The Provincial government has recently confirmed the latest in a series of long-anticipated and significant changes to BC's Freedom of Information and Protection of Privacy Act ("FIPPA"), including:
- Mandatory reporting requirements in the event of privacy breaches.
- A requirement to develop and maintain a "privacy management program".
Privacy Breach Notifications
Public bodies will be required to report any privacy breach that "could reasonably be expected to result in significant harm to the individual". A "privacy breach" is broadly defined. It includes theft, loss, or any other unauthorized collection, use or disclosure of personal information.
Organizations will be expected to assess whether a breach could reasonably result in "significant harm". FIPPA sets out several examples of harm meeting that threshold, including identity theft, physical or financial harm, reputational or relationship damage, and negative impact on credit rating or professional opportunities.
Notification will be required "without unreasonable delay" to any affected individual. The new regulations set out specific requirements for written notification, including descriptions of the breach, any containment steps taken, and steps the individual can take to reduce the risk of harm.
Public bodies will also be required to provide notice to the Office of the Information & Privacy Commissioner. Public bodies should keep in mind that the Privacy Commissioner has broad discretion to conduct its own investigations into privacy compliance.
These updates make BC the latest in a series of Canadian jurisdictions that have made privacy breach reporting mandatory. The upcoming amendments to FIPPA follow the introduction of similar requirements in Alberta, Quebec and under Federal privacy legislation. While each set of laws is unique, previous guidance from those jurisdictions may help public bodies in BC understand the scope of their new obligations.
The Personal Information Protection Act, which applies to BC's private organizations, currently does not have similar requirements. However, the introduction of mandatory breach reporting for private organizations has been formally proposed on several occasions, including as part of the 2021 report of the Special Committee to Review the Personal Information Protection Act.
Privacy Management Program
In addition to the reporting requirements, FIPPA will require all public bodies to develop and maintain a privacy management program. The Minister responsible for the Act may establish specific requirements for privacy management programs, but no directions have been issued to date.
The BC Privacy Commissioner previously provided guidance for public bodies designing a privacy management program, including:
- Maintaining an inventory of personal information held by the organization, and how that information is used and disclosed;
- Establishing necessary policies to address collection of personal information from employees and third parties;
- Conducting risk assessments and establishing security processes;
- Managing external service providers and establishing standards for privacy and information security;
- Designing breach and incident management response programs; and
- Implementing training for employees responsible for privacy management.
Public bodies should take this opportunity to review their current privacy management programs, and be prepared to refresh and update those programs as necessary to meet the new requirements of FIPPA.
We would be pleased to assist with any questions about developing a privacy management program, responding to privacy incidents, or preparing for compliance with these new legislative updates.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.