NEWS RELEASE: Ministerial Order an exception to the rule

MEDIA RELEASE
March 30, 2020

Ministry of Citizens’ Services relaxes restrictions on the use of third-party tools and applications to disclose personal information inside or outside of Canada

VANCOUVER, March 30, 2020 – In the time of a global emergency, the protection of privacy and access to information rights needs to be kept at the forefront of policy discussions rather than used as a trade-off for convenience.Ministerial Order (no. M085) from the Minister of Citizens’ Services has called for a relaxation of the Freedom of Information and Protection of Privacy Act (FIPPA)’s data residency provisions in the context of the COVID-19 pandemic.

In addition to allowing the various provincial health authorities to disclose personal information inside or outside of Canada in response to COVID-19, the Order has given public bodies approval to use third-party tools and applications to disclose personal information inside or outside of Canada so long as they are being used “to support and maintain the operation of programs or activities of public [bodies]” and “to support public health recommendations or requirements” such as social distancing, working from home, etc. The order has an end date of June 30th, 2020.

We are firmly committed to the requirements for local data storage contained within the Act, even in extraordinary times. BC FIPA acknowledges that we are facing unprecedented challenges arising from the need to respond swiftly and responsibly to the COVID-19 pandemic, but this cannot be done at the expense of data residency and broader privacy rights. The all-party special committee who reviewed the Act in 2016 recommended that the personal information of British Columbians be protected in accordance with Canadian law – storing or accessing said data outside of Canada could subject it to a lower standard of privacy protection.  

BC FIPA is continuing to monitor for instances where the privacy of BC citizens is being sacrificed during the COVID-19 pandemic. “We hoped the government had exercised due diligence and put appropriate and necessary overrides in place that were triggered with the declaration of an emergency. It appears they felt those measures were insufficient and they took further action” says Jason Woywada, BC FIPA’s executive director. “There needs to be consideration for the long-term impacts of personal information being disclosed to third parties that cross borders and the impact that creates. Privacy and data residency has been under attack for years by those who wish to profit from its erosion. Maintaining privacy and data residency requirements is a positive sum proposition and should always be considered.”

BC FIPA continues to call for a comprehensive overhaul of FIPPA that is informed by a deep and sincere commitment to updating and expanding the information and privacy rights of British Columbians.  

Contact: 
Jason Woywada, Executive Director 
BC Freedom of Information and Privacy Association 

– 30 –

Related Links: 

Order of the Minister of Citizens’ Services: Freedom of Information and Protection of Privacy Act: Ministerial Order No.M085 – March 17 
https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-privacy/resources/ministerial_order_085_respecting_disclosures_during_covid-19_emergency__march_2020_pdf.

Declaration of a state of emergency – March 18 
https://news.gov.bc.ca/releases/2020PSSG0017-000511

Decision of the OIPC Commissioner Michael McEvoy – March 18 
https://www.oipc.bc.ca/news-releases/2399

Report of the Special Committee to Review the Freedom of Information and Protection of Privacy Act 2016 
https://www.leg.bc.ca/content/CommitteeDocuments/40th-parliament/5th-session/foi/Report/SCFIPPA_Report_2016-05-11.pdf

PIPA review presents opportunity for BC to become leader in privacy protection

Vancouver, February 24, 2020 – On February 18, 2020 the Legislative Assembly agreed that a Special Committee be appointed to review the Personal Information Protection Act (PIPA). PIPA deals with the collection, retention, use, and disclosure of personal information by private sector and nonprofit entities. The B.C. Freedom of Information and Privacy Association (BC FIPA) is pleased that this process is commencing in accordance with section 59 of that Act and looks forward to participating in the process.

“BC FIPA wants to ensure that people are empowered to maintain their right to privacy and access to information,” says Jason Woywada, FIPA’s Executive Director. “Even before consultations begin, we can anticipate a number of recommendations in areas surrounding mandatory breach notification and an expansion of the Commissioner’s powers with the ability to penalize bad actors. I remain hopeful the government will follow through and implement the recommendations from this Committee, as well as prior Committees and OIPC reports, despite the fact that hasn’t always been the case.”

In order to better protect the privacy of British Columbians, breach notifications should be required when a private sector or nonprofit entity that controls personal information becomes aware that they have lost the control of that personal information and that a significant risk to individuals is present. This provision would be similar to those that came into effect in November of 2018 in Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and would require notifying the Information and Privacy Commissioner of BC, the affected individuals, and for the organization to keep a record of the breach.

Another major change that BC FIPA would like to see to the Act is the introduction of monetary fines to be used at the discretion of the Information and Privacy Commissioner of B.C. As private organizations move towards a business model that monetizes the collection and use of personal information, significant deterrents for breaches and misuse need to be introduced in order to protect the privacy of British Columbians.

