Mandatory Privacy Breach Reporting and Management Program Requirements Come to B.C.
Posted in Privacy

Big changes are coming to B.C.’s privacy laws. Effective February 1, 2023, new Freedom of Information and Protection of Privacy Act (“FIPPA”) sections (36.2 and 36.3) and regulations will come into force. For the first time, a B.C. privacy law will require breach reporting and the implementation of a privacy management program.

Breach Notification

B.C. public bodies will be obligated to notify affected individuals and the Privacy Commissioner if a “privacy breach” occurs which could reasonably be expected to result in significant harm to the affected individual, including identity theft or significant other harm (examples of which are set out in the legislation).[1] A “privacy breach” means the theft or loss, or the collection, use or disclosure that is not authorized by FIPPA, of personal information in the custody or under the control of a public body.

Since personal information in the custody or control of a public body could be handled by third party service providers, we would expect the notification obligations to extend to any applicable privacy breaches involving such service providers. B.C. public bodies will typically have contractual breach reporting obligations on their service providers in standard privacy schedules. However, B.C. public bodies should review their service provider agreements to ensure they are positioned to comply with the new notification requirements in FIPPA.

Privacy Management Programs

B.C. public bodies will also be required to develop a privacy management program in accordance with directions from the Minister responsible for FIPPA, however, no directions have been issued yet.

A privacy management program will typically include:

  • a personal information inventory (or data mapping);
  • relevant policies (privacy policies addressing the various types of personal information being handled, such as employees and website visitors);
  • risk assessment and remediation tools and procedures;
  • education and training plans; and
  • processes to manage personal information in the hands of service providers.

A privacy management plan should also include an incident response plan which addresses these new breach notification requirements as well as remediation, mitigation, investigation and resolution of incidents. The B.C. Privacy Commissioner has provided guidance for public bodies on how to implement a privacy management program. The B.C. Government also has its own Privacy Management and Accountability Policy, which may be useful guidance for other public bodies.

We will follow developments as they arise on this topic, including the anticipated government directions to come.

If your organization has any questions about breach reporting, incident management, a privacy management plan or your service provider agreements, we would be pleased to help you.

[1] Types of significant harm specified in the legislation include significant: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, negative impact on a credit record, or damage to, or loss of, property.

  • Ryan  Berger

    Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.

    Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...

  • Cory  Sully

    Cory Sully is an associate in both the Labour, Employment and Human Rights Group and the Privacy and Data Management Group in Vancouver. Cory provides practical and strategic advice to clients regarding various issues relating to ...

About Us

Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.

Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage. 




Recent Posts



Jump to Page