Alex Dow | Dec 4, 2019 | 3 min read

Cloudy with a Chance of Progress: FIPPA Amended for BC’s Public Sector   

Royal Assent of Bill 35 on October 31st, 2019 means greater potential for cloud solutions within British Columbia’s public bodies.  

British Columbia upholds some of the nation’s most rigid privacy legislation in the form of the Freedom of Information and Protection of Privacy Act, otherwise known as FIPPA/FOIPPA. Citizens of BC can rest assured that, under FIPPA, public bodies within the province are held accountable for the collection, storage, use, and disclosure of their personally identifiable information.  

Among its provisions, FIPPA clearly defines data sovereignty requirements for the personal data of all British Columbian residents. In order to mitigate the risk of foreign law enforcement agencies compelling service providers to divulge the personal information of BC residents, FIPPA mandates that personal data must reside within data centers operated within Canada. 

However, FIPPA’s stringent rules are not without their challenges. The data sovereignty language found within FIPPA was penned before the advent of cloud computing, which has created a nearly insurmountable roadblock for public bodies within BC who wish to leverage cloud solutions that are hosted outside of the country. 

That is, until now.  

HOW HAS FIPPA CHANGED? 

Bill 35, introduced by the provincial government of British Columbia on October 7th, 2019, proposed amendments to Section 33 of FIPPA to allow for processing of personal information outside of Canada, given specific criteria.

As per Section 33, personal information may be disclosed outside of Canada: 

(p.2) if the information is metadata that 

(i) is generated by an electronic system, and 

(ii) describes an individual's interaction with the electronic system, 

and if, 

(iii) if practicable, personal information in individually identifiable form has been removed from the metadata or destroyed, and 

(iv) in the case of disclosure to a service provider, the public body has prohibited any subsequent use or disclosure of personal information in individually identifiable form without the express authorization of the public body;

Bill 35 received Royal Assent on October 31st, 2019, enforcing the recommended amendments for all public bodies. 

WHAT IS A PUBLIC BODY? 

There are over 2,900 public bodies within British Columbia. These include, but are not limited to:

  • Provincial government ministries  

  • Provincial agencies  

  • Crown corporations  

  • Municipalities  

  • Schools  

  • Hospitals 

  • Police forces 

WHAT IS PERSONAL INFORMATION? 

Personally Identifiable Information (PII) encompasses all recorded information about an identifiable individual. This can include, but is not limited to: 

  • Age 

  • Sex 

  • Race 

  • Religion 

  • Sexual orientation 

  • Disability 

  • Blood Type 

FIPPA applies to PII that is “in the custody or under control of” a public body.  

HOW ARE CUSTODY AND CONTROL DEFINED? 

Unfortunately, within the context of FIPPA, they’re not. These two terms, and the determination of which party has either, depend on circumstance and situational context. 

To illustrate an example of custody and control, imagine a teacher who has returned to work from a conference. If the teacher sends an email to a friend detailing their experience at the conference through their personal email account, there is little chance that the email would be interpreted as “in the custody or under control of” the school by which they are employed. However, if the teacher were to send the same email to a colleague using their professional email account, there is a high chance that the contents of the email would be considered within the scope of FIPPA.     

WILL PUBLIC BODIES BE ABLE TO LEVERAGE CLOUD SaaS PRODUCTS NOW?  

Well, maybe. Like most legislation, FIPPA is highly open to interpretation.

The new provisions within FIPPA allow for PII to reside in foreign systems in the form of system-generated metadata, and only if the metadata refers to an interaction that a user has with the system itself. While this likely means that a customer relationship management (CRM) tool that stores and analyzes PII won’t be able to fully migrate to the cloud, a next-generation anti-malware solution that includes a cloud-hosted management console may receive the green light from previously hesitant privacy managers.

The privacy floodgates have not opened fully, but FIPPA’s new amendments may represent a balance between confidentiality and functionality that has been long requested by organizations across the province. Given proper justification, new opportunities for cloud solutions may be on the horizon for British Columbia’s public sector.   

CONCLUSION 

Public bodies within BC may now have the ability to take advantage of the cost savings and functionality that cloud computing offers. In order to do so, public bodies must ensure that PII is restricted to system-generated metadata, and that metadata handled by cloud service providers is appropriately restricted from subsequent use and disclosure.
