Guidance on Disclosures Outside of Canada
Respecting the supplementary assessment required for sensitive personal information disclosed to be stored outside of Canada.
Use this guidance to understand the requirements for storing sensitive personal information outside Canada. This guidance is for ministry and non-ministry public bodies in B.C.
There are privacy impact assessment (PIA) templates available for ministry and non-ministry public bodies. Non-ministry public bodies may choose the format for completing the assessment that is appropriate for their organization.
- Amendments to the Freedom of Information and Protection of Privacy Act (FOIPPA) were enacted November 25, 2021
- The 2021 amendments include updates to FOIPPA’s data-residency provisions, which previously required personal information to be stored and accessed in Canada, except under limited circumstances
- The amendments to FOIPPA’s data-residency provisions enable public bodies to keep pace with new technology and provide the services people expect in a modern age. The amendments also bring B.C. in line with other jurisdictions by removing restrictions that could present barriers to using some digital tools and technologies
- Under the new requirements, public bodies must complete an additional assessment when sensitive personal information is disclosed to be stored outside of Canada
- The assessment will take place in a PIA. Questions to lead you through this assessment are in the general PIA template in Part 4: Disclosures Outside Canada for both ministries and non-ministry public bodies
- You can find more information in the Directions for Completing a PIA
- The assessment will result in a risk-based decision made by the public body on whether to proceed with disclosure that will result in storage of sensitive personal information outside of Canada
Determine When an Assessment is Necessary
You must complete the Assessment for Disclosures Outside Canada in the PIA if your program, project or system involves sensitive personal information disclosed to be stored outside Canada.
The PIA directs you to identify if your initiative involves sensitive personal information. Sensitivity depends on the type of personal information involved, the context and how it is handled.
The next question is concerned with whether you’re disclosing the sensitive personal information to be stored outside of Canada.
If the disclosure results in sensitive personal information being stored outside of Canada, then you’ll need to complete the supplementary assessment in your PIA.
You do not need to complete the assessment if FOIPPA section 33(2)(f) applies. This section authorizes a public body to disclose personal information if the information is made available to the public under an enactment that authorizes or requires the information to be made public. Complete the rest of the PIA, but you can skip Part 4.
Determining if Personal Information is Sensitive
Sensitive personal information is not defined in FOIPPA. Some types of personal information can be considered sensitive because there is a higher risk of harm to individuals if the information is improperly collected, used or disclosed.
Personal information may be considered sensitive depending on:
- The type of information
- The context in which it is collected, used, disclosed or stored
Examples of sensitive personal information may include:
- Personal health information
- Genetic and biometric data
- Personal financial information
- Geolocation data
- Criminal records
This list of examples is not exhaustive because context is a factor in determining whether the personal information is sensitive. For example, a home address may not be considered sensitive on its own. However, in some situations, a home address paired with an individual’s name may be considered sensitive because of the potential negative impact to the individual if the home address is disclosed to the wrong person (e.g., in situations that may impact an individual’s personal safety).
Required security measures can vary based on the sensitivity of the personal information involved. Understanding the sensitivity of the personal information will help inform if the additional assessment is required. It will also help you complete the additional assessment.
Completing the Supplementary Assessment
The assessment for sensitive personal information disclosed to be stored outside of Canada must be completed in a PIA. You’ll need to identify any privacy risks as well as the level of the privacy risks associated with storing sensitive personal information outside Canada.
Summary of Factors for Identifying Privacy Risks
In your assessment, consider the following factors:
- Whether the sensitive personal information is stored by a service provider
- Where and how the sensitive personal information is stored
- The likelihood that unauthorized collection, use, disclosure or storage of sensitive personal information will occur
- The impact to an individual(s) if unauthorized collection, use, disclosure or storage of their sensitive personal information occurs
This is not an exhaustive list. There may be other factors relevant to your assessment that you may need to consider.
