On October 19, 2021, we wrote about the proposed changes to B.C.'s Freedom of Information and Protection of Privacy Act contemplated in Bill 22 – 2021.
Bill 22 – 2021 passed on November 25, 2021, enacting a number of significant changes to the privacy legislation governing public bodies. The Bill remained largely unchanged from earlier versions.
Many of the major changes to B.C.'s Freedom of Information and Protection of Privacy Act came into effect immediately on November 25, 2021, including:
- repeal of data localization requirements, subject to restrictions in pending regulation;
- protection of information that could reasonably be expected to harm the rights of Indigenous peoples; and
- fees for access requests.
The new mandatory breach notification requirements will only come into force by regulation.
On November 26, 2021, the Lieutenant Governor passed an Order in Council setting the fee for access requests at $10.
Mandatory Breach Notification
It remains to be seen what additional parameters may accompany the enactment of the mandatory breach notification requirements.
Presently, the Bill requires the head of a public body to report breaches to both the Office of the Information and Privacy Commissioner and to affected individuals where there is a risk of "significant harm". Significant harm is described as including identity theft or significant bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, negative credit score impact, and damage to or loss of property. Importantly, the head of a public body will not be required to notify an affected individual if notification could be reasonably expected to result in immediate and grave harm to the individual or if it would threaten harm to another individual. Harm can include harm to safety or physical or mental health.
Employers should watch for further detail to be prescribed by regulation.
Data Localization Requirements
Changes to data localization requirements now permit public bodies to disclose and store personal information outside of Canada in accordance with any regulation made by the Minister. At the time of this update, there continues to be no regulations qualifying this change. As such, it remains uncertain what restraints will be imposed by the Minister, if any.
What Does this Mean for Employers?
Employers should revisit their privacy programs and make any necessary updates. Employers should ensure to train employees on the requirements, in particular the mandatory breach notification requirements.
In addition, employers should watch for regulations that should provide greater clarity on the mandatory breach notification requirements and the scope of any restrictions for disclosing and storing personal information outside of Canada.
The amendments provide public bodies with more flexibility in terms of data storage and the use of technological services. However, employers must continue to be vigilant in protecting employee privacy and ensure they have appropriate technological safeguards in place.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.