In one of the shortest sittings that I can recall, the Legislature of Nova Scotia has passed the Personal Information International Disclosure Protection Act, also known as Bill 19.

Nova Scotia Legislature - House Business - Status of Bills

Bill No. 19 An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada

Hon. Murray K. Scott Minister of Justice

First Reading June 30, 2006

Second Reading (Second Reading Debates) July 6, 2006

Law Amendments Committee July 10, 2006; July 11, 2006

Committee of the Whole House July 13, 2006

Third Reading July 14, 2006

Royal Assent July 14, 2006

I do not believe it has been proclaimed into force, so stay tuned for that part. (See update below.)

The Personal Information International Disclosure Protection Act is a response to the USA Patriot Act, specifically designed to prevent the export of personal information in the custody or control of public bodies in Nova Scotia to any other country. Though the prohibition is generic, it is clearly meant to prevent personal information from being the subject of a demand under the USA Patriot Act. It is also subject to the individual's consent, meaning that the prohibition does not apply if the individual data subject has identified the information and has specifically consented to the export of his or her information.

The Act is binding on all public bodies, their employees and specifically their service providers.

The Act requires that all public bodies ensure that all personal information in its custody or control is kept in Canada and is accessed only in Canada, unless the head of that public body has determined that storage or access outside of Canada is necessary for the public body's operations. If the head so determines, he or she has to notify the Minister of Justice for the province within ninety days of the end of the year.

The Act also contains a requirement that the Minister of Justice be notified forthwith of any "foreign demand for disclosure" or of any request that may be such a demand. The notice has to include the following:

as known or suspected,

(a) the nature of the foreign demand for disclosure;

(b) who made the foreign demand for disclosure;

(c) when the foreign demand for disclosure was received; and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

It is an offence to disclose any personal information except in compliance with the Act and it contains specific penalties for public bodies, employees and service providers. Public sector employees may be subject to a fine of up to $2000 and imprisonment for six months. Corporate service providers may be subject to a fine of up to $500,000.

Interestingly, the Act grandfathers in contracts already entered into with service providers, but public bodies are expected to use all reasonable efforts to come into compliance with the new disclosure rules as soon as reasonably possible.

Nova Scotia is now the third Canadian province to enact such legislation, after British Columbia and Alberta.

Probably the most unmanageable portion of the Act deals with temporary exports. These are permitted (for example, in an employee's blackberry or on their laptop), but only with the permission of the head of the public body. This will be very difficult to administer because virtually every public sector employee's cell phone, laptop or briefcase contains information that is considered to be "personal information" under the statute. Every public sector employee who goes to a conference with her laptop will need the permission of the minister or university president or crown corporation president. However, given the rash of laptop thefts as of late, it may be a good thing to make public bodies think much more carefully about how information is carried around.

Interestingly, the Act is not an amendment to the Freedom of Information and Protection of Privacy Act which generally governs the collection, use and disclosure of personal information by public bodies. It is a stand-alone statute, unlike the way this was done in Alberta and BC.

For some background, see:

• Nova Scotia introduces amendments to thwart USA Patriot Act
• Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia)
• Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper, and
• Nova Scotia USA Patriot Act response is back on!.

Update (20060717): The Bill has received Royal Assent, but is has not yet been proclaimed into force. (I've added the bold bit in the table above.)

Labels: alberta, bc, laptop, nova scotia, outsourcing, patriot act, piidpa, privacy, public sector