Data news

New Regulations in Effect Under British Columbia’s FIPPA

Written by Alex Margau | Feb 6, 2023 2:00:00 PM

As of February 1st, the Freedom of Information and Protection of Privacy Act (FIPPA) has two new mandatory requirements for public bodies in Canada’s province, British Columbia - breach notifications and privacy management programs (PMP). These requirements were part of a series of amendments to the FIPPA dated back to November of 2021, but they only came into effect now. 

Defined under British Columbia's Personal Information Protection Act as “provincial government ministries, local governments, universities, colleges, public school boards, regional health authorities, hospitals, self-regulating professional bodies and Crown corporations,” public bodies number more than 2,900 entities that now have to comply with these two new requirements, according to OIPC’s press release. 

The Information and Privacy Commissioner for British Columbia, Michael McEvoy, was happy to welcome these changes saying that “British Columbians can have greater confidence that when they entrust their personal information to public bodies, these entities have programs in place to protect that information, and that if a breach happens, no time will be wasted in informing them and our office so that we can all work to minimize harms.”

These changes, according to McEvoy, had long been advocated by the OIPC and, with their coming effect, mark an important step for the development of British Columbia’s public sector privacy law. 

Mandatory breach notifications 

In the event of a breach notification there are four key steps that need to be taken: 

  • Contain the breach: an immediate response will ensure a minimized level of harm. Shut down the breached system, activate your breach response protocol, and make sure to keep evidence that will later on help you investigate.

  • Evaluate the risks: look at what type of personal information was involved, what was the cause of the breach and its extent, determine who was impacted by the breach, and analyze any likely harms to arise out of the breach. 

  • Notify: You are required to notify “without unreasonable delay” both the OPIC and the data subject affected only in specific cases where the breach “could reasonably be expected to result in significant harm to the individual, including identity theft” or a host of other significant types of harm, as outlined by the new Part 3 of the FIPPA. 

  • Prevent: once you’ve taken all the immediate steps required, it is time to investigate the breach thoroughly by conducting, for example, a data security audit of the security measures currently in place. Following any lessons learned, review and update your internal policies and make sure to provide proper training to members of your staff. 


Privacy Management Programs

To ensure that you are accountable and transparent with respect to your management of personal information, it is mandatory that you have in place a PMP. To that end, the following components are the minimum suggested by the OIPC: 

  1. Designate a responsible for all privacy related matters in your entity.

  2. Develop a process for DPIAs.

  3. Develop a process for handling complaints and data breaches.

  4. Conduct privacy awareness and education activities with your employees.

  5. Make your privacy policy publicly available.

  6. Develop methods to ensure that service providers are aware of their obligations. 

  7. Establish a process for the regular monitoring of your PMP and update it as necessary. 

To assist public bodies, the Office of the Information and Privacy Commissioner (OIPC) has published guidance documents on their website, outlining the obligations and best practices for each of the two requirements.