2004 Amendments to the BC Privacy Act
In 2004 the British Columbia Freedom of Information and Protection of Privacy Act was amended in response to the USA Patriot Act. One of the key amendments prohibits the storage of personal information outside of Canada (unless certain criteria are met). The legislation states:
30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
(c) if it was disclosed under section 33.1 (1) (i.1).
The Impact of the Privacy Amendments
Unfortunately, prohibiting the storage of personal information outside of Canada adversely impacts the ability of the BC public sector to:
- Drive down the costs of IT through the economies of cloud computing offered by top tier public cloud service providers such as Windows Azure. Windows Azure, and other major cloud service providers, do not have data centers in Canada.
- More rapidly improve collaboration and learning using 3rd party web-based services (social media, collaboration, video, etc) that store data outside of Canada. This hits home in a big way for the education sector.
BC and Nova Scotia are the only provinces that prohibit the storage of public sector personal information outside of Canada. All other provinces will allow data to be stored outside of Canada; with the proper safeguards of course.
Patriot Act Risks: Perceived or Real?
In 2004 the state of the cloud computing service provider industry was far less mature. SLAs and data center certifications were either lacking or insufficient to provide the necessary safeguards required to store public sector personal information. I can understand such cloud computing shortcomings in 2004 driving legislation prohibiting data storage outside of Canada.
Enacting the prohibition in response to the Patriot Act seems short sighted or a knee jerk reaction when you consider that Canada has very similar legislation and there is a high level of cooperation between Canada and the United States via mutual legal assistance treaties. Meaning, personal information can be obtained by Canadian or American governments without your knowledge even if the data is stored in Canada. Much of research I’ve done around the Patriot Act suggests that Patriot Act risks to personal information are more perceived than real. Almost all the conversations I’ve had with people knowledgeable about the Patriot Act and it’s relevancy to Canada suggest that Patriot Act risks are more perceived than real.
If there is general consensus that the Patriot Act poses less of a risk to personal information than was originally perceived, should BC privacy legislation be amended to allow the storage of personal information outside of Canada like the majority of provinces? Or, are the other provinces (except for Nova Scotia) being too risky permitting personal information to be stored outside of Canada?
Public Sector Personal Information Risks
You’re only as strong as the weakest link, as the cliché goes. Is the Patriot Act the weakest link when ranking the risks to public sector personal information? It would seem not. There are much more significant risks such as poor password policies, data seepage (via USB drives and online storage services like Dropbox), etc. Examples include:
- When passwords attack: the problem with aggressive password policies
- Never mind the Patriot Act, watch your thumb drives
- USB drives missing with Canadian voter data
- Survey: Nearly Half of Employees Who Know Their Employer Bans File Sharing Services for Work Use Them Anyway
Of course, that’s not to suggest that assessing and reacting to the true risks of the Patriot Act are trivial and should be ignored. But, the arrival of the Patriot Act has caused a big stir and created a high profile public concern that is giving the impression that the Patriot Acts risks to personal information outweigh other risks that are more significant and prevalent. It would be interesting to see a quantification of the Patriot Act risks compared to the other personal information risks that abound in most organizations.
Compared to others the extent of my research in assessing the Patriot Act risks to personal information has been brief and cursory. Some of the resources I found useful in understanding the Patriot Act in relation to the BC Privacy Act include:
- A well written document by Kris Klein from the Law Office of Kris Klein (on behalf of Salesforce.com) that makes a strong case against the prohibition of transborder data storage: Submission to the Special Committee to Review The Freedom Of Information And Protection Of Privacy Act … Transborder Data Flows And Their Regulation
- Applying Canadian Privacy Law to Transborder Flows of Personal Information from Canada to the United States: A Clarification
- Canadian Privacy Blog. Do a search for “Patriot Act”; lots of information from a privacy lawyer’s perspective.
- Cloud Computing and Privacy FAQ
- Privacy and Cloud-Based Education Technology in British Columbia