As of February 1, 2023, public bodies in British Columbia (B.C.)
will be required to report privacy breaches and have privacy
management programs. The two provisions are the last to come into
force from amendments made to B.C.'s Freedom of
Information and Protection of Privacy Act in November
2021.
Mandatory breach reporting brings B.C.'s public sector in
line with similar requirements under the federal Personal
Information Protection and Electronic Documents Act and
provincial acts in Alberta and Quebec. B.C.'s private sector
has no breach-reporting requirement.
MANDATORY BREACH REPORTING
Public bodies that experience a privacy breach that could reasonably be expected to result in significant harm, including identity theft, will be required through new regulations to notify both the B.C. Privacy Commissioner and the affected individuals. The notifications must be made without delay and should include the following:
- The name of the public body
- The date the public body learned of the breach
-
A description of the breach, including, if known:
- The date or period during which the breach occurred
- A description of the personal information involved in the breach
- The estimated number of individuals affected
- Contact information for a person who can answer questions about the breach on behalf of the public body
- A description of steps the public body has taken or will take to reduce the risk of harm to affected individuals
Notifications to the affected individuals must include information similar to that above, plus:
- Confirmation that the B.C. Privacy Commissioner has been or will be notified
- A description of steps that affected individuals can take to reduce their risk of harm
PRIVACY MANAGEMENT PROGRAMS
Privacy management programs will ensure public bodies are
accountable and transparent with respect to management of personal
information. The programs should be commensurate with the volume
and sensitivity of personal information under a public body's
control.
A
direction detailing the expected content of privacy
management programs has been issued by the B.C. Minister of
Citizen's Services and includes:
- The designation of a privacy officer
- A process for completing and documenting privacy impact assessment and information-sharing agreements
- A process for responding to privacy complaints and privacy breaches
- Privacy awareness and education for employees
- Privacy policies
- Methods to ensure that third-party service providers are informed of their privacy obligations
- A process for regularly monitoring and updating the privacy management program
Public bodies can look to the Office of the Information and Privacy Commissioner for B.C.'s guidance document, the Accountable Privacy Management in BC's Public Sector and the B.C. government's Privacy Management and Accountability Policy for further guidance in setting up a privacy management program.
For permission to reprint articles, please contact the bulletin@blakes.com Marketing Department.
© 2025 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.