Mandatory Privacy-Breach Reporting Coming to B.C. Public Sector

Jenna Green, Thelma Zindoga
Blake, Cassels & Graydon LLP
Contact
LinkedIn
Facebook
X
Send
Embed

As of February 1, 2023, public bodies in British Columbia (B.C.) will be required to report privacy breaches and have privacy management programs. The two provisions are the last to come into force from amendments made to B.C.’s Freedom of Information and Protection of Privacy Act in November 2021.

Mandatory breach reporting brings B.C.’s public sector in line with similar requirements under the federal Personal Information Protection and Electronic Documents Act and provincial acts in Alberta and Quebec. B.C.’s private sector has no breach-reporting requirement.

MANDATORY BREACH REPORTING

Public bodies that experience a privacy breach that could reasonably be expected to result in significant harm, including identity theft, will be required through new regulations to notify both the B.C. Privacy Commissioner and the affected individuals. The notifications must be made without delay and should include the following:

  • The name of the public body

  • The date the public body learned of the breach

  • A description of the breach, including, if known:

  • The estimated number of individuals affected

  • Contact information for a person who can answer questions about the breach on behalf of the public body

  • A description of steps the public body has taken or will take to reduce the risk of harm to affected individuals

Notifications to the affected individuals must include information similar to that above, plus:

PRIVACY MANAGEMENT PROGRAMS

Privacy management programs will ensure public bodies are accountable and transparent with respect to management of personal information. The programs should be commensurate with the volume and sensitivity of personal information under a public body’s control.

A direction detailing the expected content of privacy management programs has been issued by the B.C. Minister of Citizen’s Services and includes:

  • The designation of a privacy officer

  • A process for completing and documenting privacy impact assessment and information-sharing agreements

  • A process for responding to privacy complaints and privacy breaches

  • Privacy awareness and education for employees

  • Privacy policies

  • Methods to ensure that third-party service providers are informed of their privacy obligations

  • A process for regularly monitoring and updating the privacy management program

Public bodies can look to the Office of the Information and Privacy Commissioner for B.C.’s guidance document, the Accountable Privacy Management in BC’s Public Sector and the B.C. government’s Privacy Management and Accountability Policy for further guidance in setting up a privacy management program.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blake, Cassels & Graydon LLP | Attorney Advertising

Written by:

Blake, Cassels & Graydon LLP
Blake, Cassels & Graydon LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Blake, Cassels & Graydon LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide