LawsonInsight
LawsonInsight
The New Changes To FOIPPA: Part Two
On Episode 22:The New Changes To FOIPPA: Part Two – Mark Fancourt-Smith and Alix Stoicheff speak with Ryan Berger and Meg Gaily about recent changes to BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) and how they affect BC public bodies. This is the second of the two-part series that covers all the major changes to FOIPPA.
Mark Fancourt-Smith 00:07
Welcome to LawsonInsight. I'm Mark Fancourt-Smith. I'm a partner in Lawson Lundell’s Vancouver office and I practice in the dispute resolution group.
Alixandra Stoicheff 00:15
And I'm Alixandra Stoicheff. I'm an associate in the firm's Calgary office and I practice primarily in the dispute resolution group as well. Thank you for joining us on the podcast. On this episode, we will be speaking about the new changes to BC’s Freedom of Information and Protection of Privacy Act.
Mark Fancourt-Smith 00:30
and today we're joined with two repeat guests Ryan Berger and Meg Gaily. Meg is based in our Vancouver office and is in the Research and Opinions group, advising clients and organizations on a variety of practice areas including administrative law, Labor and Employment, privacy, civil procedure and appellate practice, and professional conduct. Ryan is a partner in Vancouver as well, he specializes in the areas of privacy and employment law. Welcome back to you both. Thanks for coming back to the podcast.
Alixandra Stoicheff 01:06
Yeah, welcome.
Ryan Berger 01:07
Great to be here.
Meg Gaily 01:08
Thanks for having us.
Alix Stoicheff 00:59
What are the changes that have taken place with respect to the privacy management program?
Ryan Berger 01:04
So this is a new feature, I would say to FOIPPA, we already had very high level provisions and requirements to safeguard personal information under the custody control of the public body. But these provisions will require the public body to really flesh that out and put some paper and policies and procedures and education, I would expect behind those requirements. These particular provisions are not yet in force. And so they're going to come into force by regulation. And we're anticipating that there will be some directions either through the regulation and or against through some ministerial order direction as to what specifically is going to be required as part of the privacy management program. But we certainly have some clues about what that kind of thing might look like. Because both the government and the Privacy Commissioner's Office have guidance documents on what a privacy management program would look like. And generally outlines the management accountabilities within the organization, I'm expecting that it will require the appointment of a privacy officer or another individual also responsible for privacy, in addition to the head of the public body, who is largely answerable to many of the obligations under the Act, but will sort of designate or, or require organizations to designate roles and responsibilities to more and also will set out whatever mandatory assessment tools or controls that an organization ought to have within to help limit access unauthorized access and use to information within the organization as well as with service providers and other procedures. One of them would be the PIA procedure. Another one would be for instance, and incident response process. And I'm anticipating that the program will mandate that every public body have in place an incident response plan, so it's ready.
Mark Fancourt-Smith 03:29
Just following on from the last point, the incident response plan. My understanding is one of the new provisions, which isn't enforced yet, though, is mandatory privacy breach reporting requirements, is that right? That's right.
Ryan Berger 03:42
So those two really do dovetail and like you say the privacy breach reporting obligations are not yet in force. And so they're also going to come into force through regulation, but we know what they look like. So public bodies will be required to report a privacy breach, which is a theft or loss of personal information or an authorized collection use or disclosure of personal information. And, and they'll be required to notify individuals and report to the Privacy Commissioner's Office, if that breach is reasonably expected to result in significant harm, and that's the real risk of significant harm cast is widely adopted now across Canada and a version of it and Pepita version of it in the Alberta private sector Privacy Act. And I think in most states actually in the United States. In the US, they don't have many privacy protection laws, but they do have a lot of breach reporting laws. So this is a common standard and would include identity theft or some real risk of fraud or significant embarrassment to an individual loss of financial opportunities, impact on credit, that sort of thing. So those are the types of new reporting obligations yet to come. But of course, for a public body to be able to fulfill that obligation, it's going to need mechanisms internally and perhaps with service providers as well, to be able to learn when there has been a breach. Certainly something you know, the internal unauthorized access or use of information is not something that comes up, for instance, when there's a hack or ransomware attack, and the whole system goes down. So organizations will need other mechanisms and reporting lines, internal reporting lines in place to be able to fill that obligation. And those are the kinds of things that go into an incident management program. And this would be part of the reporting process in that incident, reporting, or incident management plan.
Alix Stoicheff 06:07
So one of the other changes that's come in is that a public body now has permission to charge a fee to somebody making an application under the Act, I can understand perhaps, you know, why that might have been something that public bodies wanted to be able to do given the cost associated with responding to some of these. But I also understand, it's been a little bit controversial. So what can you tell us about that Meg?
Meg Gaily 06:30
Public bodies have always been able to charge for copying. That's one of the things particularly when you get some of these requests, where it's really going to take a lot of time for employees to gather all the documents and to copy these. So you've always been able to charge people didn't go to the privacy officer and, you know, talk about the charges. But what they did through Bill 22 was they imposed what you know, may seem to those of us in the legal profession, what that's nothing, a $10 fee for every request for general requests. And this apparently, you know, this was met with a lot of uproar, probably because the vast majority, I think it's fair to say the vast majority Ryan, correct me if I'm wrong, applications under the Act are made by members of the media. And so they were what now I have to pay down dollars every time I want to ask. But you know, from a public bodies perspective, that doesn't seem like a lot, although they've made it very clear in the statements that it's $10 for each request. And, you know, normally people are pretty good about putting everything they want in the one request. But the other day, I was doing some research, and I found a case on the BC privacy information officers website, or it was an individual, I don't know where they were requesting information from a school board. And it was a fairly small school board somewhere in the interior. And the number of requests just got ridiculous to the point where the school board denied the requests anymore. They just said we aren't going to respond to this. We've done it several times. And in the privacy officers decision upholding that decision of the school board, they rattled off like it was ridiculous. It was something like hundreds of requests. So I mean, certainly imposing a $10 fee is going to stop that kind of mischief, like if you end up having to pay hundreds of dollars, because you just keep asking. That's good. It was interesting. I personally don't think it's excessive or outrageous at all. I think I think it's high time and it makes sense. So that's my two cents on the new administration fee of $10. For every request.
