BA - Which competent authority groups require an ISA in order to obtain information

[mstanton1]

Under Bill 20 some verbiage specifically requires an information sharing agreement (ISA) in order for the competent authority to view data. Review is needed to identify:

• The different competent authority groups
• How legislation reads for each group
• How legislation is interpreted in each case - i.e. some say we need an ISA, or legislative authority or other....so would we consider that group to actually need an ISA or does something else in legislation provide them authority

*It would be valuable to pull the competent authorities noted from Bill 20 and perhaps create this in a spreadsheet

[mstanton1]

Information previously gathered by @Apt766525

@mstanton1

• Technically the groups related to the above Act are not competent authorities as legislate, but they do have similar authority.
• The purposes for their search of the RTR and the information provided to them is less than what a competent authority would get, but more than what the public sees.
• These groups would require regulations to inform what information they can receive and why, and they would be subject to an ISA to receive that information.

On the form, there is a “Other” option to gain access to the RTR. These groups would be required to provide either their authority under section 399.5 or 399.51. They would also have to have regulations made for them (399.5) and an ISA before they can access the RTR (399.5 and 399.51).

---

Discussion from the meeting with Policy:

1. Under 399.5 there has to be an information sharing agreement in place and this would allow a subset of information for this group, or could determine they need all of the information. Policy is looking into what these groups might need to determine what we need to have built.
2. Registries flagging concern for cost and timelines with additional requests. If prescribed classes require search use of competent authority search would be significantly easier with preventing another build.
3. Not seen as crucial by policy but updates will be provided.

---

@mstanton1 Circled back with Policy on the above clarifications: Requirement of ISA: ISAs are only required for the two provisions listed above and under section 399.51 which contemplates sharing information with other corporate registrars. Competent authorities are not required to enter into ISAs.

Form Identification: The specific spots or sections where the ISA needs to be indicated is a business decision on the part of the Registries, but it can be noted perhaps in brackets. On the form there is reference to the competent authority sections, and then the option for “Other”. It can be noted here. Suggestion from Policy: For example the form can state “Other (Please note an Information Sharing Agreement may be required) – Applicable Section:…)” Or the Registries may wish to place this in another spot.

Access to unknown groups and timeline: The groups that require ISAs, and to be added by way of regulation, will not be known until they reach out to request access. Once they reach out, Policy would determine whether they qualify for access and what kind of information can/should access. Once policy team has completed the analysis they would move to the regulation drafting process. Regulations can take as little as 3 months to develop, but usually take about 4 – 6 months to complete. It is important to note that regulations can be made to take effect either on deposit or they can be made to go in effect at any time AFTER they are deposited. So, if we were to have a regulation approved by Cabinet today, and deposited tomorrow, it is possible to not have that regulation come into force until 2 weeks, 3 months or 1 year after the date of deposit. Regulations such as this would be worked on collaboratively with CITZ to ensure that they are put into force at a time when Registries can provide the service.

[Apt766525]

@mstanton1 Have created a spreadsheet with the list of all competent authorities with the BILL 20 legislation readings that require ISA. Please let me know if any changes or there is additional information to be recorded. Thanks https://docs.google.com/spreadsheets/d/1eGGOgpvleRO7x2mYtho6wEbThNq35LM3/edit?usp=drive_link&ouid=100179527247507750986&rtpof=true&sd=true

[mstanton1]

@Apt766525 I've reviewed and found this really easy to understand. It would be worthwhile to share with Policy the summary sheet here so they can add any input they have. Would you please add reviewing this to the next UX/UI meeting agenda? At that time I want to also make sure we focus in on the Note. The note identifies the groups with ISAs are not truly competent authorities so the information provided to them is less than what a competent authority would get but more than what the public would get. Having a secondary level of access was flagged as a concern to Finance earlier as it means creating more than one competent authority type in the system and creates a great deal of additional dev work. We should clarify that legislation does not require we set up another type and instead we can either give the full or public access.

[Apt766525]

@mstanton1 Sure have sent the spreadsheet to policy for review and noted that down for next weeks agenda.

[Apt766525]

@mstanton1 Have updated the spreadsheet as per policies advice as "corporate registrar" is included in the competent authority section and not under the section 5 PCMLTFA entities. The policy reason for writing the legislation this way was to “future” proof the RTR for any possible requests for information from any person or entity. The persons or entities referred to in the above noted sections are not necessarily law enforcement, taxing authorities or regulators, so they do not meet the requirements to be competent authorities.

These persons or entities will not necessarily need all the information in the registry either and the policy rational for that is to ensure that information is kept confidential when necessary. For example, not all persons or entities referred to in those sections will require a SIN and as you know this is a highly sensitive piece of information. It is important that we not share information that is not directly relevant to the work of those requesting it.

Currently, policy does not contemplate access to RTR information for any section 5 PCMLTFA entities. However, one of these entity types could reach out and request access to some RTR information that is not public information. If the Ministry of Finance completes analysis of the request and determines it is appropriate for the entity to have access to additional non-public RTR information for particular purposes, then an OIC package may get developed (could take 3-6 months for regulation work to complete) and a new regulation would then come into effect that prescribes the particular entity/person access to a particular set of RTR information for particular purposes. BC Registry would then need to enter into an ISA with the entity/person and ensure the system is capable of providing the entity/person the required RTR information.

Policy does not see an immediate need for the system to provide tailored access to RTR information for a distinct entity/person, but at anytime this could change if the Ministry of Finance is approached with a request for such access. Analysis would occur, OIC package would be developed and completed, ISA would be entered into between the entity and BC Registry, and then the system would need to provide for the required access to RTR information for that entity. BC Registry and the Ministry of Finance would need to work together to ensure the BC Business Registry system was ready for this new form of information access when required.

[mstanton1]

@mstanton1 to raise RAID ticket for the risk of future development (ongoing development) and complexity that this would introduce.

[mstanton1]

RAID #477 created. To be discussed with Sal.