The B.C. government has opened the "world" of connectivity and communication software tools and applications not previously available to public bodies because they stored or permitted access to personal information outside of Canada.
To assist public bodies coping with certain challenges associated with COVID-19, the B.C. government has issued a ministerial order under the Freedom of Information and Protection of Privacy Act ("FOIPPA"). Under this order, the government is temporarily exempting public bodies from the "in Canada Only" requirements in B.C.'s public-sector privacy legislation. The substantial privacy protection requirements of FOIPPA remain.
Under FOIPPA, personal information in the custody or under the control of a B.C. public body can only be stored in and accessed from within Canada, except in limited circumstances. Effective March 26, 2020, public bodies are permitted to disclose personal information outside of Canada in additional limited circumstances. The disclosure must still be for lawful purposes under FOIPPA.
The COVID-19 pandemic has changed how the public sector is working. Many employees are working remotely, educational institutions are transitioning to online learning, and health care workers are under increased pressure to share information quickly and effectively. In the news release announcing this order, the B.C. government explains that this temporary exemption to the "in Canada Only" requirements is intended to ensure that public sector workers have access to the necessary technological tools to do their jobs, and that those involved in health care are able to share personal information on an urgent basis.
All public bodies are now temporarily permitted to disclose personal information outside of Canada through the use of third-party tools and applications if the following conditions are met:
- the third-party tools or applications are being used to support and maintain the operation of programs or activities of the public body or public bodies;
- the third-party tools or applications support public health recommendations or requirements related to minimizing transmission of COVID-19 (e.g. social distancing, working from home, etc.); and
- any disclosure of personal information is limited to the minimum amount reasonably necessary for the performance of duties by an employee, officer or minister of the public body.
Prior to disclosing personal information through the use of third-party tools and applications, the head of the public body must also be satisfied that:
- the third party application has reasonable security measures to protect against risks such as unauthorized access, collection, use disclosure or disposal; and
- the public body makes all reasonable efforts to remove personal information which is collected, used or disclosed through a third-party application from the third-party application, as soon as is operationally reasonable, and the public body retains and manages the information.
For those public bodies involved in the provision of health care services,1 the disclosure outside of Canada is also conditional on it being necessary for:
- the purposes of communicating with individuals respecting COVID-19,
- the purposes of supporting a public health response to the COVID-19 pandemic, or
- the purposes of coordinating care during the COVID-19 pandemic.
The relaxations are designed to allow public bodies a broader range of options with respect to communication and collaboration platforms, given the unprecedented need to connect in a robust and managed way with individuals such as patients, students, employees and others, in large numbers. The privacy requirements of FOIPPA remain, however, given the standard terms and conditions of service providers, it will be challenging for public bodies to meet two added requirements: (1) removal of personal information from the third party applications as soon as is "operationally reasonable"; and (2) ensuring that the public body retains and manages the information.
These temporary measures will remain in force until June 30, 2020. However, the government may rescind or extend the order if necessary.
Contact any member of Lawson Lundell's Privacy and Data Management Group if you have any questions about this new ministerial order, or how to ensure that your organization remains compliant with Canadian privacy legislation in light of COVID-19.
1 Certain hospitals and auxiliary hospitals, regional hospital districts and regional hospital district boards, provincial mental health facilities, regional health boards, the BC Emergency Health Services, the Ministry of Health, the Ministry of Mental Health and Addictions and the Provincial Health Services Authority.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.