Back to Bills

Modern Access and Privacy Law

Full Title:
Freedom of Information and Protection of Privacy Act

Summary#

  • This bill replaces Nova Scotia’s current freedom‑of‑information and privacy law starting April 1, 2027. It sets rules for getting government records and for how public bodies collect, use, and protect your personal information.
  • It keeps a right to access records, adds clearer timelines and fees, requires privacy policies and privacy impact checks, and creates breach‑notice rules.
  • It also creates a provincial “identity services” function to help verify who you are for government services, and keeps most personal data inside Canada.

Key changes

  • Access to records: Anyone can request records from “public bodies” (provincial departments, municipalities, hospitals, universities, school boards, NSCC, and many agencies).
  • Timelines and limits: 30 business days to respond, with one 30‑day extension (more only with the Privacy Commissioner’s approval). Requests that are trivial or abusive can be disregarded with the Commissioner’s approval.
  • Fees: An application fee may apply (not for your own personal information). First 3 hours of search/prep are free; more work can be charged, with fee estimates and possible waivers for hardship or public interest.
  • Privacy rules: Public bodies must have privacy policies, do privacy assessments for new or major changes to programs that use personal data, notify people and the Commissioner of significant breaches, and keep data accurate and secure.
  • Keeping data in Canada: Public bodies generally cannot store or access personal information from outside Canada unless regulations allow it. Older contracts stay under previous rules until they end.
  • More transparency for certain public‑private partnership deals: Executed agreements that shift major risk to a private partner and are designated as P3s must be released, except for trade secrets, sensitive business information, or safety risks.
  • Stronger oversight: The Information and Privacy Commissioner becomes an officer of the Legislature, can review access and privacy matters, and issue recommendations. People can appeal to the Supreme Court.

What it means for you#

  • Residents

    • You can request government records and get a written answer within about a month (longer if extended). You may have to pay an application fee and some processing costs after the first three hours.
    • You can ask to see and correct your own personal information. If a correction is refused, your request will be noted on your file.
    • If a privacy breach puts you at risk of significant harm (like identity theft), you must be notified, unless notice would seriously harm your safety or health.
    • Government must keep your personal information safe, accurate, and in Canada (with limited exceptions set by regulation).

  • Journalists, researchers, and community groups

    • Clearer timelines, fee estimates, and reuse‑friendly electronic formats when possible.
    • Some new limits remain (for example, Cabinet records for 15 years, advice/recommendations, law‑enforcement and commercial confidences, and third‑party privacy).
    • P3 contracts that transfer major risk and are designated must be released with narrow carve‑outs.

  • Public body employees and FOI coordinators

    • Must assist applicants, meet timelines, provide fee estimates, and sever only what is clearly exempt.
    • Need a privacy policy, complaint process, and privacy impact assessments for new or substantially changed programs involving personal data.
    • Must notify the Commissioner and affected people of significant privacy breaches and keep records used to make decisions for at least one year.

  • Businesses and non‑profits working with government

    • Stronger protection for trade secrets and commercial information; mandatory notice and appeal options if disclosure is proposed.
    • For designated P3 agreements, most of the executed contract is releasable, except sensitive items like trade secrets, your detailed financial/business information, or safety‑risk details.

  • Municipalities, hospitals, universities, schools, NSCC

    • Covered as “public bodies.” Must designate a “head,” adopt privacy policies, do privacy assessments, manage access requests, and follow breach‑notice rules.
    • Some closed‑meeting deliberations and draft bylaws/policies can be withheld, with time limits.

  • Victims and safety‑related cases

    • Public bodies may collect or share personal information to reduce the risk of intimate‑partner violence or human trafficking.
    • Heads can disclose information in the public interest to warn about serious risks to health, safety, or the environment.

  • Identity for online and in‑person services

    • A designated provincial identity services provider can verify identity, update identity information, and issue physical or digital credentials under rules set by the Minister.

  • Court options

    • If you disagree with a decision, you can ask the Commissioner to review it or, in some cases, appeal directly to the Supreme Court. After the Commissioner reports, you can appeal if the public body does not follow the recommendations.

  • Timing

    • Law takes effect April 1, 2027. New data‑residency rules apply to contracts committed on or after May 1, 2027. Older contracts stay under the previous rules for their full term.

Expenses#

No publicly available information.

Proponents' View#

  • Modernizes and clarifies access and privacy rules, with firm timelines and clearer steps for both requesters and public bodies.
  • Strengthens privacy: required privacy assessments, breach notifications, and tighter rules on when and how personal data can be collected, used, or shared.
  • Keeps most personal data in Canada, reducing exposure to foreign laws and cyber risks.
  • Improves transparency on major public‑private partnership deals while still protecting trade secrets and public safety.
  • Gives the independent Commissioner stronger tools to review cases, while allowing direct court appeals to resolve disputes.
  • Supports better digital services through a provincial identity system and reusable electronic records.

Opponents' View#

  • Fees and the power to disregard “frivolous or vexatious” requests may deter legitimate access or be used too broadly, even with Commissioner oversight.
  • Many exemptions remain broad (for Cabinet records, advice to government, economic interests, and third‑party business information), which could limit transparency.
  • The Commissioner’s reports are recommendations, not binding orders; requesters may still need to go to court.
  • Data‑residency limits could increase costs or reduce access to modern cloud tools unless regulations allow flexibility.
  • New privacy assessments and policies may add administrative work and slow program changes.
  • A centralized identity service and data‑linking programs, if expanded, could raise concerns about surveillance or misuse without strong safeguards.