Clarifying “Reasonable Security Arrangements”: Privacy Commissioners Update Their Guidance


With the increasing frequency of phishing, malware and other cybersecurity threats, and the growing legal and reputational impacts of data breaches, securing your organization’s data has never been more important.  Under British Columbia’s privacy laws, all organizations, both public and private, are required to put in place “reasonable security arrangements” to protect personal information in their custody or control.

But what does this security obligation actually entail?

The Law

The reasonable security arrangements obligation, found in both the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA), requires public bodies and private sector organizations to protect personal information in their custody or control against risks such as unauthorized access, collection, use, disclosure, copying, modification or disposal. This mirrors a similar provision in the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to BC private sector organizations that collect, use or disclose personal information of individuals in other provinces or from outside of Canada, requiring organizations to protect personal information by employing “security safeguards appropriate to the sensitivity of the information”.

The wording of the legislation does not provide public and private sector organizations with much practical guidance on the types of measures that will satisfy these security obligations.  Further, the development of the law in this area has left organizations to independently assess what constitute “reasonable security arrangements” based on their specific circumstances, such as the sensitivity and amount of information involved, generally accepted or common security practices in the particular sector or activity, and the likelihood of a privacy breach and resulting harm.

While this approach provides flexibility to design security protocols to suit the organization, it remains difficult to assess whether those protocols will satisfy the organization’s security obligations under these privacy laws.

Recent Guidance from the federal and provincial Privacy Commissioners

Fortunately, the British Columbia, Alberta, Quebec and federal Privacy Commissioners recently published new guidelines to assist public bodies and private sector organizations with satisfying their security obligations in FIPPA, PIPA and PIPEDA.

The Securing Personal Information: A Self-Assessment Tool for Public Bodies and Organizations contains a detailed checklist of considerations that private sector organizations and public bodies should take into account when creating (or reviewing) their security policies and procedures. Their recommendations include:

  • appointing a senior management-level employee to be responsible for overseeing information security practices;
  • reviewing contracts with third-party private sector organizations for reasonable security provisions; and
  • ensuring that there is a business continuity plan in place in the event of a system failure or other interruption to operations.

The federal Privacy Commissioner has also announced updated guidance regarding what qualifies as “sensitive information” under PIPEDA. This updated guidance sets out certain types of information that will generally be considered sensitive and, thus, must be safeguarded with a higher level of protection. This includes health and financial information, genetic and biometric data, and information about an individual’s ethnic and racial origins, political opinions, sex life or sexual orientation, and religious or philosophical beliefs.

Consequences of Non-Compliance

Despite the importance of protecting personal information from unauthorized access, use and disclosure, the enforcement powers of the BC and Canadian Privacy Commissioners in respect of breaches are quite limited.  For example:

  • Public bodies and private sector organizations suspected of non-compliance with their security obligations under FIPPA or PIPA, respectively, may be audited or investigated by the BC Privacy Commissioner and, if found in breach, may be ordered to comply with the applicable Act.
  • If a private sector organization does not implement the Commissioner’s order, those violations may attract fines of up to $10,000 for an individual and $100,000 for a corporation, though the Commissioner does not have the power to levy fines against public bodies under FIPPA.
  • In addition to audits and investigations, private sector organizations found in breach of the security safeguards requirement in PIPEDA may be subject to further consequences, including costly litigation in the Federal Court.

However, the enforcement powers of the BC and federal Privacy Commissioners are likely to become more impactful with new legislation on the horizon.  Bill C-11, which proposed a new federal Consumer Privacy Protection Act (CPPA), included provisions that would allow the federal Privacy Commissioner to impose fines of up to $10 million or 3% of an organization’s gross global revenue in response to certain breaches of PIPEDA. While the CPPA in its current form is effectively dead now that a federal election has been called, the Governments of both Ontario and Quebec are currently considering similar administrative monetary penalties in their proposed private sector privacy laws.

As similar changes are likely to be recommended as part of the BC government’s review of PIPA in 2021, it is all the more important for organizations to understand and comply with their security obligations in the various privacy acts.

Where to from here?

With Canada’s renewed focus on privacy compliance and the trend toward greater penalties, these recent guidelines offer a useful starting place for organizations to develop security policies and procedures or assess their existing policies for compliance. The BC Privacy Commissioner recommends that, at a minimum, organizations review their privacy and security policies formally every three years and informally every year to keep up with the accelerating pace of change in information technology.

For guidance on developing, reviewing or updating your organization’s privacy and security policies, please contact our Privacy Group.