If any refrain captures this moment in history, it is this: stay at home. So there is a certain paradox with the order issued by BC’s Minister of Citizens’ Services on March 17, 2020, allowing British Columbians’ personal information, including our personal health information, to be shared and stored away from our Canadian home for the first time in 15 years. Much like us, our personal information is safest at home, and we argue that it is essential for the data residency requirement to be reinstated immediately after the urgent COVID-19 threat has passed.

As quickly as COVID-19 has spread, so have the risks to our personal privacy. On May 1, Alberta launched a contact tracing app, ABTraceTogether, and New Brunswick has a similar app in the works. Neither Ontario nor BC has taken decisions with respect to contact tracing at this time. However, the use of third-party communication tools like Zoom, unknown to many of us two months ago, has become ubiquitous among the national public sector and the public-at-large alike.

To facilitate the use of these technologies, the BC Government has taken the exceptional step of suspending the prohibition on BC’s public bodies’ disclosure and storage of our personal information outside of Canada except for limited purposes. The Order effectively allows the use of collaboration software that may host information outside of Canada for healthcare purposes (and to provide online education) in a way that would not otherwise be allowed.

The minister stated that the purpose of these amendments is to enable “the broader use of communications tools for healthcare workers and other public-sector staff who are responding to the COVID-19 state of emergency” and to support “the people working on the front lines to protect the health and safety of British Columbians by ensuring they have access to vital software and technology.” In other words, by lifting our data residency requirements, public sector staff can adopt technologies before they are adapted to meet BC’s requirements for domestic servers.

Undoubtedly, this will include technologies that record and make use of our personal health information. This information is among the most intimate data the government collects. It includes not only information about our physical and mental health, but also information about demographics, finances, lifestyle choices and social circumstances.  Unwanted disclosure of that information can result in loss of employment, insurance or housing, on top of insult to dignity and stigmatization. Patients may be less likely to divulge sensitive information if they are concerned about its disclosure, which in turn poses a risk to their personal health and, in some instances, public health outcomes.

Secondary data based on our personal health information poses particular concern.  Our personal information is increasingly merged into massive data banks. Cutting-edge analytics can be applied to uncover patterns of relationships in the data, which are then recorded and become new personal information. The individual to whom the information pertains is unaware the information exists at all, and has no opportunity to correct it if it is incorrect or incomplete. When corporations make decisions based on that information, there is significant risk of inequitable and oppressive impacts to the individual and society.

For example, a person could be denied insurance benefits based on a pattern distilled from multiple data sources (electronic medical charts, social media, and others) that suggests the person consumes alcohol regularly, and is therefore an alcoholic. That information may or may not be correct, but the individual cannot correct the data-derived profile when he is unaware of its existence.

That is why data residency still matters. When our data is stored at home, our privacy laws ensure governments and organizations collect only information directly from the individuals to whom they relate, collect and use the information only for their intended purpose, and allow people to see and correct inaccurate information. Once our information flows beyond our borders, it does not necessarily enjoy the same protections. The United States, for example, has no overarching privacy statute like we enjoy at both the federal and provincial levels. Without territorial jurisdiction, our privacy laws cannot regulate the use of the data and seek to find the right balance between public and private interests.

The minister’s order may be renewed when it expires on June 30, 2020, and the pressure to renew it may be high. BC’s data residency requirements are virtually unique; only Nova Scotia has a similar requirement. There are undoubtedly very sound reasons to allow health officials to use new technologies to respond to the COVID-19 pandemic, even at the cost of sharing our personal information beyond Canadian borders. A time-limited relaxation allows public bodies to rapidly adopt new technologies when they cannot be adapted to our data residency requirements fast enough to meet the bodies’ emergent needs. Healthcare providers who grow accustomed to using certain technologies in fulfilling their roles may come to rely on them, making it harder to justify a return to the status quo after the pandemic eases.

However, accepting the inevitable erosions to our rights in times of emergency should not mean that we must accept these risks on a permanent basis. The justification for ensuring that our personal information generally, and our health information specifically, should remain in Canada has not been displaced by the pandemic.

The spread of COVID-19 illustrates what can happen to our data in an increasingly globalized landscape. The greater integration and interdependence of our world has accelerated the spread of infectious diseases and allowed COVID-19 to spread around the world with unprecedented speed. To slow the spread, we are all required to stay home. The same integration and interdependence of global technology can also allow our personal health information, including derived information, to spread quickly and in a manner that prevents us from controlling it.

At home, we have come to expect that our personal information will be protected by some of the world’s strongest privacy protections. Once the data crosses international borders, we lose that control. If we want our personal information to stay safe, it, too, must stay at home.

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of any organizations, agencies or clients with which the authors are affiliated.

This article is part of The Coronavirus Pandemic: Canada’s Response special feature.

Murray Rankin
Murray Rankin is associate counsel to Arvay Finlay LLP, which he rejoined last year after serving as member of Parliament for Victoria. He also currently serves as chair of the National Security and Intelligence Review Agency (NSIRA).
Kate Phipps
Kate Phipps is an associate at Arvay Finlay LLP in Vancouver. Always concerned with fairness and citizen-focused governance, she represents and advises clients on matters including privacy and administrative law.

You are welcome to republish this Policy Options article online or in print periodicals, under a Creative Commons/No Derivatives licence.
