route, requiring access to certain data elements (such as routing information) to ensure it arrives at its final destination.
In particular, this change authorizes the disclosure of personal information for processing inside or outside of Canada, as long as that processing does not:
- involve the intentional access of the information by an individual; or
- result in the storage of personal information (other than metadata, which is the topic of the other change) outside of Canada.
If the processing requires the disclosure of personal information outside of Canada, that access must be temporary and limited to the minimum period of time necessary to complete the processing.
This change appears to be aimed at reconciling the tension between data residency and the availability of cloud products in Canada. Now, public bodies should be able to take advantage of cloud product functions and features that require processing outside of Canada where the above requirements are met.
Disclosure of Metadata
The second change clarifies disclosure rights in respect of metadata, which is created nearly every time an individual interacts with technology.
This change authorizes public bodies to disclose metadata that is generated by an electronic system, such as a cloud application or mobile device, and describes an individual’s interaction with that system as long as:
- any personal information in individually identifiable form has been removed from the metadata or destroyed, if practicable; and
- if the disclosure is to a service provider, the public body also prohibits any subsequent use or disclosure of personal information in individually identifiable form without its express authorization.
At first glance, the requirement to remove individually identifiable personal information only “if practicable” seems unusually permissive. However, most cloud platforms automatically generate and store metadata relating to their use, including in the form of audit logs that allow customers to monitor usage and help identify misuse (which is particularly useful in the event of a security breach). In many instances, severing individually identifiable information from these logs would be counterproductive and undermine the purpose for which that information was collected and stored. And while individually identifiable personal information can be masked, anonymized or tokenized, those options may not be technically possible (or practicable) in many cloud applications.
So, as the removal of individually identifiable information may not be practicable in some instances, this change codifies best practices by prohibiting service providers from any subsequent use of any remaining individually identifiable personal information without the express authorization of the public body.
How will the changes affect my organization?
With a focus that appears to relate mostly to cloud solutions and other online offerings, these changes affect public bodies that already subscribe to these solutions as well as those considering the move to the cloud.
If your organization already subscribes to cloud products, you may want to review the functions and features of your product to determine whether processing occurs outside of Canada and, if so, whether the new requirements are being met. If not, your organization may now be able to take advantage of existing functions and features that are only available if data can be processed outside of Canada.
With regard to metadata, it may be worth pulling out your existing agreements to see how this information is dealt with (tip: look for sections that describe “statistical data”, “aggregated data” or “usage data”). You may be surprised at how extensively your service provider can use that information.
If your organization is new to the cloud, the FIPPA changes reinforce the importance of product due diligence and, in particular, the importance of asking cloud providers about their data and metadata practices, beyond just whether the data is stored in Canada.
The protection of personal information is typically at the forefront of public body decisions to upgrade technology and modernize operations. The proposed changes provide a level of clarity that should help streamline this process and ensure best practices are observed when information is provided to cloud service providers.
However, the changes are not enough to bring FIPPA in line with private sector laws, public sector laws in other jurisdictions, or the realities of the international, interconnected Internet upon which the “cloud” is based. So, due diligence, careful analysis and training of commercial cloud service providers are nonetheless required. In other words, it’ll be a long time yet before you can “climb in the back with your head in the clouds, and you’re gone…”