Government of British Columbia Updates the Freedom of Information and Protection of Privacy Act (FIPPA)
As of February 1, 2023, amendments to the British Columbia Freedom of Information and Protection of Privacy Act (FIPPA) have come into force. The new requirements, which were initially among a set of amendments enacted in November 2021, now apply to more than 2,900 public bodies governed by FIPPA (generally speaking, all government ministries and the broader public service).
These updates to FIPPA, which have been welcomed by the Office of the Information and Privacy Commissioner for British Columbia and the Ministry of Citizens’ Services, have legislated two key changes that will impact the manner in which the public sector operates: the requirement for mandatory breach notifications and the development of privacy management programs (PMP).
New Requirement: Mandatory Breach Notifications
Under the new FIPPA amendments, all public bodies in British Columbia have a duty to report privacy breaches. Notification of the breach must be given without delay to all impacted individuals and to the Office of the Information and Privacy Commissioner for British Columbia. This is now a required component of a four-step protocol for public bodies to implement, which is as follows:
Step 1: Contain the Breach
Immediate steps to contain the breach must be taken. Measures to do so include stopping the unauthorized practice, activating the required breach management process, contacting the organization’s designated Privacy Officer, determining if a breach response team should be assembled, and notifying the police if theft or other criminal activities are involved.
Step 2: Evaluate the Risks
To evaluate the risks that the breach has caused, impacted public bodies will have to consider a multitude of factors. This includes what personal information was involved, the cause and extent of the compromise, the number of individuals and others affected, and the foreseeable harm from the breach.
Step 3: Notification
Public bodies must promptly notify the affected individuals and the Privacy Commissioner as per 11.1 of the FIPPA regulations. This notification must be written, direct, and inclusive of the required information on the breach. As a necessary component of notifying the Office of the Information and Privacy Commissioner, an online reporting form or the Privacy Breach Checklist must be completed.
Step 4: Prevention
Preventative measures must be taken to ensure that future security compromises do not occur. This will include conducting a thorough investigation into the breach (which may include a required security audit – potentially conducted by a third party when the breach is significant in size or harm) and ensuring that long-term safeguards are improved. Additionally, the public body must train its employees on the privacy obligations under FIPPA.
New Requirement: Privacy Management Programs
Under the new FIPPA regulations, the Government of British Columbia’s Ministry of Citizens’ Services has issued a directive that requires the head of each public body to develop and maintain a PMP. While the minister responsible for FIPPA does not intend for the PMP to be burdensome to implement, meeting the following seven requirements may require public bodies to undergo significant changes:
Designate someone responsible for privacy-related matters and the development, implementation, and maintenance of privacy policies / procedures in compliance with FIPPA.
Complete and document privacy impact assessments and information-sharing agreements as appropriate under FIPPA.
Document processes for responding to privacy complaints and breaches.
Conduct ongoing awareness / education on privacy activities for staff.
Ensure that privacy policies / documented privacy processes or practices are readily available to employees and, where practicable, the public.
Implement methods to ensure service providers are informed of their privacy obligations.
Regularly monitor and update the FIPPA-compliant PMPs as needed.
Impact on Public Bodies and Service Providers
As the amendments to FIPPA are now in place, public bodies in British Columbia should immediately review their current PMPs, and be prepared to update and expand those programs in order to be FIPPA-compliant.
These new compliance measures extend to organizations that act as service providers for public bodies in British Columbia. To ensure that the new FIPPA requirements are met, privacy-related dialogue and collaboration should be ongoing between the Privacy Office and the public body’s procurement staff. These safeguards are particularly relevant when a public body is considering awarding a contract to a cloud services provider: careful inquiries into the service provider’s privacy practices should be conducted, and a Privacy Protection Schedule should be completed and attached if a contract is successfully awarded.