_1.jpg)
This isn’t completely out of the blue because the Nova Scotia government has been “reviewing” FOIPOP since 2022, but unlike in most provinces it has been “behind the scenes”. Unlike other provinces, which have public consultations, Nova Scotia’s consultation on transparency was behind closed doors.
I wrote to the then Minister of Justice seeking to participate on behalf of the Nova Scotia branch of the Canadian Bar Association’s Privacy And Access Law Section. The CBA was never invited to chat. I wonder who else commented. We were told that the results of this review would be made public, but they never were. All we got was Bill 150, dropped in the legislature on September 26 and passed on October 3. There was no real opportunity given for privacy and access to information experts to appear in committee with their comments.
In this episode, I’m going to do a relatively high-level overview of what’s changing with the new FOIPOP that will come into effect in 2027. There’s some good, some bad and some changes that I’m indifferent to. I hope I can provide a relatively unbiased view of it, given that I do legal work for applicants who are seeking access to records, for public bodies who have to comply with the law and third parties whose records held by public bodies are sometimes the subject of access requests.
There’s a big change to the purposes clause of the law. The original FOIPOP was relatively unique among access to information laws in Canada in that it clearly had as its intent full transparency, accountability and access – as fundamental to how democracy should work.
The purpose clause in the current act includes:
2. The purpose of this Act is …
(b) to provide for the disclosure of all government information with necessary exemptions, that are limited and specific, in order to
(i) facilitate informed public participation in policy formulation,
(ii) ensure fairness in government decision-making,
(iii) permit the airing and reconciliation of divergent views;
That part is gone. Just removed. The leader of the opposition made a motion to have it returned, but the motion was defeated.
That’s too bad. The purpose clause is important in how regulators and courts approach the law, and future governments will be able to say it was removed for a reason and that should influence how it is interpreted. That’s a real step backward.
As I said, the new Act fully repeals and replaces the earlier statute. It restructures the entire Act into clear Parts (e.g., Part I – Freedom of Information; Part II – Protection of Privacy; Part III – Reviews and Appeals; Part IV - Information and Privacy Commissioner), and has a number of standardized definitions for consistent terminology (like “access request,” “correction request,” etc.), and procedural timelines are now measured in business days rather than calendar days. This will draw out access requests. Previously, the public body had thirty days; now it’s thirty business days. That’s thirty five percent longer. Easier on the public body, to be sure, but it will mean it takes longer to get requested information from public bodies.
An important change in the new FOIPOP is that it will include municipalities. The Commissioner's jurisdiction is significantly expanded through the consolidation of provincial and municipal regulation. Specifically, the new Act repeals Part XX of the Municipal Government Act and integrates municipalities and municipal bodies into the general FOIPOP framework. Part XX of the MGA was generally a mirror of FOIPOP, but with some significant differences. Bringing municipalities into FOIPOP means the Commissioner now has explicit and uniform jurisdiction to conduct reviews and investigations involving municipal units. The Review Officer's previous roles in handling appeals related to access and correction requests are maintained, but the new Act formalizes two new categories of complaint investigation called Privacy Reviews. These reviews can be initiated by individuals who believe their personal information was collected, used, or disclosed in contravention of the Act, or proactively by the Commissioner if there are reasonable grounds to suspect a contravention.
One of the most important changes is that the former “review officer” is now the Information and Privacy Commissioner of Nova Scotia, and will be an officer of the Nova Scotia House of Assembly. While still appointed by the Governor-in-Council, this position is much more independent of government than under the present Act. A big miss, at least as far as critics are concerned, is that the Commissioner does not have the ability to issue binding orders on public bodies. That position still just issues recommendations, and it’s up to applicants to go to court to get orders.
The 2027 Act introduces or revises numerous definitions, including “Personal information” which now explicitly includes IP addresses, biometric data, and genetic characteristics, while excluding business contact information.
In the part of the Act related to the right of access to public body records, changes clarify that the right of access extends to records in custody or control of a public body, but not to duplicates or exact copies. It says that part of a record that can be withheld and can be reasonably severed, access must be provided to the remainder of the record.
Not surprisingly, the amendments made earlier this year related to frivolous, vexatious and unduly repetitive requests have been continued in the new FOIPOP. The Commissioner must approve a request from a public body to disregard a request, with defined criteria and 14-business-day timelines for both application and decision. It does provide applicants with a right to appeal to the Supreme Court of Nova Scotia if their request is disregarded.
Almost all the timelines in FOIPOP have been extended. All procedural periods are now in business days (such as giving a public body 30 business days to respond to an access request). It also introduces an explicit suspension of time calculations while fees are being negotiated or reviews are underway (s. 20).
The government gets to set a standard application fee pursuant to the regulations, and also sets service-based fees but exempts requests for one’s own personal information and provides 3 free hours of work time. Public bodies can charge additional fees if the request will take more than three hours. When presented with a fee estimate, applicants may narrow their requests accordingly. Once the request is being processed, a public body can provide a “revised fee estimate” that the applicant can either accept or revise their request. Fee estimates and revised fee estimates can be referred to the Commissioner.
