On November 25, 2021, amendments to B.C.'s Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 ("FOIPPA") came into force through Bill 22-2021, with a few more anticipated within the coming months (by the end of next year). FOIPPA applies to records in the custody or control of "public bodies", such as government ministries, municipalities and regional districts, as well as many agencies, provincial regulators and Crown corporations.
The major changes to FOIPPA now in force include:
- New requirements that all public bodies must conduct privacy impact assessments ("PIAs") in accordance with the directions of the minister responsible for FOIPPA (section 69). On November 26, 2021, the Minister of Citizens' Services issued directions for public bodies that are not ministries regarding PIAs (the "PIA Directions"). In addition to providing general directions on conducting a PIA, the PIA Directions stipulate that the head of a public body (or their delegate) must conduct a PIA on a new initiative for which no PIA has previously been conducted, as well as before implementing a significant change to an existing initiative.
- The data-residency provisions, which had required public bodies to access and store personal information only in Canada, have been removed from FOIPPA. FOIPPA still includes rules and parameters for storage and access. The PIA Directions also apply where changes are made to the change in location where personal information is stored. Since public bodies have generally been prohibited from storing information outside of Canada until now, any storage outside of Canada will probably require a PIA. This PIA requirement may not apply where personal information will be accessed (rather than stored) outside of Canada.
- New privacy offences (such as collecting personal information except where authorized) have been added in the new Part 5.1 of FOIPPA and the monetary penalties for breaches have been increased (up to $50,000).
Some of the major FOIPPA amendments will come into force by regulation and these new sections of FOIPPA will:
- require public bodies to develop a privacy management program in accordance with the ministerial directions (new s. 36.2); and
- impose mandatory privacy breach reporting requirements (new s. 36.3).
We will be providing further comment on particular areas of the new changes in future posts and will be planning a webinar on January 20, 2022.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.