On November 25, 2021, amendments to B.C.’s Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“FOIPPA”) came into force through Bill 22-2021, with a few more anticipated within the coming months (by the end of next year). FOIPPA applies to records in the custody or control of “public bodies”, such as government ministries, municipalities and regional districts, as well as many agencies, provincial regulators and Crown corporations.
The major changes to FOIPPA now in force include:
- New requirements that all public bodies must conduct privacy impact assessments (“PIAs”) in accordance with the directions of the minister responsible for FOIPPA (section 69). On November 26, 2021, the Minister of Citizens’ Services issued directions for public bodies that are not ministries regarding PIAs (the “PIA Directions”). In addition to providing general directions on conducting a PIA, the PIA Directions stipulate that the head of a public body (or their delegate) must conduct a PIA on a new initiative for which no PIA has previously been conducted, as well as before implementing a significant change to an existing initiative.
- The data-residency provisions, which had required public bodies to access and store personal information only in Canada, have been removed from FOIPPA. FOIPPA still includes rules and parameters for storage and access. The PIA Directions also apply where changes are made to the change in location where personal information is stored. Since public bodies have generally been prohibited from storing information outside of Canada until now, any storage outside of Canada will probably require a PIA. This PIA requirement may not apply where personal information will be accessed (rather than stored) outside of Canada.
- New privacy offences (such as collecting personal information except where authorized) have been added in the new Part 5.1 of FOIPPA and the monetary penalties for breaches have been increased (up to $50,000).
Some of the major FOIPPA amendments will come into force by regulation and these new sections of FOIPPA will:
- require public bodies to develop a privacy management program in accordance with the ministerial directions (new s. 36.2); and
- impose mandatory privacy breach reporting requirements (new s. 36.3).
If you would like to learn more about the changes made to FOIPPA and the implications for BC Public Bodies and partner agencies, click here to watch our on-demand webinar on the topic. We will also be providing further comment on particular areas of the new changes in future posts.
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.
Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage.