As of February 1, 2023, two new sections of the British Columbia Freedom of Information and Protection of Privacy Act (“FIPPA”) and associated regulations are in force. All public bodies governed by FIPPA in the province of British Columbia (generally speaking all government ministries and the broader public sector) are now required to report privacy breaches to individuals and the Office of the Information and Privacy Commissioner and develop a “privacy management program”.
What is a privacy breach?
A privacy breach is defined as the “theft or loss, or the collection, use or disclosure that is not authorized” by FIPPA of personal information that is in the custody or control of the public body. The reporting requirements are triggered when a breach “could reasonably be expected to result in significant harm to the individual”. This includes identity theft, significant bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, credit rating impact or loss of property.
Notification will be required “without unreasonable delay” to any affected individual except in prescribed circumstances. The new regulations set out specific requirements for written notification, including a description of the breach, any containment steps taken, and steps the individual can take to reduce the risk of harm.
Public bodies will also be required to provide notice to the Office of the Information & Privacy Commissioner. Public bodies should keep in mind that the Privacy Commissioner has broad discretion to conduct its own investigations into privacy compliance.
These amendments align with mandatory breach reporting requirements in other jurisdictions in Canada, including the federal Personal Information Protection and Electronic Documents Act.
The B.C. Personal Information Protection Act (“PIPA”) remains the only private sector legislation in Canada without mandatory breach reporting obligations. However, we anticipate the Act will be amended to introduce similar requirements.
Privacy management program
In addition to reporting requirements, FIPPA will require all public bodies to develop a privacy management program in accordance with the directions of the Minister. The Minister has issued mandatory directions on development of a privacy management program.
The components of a program must include:
- appointing a point of contact (privacy officer) who will handle questions or concerns, support the development and maintenance of the program and compliance with FIPPA;
- implementing a process for completing and documenting privacy impact assessments and information sharing agreements;
- implementing a documented process for responding to privacy complaints and breaches;
- implementing privacy awareness and education activities;
- making policies and processes available to employees or the public;
- ensuring service providers are aware of their obligations; and
- implementing a process for monitoring the program and updating it as required.
The Ministry of Citizens’ Services has also issued a guidance document for public bodies. The BC Privacy Commissioner has issued updated guidance for Accountable Privacy Management for the public sector.
Public bodies in British Columbia should immediately review their current privacy management programs, and be prepared to refresh and update those programs as necessary to meet the new requirements of FIPPA. Organizations that act as service providers to public bodies should also consider and be prepared for the impact of these changes.
For further information on the changes to FIPPA and the associated regulations please contact any member of our Canadian Data Protection and Privacy group.