As of February 1, 2023, public bodies in British Columbia (B.C.) will be required to report privacy breaches and have privacy management programs. The two provisions are the last to come into force from amendments made to B.C.’s Freedom of Information and Protection of Privacy Act in November 2021.
Mandatory breach reporting brings B.C.’s public sector in line with similar requirements under the federal Personal Information Protection and Electronic Documents Act and provincial acts in Alberta and Quebec. B.C.’s private sector has no breach-reporting requirement.
MANDATORY BREACH REPORTING
Public bodies that experience a privacy breach that could reasonably be expected to result in significant harm, including identity theft, will be required through new regulations to notify both the B.C. Privacy Commissioner and the affected individuals. The notifications must be made without delay and should include the following:
- The name of the public body
- The date the public body learned of the breach
- A description of the breach, including, if known:
- The date or period during which the breach occurred
- A description of the personal information involved in the breach
- The estimated number of individuals affected
- Contact information for a person who can answer questions about the breach on behalf of the public body
- A description of steps the public body has taken or will take to reduce the risk of harm to affected individuals
Notifications to the affected individuals must include information similar to that above, plus:
- Confirmation that the B.C. Privacy Commissioner has been or will be notified
- A description of steps that affected individuals can take to reduce their risk of harm
PRIVACY MANAGEMENT PROGRAMS
Privacy management programs will …
Privacy 2024 Recap – some significant decisions, slow progress for reform
The past year saw a few court decisions of note as well as halting progress toward privacy…