Amendments to British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) taking effect on February 1, 2023, will impose more stringent privacy requirements on provincial public bodies, such as hospitals, municipalities and crown corporations, and numerous agencies, boards and commissions.
By way of background, FIPPA regulates, among other things, how public bodies in British Columbia collect, use and disclose personal information. This legislation does not currently require public bodies to (1) notify the Office of the Information and Privacy Commissioner (OIPC) and affected individuals in the event of a “privacy breach”, or (2) have a privacy management program. Bill 22 – 2021: Freedom of Information and Protection of Privacy Amendment Act, 2021 (Bill 22) will introduce each of these requirements into FIPPA when in force.
Privacy Breach Notifications
Bill 22 sets out the circumstances in which a public body must, without unreasonable delay, notify an affected individual of a “privacy breach”. These circumstances are those in which the breach could reasonably be expected to result in significant harm to the individual, including:
- bodily harm;
- humiliation;
- damage to reputation or relationships;
- loss of employment, business or professional opportunities;
- financial loss;
- negative impact on a credit record; or
- damage to, or loss of, property.
The public body must also notify the OIPC if the privacy breach could reasonably be expected to result in one of the above circumstances. The public body is not required to notify an affected individual of a breach if notification could reasonably be expected to result in immediate harm to the individual’s safety or physical or mental health, or to threaten another individual’s safety or physical or mental health.
Privacy Management Program
When enacted, Section 36.2 of FIPPA will require that “[the] head of a public body must develop a privacy management program for the public body and must do so in accordance with the directions of the minister responsible for this Act.”
To this end, the British Columbia Minister of Citizens’ Services recently issued Direction 02/2022, Privacy Management Program Direction (the Direction). Intended to provide public bodies with a scalable framework, the Direction sets out seven key components that must be included in a privacy management program:
- the designation of an individual responsible for being a point of contact for privacy matters, supporting the development, implementation and maintenance of privacy policies and/or procedures, and supporting the body’s compliance with FIPPA (commonly referred to as a Privacy Officer);
- a process for completing and documenting privacy impact assessments as required, and information-sharing agreements as appropriate under FIPPA;
- a documented process for responding to privacy complaints and breaches;
- privacy awareness and education activities to ensure employees are aware of their privacy obligations, which (a) may be scaled to meet the volume and sensitivity of personal information in the custody or control of the public body, and (b) should be undertaken at timely and reasonable intervals;
- privacy policies and written privacy processes or practices available to employees and, where practicable, to the public;
- method(s) to ensure that service providers are informed of their privacy obligations (e.g., awareness activities, contractual terms that address privacy obligations); and
- a process for regularly monitoring the privacy management program and updating as required, to ensure it remains (a) appropriate to the public body’s activities, and (b) compliant with FIPPA.
The OIPC has also issued guidance regarding privacy management programs…