On May 27, 2015, the Legislative Assembly established the Special Committee to Review the Freedom of Information and Protection of Privacy Act to conduct the fourth statutory review of FIPPA, and to submit a report to the Legislative Assembly by May 26, 2016.
On May 11, 2016, the committee released its report and recommendations (PDF) for changes to FIPPA.
No changes to data sovereignty requirement
For the BC post-secondary education technology sector, the provision around data sovereignty (section 30.1) has been one of the most problematic requirements of the current legislation. Section 30.1 states that, “A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada,” unless prior consent is received or another section of FIPPA supersedes this requirement. Section 30.1 has inhibited the use of cloud-based services located outside of Canada.
Two organizations from the BC post-secondary sector submitted briefs to the committee. Both BCNET (PDF) and the Research Universities Council of BC (PDF) noted that section 30.1 “affected their business activities and day to day operations” and had “negative impacts on administrative efficiency and security, international engagement and student recruitment, online learning offerings, and academic integrity.”
Both organizations were joined by numerous health authorities and school districts in asking that section 30.1 be changed to allow personal information and data to be stored outside of Canada “for limited purposes and under certain conditions that would mitigate risks to privacy.” The Canadian Bar Association supported this position, while the Canadian Centre for Policy Alternatives, BC Civil Liberties Association and BC Freedom of Information and Privacy Association opposed it.
While the review committee was sympathetic to the requests to modify section 30.1, it was unconvinced, stating that it believed that “adequate alternatives” are available.
While the Committee appreciates the concerns expressed by health authorities, universities, schools, and other public bodies regarding their inability to use new innovative technology in their operations, the Committee is not persuaded that there are no available or adequate alternatives that do not involve storage or access outside Canada.
The committee's view that there are “adequate alternatives” was supported by the provincial Privacy Commissioner, who noted in the report that the arrival of Microsoft, Amazon and Adobe with Canadian cloud services will help to make cloud services in Canada FIPPA compliant.
Last year Microsoft and Adobe announced they will be offering cloud-based storage and software applications within Canada and this year Amazon, the largest cloud services provider in the world, made a similar announcement. Developments like these will make it increasingly easier and more affordable for public bodies to access cloud solutions in compliance with FIPPA.
Tokenization was also mentioned by the committee as an acceptable alternative to storing private information outside of Canada.
Committee Members discussed the use of encryption, tokenization, and other technological solutions to de-identify data so that it is no longer personal information, and noted that the Information and Privacy Commissioner has provided guidance to public bodies on how to deploy tokenization in such a way that it complies with the restriction in s. 30.1.
The final recommendation of the committee is that no changes be made to section 30.1.
The Committee concluded that data sovereignty is important in order for personal information to be properly protected under Canadian law. While the Committee recognized that public bodies may wish to take advantage of the latest advances in technology, including cloud-based solutions, those solutions are becoming increasingly available in Canada and they should be relied upon exclusively in order to protect the personal information of British Columbians.