“As we look to other international models, such as the powers ascribed to the Information Commissioner’s Office in the United Kingdom under the European Union’s General Data Protection Regulations, we see the use of fines as being an effective tool in regulating how organizations are using personal information,” says Jason Woywada. “If British Columbia wants to continue being a leader in Canada when it comes to privacy protection, we will need to see a move in this direction.”

Contact: Jason Woywada, Executive Director, BC Freedom of Information and Privacy Association

Email: Jason (at) fipa.bc.ca

Phone: 604-739-9788

-30-

Welcoming Jason Woywada as FIPA’s new Executive Director

Vancouver, February 12, 2020 – The beginning of BC FIPA’s fourth decade is an exciting time for the organization as we welcome Jason Woywada as the new Executive Director. After an extensive search process, the hiring committee was pleased to offer the position to Jason for his unique combination of skills, knowledge, and experience.

“Amongst a strong field of privacy and access professionals, we were very impressed by Jason’s formal communications training, his career in journalism, and his management experience in politics,” says Mike Larsen, FIPA’s President. “These experiences, rounded out by his privacy certifications and graduate studies, make him the ideal candidate.”

Jason began his career as a broadcast journalist in Manitoba during the 1990s. From 1999 to 2014, he worked in a variety of roles at the legislative assembly in Manitoba, including as the Director of Caucus Services for the New Democratic Party for over a decade.  Once in British Columbia, he began work at One Feather as a Deputy Elections Officer expanding his understanding of First Nations communities, their members, and culture.

Most recently, Jason was a Senior Legislative and Policy Analyst within the Office of the Chief Information Officer at the Ministry of Citizens’ Services in BC. This included work on the Annual Report on the Administration of the Freedom of Information and Protection of Privacy Act: 2017/18 & 2018/19, which gave him an inside glimpse into the mechanisms of FOI legislation.

Jason holds certification through the International Association of Privacy Professionals as a Certified Information Privacy Professional Canada (CIPP/C) and a Certified Information Privacy Manager (CIPM). He recently completed a Masters of Business Administration through the Australian Institute of Business.  

“I look forward to advocating for the types of changes that empower BC citizens to have greater access to information and improve their privacy,” says Jason Woywada, BC FIPA’s new Executive Director.

Contact: Jason Woywada, Executive Director

BC Freedom of Information and Privacy Association

Email: Jason (at) fipa.bc.ca

Phone: 604-739-9788

-30-

The Right to Data Portability

This is the second in our series on the privacy promises we can expect from a Liberal minority government.

From Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

In Canada’s Digital Charter, data portability fits within the fourth principle:

‘Transparency, Portability and Interoperability: Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.’

Clear and manageable access

Theoretically, Canadians already have “clear and manageable access” to their personal data.

For federal government institutions, Canadians have a right of access contained within section 12 of the Privacy Act. For private sector businesses, Canadians can submit requests to access personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

In British Columbia, access to personal information held by provincial public bodies is realized through section 5 of the Freedom of Information and Protection of Privacy Act (FIPPA). For private businesses within the province, section 23 of the Personal Information Protection Act (PIPA) gives residents this ability.

In theory, the information rights enshrined within these four Acts already gives Canadians “clear and manageable access to personal data”. What’s new then is the ability to “share or transfer it without undue burden.”

What this means, exactly, is not quite as clear.

Sharing and transferring data without undue burden

In their 2019 election platform, the Liberal Party describes data portability as the ability for people to “take their data from platform to platform” (40).

From this, we might assume that someone would have the right to extract all of their data from a platform like Facebook, Twitter, or Snapchat, and transfer it to a new platform that offers a similar service.

Why would someone want to do this? One reason might be that an alternative service provider offers greater privacy protections, which in turn would create greater competition among monopolistic platforms.

This also gives Canadians the opportunity to make meaningful choices about how they share their personal information with platforms.

International models

In the European Union, Article 20 of the General Data Protection Regulations (GDPR) gives residents a right to data portability. This right allows data subjects to receive personal data about themselves from data controllers and transmit that data to other controllers.

The GDPR also ensures that the data is provided “in a structured, commonly used and machine-readable format” and provides the right to have the personal data transmitted directly from one data controller to another.

A major difference between the European Union’s GDPR and Canada’s PIPEDA is that Canada’s private sector privacy legislation frames privacy as data protection and not as a fundamental human right.

What does a humans rights based approach to privacy look like in legislation? Article 4 of the GDPR lists the fundamental rights the Regulation respects, which include:

“[T]he respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.’

The proposed right to data portability is a significant step towards creating a human rights based approach to privacy in Canada. While it is not as comprehensive as the GDPR, it will give individuals greater autonomy in their ability to control their own personal data.