Determine if the sensitive personal information is stored by a service provider. This could increase the privacy risk depending on where the service provider’s headquarters are located and what laws apply to them.
For example, a cloud service provider that is based outside of Canada may be subject to laws that require the disclosure of information held by the cloud service provider.
Where and How Information is Stored
Consider where the sensitive personal information is stored. If a service provider is storing the sensitive personal information on the public body’s behalf (e.g. a cloud service provider), you will need to consider where and how that data is stored and if that increases the risk of unauthorized collection, use, disclosure or storage.
When you answer this question, include the location and method of storing the personal information (e.g. location of data: Atlanta, GA, USA). The method of storing personal information would include details about the data storage facility (e.g. in Atlanta, GA, USA: the information is stored in a data storage facility).
The likelihood refers to the probability that an identified privacy risk will happen. The likelihood may be low, medium or high depending on the context and the risk responses in place.
For example, consider a risk of unauthorized access to personal information in a system. If your system does not use role-based access to limit what personal information users can see, the likelihood that a user can access information they don’t need to do their job is high. Technical controls that enforce role-based access will likely decrease the chance that this type of unauthorized access will occur.
To consider impact, think of the harm to individuals if their sensitive personal information is collected, used, disclosed or stored improperly or inappropriately.
When determining impact, consider the sensitivity of the personal information and refer to Determining if Personal Information is Sensitive. For example, the impact to an individual may be high if their sensitive health information or financial information is disclosed to the wrong person because it could result in identity theft or financial loss.
Examples of Privacy Risks
You may use these examples of privacy risks to help identify risks in your program, project or system:
- Your service provider has access to the sensitive personal information on an ongoing basis. This is known as standing access. Standing access increases the risk of an unauthorized disclosure of personal information
- Your cloud platform and/or infrastructure provider is subject to laws that may compel them to disclose the public body’s personal information to another entity without notifying the public body. In this case, the public body may not have an opportunity to contest the disclosure, which may be unauthorized under FOIPPA. Assessing this risk should take into consideration the sensitivity of the information and likelihood of occurrence
This list is not exhaustive.
Privacy Risk Response
For each privacy risk you identify, include a risk response that is proportionate to the level of risk. The higher the risk, the more robust the risk responses should be.
Risk responses can include measures that are contractual, technical, administrative and/or policy-based to manage access to the sensitive personal information. Examples include but are not limited to:
- Contractual: Language in the contract that requires the service provider to maintain access logs to document access to personal information (e.g. refer to the privacy protection schedule for ministries for an example of this)
- Policy: An approval process is followed before personal information is accessed
- Access to sensitive personal information is limited to few individuals
- A single individual cannot access the data alone and authorization from multiple individuals is necessary to gain access
- Access to detailed logs of activity to understand who has accessed personal information
- Encrypt sensitive personal information and consider how encryption keys are managed
- Read-only access for those that don’t need read-write privileges so that information cannot be copied or edited
- Time limited access where access ends automatically after a set period of time. This can help address risks associated with standing access (see Examples of Privacy Risks)
When you take measures to respond to privacy risks, it may be less likely that risks will occur. For example, if you have strong technical controls preventing unauthorized access to sensitive personal information, the likelihood such access will occur may be lowered.
Outcome of the Supplementary Assessment
At this point you’ve identified privacy risks and the level of privacy risk by examining the factors in Completing the Supplementary Assessment.
The outcome of the assessment will be a risk-based decision made by the head of the public body on whether to proceed with the project, taking the following into account:
- Privacy risks
- Level of privacy risk
- Risk responses (e.g., mitigations to the privacy risks)
- Any outstanding risks
The risk-based decision captures the public body’s reasoning for accepting the privacy risks in their project, program or system that discloses sensitive personal information to be stored outside of Canada.
If your public body is a ministry, you must document the decision in the PIA.
If your public body is not a ministry, you may document the decision in the PIA template or in an appropriate format as determined by the head of your public body.