LawsonInsight

The New Changes To FOIPPA: Part One

Lawson Lundell Season 1 Episode 21

On Episode 21:The New Changes To FOIPPA: Part One Mark Fancourt-Smith and Alix Stoicheff speak with Ryan Berger and Meg Gaily about recent changes to BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) and how they affect BC public bodies. 
This is a two part series that will cover all the major changes to FOIPPA.

Check out our other resources on this topic: 

Mark Fancourt-Smith  00:07

Welcome to LawsonInsight. I'm Mark Fancourt-Smith. I'm a partner in Lawson Lundell’s Vancouver office and I practice in the dispute resolution group.

 

Alixandra Stoicheff  00:15

And I'm Alixandra Stoicheff. I'm an associate in the firm's Calgary office and I practice primarily in the dispute resolution group as well. Thank you for joining us on the podcast. On this episode, we will be speaking about the new changes to BC’s Freedom of Information and Protection of Privacy Act.

 

Mark Fancourt-Smith  00:30

and today we're joined with two repeat guests Ryan Berger and Meg Gaily. Meg is based in our Vancouver office and is in the Research and Opinions group, advising clients and organizations on a variety of practice areas including administrative law, Labor and Employment, privacy, civil procedure and appellate practice, and professional conduct. Ryan is a partner in Vancouver as well, he specializes in the areas of privacy and employment law. We're going to be splitting this discussion across two podcasts, as there is a lot to discuss in order to ensure our listeners have all the information they need on the changes to BC’s Freedom of Information and Protection of Privacy Act. Welcome back to you both. Thanks for coming back to the podcast.

 

Alixandra Stoicheff  01:06

Yeah, welcome.

 

Ryan Berger  01:07

Great to be here.

 

Meg Gaily  01:08

Thanks for having us.

 

Mark Fancourt-Smith  01:10

To start with I just wanted to get from you. What does the BC Freedom of Information and Protection of Privacy Act do? Is there any way to shorten the name? And how do you pronounce it?

 

Ryan Berger  01:21

Gosh, well, it is a handful. A mouthful. And there are two camps. I'm in the FOIPPA camp: F O I P P A. I think Meg, you’re in the FIPPA camp?

 

Meg Gaily  01:31

I’m in the FIPPA camp: F I P P A. And as I think I've mentioned to Ryan before, when you're creating an acronym, you don't use the conjunction. So words like ‘of’ and ‘and’ drop out. So it should be FIPPA Ryan because otherwise it would be really long. It would be something like FOIAPOPA or something. Right? But hey,

 

Ryan Berger  01:54

That's fair. That's fair, but way too technical for me. I go by the logic of I'm a big FOMO person. And I think none of us would say FMO, we all say FOMO. But I also have a fear of misusing acronyms, which would be FOMA. So I go with FOIPPA still.

 

Meg Gaily  02:17

But FIOPPA, FIPPA - let's call the whole thing off? No, we can't call it off, but it is same. One in the same. We’re talking about Freedom of Information and Protection of Privacy.

 

Mark Fancourt-Smith  02:28

Yeah. So for our listeners, who may not know, what does it do, what does it cover?

 

Ryan Berger  02:33

So it is the act that applies to British Columbia Public bodies. And there are two main parts of it. There's the Freedom of Information part of it, which gives individuals rights of access to records in the custody or control of public bodies, for example, that's ministries of the government. It extends to many Crown corporations, municipalities, universities, hospitals, health authorities, and the like. And so there are various definitions and schedules that name, what are the BC public bodies from which individuals can seek access to information and the other main half of it, at least so far, has been the protection of privacy. And it outlines the rules for BC public bodies with respect to protecting personal information.

 

Alixandra Stoicheff  03:25

So I understand there have been some recent changes to FOIPPA or FIPPA, I'm not going to take a stand on the pronunciation. 

 

Mark Fancourt-Smith  03:32

Just call it the Act. 

 

Ryan Berger  03:35

That’s what the commissioner does.

 

Alixandra Stoicheff  03:39

I understand there have been some changes to the act. And we thought it made sense to start off by asking you to explain just what those changes are. And if you can explain what prompted them.

 

Ryan Berger  03:49

Yeah, so in the fall, the BC government introduced and passed Bill 22. And there are a few main changes that it makes to FOIPPA, and we're going to be covering some of the big ones today. One of them is data residency and the rules regarding restrictions on BC public bodies to keep personal information in Canada only. Some rules about impact assessments, privacy management programs, breach notification and reporting requirements, and application fees, and some changes to the fines that can be levied under the act. You also asked what prompted the changes? I think there are a number of factors, you know, one that the government promoted and I think I think certainly was behind a lot of advocacy for change was really just sort of modernizing certain aspects of the act and updating them to align with other Canadian and international Western jurisdictions. And so there's been a lot of push to do that. There haven't been significant changes. to VoIP like this, I think in over 25 years. So it was time for a lot of things. And with respect to the data residency issue that certainly has attracted a lot of scrutiny, I think and criticism and advocacy on both sides of the issue. But certainly I know that there were a lot of BC public bodies, who for a long time, were concerned that they weren't able to really compete and seek the kind of support and access to service providers internationally that some of our other competitors, either in other provinces or up in the public sector were able to do as a result of the in Canada only rules.

