BC’s Data Sovereignty Rules Relaxed: Practical Implications of COVID-19 Order
By a Ministerial Order (the “Order”), the Province of British Columbia has relaxed the general rule that personal information in the custody or control of a public body in B.C. must not be accessed from or stored outside of Canada (subject to limited exceptions).
As public bodies and their service providers know, “British Columbia has the strictest privacy and data-residency laws in Canada” (as put by the news release for the Order on BC Gov News accompanying the Order (“Release”)).
So what are the practical implications for public bodies generally?
1. Options for Online Communications Tools Expand
The Order targets “communication and collaboration software”, which could include teleconference tools (Zoom, Microsoft Teams, Cisco WebEx, etc.) and other collaboration and communications tools (Slack, WhatsApp, Asana, etc.).
“The order also enables B.C. schools and post-secondary institutions to provide online learning for students who have been displaced due to the need for physical distancing.” This could cover a range of e-learning technologies beyond teleconferencing, such as Google Classroom or Blackboard Learn.
The Order is not limited to communications tools, so public bodies may be creative in using new tools to facilitate social distancing and work from home.
2. The Disclosure Must be Limited to the Scope of the Order
Public bodies must meet conditions to rely on the Order, including limiting disclosure of personal information “to the minimum amount reasonably necessary for the performance of duties by an employee, officer or minister of the public body”. Below are some questions to answer before using the Order to adopt non-sovereign tools.
- Canadian Options – Are equivalent Canadian-sovereign tools available? If not, an otherwise FIPPA-compliant non-sovereign tool may be necessary.
- Purpose – Is the storage outside of Canada necessary to support public health recommendations or requirements, such as social distancing, and for the operation of the public body? “Nice-to-haves” are likely not necessary, but tools that allow public bodies to maintain everyday operations likely are necessary.
- Security – Does the tool otherwise comply with FIPPA? Most importantly, does it adequately protect the security of personal information? A tool does not comply with FIPPA if it has inadequate security safeguards. The determination of adequacy needs to consider guidance issued by the Office of the Information and Privacy Commissioner for British Columbia (“OIPC”), including requirements regarding encryption, governance, identity and access management, infrastructure security, and contractual provisions. If there is a Canadian-sovereign tool but it is not adequately secure, a secure non-sovereign tool may be necessary (and, practically, more protective of privacy).
- Work Arounds – Is there a way to use the tool without storing personal information outside of Canada? For example, if a call recording feature would store personal information outside of Canada, can it be disabled?
- Pricing – Are the pricing and terms for the Canadian-sovereign tool reasonable? The OIPC has not previously indicated that price would be a factor in considering necessity under FIPPA, but it plays into the practical reality. If a Canadian-sovereign tool is dramatically more expensive than a non-sovereign tool to the point where a public body’s budget would not permit use of the Canadian-sovereign tool, it may be necessary for a public body to use the non-sovereign tool.
3. The Floodgates are Not Open
Disclosure must “support public health recommendations or requirements related to minimizing transmission of COVID-19 (e.g. social distancing, working from home, etc.).” Public bodies cannot use the Order to use non-sovereign tools for other purposes. Moreover, public bodies should be prepared to only use non-sovereign tools until the expiry date of June 30.
4. The Order Expires on June 30, 2020
The Order has a short timeline and could even be rescinded earlier, so below are some considerations to deal with that timeline.
- Public bodies need to purchase tools on a short-term basis. This is a challenge because suppliers often want multi-year contracts, particularly if public bodies expect competitive pricing. If public bodies cannot get short-term agreements or adequate termination rights, they may need to stop using tools while still paying for them.
- Public bodies will need to make reasonable efforts to return the personal information to Canada as soon as operationally reasonable, so public bodies may need to negotiate special contractual provisions with the supplier of the tool.
- Public bodies may consider getting suppliers to develop a version of their tool that meets the Canadian-sovereign requirement. This may be difficult on short timelines, but it is worth exploring.
5. Other Considerations
- Public bodies should stay transparent, including by updating their privacy notices to reflect their use of non-sovereign tools.
- The OIPC has yet to publicly state if his office will be providing guidance on how the Order will apply. Public bodies should check the Commissioner’s website regularly for updates.
Our Cybersecurity, Privacy & Data Management and Technology team has unparalleled experience in navigating the FIPPA challenges posed in technology procurement. If you want assistance in taking advantage of the Order to put compliant tools in place, please contact the authors of this post for assistance.
 The basis for the Order is Section 33.1(3) of FIPPA, which states that “[t]he minister responsible for this Act may, by order, allow disclosure outside Canada under a provision of section 33.2 in specific cases or specified circumstances, subject to any restrictions or conditions that the minister considers advisable.”
 The Order creates exceptions for public bodies generally and for health care bodies (“health care bodies” are a subset of “public bodies” as both terms are defined in FIPPA). This post is focused on public bodies generally.
 We use “non-sovereign tools” to refer to third-party tools that store personal information outside of Canada and “Canadian-sovereign tools” to refer to third-party tools that store personal information inside of Canada, except in accordance with the limited exceptions that exist under FIPPA without the Order.
 Section 30 of FIPPA.