As of February 1, 2023, two new sections of British Columbia's Freedom of Information and Protection of Privacy Act (“FIPPA”) and related regulations are in force. All public bodies subject to FIPPA in British Columbia (generally speaking, all government departments and the broader public sector) must now report privacy breaches to the Office of the Information and Privacy Commissioner and must develop a “privacy management program.”
What is a Privacy Breach?
A privacy breach is defined by FIPPA as the “theft, loss, or unauthorized collection, use, or disclosure” of personal information under the control of public authorities. Reporting requirements are triggered when a breach is “reasonably expected to result in significant harm to an individual.” Significant harm includes identity theft, serious physical harm, humiliation, damage to reputation or relationships, loss of employment, business opportunities, financial loss, impact on credit rating, or loss of property.
Except in certain circumstances, affected individuals must be notified “without undue delay.” The new rules set out specific requirements for written notification, including a description of the breach, containment steps taken, and steps individuals can take to reduce the risk of harm.
Public authorities must also notify the Office of the Information and Privacy Commissioner. Public authorities should be aware that the Privacy Commissioner has broad discretion to conduct independent investigations into privacy compliance.
These amendments are consistent with mandatory breach reporting requirements in other Canadian jurisdictions, including under the federal Personal Information Protection and Electronic Documents Act.
B.C.'s Personal Information Protection Act (“PIPA”) remains the only private sector law in Canada without a mandatory reporting requirement. However, it is expected that the law will be amended to introduce similar requirements.
Privacy management program
In addition to the reporting requirements, FIPPA requires all public institutions to develop privacy management programs as directed by the Minister. The Minister has issued mandatory directions regarding the development of a privacy management program.
The program components should include:
- Appoint a point of contact (Privacy Officer) for FIPPA compliance to handle questions and concerns and to support program development and maintenance.
- Implement processes for completing and documenting privacy impact assessments and information sharing agreements.
- Implement a documented process for responding to privacy complaints and violations.
- Conduct privacy awareness and educational activities.
- Publish policies and processes to employees or the public.
- Ensure that service providers are aware of their obligations.
- Implement a process to monitor the program and update as needed.
The Department of Civil Services has also published a guidance document for public bodies. The BC Privacy Commissioner has issued updated guidance on responsible privacy management for the public sector.
Public authorities in British Columbia should immediately review their current privacy management programs and, where necessary, update those programs to prepare to meet the new requirements. FIPPA organizations acting as service providers to public authorities should also consider and prepare for the impact of these changes.