B.C.’s privacy commissioner says changes to provincial law now mean public bodies must develop privacy management programs and report privacy breaches that could result in serious harm.
Michael McEvoy said changes to the provincial Freedom of Information and Protection of Privacy Act (FIPPA), enacted in November 2021, came into force Feb. 1.
“The changes to FIPPA coming into effect today are ones for which my office has long advocated, and mark an important step forward for our province’s public sector privacy law,” McEvoy said.
What the changes mean, McEvoy explained, is that British Columbians can have greater confidence that when they entrust their personal information to public bodies, those entities will have programs in place to protect that information.
Protections would ensure that if a breach happens, time wouldn’t be wasted in informing people of concerns and work would be done to minimize any harm created by the breach.
Privacy management programs must include:
- someone responsible for privacy-related matters and the development, implementation and maintenance of privacy policies/procedures;
- processes to complete and document privacy impact assessments and information-sharing agreements as appropriate under FIPPA; and
- documented processes for responding to privacy complaints and breaches.
The law’s definition of public bodies includes government ministries, the Office of the Premier, agencies, boards, commissions, corporations, offices and other bodies designated in the law’s regulations.
It also includes local government organizations such as health-care, social services and educational bodies.
Excluded are the offices of members or officers of the Legislative Assembly, the B.C. Court of Appeal, B.C. Supreme Court and B.C. Provincial Court.
In a guide created to help public bodies, the Office of the Information and Privacy Commissioner (OIPC) has detailed what needs to be done to comply with the changes deemed necessary to protect British Columbians.
It noted that executive-level support is at the heart of a privacy-respectful workplace culture and of any effective management program.
The OIPC has put the ball for ensuring funding for such programs squarely in the provincial government’s court.
“In addition to the formal legal sanctions that can flow from non-compliance, proper funding is also necessary to meet public expectations around privacy,” the guidance document said. “Maintaining public trust and confidence in a public body’s privacy practices are important; the legislative power of being able to compel citizens to surrender their personal information depends on that trust and confidence.”
Further, it said, public bodies wanting to work with service providers should ensure they meet FIPPA requirements.
“This may be particularly relevant where a public body is considering contracting with a cloud services provider, including the provision of email, office applications, and software services,” the document said. “Careful inquiries should therefore be made before entering into cloud services arrangements involving personal information.”
The guide makes clear that it is the public body and not the service provider that remains responsible for protecting British Columbians’ private information.