On May 11, the special committee appointed to review British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) tabled its report in the legislature. The report makes 39 recommendations arising from the committee's review of FIPPA. Several of them, if accepted, would provide needed updates that improve public sector transparency. Regrettably, however, the committee has recommended that the legislature retain the controversial data sovereignty provisions of FIPPA, which require personal information held by public bodies to be stored and accessed only in Canada. In this post, we examine four of the more interesting recommendations.

Mandatory breach reporting

The committee recommends that FIPPA be amended to include a mandatory breach reporting and individual notification framework. The committee considered that breach reporting and individual notification were consistent with best practices and accepted the framework proposed by outgoing Information and Privacy Commissioner Elizabeth Denham. The reporting and notification requirements would be based on a harm test. The proposed test mirrors the test in several other Canadian breach laws: whether the breach creates a real risk of significant harm to the individual. Large-scale breaches, however, would also have to be reported to the commissioner, possibly irrespective of harm. The committee further recommends that FIPPA require public bodies to document privacy breaches and their decisions about notification and reporting. It will be interesting to see whether a similar mandatory breach reporting and notification provision is accepted by the committee reviewing British Columbia's private sector privacy legislation. There would not seem to be any logical or principled basis for mandating breach reporting in the public sector but not in the private sector.

Duty to document

In a prior post we examined whether there might be a turning of the tide with respect to public sector record-keeping requirements. Commissioner Denham recommended in her special Investigation Report F15-03 that the government create a legislated duty to document government decisions and actions. This "duty to document" has been echoed in the recommendations of other current and former provincial information and privacy commissioners, in response to what is perceived to be a growing culture of "oral government": conducting business without creating records so that there is nothing to disclose in response to an access to information request. The committee has agreed that a duty to document should be included in FIPPA. It has not recommended specific wording, but concluded that the duty must extend to all public bodies (including municipalities, universities, public schools, public hospitals, and the other public institutions governed by FIPPA).

Data destruction

The committee noted that s. 42(1) of FIPPA currently permits the commissioner to conduct investigations and audits to ensure compliance with FIPPA. The commissioner has the authority to investigate whether a public body (or its employees and agents) has obstructed an access request, but not whether records have been destroyed improperly to subvert the purposes of FIPPA more generally. Opponents of a new power for the commissioner noted that information management is governed by the new Information Management Act and questioned whether giving the commissioner this power would encroach on the authority of the chief records officer, who has been given the power to establish retention schedules and to request information about a government body's management of its records. The Information Management Act does not, however, explicitly give the chief records officer the power to investigate unauthorized destruction. Ultimately, the committee concluded that public trust and confidence in information management require the commissioner to have the authority to investigate allegations of unauthorized destruction of records.

Data sovereignty

Section 30.1 of FIPPA is highly controversial. It requires public bodies to ensure that personal information in their custody or under their control is stored and accessed only in Canada. The prohibition on data export is subject to very limited exceptions. Although one of the exceptions is the consent of the individual, that consent must be obtained in a prescribed form. As a consequence, public bodies are unable to use applications that may involve the storage of personal information in a cloud environment hosted in, or transiting through, the United States. This has impeded the ability of hospitals, universities and transit authorities to innovate using commercially available systems. During the committee's consultations, numerous stakeholders noted that s. 30.1 lacks any proportionality: unlike most Canadian privacy legislation, it takes into account neither the sensitivity of the personal information nor the protections that have been put in place to mitigate the risks of storing or accessing it outside Canada.

Notwithstanding the overwhelming evidence that s. 30.1 lacks proportionality, the committee recommended that it remain. Without citing any evidence, the committee asserted that there is a "risk" that data stored or accessed outside Canada could be subject to a lower standard of privacy protection. The committee also reasoned that the provision is not an absolute prohibition (since consent remains an option) and that, in any event, market forces are responding by providing cloud solutions hosted in Canada. It is hoped that the legislature will subject this recommendation to further evidence-based analysis.

Next steps

Commissioner Denham lauded the work of the committee. However, it will likely be months or longer before the government moves to introduce any amendments to FIPPA. It is possible that the government will combine the amendments to FIPPA with the outcome of the review of the private sector legislation. More updates to come!