Written By Sebastien Gittens, Stephen Burns and David Wainer
Amendments to British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) taking effect on February 1, 2023, will impose more stringent privacy requirements on provincial public bodies, such as hospitals, municipalities and crown corporations, and numerous agencies, boards and commissions.
By way of background, FIPPA regulates, among other things, how public bodies in British Columbia collect, use and disclose personal information. This legislation does not currently require public bodies to (1) notify the Office of the Information and Privacy Commissioner (OIPC) and affected individuals in the event of a "privacy breach", or (2) have a privacy management program. Bill 22 – 2021: Freedom of Information and Protection of Privacy Amendment Act, 2021 (Bill 22) will introduce each of these requirements into FIPPA when in force.
Privacy Breach Notifications
Bill 22 sets out the circumstances in which a public body must, without unreasonable delay, notify an affected individual of a "privacy breach". These are circumstances in which the breach could reasonably be expected to result in significant harm to the individual, including:
- bodily harm;
- damage to reputation or relationships;
- loss of employment, business or professional opportunities;
- financial loss;
- negative impact on a credit record; or
- damage to, or loss of, property.
The public body must also notify the OIPC if the privacy breach could reasonably be expected to result in one of the above circumstances. The public body is not required to notify an affected individual of a breach if notification could reasonably be expected to result in immediate harm to the individual's safety or physical or mental health, or to threaten another individual's safety or physical or mental health.
Privacy Management Program
When enacted, Section 36.2 of FIPPA will require that "[the] head of a public body must develop a privacy management program for the public body and must do so in accordance with the directions of the minister responsible for this Act."
To this end, the British Columbia Minister of Citizens' Services recently issued Direction 02/2022, Privacy Management Program Direction (the Direction). Intended to provide public bodies with a scalable framework, the Direction sets out seven key components that must be included in a privacy management program:
- the designation of an individual responsible for being a point of contact for privacy matters, supporting the development, implementation and maintenance of privacy policies and/or procedures, and supporting the body's compliance with FIPPA (commonly referred to as a Privacy Officer);
- a process for completing and documenting privacy impact assessments as required, and information-sharing agreements as appropriate under FIPPA;
- a documented process for responding to privacy complaints and breaches;
- privacy awareness and education activities to ensure employees are aware of their privacy obligations, which (a) may be scaled to meet the volume and sensitivity of personal information in the custody or control of the public body, and (b) should be undertaken at timely and reasonable intervals;
- privacy policies and written privacy processes or practices available to employees and where practicable, to the public;
- method(s) to ensure that service providers are informed of their privacy obligations (e.g., awareness activities, contractual terms that address privacy obligations); and
- a process for regularly monitoring the privacy management program and updating as required, to ensure it remains (a) appropriate to the public body's activities, and (b) compliant with FIPPA.
The OIPC has also issued guidance regarding privacy management programs. Therein, the OIPC advises that a public body should assess its current privacy regime before designing such a program by:
- appointing a project lead with sufficient privacy knowledge and authority to manage the project and assess the findings;
- ensuring oversight by executive management through a project lead;
- to the extent necessary, involving human resources, risk management, internal audit and IT personnel;
- if necessary, obtaining outside privacy expertise;
- obtaining and documenting information to assess compliance, including through staff interviews, file reviews and IT system reviews;
- regularly reporting to executive on progress and implementing any resulting direction from executive;
- reporting to executive on any identifiable risk and compliance issues;
- providing a final report of all findings to executive with a full mapping of findings against FIPPA’s requirements; and
- taking any other steps that might, in light of the public body’s situation, be desirable to document its current state of compliance and the way forward.
After a public body has undertaken the above assessment, the OIPC sets out "building blocks" that a privacy management program should include. Some of these building blocks are:
- ensuring there is executive-level support for the program;
- clearly identifying and communicating the role and responsibilities of the Privacy Officer;
- establishing reporting mechanisms;
- identifying the personal information in custody or control of the public body;
- implementing policies regarding:
  - collection, use and disclosure of personal information;
  - the accuracy of personal information, including individual access to and correction of personal information;
  - retention and disposal of personal information; and
  - responsible use of personal information; and
- implementing a process for privacy-related complaints.
Regarding the ongoing assessment and revision of a privacy management program, risk assessment tools should be used frequently, external communication can always be improved, and employee training can be modified based on experience.
We anticipate that Bill 22 will have a substantial impact on organizations subject to FIPPA. As a result, public bodies in British Columbia should undertake a thorough review of their existing privacy policies and procedures as soon as possible to ensure they are compliant with Bill 22 by February 1, 2023.
If you would like to know more about how this proposed legislation may affect your organization, we invite you to contact the members of the Bennett Jones Privacy & Data Protection group.