There remains a possibility for fee waivers where disclosure serves a public interest (e.g., environment, public health, or safety), or if the applicant can’t afford to pay the fee.
One thing that is interesting and progressive: The new FOIPOP specifically says that public bodies must provide electronic records in “an electronic form that is capable of re-use”. This is positive. If the record is an Excel spreadsheet, the spreadsheet itself should be provided and not just a photocopy of the spreadsheet. (There are few things as useless and opaque as a print-out of an excel spreadsheet full of formulas.)
There are a number of changes that will restrict public and journalistic access to records. The first is an expansion of the definition of “legal privilege” to specifically include settlement privilege. And at section 86(2), the Information and Privacy Commissioner will not be able to inspect a record that is alleged to be privileged to determine if it actually is privileged. Only the Court can do that, and the process to get there can be set out in the regulations.
The second major restriction on the right to know is essentially excluding any right of access to any record that is defined as an “Executive Council record”, going well beyond what was traditionally “cabinet confidences.” To make it worse, in section 32(2), a head of a public body is prohibited from disclosing Executive Council records. There’s no discretion.
The new Act expands the privacy sections substantially and in a good way, but most of the details will have to wait until we get to see the regulations.
Every public body will have to have a privacy policy and has to publicly disclose its internal privacy-complaint process.
Once the Act comes into effect, every public body will have to carry out a privacy assessment for any new or substantially changed “project, program, system or other activity involving the collection, use or disclosure of personal information”. The details for what must be in a privacy assessment will be determined in regulations.
The new Act defines “Data-linking” programs – where two or more data sets are combined, either temporarily or permanently, and requires them to be carried out only in accordance with the yet to be seen regulations.
There are some tweaks to the rules that permit a public body to collect, use or disclose personal information. These public sector privacy laws are generally not based on consent so these rules set the guardrails for public bodies. There are new rules related to inter-agency data sharing, research, and public-interest exceptions.
There’s a new explicit authorization for disclosure to protect individuals from intimate-partner violence or human trafficking.
The new Act introduces obligations to contain, assess, and notify affected individuals and the Commissioner of privacy breaches that pose a real risk of significant harm — aligning Nova Scotia with federal PIPEDA and other provincial models.
There is a weird new provision in s. 79 that authorizes a public body to go to court if “personal information in the custody or under the control of a public body has been stolen or has been collected by or disclosed to a third party other than as authorized by this Act”. They can get an order to return or destroy the personal information, or any other order the court considers appropriate to protect the personal information.
Individuals still have a right to access their own information, and public bodies have an obligation to retain any information that has been used to make a decision directly affecting an individual for at least one year so the individual can exercise their access right. And also in such circumstances, the public body has to make every reasonable effort to make sure the information is accurate and complete.
While the former Privacy Review Officer Act existed separately, the new Act integrates and strengthens the privacy review powers directly within the consolidated statute, giving the Commissioner an explicit mandate to conduct Privacy Reviews. This authority can be used to investigate complaints that personal information has been improperly collected, used, or disclosed, and allows the Commissioner to proactively initiate an investigation if they have reasonable grounds to believe a contravention has occurred.
Finally, on the privacy side, the new FOIPOP revokes and replaces the Personal Information International Disclosure Protection Act or PIIDPA. That law generally prohibits a public body from allowing personal information to be stored outside of Canada or to be accessed from outside of Canada, subject to some exceptions. Under the new FOIPOP, a public body will only be allowed to store or permit access from outside of Canada in accordance with specific regulations, which we haven’t seen yet.
While the new independent Information and Privacy Commissioner is not granted the ability to issue orders or levy penalties in connection with access, correction or privacy reviews, the Commissioner does have broad powers in connection with carrying out such a review. The Commissioner can summon witnesses and compel records (other than records that are claimed to be privileged). The Commissioner can initiate a privacy review without a complaint or request if the “Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene this Part”.
The Commissioner also has an important role to play in requests that a public body thinks is trivial, frivolous, vexatious or abusive. The public body has to seek the approval of the Commissioner to disregard such requests, which is an important check to prevent the overuse of these new provisions.
Individual complainants, exercising access, correction and privacy rights, still have recourse to the Supreme Court of Nova Scotia. In most cases, that will be following a review by the Information and Privacy Commissioner, but individuals do have the right to skip the Commissioner and go straight to the Supreme Court of Nova Scotia. Once you’re in the Court, it is what’s called a “de novo” proceeding meaning that the Court will determine the matter from the very beginning. And the court can issue binding orders.
So this represents a significant change to the privacy and access to information landscape in Nova Scotia. It repeals the old Freedom of Information and Protection of Privacy Act, the Privacy Review Officer Act, the Personal Information International Disclosure Protection Act and Part XX of the Municipal Government Act, replacing all of them with a new Freedom of Information and Protection of Privacy Act. As I said, it comes into effect in April 2027.
This has been a relatively high-level overview of the new Act. Each time I read it, I find something new. I would encourage folks in Nova Scotia who have an interest in access to information and privacy to review the legislation, and let the government know if it raises any concerns. Though the process to get here has been the opposite of transparent, there is an opportunity before April 2027 to amend it before it comes fully into effect.
