Friday, October 08, 2004

BC amends public sector privacy law to block access to information if services are outsourced

In response to fears about access to information about British Columbians by foreign (read: US) authorities if data processing services are outsourced by the provincial government (see my various blog posts on this controversy), the BC government has introduced Bill 73 in the legislature to amend the Freedom of Information and Protection of Privacy Act to -- they hope -- limit this risk. The bill contains the following provisions:

Protection of personal information

30 A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Storage and access must be in Canada

30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:

(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;

(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act.

Obligation to report foreign demand for disclosure

30.2 (1) In this section:

"foreign demand for disclosure" means a subpoena, warrant, order, demand or request that is

(a) from a foreign court, an agency of a foreign state or another authority outside Canada, and

(b) for the unauthorized disclosure of personal information to which this Act applies;

"unauthorized disclosure of personal information" means disclosure of, production of or the provision of access to personal information to which this Act applies, if that disclosure, production or access is not authorized by this Act.

(2) If a public body, an employee of a public body or an employee or associate of a service provider

(a) receives a foreign demand for disclosure,

(b) receives a request to disclose, produce or provide access to personal information to which this Act applies, if the public body, employee or other person receiving the request

(i) knows that the request is for the purpose of responding to a foreign demand for disclosure, or

(ii) has reason to suspect that it is for such a purpose, or

(c) has reason to suspect that unauthorized disclosure of personal information has occurred in response to a foreign demand for disclosure,

the head of the public body, the employee or other person must immediately notify the minister responsible for this Act.

(3) The notice under subsection (2) must include, as known or suspected,

(a) the nature of the foreign demand for disclosure,

(b) who made the foreign demand for disclosure,

(c) when the foreign demand for disclosure was received, and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

The Canadian Press has an article on these amendments, as well:

B.C. toughens privacy law over fears of info leaks under U.S. anti-terror law:

"VICTORIA (CP) -- The B.C. government introduced amendments to its privacy legislation Thursday designed to allay fears U.S. authorities could get their hands on provincial residents' private records.

Management Services Minister Joyce Murray introduced changes to the Freedom of Information and Protection of Privacy Act that, among other things, restrict storage and access of information outside Canada and threaten heavy fines on those who improperly disclose it.

'Our government takes the issue of privacy protection very seriously and has always been a national leader in privacy protection,' Murray said in a news release.

'British Columbians can be assured that no sensitive personal information will be sent to the U.S. on either a temporary or permanent basis.'"
