By Scott Lamb
Major changes are underway to privacy law in Canada, and in British Columbia some of these changes have already been made.
On November 25, 2021, BC’s provincial legislature passed Bill 22, Freedom of Information and Protection of Privacy Amendment Act, 2021 (“Bill 22”), which made significant changes to British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) which governs how public bodies in the province collect, use, store, and disclose personal information.
The changes brought in by Bill 22 include:
- Prohibiting the disclosure of information that may harm the rights of Indigenous people to maintain, control, protect, or develop their cultural heritage, traditional knowledge, and cultural expressions (s. 18.1);
- Repealing the prohibition on disclosing, storing, and allowing access to personal information outside of Canada (s. 33.1);
- Requiring public bodies to develop privacy management programs (s. 36.2);
- Requiring public bodies to notify affected individuals and the British Columbia Information and Privacy Commissioner if a privacy breach could reasonably be expected to result in significant harm (s. 36.3);
- Introducing new privacy offences and penalties for public bodies, service providers, and their employees or associates (ss. 65.2-65.7); and
- Imposing an application fee for access to information requests (s. 75(1)(a)).
While many of the changes have come into effect, the amendments around mandating privacy management programs and privacy breach notifications have not. There have also been no directions or regulations issued by the BC Minister of Citizen’s Services (the “Minister”), the minister responsible for the FIPPA.
Privacy Management Programs
However, with respect to privacy management programs there is guidance from the Office of the Information and Privacy Commissioner (the “OIPC”) and a previous internal BC government framework for privacy management programs which helps inform what these amendments will mean for public bodies and to prepare public bodies generally for what is to come.
OIPC has issued detailed guidance in its publication: Accountable Privacy Management in BC’s Public Sector. The publication discusses how such programs should include foundational “building blocks” and ongoing assessment and revision. The building blocks refer to commitment by the public body through executive buy-in, the appointment of a Privacy Officer, structured reporting mechanisms, program controls to be put in place, an inventory of personal information, and policies around the collection, access, and retention of personal information. Also, it describes measures around risk assessment, training, response protocols, service provider management, and external communication. In addition, it also describes ongoing assessment and revision through the development of an oversight program.
The BC government has also issued its own framework for its privacy management programs: Privacy Management and Accountability Policy (“PMAP”). The publication helps ensure BC government ministries comply with FIPPA’s privacy requirements. This document generally echoes many of the requirements found in the OIPC guidelines. PMAP requires Deputy Ministers to designate Ministry Privacy Officers who are charged with developing specific policies and procedures around compliance. They must also communicate any related changes to relevant ministry employees. The Corporate Information and Records Management Office must facilitate knowledge, experiences, and best practices for privacy professionals across government. While this guidance is PMAP-specific, it may assist public bodies in structuring their privacy management programs and allocating responsibility.
Privacy Breach Notification
Bill 22 brings in a new provision dealing with notification for privacy breaches. Section 36.3(1) defines a “privacy breach” as the theft or loss, or the collection, use or disclosure of personal information in the custody or under the control of a public body that is not authorized. The provisions set out when the head of a public body must notify an affected individual as well as the Commissioner.
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) has had for some time provisions dealing with notification to affected individuals following privacy breaches. PIPEDA applies to private-sector organizations across Canada, and its treatment may help determine the impact of FIPPA’s new privacy breach requirements. Set out below is a comparison chart for the provisions for both FIPPA and PIPEDA and breach notification.
Privacy breach notifications
36.3(2) Subject to subsection (5), if a privacy breach involving personal information in the custody or under the control of a public body occurs, the head of the public body must, without unreasonable delay,
(a) notify an affected individual if the privacy breach could reasonably be expected to result in significant harm to the individual, including identity theft or significant
(b) notify the commissioner if the privacy breach could reasonably be expected to result in significant harm referred to in paragraph (a).
Notification to individual
10.1(3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
Definition of significant harm
10.1(7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Real risk of significant harm — factors
10.1(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include
(a) the sensitivity of the personal information involved in the breach;
(b) the probability that the personal information has been, is being or will be misused; and
(c) any other prescribed factor.
The primary difference between the two pieces of legislation with respect to when to notify is that FIPPA focusses on where the breach could result in “significant harm,” whereas PIPEDA requires notification where there is a “real risk of significant harm.” While the wording itself differs slightly, the factors relevant to determining harm, such as the chance of bodily harm, humiliation, and reputational damage, are fairly similar. This may indicate that s. 36.3(3) will be interpreted and applied in the same manner that s. 10.1 in PIPEDA has. In terms of whether a privacy breach has resulted in significant harm, the eventual FIPPA regulations will hopefully bring in a test similar to that in s. 10.1(8) in PIPEDA.
While the Commissioner welcomed the new privacy breach notification rules, he noted that s. 36.3(3) would not enable a public body to hold off on notifying affected individuals where disclosure of the breach could compromise a criminal investigation. He believed such an exception should be included and would be consistent with similar legislation elsewhere.
The OIPC previously released the publication: Privacy Breaches: Tools and Resources. This lists a variety of factors to consider in determining whether to notify individuals affected by a breach. It is noteworthy that the factors identified are identical to those listed in s 36.3(2)(a)(i)-(vii). It also discusses when and how to notify the individual, as well as what should be included in the notification. The publication states notification should occur as soon as possible following the breach, subject to any conflicting directions from law enforcement. Notification should include a description of the information inappropriately accessed, collected, used or disclosed, as well as risks to the individual caused by the breach, and steps taken to control or reduce the harm.
Public bodies should prepare to pivot to comply with the new rules. This may entail assessment of current privacy management programs and any areas that may require work to fulfill structured requirements. It would also be prudent to evaluate any response plans currently in place for privacy breaches.
Overall, the new requirements around privacy management programs and privacy breach notifications appear to be a positive step towards enhanced privacy protections and increased confidence in public bodies. The current provisions, however, are only a framework. It will be crucial to track regulations as they are released as they will clarify the parameters in which BC’s public bodies are to operate.