Ryan Berger 08:42
Yeah, certainly the debate highlights the tension and the issues around the purposes behind the act with respect to transparency, and public access to information. And, you know, potentially the over use, and in some small cases, the abuse, as Meg points out of the powers under the act. And so I think that was part of the thinking behind the $10 fee, certainly $10 does not offset the actual costs of public bodies, having worked with them. Really, some of the costs to deal with these things are quite significant. And I don't think actually, the public recognizes the additional cost and burden on BC public bodies, many of whom are not staffed well to deal with FOI requests and the like. They're working as hard as they can to undertake their mandate. So the debate certainly highlighted some of those tensions.
Meg Gaily 09:51
Yeah, and to be clear, this is for general requests. This is not for personal requests. So if I'm applying to get to find out what personal information about me is being held by a public body, I don't have to pay the $10. They're concerned that they don't want it to be a barrier to access. And they're also not charging indigenous governing entities for it either. So either alive to that this, this was really to attract the more general where we have these shotgun approaches and multiple requests.
Mark Fancourt-Smith 10:25
Just turning to a final kind of misuse, if you will. What can you tell us about the new privacy offenses which have been added in the new part 5.1 of the act.
Ryan Berger 10:38
So, there were fines applicable for breaches of, certain breaches of privacy under the act. And for instance, in British Columbia anyway, there was a relatively well known case of Prince George councilor who released a sensitive internal investigation report regarding their RCMP force with a lot of scintillating detail personal details about people who was prosecuted, and I believe was fined $500, under the previous version of the Act for that. And there, I think some more well known case of particularly in Alberta, with respect to nurses being prosecuted under their Health Information Act, essentially, for snooping into health care records that are not theirs, maybe, you know, individuals known to them or celebrities and that sort of thing. And so the changes of have bulked up the potential fines under the Act and a little bit with respect to the scope of fine. So now, they include offenses related to unauthorized collection use or disclosure of personal information. And it's, I think, a little clearer that these can apply to both individuals, individual employees of public bodies, as well as the service providers and corporations under the Act and individuals, for instance, individual employees of the service providers. Again, it's one of those things that not only public bodies and employees of public bodies need to pay attention to, but their service providers and their employees need to pay attention to. And so the fines now can go up to $50,000 for individuals and corporations up to $500,000. So the potential is that the high end of the fine is much higher. And I think that's in recognition, really worldwide that particularly, you know, egregious privacy breaches, intentional privacy breaches, are not going to be tolerated. Any anymore. And but I'll know that there is a defense provision which lowers the threshold somewhat for establishing a defense under the old act, old version of the act, you had to prove due diligence, but now you only have to demonstrate it. And I read that as a material change to the provisions there. So I think that really they're looking for a situation where there is an intentional unauthorized access use or disclosure and where it be sensitive. A court will have authority now to impose a significant fine,
Mark Fancourt-Smith 13:44
Yeah, it's interesting. It seems part and parcel both in terms of non-statutory privacy cases, as well as well, even in sort of online defamation cases of the courts really now grappling with the true damage that disclosure of information can do, especially when it can never effectively be pulled back.
Ryan Berger 14:04
Yeah, I think that's fair. I think there is a developing recognition of, in some cases, anyway, the severity of some of these breaches or misuses of information, or wrongful disclosures, I think there is more public support behind political support behind prosecutions of them or the imposition of more significant fines for real wrongdoers.
Alix Stoicheff 14:33
One of the things that's really struck me today during this discussion is the impact that these changes will have on contractors and not just what we were sort of traditionally think of as public bodies. Is that you know, is the word getting out there are companies that work closely with you know, ministries and other public entities aware of these changes. Do you think, I know it's a tough one for you to answer, but I just the extent of these changes is really kind of jumping out at me.
Ryan Berger 15:03
Yeah, like you say, it's hard for me to gauge that empirically. But I'll say, you know, having done our webinar, January 20, and I believe that's available on our website, we had significant attendance. And we, we know that we had many public bodies listening in as well as service providers, specifically, that we know work with public bodies. And so I do think the word is getting out there to some extent. But that's a process, I wouldn't be surprised. And I would expect there to be a bit of a learning curve on it. In my practice, we when we are negotiating agreements on behalf of BC public bodies, with service providers, there's often a bit of an education component to that discussion, and that negotiation to bring those service providers along and help them understand what the privacy protection requirements are here, and particularly when we're dealing with us service providers who are not familiar with our jurisdiction. That was a steeper hill to climb, I think back in the day when it was in in Canada only rules and we had to really nail that down and figure it out. But they still I think that there still will be an educational process and a curve for service providers.
Mark Fancourt-Smith 16:38
Thank you for joining us on LawsonInsight. Thanks again to Meg and Ryan, for joining us today. And make sure you check out their full webinar and blog on this issue available on the Lawson Lundell website.
Alix Stoicheff 16:49
And you can also stay up to date by connecting with us on social media using the handle @LawsonLundell. And by subscribing to the podcast on Apple, Spotify or Google podcasts. Thanks for listening!