By Esther Shainblum and Martin U. Wissmath

Helpful Guidelines on Security for Personal Information from B.C. Privacy Commissioner

Any security assessment for disclosing personal information outside of Canada must include an assessment of the legal framework for the jurisdiction where that personal information would be disclosed, according to British Columbia’s Office of the Information & Privacy Commissioner (“BC IPC”). A guidance published by the BC IPC in March 2022, entitled “Reasonable security measures for personal information disclosures outside of Canada” (the “Guidance”), offers useful direction to organizations, including charities and not-for-profit organizations anywhere in Canada, with regard to the factors they should take into account when considering the disclosure of personal information outside of the country.

Although it is directed to public bodies in British Columbia that are governed by BC’s Freedom of Information and Protection of Privacy Act (BC FIPPA) and is intended to help them interpret the requirement to implement “reasonable security measures” to protect personal information against risks such as unauthorized collection, use, disclosure or disposal when disclosing personal information outside of Canada, the Guidance provides good advice that can be extrapolated to other sectors and other types of organizations.

Because Canadian laws do not apply once personal information leaves the country, and because, according to the BC IPC, contractual or technical protections may not be enough to protect the information, the BC IPC advises public bodies to conduct comprehensive privacy impact assessments before making the decision to proceed with disclosure. This recommendation is included as a requirement under Regulation 294/2021, enacted pursuant to BC FIPPA.

Noting that the disclosure of personal information outside of Canada requires a very high level of rigour, the Guidance advises that public bodies should have administrative, technical or contractual controls in place and should be prepared to demonstrate reasonable security controls in line with industry standards such as ISO 27002, ISO 27017 or the NIST Cybersecurity Framework. This recommendation is aligned with the privacy best practices set out in Schedule 1 to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Another factor that must be taken into account is the legal framework of the jurisdiction to which the personal information will be disclosed. The Guidance notes that the requirement for “reasonable security measures” is unlikely to be met when personal information is being disclosed to an authoritarian regime that “does not respect the rule of law, has no privacy laws, or those laws are inadequate.” Any jurisdiction lacking constitutional individual freedoms, due process and responsible government, would not likely allow for “reasonable security measures” to be put in place, especially if it would have “the power to compel information without a warrant”.

Other factors to assess, depending on circumstances, include:

• the sensitivity of the personal information in question (e.g., personal health information is much more sensitive than contact information);
• the volume of the personal information in question;
• the foreseeability of an unauthorized collection, use, disclosure, or storage of personal information;
• the impact to individuals of an unauthorized collection, use, disclosure, or storage of their personal information;
• whether a reasonable alternative is available within Canada.

Even if all the factors indicate that disclosure to the foreign jurisdiction would be reasonable, the public body must still implement reasonable administrative and technical measures to protect the information.

The Guidance notes that disclosure of personal information will “always involve risks that no administrative, technical or contractual controls can eliminate.” The Guidance advises that disclosure of personal information outside of Canada should only be undertaken after a careful assessment, where the risks involved are objectively assessed and reasonable and with reasonable measures in place to “adequately mitigate those risks.”

It should be noted that neither the Guidance nor BC FIPPA include a definition of “disclosure”. It is not clear whether the term would include a “transfer” for processing of personal information under PIPEDA, which is not considered to be a disclosure. However, all the factors set out in the Guidance would apply equally to actual disclosures as well as to transfers for processing and should be adhered to by charities and not-for-profits considering taking either step.

​Read the April 2022 Charity & NFP Law Update