In November 2021, the British Columbia legislature enacted a series of amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) that are arguably the most significant changes to the province’s public sector privacy statute in almost two decades.
Most of those changes (a summary of which can be found here) came into effect immediately, and many public sector organizations have spent the last year adjusting policies and processes to ensure compliance with these new requirements.
However, two significant changes to the legislation did not immediately come into force:
On November 28, 2022, the legislature, by Order in Council, determined that these final amendments will come into force on February 1, 2023.
Privacy Breach Reporting
Many public sector organizations already voluntarily, and as a matter of best practice, report and provide notice of significant privacy breaches. As of February 1, 2023, organizations subject to FIPPA will join other organizations elsewhere in Canada already subject to mandatory legislated privacy breach reporting requirements.
Under this new provision, an obligation to report a privacy breach is triggered when a breach has the potential to cause significant harm due to the risk of identity theft or other harms, including significant bodily harm, humiliation, reputational harms, harm to relationships, loss of employment or professional opportunities, financial loss, negative impact on credit record, and damage to or loss of property.
A privacy breach is defined as arising any time a public body experiences the theft or loss of personal information or there is a collection, use or disclosure of personal information within the custody or control of a public body that is not authorized by FIPPA.
Under the new regulations, notices to affected individuals must include specific details of the breach, including:
There is an express requirement that affected individuals are to be directly notified of a breach. However, the regulations make allowances for circumstances in which indirect notification can be given, such as by public communications.
Public bodies that are subject to FIPPA are encouraged to start developing and incorporating privacy breach protocols into their policies and procedures now to ensure compliance with these requirements come February 2023. Non-compliance can give rise to complaints and investigations by the Office of the Information and Privacy Commissioner. Having a privacy breach procedure, including appropriate reporting and notification protocols, is one of the most effective tools for reducing the cost, liability and reputational harm that commonly arise from breach incidents.
Privacy Management Program
On February 1, 2023, new requirements that public bodies have a “privacy management program” in place will also come into effect.
The Ministry of Citizens’ Services has issued directions setting out the required components of a privacy management program, which are as follows:
The above requirements have long been regarded as best practices in the development of a responsible privacy management program. Indeed, many public sector organizations governed by FIPPA may find that their policies, procedures and operations already meet these requirements. However, the enactment of a formal requirement in FIPPA to have a privacy management program in place makes it necessary for all public bodies that are subject to FIPPA to review, assess and, where applicable, supplement their existing practices, protocols and procedures.
If you have questions about this article, please contact Suzanne Kennedy or Michela Fiorido.