What is Bill 22?
British Columbia's Bill 22, amending the province's Freedom of Information and Protection of Privacy Act (FIPPA), was passed into law by the BC legislature on November 25, 2021. FIPPA is British Columbia's public-sector privacy and access to information legislation, and governs both the privacy-related obligations of public bodies, and the rights of individuals with respect to the information, including personal information, that is held by public bodies.
While the majority of Bill 22's provisions came into force when it was passed on November 25, 2021, several additional provisions only recently came into force on February 1, 2023.
Who does it impact?
As public-sector legislation, the obligations imposed by Bill 22, and FIPPA more broadly, are only applicable to "public bodies. Public bodies can include:
- Provincial and municipal government ministries and institutions
- Public hospitals
- Public universities and school boards
- Certain professional governing bodies
- Designated provincial crown corporations, agencies and boards
However, FIPPA requires public bodies to protect and uphold the rights of individuals with respect to personal information held by them – for instance, a right to access and correct personal information.
Individuals may also wish to take note of the individual rights protected under FIPPA as a result of Bill 22. For example, individuals now have a right to be notified in the event of a privacy breach that could reasonably be expected to result in significant harm to the individual.
Further, in specific instances Bill 22 imposes requirements, and potential liability, on service providers and their employees and associates. For example, organizations under a contract to perform services for a public body in BC are subject to the law, and should take note of the changes implemented by Bill 22 and the obligations imposed by the law in general.
What is the impact?
When Bill 22 was passed in November 2021, it immediately made several changes to both FIPPA's privacy and access frameworks. These changes included:
- Data residency: Permitting public bodies to disclose personal information in their custody or control to service providers for storage outside of Canada, subject to the accompanying regulation requiring a privacy impact assessment.
- Employee snooping: Preventing employee "snooping" by prohibiting the unauthorized collection, use or disclosure of personal information by employees, officers or directors of public bodies or their service providers.
- Data linking: Laying the groundwork for regulation of "data-linking" programs where multiple distinct data sets are used in conjunction with each other. The limits to be placed on such programs will be further developed via regulation, which has yet to be proposed.
- Privacy offences: Introducing new privacy offences that impose liability on individuals, service providers and their employees and associates. Service providers will be held to have committed an offence, where an offence is committed by any of their employees or associates (though this is defensible by demonstrating due diligence). Officers, directors or agents of a corporation may similarly be found to have committed an offence by authorizing, permitting or acquiescing to the commission of the offence by the corporation, even if the corporation is not prosecuted for it. These new privacy offences may result in fines of up to $50,000 for individuals and $500,000 for corporations.
On February 1, 2023, the remaining provisions of Bill 22 came into force, requiring public bodies to develop privacy management programs and imposing mandatory privacy breach notification requirements:
Privacy management programs
Per section 36.2 of FIPPA, public bodies are now required to develop a privacy management program (PMP), in accordance with the direction of the Minister of Citizens' Services. The Minister's Privacy Management Program Direction outlines the mandatory components that must be included in a public body's PMP. The direction requires that public bodies do the following:
- Designate a privacy contact person
- Implement processes for completing and documenting Privacy Impact Assessments (PIAs) and Information-Sharing Agreements (ISAs)
- Document processes for responding to privacy breaches and complaints
- Implement privacy awareness and education activities for employees
- Adopt privacy policies and document processes available to employees and the public
- Inform service providers of their privacy obligations
- Regularly monitor the privacy management program and update it as required
Mandatory privacy breach notification
In the event of a privacy breach that could reasonably be expected to result in significant harm to individuals, section 36.3 of FIPPA now imposes an obligation on public bodies to provide notice of the breach to affected individuals, as well as to the British Columbia Information and Privacy Commissioner (BC IPC).
The definition of privacy breach is fairly expansive, and refers to the theft, loss or unauthorized collection, use or disclosure of personal information under the public body's custody or control. Individuals must be notified without unreasonable delay in the event of a breach.
The determination of whether a privacy breach could reasonably be expected to result in significant harm and therefore trigger a public body's notification obligations, depends on context. According to FIPPA, such harms can include:
- Identity theft
- Significant bodily harm
- Humiliation
- Damage to reputation or relationships
- Loss of employment, business or professional opportunities
- Financial loss
- Negative impact on a credit record
- Damage to or loss of property
Guidance has been provided by government regarding the approach to assessing this risk.
Notification requirements
Section 11.1 (1) (b) of the Freedom of Information and Protection of Privacy Regulation prescribes the form and content of the notice to be provided to individuals:
- The breach notification must be in writing and must be provided directly to each affected individual, subject to certain exemptions
- The notification should include the name of the public body, details pertaining to the occurrence and discovery of the privacy breach
- A description of the nature of the personal information involved in the privacy breach
- Confirmation that the privacy commissioner has been or will be notified
- Contact information for a person who can answer questions about the privacy breach
- Steps the public body has taken or will take to mitigate the risk of harm, and steps the affected individual can take to mitigate the risk of harm
Section 11.2 prescribes the form and content of the notice to be provided to the BC IPC, and mirrors most of the requirements of the notice to individuals.