Canada: Mandatory Privacy Breach Reporting And Management Program Requirements Come To B.C.

Big changes are coming to B.C.'s privacy laws. Effective February 1, 2023, new Freedom of Information and Protection of Privacy Act ("FIPPA") sections (36.2 and 36.3) and regulations will come into force. For the first time, a B.C. privacy law will require breach reporting and the implementation of a privacy management program.

Breach Notification

B.C. public bodies will be obligated to notify affected individuals and the Privacy Commissioner if a "privacy breach" occurs which could reasonably be expected to result in significant harm to the affected individual, including identity theft or significant other harm (examples of which are set out in the legislation).¹ A "privacy breach" means the theft or loss, or the collection, use or disclosure that is not authorized by FIPPA, of personal information in the custody or under the control of a public body.

Since personal information in the custody or control of a public body could be handled by third party service providers, we would expect the notification obligations to extend to any applicable privacy breaches involving such service providers. B.C. public bodies will typically have contractual breach reporting obligations on their service providers in standard privacy schedules. However, B.C. public bodies should review their service provider agreements to ensure they are positioned to comply with the new notification requirements in FIPPA.

Privacy Management Programs

B.C. public bodies will also be required to develop a privacy management program in accordance with directions from the Minister responsible for FIPPA, however, no directions have been issued yet.

A privacy management program will typically include:

• a personal information inventory (or data mapping);
• relevant policies (privacy policies addressing the various types of personal information being handled, such as employees and website visitors);
• risk assessment and remediation tools and procedures;
• education and training plans; and
• processes to manage personal information in the hands of service providers.

A privacy management plan should also include an incident response plan which addresses these new breach notification requirements as well as remediation, mitigation, investigation and resolution of incidents. The B.C. Privacy Commissioner has provided guidance for public bodies on how to implement a privacy management program. The B.C. Government also has its own Privacy Management and Accountability Policy, which may be useful guidance for other public bodies.

We will follow developments as they arise on this topic, including the anticipated government directions to come.

Footnote

1. Types of significant harm specified in the legislation include significant: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, negative impact on a credit record, or damage to, or loss of, property.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.