‘The biggest change in 20+ years’: UBC privacy team discusses new data residency laws

Privacy policy shapes the infrastructure of modern life — from whether you consent to let a website use your data, to how quickly hospitals can diagnose and treat patients.

On January 28, a team of information security professionals with Privacy Matters @ UBC held a webinar to explain what they describe as “the biggest change [in data privacy] in 20+ years” — the 2021 amendments to the BC Freedom of Information and Protection of Privacy Act (FIPPA).

“The title is not meant to be clickbait. It is a big deal,” said UBC cybersecurity expert Trevor Carpenter. “The reason we brought everyone together today … is really to have a conversation.”

The dialogue primarily focused on data residency: where your data lives and how the laws of the nation where your information is stored or processed influence your privacy.

Data residency

Up until November 2021, FIPPA mandated that public institutions, including UBC, store all Canadian personal data within the country "except under limited circumstances." Most cloud-based services store data on international (usually American) servers.

This created a bias towards the use of lesser-known Canada-based platforms. According to UBC information and privacy legal counsel Paul Hancock, this caused UBC to be “uniquely hobbled” compared to international institutions.

“The fact that we had to find solutions that were in Canada and could only be accessed from within Canada had a very significant impact on our ability to do our jobs,” said Hancock.

He explained that this required “dozens” of exceptions to be developed, to the point where the data residency restriction was like a “Swiss cheese full of loopholes.”

With the recent FIPPA amendment removing data residency restrictions, Privacy Impact Assessments — systematic reviews required for initiatives involving personal information — are now offered more flexibility in the consideration of out-of-country applications, explained Hancock in a written statement to The Ubyssey. Per FIPPA, public bodies like UBC are also required to submit a supplementary assessment that summarizes the potential risks and safeguards required in the use of an application based on international servers.

According to the Privacy Matters @ UBC website, the changes to FIPPA will "help UBC keep pace with new technology, and strengthen privacy protections" without altering most processes pertaining to privacy and information security.

Beyond UBC

FIPPA is province-wide legislation, and the data residency amendments will have broad impacts on everyday activities — some innocuous, some life-and-death.

“One of the biggest proponents for this change has been our health authorities,” said UBC Chief Information Officer Jennifer Burns. Since many medical diagnostic tools use servers based in the US, Canadian public hospitals can struggle to send patient scans and store personal information at other medical centres for expert diagnoses. This makes the health care system more complex and expensive, according to Burns.

“Tools we need to manage our own health and diagnostics were not available to us,” said Burns.

The amendments also mandate that institutions let people know if their privacy has been compromised. While UBC already had policies that notified people about privacy breaches as a “matter of courtesy,” according to Hancock, that was not required for public institutions. A mandated 10 dollar fee for freedom of information requests — which was reduced from the initially discussed 25 dollar fee — was also enacted.

In 2020, when services rapidly moved online due to COVID-19, Canadian cloud-based platforms struggled to keep up. The BC government responded with an order to relax data residency restrictions. Although the 2021 amendments to FIPPA are big, most shifts will be gradual.

“Fifteen years ago … the internet was not the all-pervasive force that it is now,” said Hancock. Now, BC is left to gradually adjust to the new amendments to FIPPA and its impacts on privacy governance.

“This is a very significant change from a privacy perspective,” said Hancock.