Changes to FIPPA Data Residency Restrictions
On November 25th, 2021, the Freedom of Information and Protection of Privacy Amendment Act (Bill 22) received royal assent, meaning proposed amendments to British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) were approved. While these amendments help UBC keep pace with new technology and strengthen privacy protections, most processes and policies in place for faculty and staff with regard to privacy and information security remain unchanged.
Of the changes included in Bill 22, the item of primary interest for many in the UBC community is the change to data-residency requirements. Data residency refers to the country where personal information is stored. The FIPPA amendment removed the requirement to maintain data residency in Canada, which will allow UBC to use software tools and services that store data in other countries. However, it is important to note that this is not a “free for all” when it comes to systems used at UBC! FIPPA still requires a Privacy Impact Assessment (PIA) to be conducted for all initiatives involving personal information. If sensitive personal information is involved, UBC will be required to conduct a risk-benefit analysis to assess the risks of storing the information outside of Canada.
How do these changes affect UBC?
The removal of the data residency restrictions in FIPPA will allow UBC to use a wider variety of software tools and services. This will put us on a level playing field with universities in the other provinces.
While this is exciting news, it’s critical to understand that privacy is just as important in British Columbia as it ever was. These changes do not mean that you can use any electronic system or application that you desire moving forward. Any systems and applications that store information outside of Canada must undergo a Privacy Impact Assessment to ensure the data is adequately secured.
Current information is integrated with Campus-Wide Login (CWL) security measures, namely employee lifecycle management and data retention. If, for whatever reason, you or your unit feel that these enterprise systems do not fulfill your particular service needs, and you wish to use an electronic system or application that stores personal information outside of Canada, you cannot proceed with using that system or application until a Privacy Impact Assessment has been performed. This PIA will determine the following:
- Does your initiative involve sensitive personal information?
- Where and how is the sensitive personal information stored?
- What is the impact on the individual(s) if unauthorized collection, use, disclosure, or storage of their sensitive personal information occurs?
- How will you track access to sensitive personal information?
- What controls are in place to prevent unauthorized access to sensitive personal information?
- What is the likelihood that unauthorized collection, use, disclosure, or storage of sensitive personal information will occur?
- What are the privacy risks for disclosure outside of Canada, including potential impacts on individuals, likelihood, and level of privacy risk?
When should a Privacy Impact Assessment be requested?
If you are undertaking an initiative that will handle personal information, it is imperative that you begin the PIA process as soon as possible. When sensitive personal information is stored outside Canada, additional review is required. Once a project is approved to move forward with budget and business requirements, the PIA Request and Self-Assessment process should be initiated (CWL login required).
The PrISM SRS team will work with you to assess the privacy and security risks and recommend practical mitigations to address them. We want your technology-supported initiatives to successfully deploy in a secure and privacy-protective manner, thus enhancing UBC’s reputation as a leader in privacy and security management.
- Watch a recording of the Privacy Matters @ UBC team discussing the Freedom of Information and Protection of Privacy Amendment Act (Bill 22) with the UBC community (CWL login required).
- Learn more about the PIA process and UBC’s risk-based approach
- View the Disclosing Personal Information Outside of Canada Privacy Fact Sheet