BC FIPPA’s Mandatory Privacy Breach Notification and Privacy Management Program Obligations start February 1, 2023
Just over a year ago, the Government of British Columbia introduced Bill 22 to amend the Freedom of Information and Protection of Privacy Act (“FIPPA”). More details are in our previous blog post summarizing the most significant changes to FIPPA. Bill 22 deferred details on two changes: mandatory privacy breach notification obligations and the requirement that public bodies have a privacy management program (“PMP”). Those obligations are now set to come into effect on February 1, 2023, and the Government of British Columbia has provided the details in two documents:
- Amendments to the Freedom of Information and Protection of Privacy Regulation (the “Regulation”), released on November 28, 2022, which elaborates on public bodies’ new mandatory privacy breach notification obligations under section 36.3 of FIPPA; and
- The Privacy Management Program Direction (the “Direction”), released on December 2, 2022, which clarifies public bodies’ obligation to develop a PMP under section 36.2 of FIPPA.
Mandatory Breach Notification
Under section 36.3 of FIPPA, public bodies are required to notify affected individuals and the Office of the Information and Privacy Commissioner for British Columbia (the “Commissioner”), without unreasonable delay, if they experience a privacy breach that could reasonably be expected to result in significant harm to affected individuals. The Regulation now sets out what must be included in those notices.
Specifically, the Regulation now details what information a public body must include when it notifies affected individuals of a privacy breach, such as a description of the privacy breach, the personal information affected and how the individual can reduce the risk of harm from the privacy breach. It also sets out what must be in the notice to the Commissioner, such as a description of the breach that includes the relevant dates, the personal information affected and the number of affected individuals.
For those familiar with mandatory breach notification requirements under other regimes, such as under the federal private sector legislation called the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the notification content requirements under FIPPA are similar. There are, however, some notable features of the FIPPA breach notification regime:
- Section 36.3(4) expressly permits the Commissioner to notify affected individuals, presumably where the public body has failed to do so. This may present challenges, such as how the Commissioner will obtain their contact information;
- The public body is only required to notify the Commissioner and affected individuals. Under PIPEDA, the responsible organization must also notify any third party that can reduce the risk of harm or mitigate the harm;
- As discussed in our previous post, public bodies do not have an express right to delay notice if providing notice could compromise a criminal investigation. However, the public body only needs to provide notice “without unreasonable delay”. A delay to avoid compromising a criminal investigation is likely reasonable. Similarly, delaying notice while containing an on-going cybersecurity incident may also be reasonable, particularly because failing to do so could expose affected individuals to greater harm or expose other individuals to harm; and
- The notice trigger is that there must be a “privacy breach [that] could reasonably be expected to result in significant harm to the individual” versus PIPEDA’s “real risk of significant harm”. Whether these wording differences will result in a higher or lower standard under FIPPA is to be seen.
In other jurisdictions, privacy commissioners have used guidance to further elaborate on mandatory breach notification obligations. While the Commissioner has not released details regarding how public bodies should report privacy breaches under the new FIPPA obligations, guidance may be forthcoming. Currently, the Commissioner has an online portal for voluntary privacy breach notification by both public bodies as well as private sector organizations. The Commissioner also has a guideline called “Privacy breaches: tools and resources”. The Commissioner may be updating both the online portal and the guideline in response to the amended Regulation.
Privacy Management Program
According to the Direction, a public body’s PMP should be reasonable and reflect the volume and sensitivity of the personal information held by the public body. The Direction indicates that a PMP must, at a minimum, set out:
- An individual responsible for: (a) being a point of contact for privacy-related matters on behalf of the public body; (b) supporting the development, implementation, and maintenance of privacy policies and practices; and (c) supporting the public body’s compliance with FIPPA;
- A process for completing and documenting privacy impact assessments and information-sharing agreements, as required or appropriate under FIPPA;
- A process for responding to privacy complaints and privacy breaches;
- Privacy policies and documented privacy processes that are available to employees and, where practicable, the public;
- Methods for ensuring any service providers processing personal information on behalf of the public body are aware of their privacy obligations; and
- A process for monitoring the PMP and updating it as required to ensure it remains appropriate and compliant with FIPPA.
As noted in the Direction, the requirement for public bodies to have a PMP is not intended to be burdensome. Public bodies are not required to develop a stand-alone PMP, and may in fact already meet the requirements in the Direction through a combination of their existing policies and practices. The Commissioner has a guideline on PMPs called “Accountable Privacy Management in BC’s Public Sector”. However, it dates from 2013 and may similarly need to be updated.
The PMP requirement is a local example of a global shift toward treating privacy compliance and risk management as an on-going exercise that requires dedicated resources. Both mandatory breach notification and the PMP requirement reflect governments responding to cybersecurity threats as one of their biggest challenges. It is particularly important that public bodies have incident response plans to address privacy breaches, both to comply with the PMP requirement and to be well-prepared when a privacy breach occurs.
Please contact us if you would like advice on any aspect of FIPPA, particularly for developing and testing your privacy incident response plan and developing your PMP.