 

Mark Fancourt-Smith  05:43

Ryan, one thing I just wanted to ask you was in terms of public bodies, which are traditionally mentioned in connection with FOIPPA. Is this really just about public bodies?

 

Ryan Berger  05:53

Not strictly, there are provisions and there have been in the I guess, before the updates to FOIPPA. But now it's a little bit more clear that the act also applies to service providers of BC public bodies, when they're handling personal information in the custody or control of the public body. So many of the privacy protection rules apply. And also the fines extend to service providers when they're handling that personal information, as well as the employees of those service providers. It's not just BC public bodies that ought to pay attention to this, but it is all the individuals and organizations that provide services to BC public bodies.

 

Alixandra Stoicheff  06:38

So why don't we get into some of the changes in a bit more detail. So I understand that the data residency requirements have been eliminated. Practically speaking, what does this mean?

 

Ryan Berger  06:48

Great question. This is one of the most political aspects of the changes. Previously, BC public bodies were not permitted to access or store personal information outside of Canada, except for in limited circumstances. They had to be very careful about those rules and or if they were engaging service providers, there were a lot of contractual provisions, they needed to negotiate into those contracts, that often were kind of the sticking point or a significant stumbling block for those agreements. What the changes have done essentially allows BC public bodies to store personal information and access personal information or disclose personal information anywhere so inside of Canada, or outside of Canada, as long as the disclosure is permitted under the act. And so those are four limited purposes that fulfill the mandate of the BC public body or the purpose for which the information was collected, or to allow the public body or a service provider to process the information for reasonable purposes. There are some provisions now through regulation that require a public body to engage in a privacy impact assessment process if they are going to store sensitive information outside of Canada, but it's no longer a restriction in and of itself.

 

Mark Fancourt-Smith  08:23

Picking up from your last point, Meg, I was wondering if I could ask you one of the major changes that was cited in the blog that you and Ryan, did was this requirement to conduct privacy impact assessments? Can you tell us about those?

 

Meg Gaily  08:38

Sure. There's always been a privacy impact assessment provision in the act, what they did with Bill 22, was they've made it now mandatory for both ministries and public bodies. Whenever you're implementing what's called a new initiative, or you're making a significant change to an existing initiative, you have to do what's called a privacy impact assessment or a PIA. So when you think about well, what's an initiative? What are you talking about? Why would I need to do a privacy impact assessment? So the kind of things that are initiatives are things like you're implementing a new document management system or doing digital transformation, new website analytics tools, even things like new human resources systems, new databases, right, or a new benefit program, and it doesn't have to be a health benefit thing. But you now have to do a privacy impact assessment. And so what they did was the privacy impact assessment has to comply with a ministerial direction. And so that was issued in late November that's out there now. It exists for all public bodies, and there's another one for ministries, and you go through and it just sets out all these various requirements. We went through it in detail in the webinar, we did, you know, effectively, it's taking a risk based approach, like, is there the possibility that this information could be disclosed? And would it be harmful. And so the government also created a template that you can use as your privacy impact assessment. You don't have to follow the template, but it sets it all out in pretty nice detail. Or you can come up with your own so long as you follow all of there's something like eight directions in the ministerial direction that you're supposed to follow. So that's, that's new, frankly, I think it's just a way of saying, Hey, we're alive to this issue, this might impact on privacy. Let's go through and see what it does take some ownership for it.

 

Ryan Berger  10:45

Yeah, I think that's exactly right Meg and as you say, it's what's interesting to me is, it's a risk assessment process that the public body has to go through. It's not a risk elimination process. I mean, living in the world of privacy, we know there's always risks, and it's about what are reasonable mitigation steps that one can take considering the sensitivity of the information, and where it's being stored in the world. And depending on that location, it may that may factor in as well for the public body. And so it's I think it's about doing some diligence on that, and the mitigation steps. And so as service providers, you know, one of the things that I think they'll be looking to do and in trying to sell services to BC public bodies is to assist them with that risk mitigation effort and help them put together their PIA’s. Certainly, you know, we're advising our public bodies to ask their service providers for assistance on that.

 

Mark Fancourt-Smith  11:57

On the next episode, we'll be discussing further changes to the act including the privacy management program, mandatory privacy breach reporting requirements, and the new fee structure for accessing information. Thank you for joining us on LawsonInsight. Thanks again to Meg and Ryan, for joining us today. And make sure you check out their full webinar and blog on this issue available on the Lawson Lundell website.

 

Alixandra Stoicheff  12:19

And you can also stay up to date by connecting with us on social media using the handle @LawsonLundell. And by subscribing to the podcast on Apple, Spotify or Google podcasts. Thanks for listening!