Canada: British Columbia Responds to USA Patriot Act with Tough New Rules on How Service Providers Manage Public Sector Data

In addition to B.C.’s legislative action, recent remarks from Canada’s federal privacy commissioner raise the issue of whether private sector organizations should place restrictions on out-of-country data transfers.

In response to public concerns about threats to privacy arising under the USA Patriot Act, the province of British Columbia has amended its public sector privacy legislation, the Freedom of Information and Protection of Privacy Act (FOIPPA). The amendments, which became law on October 21, 2004, place tough new restrictions on storing, accessing and disclosing of B.C. public sector data by service providers.

The amendments, and related new government policies, will have a significant impact on how service providers store or access personal information in the course of providing services to an estimated 2,000 public sector bodies in British Columbia. These bodies include government ministries, hospitals, boards of health, universities and colleges, school boards, municipal governments and certain Crown corporations and agencies.

While the measures enacted in B.C. apply to public sector data only, both the B.C. and federal privacy commissioners have indicated that privacy protections should be enhanced for transborder data sharing and transfers of personal information held by private sector organizations in Canada.

The new legislative rules make it a provincial offence for services providers to:

• Store, access or disclose personal information of a B.C. public sector body outside of Canada (although there are narrowly defined exceptions);

• Fail to provide notice to the Minister of Management Services of any foreign demand for disclosure of personal information held by the service provider; or

• Discipline, suspend, demote, harass or otherwise disadvantage an employee who, acting in good and on the basis of reasonable belief, complies with the notice obligations or acts to ensure compliance with FOIPPA.

The maximum penalty for non-compliance is a fine of $500,000.

Personal information is defined to mean recorded information about an identifiable individual other than contact information. No distinction is made between the treatment of sensitive and non-sensitive personal information.

In addition to amending FOIPPA, the province has indicated that all service delivery contracts where personal information is involved will be with companies based in Canada and subject to Canadian and B.C. law. It is expected that "companies based in Canada" will be interpreted to include at least some Canadian incorporated affiliates of foreign-based corporations. It is unclear whether 100% of the directors and officers of eligible Canadian corporations will have to be citizens and residents of Canada.

The new rules will apply to all services providers who store or process personal information on behalf of a public sector body in B.C.– and not just those service providers who store or process personal information as the "outsourcer" of public sector services or operations. For example, it may be necessary for the supplier of remote diagnostic computer support services to locate all of its technicians in Canada if they will have access to personal information on a government computer in the course of providing diagnostic services.

Although the amendments to FOIPPA took effect on October 21, the restrictions on data storage, access and disclosures, as well as the notification obligations regarding foreign demands for disclosure, do not apply to contracts with a commitment date earlier than:

• October 12, 2004, in the case of contracts entered into by the government or a ministry; or

• October 21, 2004, in the case of contracts entered into by another public sector body.

The amendments to FOIPPA followed an application to the B.C. Supreme Court by a government employees’ union for a declaration that the contracting out of services involving the provincial medical services plan contravenes applicable legislation, including FOIPPA. The union’s pleadings argue that when the service provider is an American corporation or an affiliate of an American corporation, the USA Patriot Act may be used to require the service provider to disclose to American authorities personal health information about British Columbians held by the service provider. (The oral hearing for the case has not yet been scheduled.)

In response to the legal proceedings, the government undertook an analysis of the related privacy protection issues in British Columbia. Although it concluded that the USA Patriot Act posed only "a minimal and largely theoretical threat," it chose to enact the amendments to FOIPPA described above.

On October 29, 2004, B.C.’s Information and Privacy Commissioner released a 151- page report on the privacy implications of the USA Patriot Act on public sector outsourcing. In his report, and in a related letter to the Minister of Management Services, the commissioner endorsed the amendments to FOIPPA made by the government, but went on to recommend additional amendments to further strengthen privacy protections. The commissioner’s report is also noteworthy in that he placed little weight on the relevance of efficiency or international trade obligations when interpreting the nature of privacy protections required under FOIPPA.

The enactment of amendments to FOIPPA may well be the beginning, rather than the end, of this story. It remains to be seen whether other provinces or the federal government will follow B.C. and make similar amendments to their public sector privacy statutes. Further, and potentially of even greater significance, there is speculation that restrictions on out-of-country data transfers and related privacy safeguards may be extended to personal information under the control of private sector organizations in Canada.

B.C.’s Information and Privacy Commissioner appears to support this idea. His report on public sector outsourcing includes a recommendation that the provincial and federal governments "consider and address" the implications of the USA Patriot Act for the security of personal information in respect of private sector activities.

The Privacy Commissioner of Canada has also made her views known on the obligation of organizations that either transfer personal information offshore or store the data in Canada. The Commissioner’s Web-site states that the legislative review of the Personal Information Protection and Electronic Documents Act in 2006 will be a forum for developing further privacy protection measures related to transborder information-sharing by the private sector.

In written submissions to the B.C. commissioner made during the summer, the federal commissioner wrote that, "at the very least," a company in Canada that outsources information processing to organizations based abroad should notify its customers that the information may be available to the foreign government or its agencies under a lawful order made in that country. In discussing organizations that hold personal information about Canadians in Canada, she also indicated they must take appropriate security measures to prevent the unauthorized disclosure of the personal information, and that this "may mean" employing technical measures to prevent their foreign affiliates from "inappropriately" gaining access to the personal information held in Canada.

Also noteworthy is that the federal commissioner has encouraged individuals to file complaints with her office where they are concerned about their personal information being held in databases outside Canada.

The developments described above have the potential to impact on virtually every large- or medium-sized private sector organization in Canada. Obviously, any service provider who stores, accesses or processes personal information on behalf of any public sector body in Canada will want to immediately consider whether any existing service arrangements are impacted by the amendments to FOIPPA in B.C. As well, these organizations will want to be alert to the possibility of provincial or federal legislative initiatives in other Canadian jurisdictions.

More broadly, any private sector organization in Canada involved in transborder transfers of personal information, whether to a foreign office, to a foreign affiliate or to a foreign service provider, will want to consider the impact of the statements of the federal privacy commissioner described above regarding when it is necessary to provide notice to customers that personal information may be available to the foreign government. Finally, any Canadian business with a foreign affiliate will want to consider whether technical measures exist or should be implemented to prevent the affiliate from "inappropriately" gaining access to the personal information held in Canada.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.