This article was originally published in Blakes Bulletin on Privacy - February 2005
On October 21, 2004, the Freedom of Information and Protection of Privacy Amendment Act, 2004 (the Amendments) received Royal Assent. The Amendments purport to address the implications of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (commonly referred to in the U.S. and Canada as the USA Patriot Act). Additional provisions address the treatment and disclosure of personal information belonging to British Columbians in light of the outsourcing of services by public bodies to service providers in the U.S. They attempt to protect the personal information of British Columbians and keep that information from being improperly accessed by, among others, American law enforcement agencies under the USA Patriot Act.
The Amendments result in a number of changes to the legislative scheme with respect to the disclosure and protection of personal information by public bodies within B.C., as contained in the Freedom of Information and Protection of Privacy Act (the Act). The changes affect when, how and where personal information may be stored, disseminated or disclosed, as well as who will be held liable under the Act in the event unauthorized disclosure is made. Highlights of the changes made to the Act include:
One. The provisions of the Act, including the offence provisions, apply to directors, officers and employees of public bodies, as well as to service providers engaged in a relationship with a public body and the employees and associates of those service providers.
Two. Personal information may only be stored or accessed within Canada unless one of the two following exceptions applies: a) the individual who is the subject of the information has consented, in the prescribed manner, to the storage or access occurring elsewhere; or b) the Amendments prescribe otherwise.
Currently, there is no Regulation in place prescribing the "proper consent" described above. Under the Freedom of Information and Protection of Privacy Regulation, consent in relation to a different section of the Act is required to be in writing and to specify to whom information may be disclosed and how it may be used.
Three. There is now an obligation on public bodies, employees of public bodies, and employees or associates of service providers to report any demand for disclosure made by a foreign entity, including a foreign Court.
Four. The Amendments contain protective provisions for "whistle-blowers".
Five. Unauthorized disclosure of personal information is prohibited not only by all public bodies, but also by employees, officers and directors of public bodies and, where an employee is a service provider, by all employees and associates of that service provider.
Six. The disclosure of personal information within Canada and outside of Canada may only occur in certain prescribed manners, one of which includes where the individual to whom the personal information relates has consented to the disclosure in the prescribed manner. Disclosure made outside of Canada is more restricted than disclosure within Canada. For example, in both cases disclosure will be allowed where requests for information are made in accordance with Part 2 of the Amendments and where the individual involved has identified the information and consented, in the prescribed manner, to its disclosure inside or outside of Canada as applicable. Disclosure will also be permitted both inside and outside of Canada where it is authorized by an enactment of B.C. or Canada, or by treaty made under an enactment of B.C. or Canada.
Seven. There are additional provisions that permit disclosure only within Canada. These include, but are not limited to, disclosure of information for a purpose for which it was obtained or compiled or for a use consistent with that purpose. Disclosure is also permitted in order to comply with a subpoena, warrant or order issued or made by a Court, person or body within Canada with jurisdiction to compel the production.
Eight. Where previously only the head of the public body was required to protect personal information, this requirement now applies to the public body itself.
Nine. A new group of privacy protection offences has been created. Offences include where any person contravenes the unauthorized disclosure provisions. It is also an offence for any service provider or employee or associate thereof to store or allow access to information contrary to the provisions of the Amendments; fail to report a foreign demand for disclosure; or contravene the provisions in place to protect "whistle-blowers". Further, where the employee or associate of the service provider actually commits the offence, the service provider will be liable. The following penalties apply where an offence under the Amendments is committed: (a) an individual, not a service provider, is liable for a fine up to $2,000; (b) a partnership or individual which is a service provider is liable for a fine up to $25,000; and (c) a corporation is liable for a fine up to $50,000.
Ten. Limited "Grandfathering" provisions are in place for some existing contracts and research arrangements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.