FIPPA, Breach Notification and Privacy Management Programs


By Scott Lamb

Major changes are underway to privacy legislation in Canada, and in British Columbia some of these changes have already been made.

On November 25, 2021, BC's provincial legislature passed Bill 22, Freedom of Information and Protection of Privacy Amendment Act, 2021 ("Bill 22"), which made significant changes to British Columbia's Freedom of Information and Protection of Privacy Act ("FIPPA"), which governs how public bodies in the province collect, use, store, and disclose personal information.

The changes brought in by Bill 22 include:

  • Prohibiting the disclosure of information that may harm the rights of Indigenous peoples to maintain, control, protect, or develop their cultural heritage, traditional knowledge, and cultural expressions (s. 18.1);
  • Repealing the prohibition on disclosing, storing, and allowing access to personal information outside of Canada (s. 33.1);
  • Requiring public bodies to develop privacy management programs (s. 36.2);
  • Requiring public bodies to notify affected individuals and the British Columbia Information and Privacy Commissioner if a privacy breach could reasonably be expected to result in significant harm (s. 36.3);
  • Introducing new privacy offences and penalties for public bodies, service providers, and their employees or associates (ss. 65.2-65.7); and
  • Imposing an application fee for access to information requests (s. 75(1)(a)).

While many of the changes have come into effect, the amendments mandating privacy management programs and privacy breach notifications have not. There have also been no directions or regulations issued by the BC Minister of Citizens' Services (the "Minister"), the minister responsible for FIPPA.

Privacy Management Programs

However, with respect to privacy management programs there is guidance from the Office of the Information and Privacy Commissioner (the "OIPC") and an earlier internal BC government framework for privacy management programs, both of which help inform what these amendments will mean for public bodies and prepare public bodies generally for what is to come.

The OIPC has issued detailed guidance in its publication Accountable Privacy Management in BC's Public Sector. The publication discusses how such programs should include foundational "building blocks" and ongoing assessment and revision. The building blocks refer to commitment by the public body through executive buy-in, the appointment of a Privacy Officer, structured reporting mechanisms, program controls to be put in place, an inventory of personal information, and policies around the collection, access, and retention of personal information. It also describes measures around risk assessment, training, response protocols, service provider management, and external communication. In addition, it describes ongoing assessment and revision through the development of an oversight program.

The BC government has also issued its own framework for its privacy management programs: the Privacy Management and Accountability Policy ("PMAP"). The publication helps ensure BC government ministries comply with FIPPA's privacy requirements. This document generally echoes many of the requirements found in the OIPC guidelines. PMAP requires Deputy Ministers to designate Ministry Privacy Officers, who are charged with developing specific policies and procedures around compliance. They must also communicate any related changes to relevant ministry employees. The Corporate Information and Records Management Office must facilitate knowledge, reports, and best practices for privacy professionals across government. While this guidance is PMAP-specific, it may assist public bodies in structuring their privacy management programs and allocating accountability.

Privacy Breach Notification

Bill 22 brings in a new provision dealing with notification for privacy breaches. Section 36.3(1) defines a "privacy breach" as the theft or loss, or the collection, use or disclosure of personal information in the custody or under the control of a public body, that is not authorized. The provisions set out when the head of a public body must notify an affected individual as well as the Commissioner.

The Personal Information Protection and Electronic Documents Act ("PIPEDA") has for some time had provisions dealing with notification to affected individuals following privacy breaches. PIPEDA applies to private-sector organizations across Canada, and its treatment may help determine the impact of FIPPA's new privacy breach requirements. Set out below is a comparison chart of the breach notification provisions of FIPPA and PIPEDA.

FIPPA (s. 36.3)

Privacy breach notifications

36.3(2) Subject to subsection (5), if a privacy breach involving personal information in the custody or under the control of a public body occurs, the head of the public body must, without unreasonable delay,

(a) notify an affected individual if the privacy breach could reasonably be expected to result in significant harm to the individual, including identity theft or significant

(i) bodily harm,

(ii) humiliation,

(iii) damage to reputation or relationships,

(iv) loss of employment, business or professional opportunities,

(v) financial loss,

(vi) negative impact on a credit record, or

(vii) damage to, or loss of, property, and

(b) notify the commissioner if the privacy breach could reasonably be expected to result in significant harm referred to in paragraph (a).

PIPEDA (s. 10.1)

Notification to individual

10.1(3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

Definition of significant harm

10.1(7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Real risk of significant harm — factors

10.1(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

(a) the sensitivity of the personal information involved in the breach;

(b) the probability that the personal information has been, is being or will be misused; and

(c) any other prescribed factor.
The primary distinction between the two pieces of legislation with respect to when to notify is that FIPPA focuses on whether the breach could result in "significant harm," whereas PIPEDA requires notification where there is a "real risk of significant harm." While the wording itself differs slightly, the factors relevant to determining harm, such as the possibility of bodily harm, humiliation, and reputational damage, are fairly similar. This may indicate that s. 36.3(3) will be interpreted and applied in the same manner that s. 10.1 of PIPEDA has been. In terms of whether a privacy breach has resulted in significant harm, the eventual FIPPA regulations will hopefully bring in a test similar to that in s. 10.1(8) of PIPEDA.

While the Commissioner welcomed the new privacy breach notification rules, he noted that s. 36.3(3) would not allow a public body to hold off on notifying affected individuals where disclosure of the breach could compromise a criminal investigation. He believed such an exception should be included and would be consistent with similar legislation elsewhere.

The OIPC previously released the publication Privacy Breaches: Tools and Resources. This lists a variety of factors to consider in determining whether to notify individuals affected by a breach. It is noteworthy that the factors identified are identical to those listed in s. 36.3(2)(a)(i)-(vii). It also discusses when and how to notify the individual, as well as what should be included in the notification. The publication states that notification should occur as soon as possible following the breach, subject to any conflicting directions from law enforcement. Notification should include a description of the information inappropriately accessed, collected, used or disclosed, the risks to the individual caused by the breach, and the steps taken to control or reduce the harm.

Moving forward

Public bodies should prepare to pivot to comply with the new rules. This may entail assessment of existing privacy management programs and any areas that may require work to meet the structured requirements. It may also be prudent to evaluate any response plans currently in place for privacy breaches.

Overall, the new requirements around privacy management programs and privacy breach notifications appear to be a positive step towards enhanced privacy protections and increased confidence in public bodies. The current provisions, however, are only a framework. It will be important to track regulations as they are released, as they will clarify the parameters within which BC's public bodies are to operate.
