Mar 7, 2023
New Mandatory Breach Requirements in British Columbia’s Public Sector
By Roland Hung
On November 25, 2021, the Freedom of Information and Protection of Privacy Amendment Act, 2021 (“Bill 22”) was given Royal Assent. Bill 22 attempts to modernize and strengthen British Columbia’s public sector privacy statute, the Freedom of Information and Protection of Privacy Act (“FIPPA”), by, amongst other things, implementing mandatory privacy-breach reporting for public bodies. Bill 22 made significant amendments to FIPPA, including requirements for privacy management programs, modifications to the data residency requirements, and mandatory privacy breach notification obligations. The requirements related to privacy management programs and the mandatory privacy breach notification obligations came into force on February 1, 2023.
Given the amendments to FIPPA, now may be a good time for public bodies, especially those in British Columbia, to review their privacy management programs and implement or update policies and procedures around breach detection and notification.
Summary of Changes
Privacy management programs
Effective February 1, 2023, the head of each public body is required to develop a privacy management program (“PMP”) that includes a set of policies, procedures and tools that sufficiently protect personal information. The PMP must comply with the directions of the Minister of Citizens’ Services of BC, who is responsible for FIPPA.
The Minister of Citizens’ Services of BC issued a Privacy Management Program Direction, which provides guidance for public bodies to develop an effective PMP. The key points from the Direction include:
Designating a Privacy Contact Person: The head of a public body should designate an individual or individuals to be the privacy contact(s), who would be responsible for (a) being a point of contact for privacy-related matters; (b) supporting the development, implementation, and maintenance of privacy policies and/or procedures; and (c) supporting the public body’s compliance with FIPPA.
Privacy Impact Assessment and Information-Sharing Agreements: A public body has to develop a process for completing and documenting privacy impact assessments.
Privacy Complaints and Privacy Breaches: A public body has to develop a documented process for responding to privacy complaints and privacy breaches.
Privacy Awareness and Education Activities: A public body has to promote and encourage privacy awareness and education activities among employees to ensure they are aware of their privacy obligations. The activities should be tailored to meet the volume and sensitivity of personal information in the custody of the public body.
Making Privacy Practices and Policies Available: A public body should provide employees access to documented privacy processes or practices, as well as privacy policies.
Informing Service Providers of Privacy Obligations: A public body should inform service providers of their privacy obligations.
Monitoring and Updating: A public body should develop a process for regularly monitoring and updating the privacy management program to ensure it remains appropriate to the public body’s activities.
Since personal information in the care of public bodies can have varying degrees of sensitivity, the guidance set out above will need to be adapted by each public body, taking into consideration its own unique circumstances.
Mandatory Privacy Breach Notification
Similar to the mandatory breach requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the new mandatory breach requirements under FIPPA require the head of a public body to notify BC’s Information and Privacy Commissioner of any “privacy breach” that could reasonably result in a “real risk of significant harm” to an individual, “without unreasonable delay”. Further, public bodies are required to directly notify individuals who may reasonably face a “real risk of significant harm” from the breach, without unreasonable delay following the breach. This notification must be given in the manner prescribed under the regulations so that the individual understands how the breach may affect them and what steps they can take to reduce or mitigate the risk.
Since the mandatory breach requirements are imposed on the head of the public body, the head of the public body must be informed of privacy breaches. Therefore, FIPPA places the onus on those who know of a privacy breach to notify the head of the public body immediately. Failure to comply with this mandatory notification requirement is an offence punishable on conviction by fines of up to $50,000 for individuals and $500,000 for corporations.
Tips for Protecting Personal Information
Here are some guidelines that public bodies should adopt to protect personal information and limit privacy liability:
Develop a breach protocol that is amended periodically to account for improvements in technology.
Incorporate a notification procedure in the breach protocol to report breaches to the applicable privacy regulator.
Ensure that all contracts with third parties include provisions that require the third-party contractor to immediately inform the organization of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or anonymize all personal information once it is no longer needed or no longer legally required to be retained.
Undertake employee training initiatives to ensure familiarity and compliance with all policies and practices.
For public bodies seeking to develop policies and procedures, the following guidelines may be helpful:
Build a security program that protects the confidentiality, integrity and availability of all information, not just personal information.
Develop classification standards to easily identify personal information.
Ensure that proper security controls are in place and conduct risk assessments of all personal information.
For more information about the application of new updates in the privacy program and privacy breach notification obligations, please contact Roland Hung from Torkin Manes’ Technology, Privacy & Data Management Group.
The author would like to acknowledge Torkin Manes Articling Student, Claire Wang, for her contribution to drafting this article.