FOIPPA amendments related to cloud computing

In October 2019, the Ministry of Citizens’ Services amended the Freedom of Information and Protection of Privacy Act to enable certain aspects of using Canada-based cloud technology in B.C. These amendments do not authorize public bodies to use all cloud services – just those that store data in Canada and otherwise meet the requirements of the new sections and the rest of the Act. Services also need to meet the organization’s business, security, and system requirements.

About the Amendments

The Freedom of Information and Protection of Privacy Act (FOIPPA) generally requires personal information to be stored and accessed only within Canada, with a few specific exceptions. This limits public bodies from using cloud technology that stores personal information outside Canada unless expressly authorized. There were already provisions in FOIPPA that authorize the disclosure of personal information inside or outside Canada. And in October 2019, government added two more – specifically:

The new section 33.1 (1) (p.1) authorizes public bodies to disclose personal information inside and outside of Canada for temporary processing. This provision sets limits on that disclosure, including:

  • The processing cannot involve intentional access by a human.
  • The processing cannot result in storage of personal information outside of Canada, unless otherwise specified.
  • Where the processing happens outside of Canada, the disclosure must be for the minimum amount of time necessary.

The new section 33.1 (1) (p.2) authorizes public bodies to disclose personal information inside and outside of Canada if the personal information is metadata that is generated by an electronic system and that describes an individual’s interaction with the system. This provision sets limits on that disclosure, including:

  • Where practicable, any identifiable information in the metadata is removed or destroyed.
  • Where the disclosure is to a service provider, there is a contractual prohibition on using or disclosing the information further.

The FOIPPA Policy and Procedures Manual includes guidance on interpreting these new sections.

What this means

These amendments allow the B.C. public sector to use some common tools and technology needed to maintain operations, such as email and software for word processing, presentation, and translation. They also remove a barrier to adopting the next generation of cloud-based or cloud-enabled tools – many of which require the temporary processing of data outside Canada.