Mandatory Privacy-Breach Reporting Coming to B.C. Public Sector

As of February 1, 2023, public bodies in British Columbia (B.C.) will be required to report privacy breaches and have privacy management programs. The two provisions are the last to come into force from amendments made to B.C.’s Freedom of Information and Protection of Privacy Act in November 2021.

Mandatory breach reporting brings B.C.’s public sector in line with similar requirements under the federal Personal Information Protection and Electronic Documents Act and provincial acts in Alberta and Quebec. B.C.’s private sector has no breach-reporting requirement.

MANDATORY BREACH REPORTING

Public bodies that experience a privacy breach that could reasonably be expected to result in significant harm, including identity theft, will be required through new regulations to notify both the B.C. Privacy Commissioner and the affected individuals. The notifications must be made without delay and should include the following:

• The name of the public body

• The date the public body learned of the breach

• A description of the breach, including, if known:

  • The date or period during which the breach occurred

  • A description of the personal information involved in the breach

• The estimated number of individuals affected

• Contact information for a person who can answer questions about the breach on behalf of the public body

• A description of steps the public body has taken or will take to reduce the risk of harm to affected individuals

Notifications to the affected individuals must include information similar to that above, plus:

• Confirmation that the B.C. Privacy Commissioner has been or will be notified

• A description of steps that affected individuals can take to reduce their risk of harm

PRIVACY MANAGEMENT PROGRAMS

Privacy management programs will ensure public bodies are accountable and transparent with respect to management of personal information. The programs should be commensurate with the volume and sensitivity of personal information under a public body’s control.

A direction detailing the expected content of privacy management programs has been issued by the B.C. Minister of Citizen’s Services and includes:

• The designation of a privacy officer

• A process for completing and documenting privacy impact assessment and information-sharing agreements

• A process for responding to privacy complaints and privacy breaches

• Privacy awareness and education for employees

• Privacy policies

• Methods to ensure that third-party service providers are informed of their privacy obligations

• A process for regularly monitoring and updating the privacy management program

Public bodies can look to the Office of the Information and Privacy Commissioner for B.C.’s guidance document, the Accountable Privacy Management in BC’s Public Sector and the B.C. government’s Privacy Management and Accountability Policy for further guidance in setting up a privacy management program.

For more information, please contact:

Jenna Green               +1-604-631-5247
Thelma Zindoga        +1-604-631-5227

or any member of our Privacy & Data Protection or Cybersecurity groups.