By Scott Lamb
Main modifications are underway to privateness legislation in Canada, and in British Columbia a few of these modifications have already been made.
On November 25, 2021, BC’s provincial legislature handed Invoice 22, Freedom of Info and Safety of Privateness Modification Act, 2021 (“Invoice 22”), which made vital modifications to British Columbia’s Freedom of Info and Safety of Privateness Act (“FIPPA”) which governs how public our bodies within the province acquire, use, retailer, and disclose private info.
The modifications introduced in by Invoice 22 embody:
- Prohibiting the disclosure of knowledge that will hurt the rights of Indigenous individuals to take care of, management, defend, or develop their cultural heritage, conventional data, and cultural expressions (s. 18.1);
- Repealing the prohibition on disclosing, storing, and permitting entry to private info outdoors of Canada (s. 33.1);
- Requiring public our bodies to develop privateness administration packages (s. 36.2);
- Requiring public our bodies to inform affected people and the British Columbia Info and Privateness Commissioner if a privateness breach might moderately be anticipated to lead to vital hurt (s. 36.3);
- Introducing new privateness offences and penalties for public our bodies, service suppliers, and their staff or associates (ss. 65.2-65.7); and
- Imposing an utility charge for entry to info requests (s. 75(1)(a)).
Whereas most of the modifications have come into impact, the amendments round mandating privateness administration packages and privateness breach notifications haven’t. There have additionally been no instructions or laws issued by the BC Minister of Citizen’s Providers (the “Minister”), the minister answerable for the FIPPA.
Privateness Administration Applications
Nonetheless, with respect to privateness administration packages there’s steering from the Workplace of the Info and Privateness Commissioner (the “OIPC”) and a earlier inside BC authorities framework for privateness administration packages which helps inform what these amendments will imply for public our bodies and to organize public our bodies usually for what’s to return.
OIPC has issued detailed steering in its publication: Accountable Privateness Administration in BC’s Public Sector. The publication discusses how such packages ought to embody foundational “constructing blocks” and ongoing evaluation and revision. The constructing blocks confer with dedication by the general public physique via government buy-in, the appointment of a Privateness Officer, structured reporting mechanisms, program controls to be put in place, a listing of private info, and insurance policies across the assortment, entry, and retention of private info. Additionally, it describes measures round danger evaluation, coaching, response protocols, service supplier administration, and exterior communication. As well as, it additionally describes ongoing evaluation and revision via the event of an oversight program.
The BC authorities has additionally issued its personal framework for its privateness administration packages: Privateness Administration and Accountability Coverage (“PMAP”). The publication helps guarantee BC authorities ministries adjust to FIPPA’s privateness necessities. This doc usually echoes most of the necessities discovered within the OIPC tips. PMAP requires Deputy Ministers to designate Ministry Privateness Officers who’re charged with creating particular insurance policies and procedures round compliance. They need to additionally talk any associated modifications to related ministry staff. The Company Info and Information Administration Workplace should facilitate data, experiences, and finest practices for privateness professionals throughout authorities. Whereas this steering is PMAP-specific, it might help public our bodies in structuring their privateness administration packages and allocating duty.
Privateness Breach Notification
Invoice 22 brings in a brand new provision coping with notification for privateness breaches. Part 36.3(1) defines a “privateness breach” because the theft or loss, or the gathering, use or disclosure of private info within the custody or below the management of a public physique that isn’t licensed. The provisions set out when the top of a public physique should notify an affected particular person in addition to the Commissioner.
The Private Info Safety and Digital Paperwork Act (“PIPEDA”) has had for a while provisions coping with notification to affected people following privateness breaches. PIPEDA applies to private-sector organizations throughout Canada, and its remedy could assist decide the influence of FIPPA’s new privateness breach necessities. Set out beneath is a comparability chart for the provisions for each FIPPA and PIPEDA and breach notification.
Privateness breach notifications
36.3(2) Topic to subsection (5), if a privateness breach involving private info within the custody or below the management of a public physique happens, the top of the general public physique should, with out unreasonable delay,
(a) notify an affected particular person if the privateness breach might moderately be anticipated to lead to vital hurt to the person, together with id theft or vital
(b) notify the commissioner if the privateness breach might moderately be anticipated to lead to vital hurt referred to in paragraph (a).
Notification to particular person
10.1(3) Until in any other case prohibited by legislation, a corporation shall notify a person of any breach of safety safeguards involving the person’s private info below the group’s management whether it is cheap within the circumstances to imagine that the breach creates an actual danger of serious hurt to the person.
Definition of serious hurt
10.1(7) For the aim of this part, vital hurt consists of bodily hurt, humiliation, harm to repute or relationships, lack of employment, enterprise or skilled alternatives, monetary loss, id theft, adverse results on the credit score report and harm to or lack of property.
Actual danger of serious hurt — components
10.1(8) The components which might be related to figuring out whether or not a breach of safety safeguards creates an actual danger of serious hurt to the person embody
(a) the sensitivity of the non-public info concerned within the breach;
(b) the chance that the non-public info has been, is being or shall be misused; and
(c) every other prescribed issue.
The first distinction between the 2 items of laws with respect to when to inform is that FIPPA focusses on the place the breach might lead to “vital hurt,” whereas PIPEDA requires notification the place there’s a “actual danger of serious hurt.” Whereas the wording itself differs barely, the components related to figuring out hurt, corresponding to the possibility of bodily hurt, humiliation, and reputational harm, are pretty comparable. This will likely point out that s. 36.3(3) shall be interpreted and utilized in the identical method that s. 10.1 in PIPEDA has. By way of whether or not a privateness breach has resulted in vital hurt, the eventual FIPPA laws will hopefully usher in a check just like that in s. 10.1(8) in PIPEDA.
Whereas the Commissioner welcomed the brand new privateness breach notification guidelines, he famous that s. 36.3(3) wouldn’t allow a public physique to carry off on notifying affected people the place disclosure of the breach might compromise a felony investigation. He believed such an exception must be included and can be in step with comparable laws elsewhere.
The OIPC beforehand launched the publication: Privateness Breaches: Instruments and Sources. This lists a wide range of components to contemplate in figuring out whether or not to inform people affected by a breach. It’s noteworthy that the components recognized are similar to these listed in s 36.3(2)(a)(i)-(vii). It additionally discusses when and notify the person, in addition to what must be included within the notification. The publication states notification ought to happen as quickly as potential following the breach, topic to any conflicting instructions from legislation enforcement. Notification ought to embody an outline of the data inappropriately accessed, collected, used or disclosed, in addition to dangers to the person brought on by the breach, and steps taken to manage or cut back the hurt.
Public our bodies ought to put together to pivot to adjust to the brand new guidelines. This will likely entail evaluation of present privateness administration packages and any areas that will require work to meet structured necessities. It could even be prudent to judge any response plans at the moment in place for privateness breaches.
General, the brand new necessities round privateness administration packages and privateness breach notifications look like a optimistic step in direction of enhanced privateness protections and elevated confidence in public our bodies. The present provisions, nonetheless, are solely a framework. It will likely be essential to trace laws as they’re launched as they are going to make clear the parameters through which BC’s public our bodies are to function.