Changes to FIPPA Data Residency Restrictions

Last updated: September 19, 2024
Aerial view of Double-Headed Serpent Post - Brent Sparrow Jr., Musqueam - UBC Vancouver Campus

On November 25th, 2021, the Freedom of Information and Protection of Privacy Amendment Act (Bill 22) received royal assent, meaning proposed amendments to British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) were approved. While these amendments help UBC keep pace with new technology, and strengthen privacy protections, most processes and policies in place for faculty and staff with regards to privacy and information security remain unchanged.

From the list of changes included in Bill 22, the item of primary interest for many in the UBC community is the changes to data-residency requirements. Data residency refers to the country where personal information is stored. The FIPPA amendment removed the requirement to maintain data residency in Canada, which allows UBC to use software tools and services that store data in other countries. However, it is important to note that it is not now a “free for all” when it comes to systems used at UBC! FIPPA still requires a Privacy Impact Assessment (PIA) to be conducted for all initiatives involving personal information. If sensitive personal information is involved, UBC is required to conduct a risk-benefit analysis to assess the risks of storing the information outside of Canada.

How Do These Changes Affect UBC?

The removal of the data residency restrictions in FIPPA allows UBC to use a wider variety of software tools and services. This puts us on a level playing field with universities in other provinces.

While this is exciting news, it’s critical to understand that privacy is just as important in British Columbia as ever. These changes do not mean that you can use any electronic system or application that you desire moving forward.  Any systems and applications that store information outside of Canada must undergo a Privacy Impact Assessment to ensure the data is adequately secured.

Current information is integrated with Campus-Wide Login (CWL) security measures, namely employee lifecycle management and data retention. Suppose for whatever reason you and/or your unit feel that these enterprise systems do not fulfill your particular service needs, and you desire to use a certain electronic system or application that stores personal information outside of Canada. In that case, you cannot proceed with using that system or application until a Privacy Impact Assessment has been performed.

Why a Privacy Impact Assessment (PIA) is Still Needed 

The PIA Helps to Determine:

  • Does your initiative involve sensitive personal information?
  • Where and how is the sensitive personal information stored?
  • What is the impact to an individual(s) if the unauthorized collection, use, disclosure, or storage of their sensitive personal information occurs?
  • How will you track access to sensitive personal information?
  • What controls are in place to prevent unauthorized access to sensitive personal information?
  • What is the likelihood that unauthorized collection, use, disclosure, or storage of sensitive personal information will occur?

  • What are the privacy risks for disclosure outside of Canada, including potential impacts on individuals, likelihood, and level of privacy risk?

     

Beaty Biodiversity Museum

When Should a Privacy Impact Assessment be Requested?

If you are undergoing an initiative that will handle personal information, it is imperative that you begin the PIA process as soon as possible. When sensitive personal information is stored outside Canada additional review is required. Once a project is approved to move forward with budget and business requirements, the PIA Request and Self-Assessment process should be initiated (CWL login required).

The PrISM SRS team will work with you to assess the privacy and security risks and recommend practical mitigations to address them. We want your technology-supported initiatives to successfully deploy in a secure and privacy-protective manner, thus enhancing UBC’s reputation as a leader in privacy and security management.

Go Further...

Privacy Matters @ UBC

Safety & Risk Services | 2389 Health Sciences Mall
University Counsel | 6328 Memorial Road,
UBC Cybersecurity | 6356 Agricultural Road
E-mail privacy.matters@ubc.ca

UBC Crest The official logo of the University of British Columbia. Urgent Message An exclamation mark in a speech bubble. Caret An arrowhead indicating direction. Arrow An arrow indicating direction. Arrow in Circle An arrow indicating direction. Arrow in Circle An arrow indicating direction. Chats Two speech clouds. Facebook The logo for the Facebook social media service. Information The letter 'i' in a circle. Instagram The logo for the Instagram social media service. Linkedin The logo for the LinkedIn social media service. Location Pin A map location pin. Mail An envelope. Menu Three horizontal lines indicating a menu. Minus A minus sign. Telephone An antique telephone. Plus A plus symbol indicating more or the ability to add. Search A magnifying glass. Twitter The logo for the Twitter social media service. Youtube The logo for the YouTube video sharing service. Bell Warning