In November 2021, the British Columbia legislature enacted a series of amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) that are arguably the most significant changes to the province’s public sector privacy statute in almost two decades.
Most of those changes (a summary of which can be found here) came into effect immediately, and many public sector organizations have spent the last year adjusting policies and processes to ensure compliance with these new requirements.
However, two significant changes to the legislation did not immediately come into force:
- Amendments making privacy breach reporting a mandatory requirement for public sector organizations in British Columbia; and
- A requirement that every public body have in place a privacy management program.
On November 28, 2022, the legislature, by Order in Council, determined that these final amendments will come into force on February 1, 2023.
Privacy Breach Reporting
Many public sector organizations already voluntarily, and as a matter of best practice, report and provide notice of significant privacy breaches. As of February 1, 2023, organizations subject to FIPPA will join other organizations elsewhere in Canada already subject to mandatory legislated privacy breach reporting requirements.
Under this new provision, an obligation to report a privacy breach is triggered when a breach has the potential to cause significant harm due to the risk of identity theft or other harms, including significant bodily harm, humiliation, reputational harms, harm to relationships, loss of employment or professional opportunities, financial loss, negative impact on credit record, and damage to or loss of property.
A privacy breach is defined as arising any time a public body experiences the theft or loss of personal information or there is a collection, use or disclosure of personal information within the custody or control of a public body that is not authorized by FIPPA.
Under the new regulations, notices to affected individuals must include specific details of the breach, including:
- Name of the public body;
- The date the breach was discovered;
- A description of the breach, including the date on which it occurred and a description of the nature of the personal information involved in the breach;
- Confirmation that the Information and Privacy Commissioner has or will be notified;
- A contact person who can answer questions about the breach;
- A description of the steps taken to reduce the risk of harm to affected individuals; and
- A description of the steps affected individuals could take to reduce the risk of harm.
There is an express requirement that affected individuals are to be directly notified of a breach. However, the regulations make allowances for circumstances in which indirect notification can be given, such as by public communications.
Public bodies that are subject to FIPPA are encouraged to start developing and incorporating privacy breach protocols into their policies and procedures now to ensure compliance with these requirements come February 2023. Non-compliance can give rise to complaints and investigations by the Office of the Information and Privacy Commissioner. Having a privacy breach procedure, including appropriate reporting and notification protocols, is one of the most effective tools for reducing the cost, liability and reputational harms that commonly arise from breach incidents.
Privacy Management Program
On February 1, 2023, new requirements that public bodies have a “privacy management program” in place will also come into effect.
The Ministry of Citizens’ Services has issued directions setting out the required components of a privacy management program, which are as follows:
- The designation of an individual at the public body to act as its privacy officer, with responsibility for the organization’s FIPPA compliance, being a point of contact for privacy-related matters, and supporting the development, implementation and maintenance of privacy policies and procedures;
- A process for completing and documenting privacy impact assessments and information sharing agreements;
- A process for responding to privacy complaints and privacy breaches;
- Education and training to support privacy awareness among employees of the public body;
- Making privacy policies and documented privacy processes and practices available to employees and, where practicable, the public;
- Having methods and procedures in place to ensure service providers are aware of their privacy obligations (e.g. awareness activities, use of privacy schedules and contractual terms that address privacy obligations); and
- Regularly monitoring the privacy management program and updating it, as required, so that it remains appropriate and continues to ensure compliance with FIPPA.
The above requirements have long been regarded as best practices in the development of a responsible privacy management program. Indeed, many public sector organizations governed by FIPPA may find that their policies, procedures and operations already meet these requirements. However, the enactment of a formal requirement in FIPPA to have a privacy management program in place makes it necessary for all public bodies that are subject to FIPPA to review, assess and, where applicable, supplement their existing practices, protocols and procedures.