Landing : Athabascau University

BT Week 3 - Privacy

Bozena Tkaczyk
By Bozena Tkaczyk in the group COMP 607: Fall 2015 cohort October 21, 2015 - 12:41am

British Columbia has had the Freedom of Information and Protection of Privacy Act (FOIPPA) since 1993. FOIPPA regulates the collection, use and disclosure of personal information by public bodies in the province.

Two years ago, I moved from Edmonton, Alberta to Victoria, BC. It was not surprising to find out that BC treats information privacy matters differently than Alberta, but it was very surprising to see and then experience the implications of it. As an Enterprise Architect, I am always researching and looking for new, innovative, cost-efficient ways to support the business with the best technology. Coming from Edmonton (where I worked for the local government for over 13 years), I was very familiar with cloud services such as SaaS, IaaS or PaaS and could not understand why the BC government was not taking advantage of cloud technology that had already been proven for at least 5 years.

Seeking the answer as to why the cloud is not here, I found out that public bodies in British Columbia are subject to restrictions on the storage of, and access to, personal information from outside Canada. These restrictions, which are set out in FOIPPA, require all personal information in a public body's custody or under its control to be stored only in Canada and accessed only in Canada, with a few narrowly defined exceptions (Section 30.1 of FOIPPA):

“Storage and access must be in Canada

30.1  A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:

(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;

(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;

(c) if it was disclosed under section 33.1 (1) (i.1).”

Recently the BC Government, trying to ‘move to the cloud’, started to recognize that Section 30.1 has bigger implications than were anticipated when the act was created. Unfortunately, most of the most suitable cloud services are provided by vendors from outside Canada. I think it will be very interesting to watch how the problem will be handled and what is going to happen in this space.

Another interesting aspect is the different approach to the Privacy Impact Assessment (PIA), which, in my opinion, has become a critical tool in privacy management.

What is a PIA? It is a formal assessment of the privacy implications of a given project, initiative, or collection of records, usually measured against applicable legislation or policy.

The PIA process requires a thorough analysis of the potential impacts on privacy and consideration of measures to mitigate or eliminate those impacts. A privacy impact assessment is a due diligence exercise in which the organization identifies and addresses the privacy risks that may arise in the course of its operations.

Some facts:

British Columbia - PIAs are mandatory under FOIPPA (for public bodies), but not under the Personal Information Protection Act (PIPA), which applies to the private sector

“A Privacy Impact Assessment (PIA) is a foundation tool/process designed to ensure compliance with government’s privacy protection responsibilities. In accordance with section 69(5) of FOIPPA, ministries must complete a PIA using the PIA form.”

“The PIA can make the difference between a privacy invasive and a privacy enhancing initiative, without compromising business objectives or adding significant costs. The PIA process is also designed as an educational tool, since participation in privacy impact assessments promotes privacy awareness. It is important that a PIA be completed during the early developmental stages of any program, system or other initiative as a component of the project/business plan.”

Alberta - PIAs are not mandatory under the FOIP Act or PIPA, but are mandatory under the Health Information Act (HIA)

“The FOIP Act provides the authority for the Information and Privacy Commissioner to comment on the implications for freedom of information or for protection of privacy of proposed legislative schemes or programs of public bodies. Privacy impact assessments are not mandatory under the FOIP Act, but are recommended for major projects that involve the collection, use or disclosure of personal information.”