By Keri L. Bennett and Teodora Bardas
On October 19, 2021, we wrote about the proposed changes to B.C.’s Freedom of Information and Protection of Privacy Act contemplated in Bill 22 – 2021.
Bill 22 – 2021 passed on November 25, 2021, enacting a number of significant changes to the privacy legislation governing public bodies. The Bill remained largely unchanged from earlier versions.
Many of the major changes to B.C.’s Freedom of Information and Protection of Privacy Act came into effect immediately on November 25, 2021, including:
- repeal of data localization requirements, subject to restrictions in pending regulation;
- protection of information that could reasonably be expected to harm the rights of Indigenous peoples; and
- fees for access requests.
The new mandatory breach notification requirements will only come into force by regulation.
On November 26, 2021, the Lieutenant Governor passed an Order in Council setting the fee for access requests at $10.
Mandatory Breach Notification
It remains to be seen what additional parameters may accompany the enactment of the mandatory breach notification requirements.
Presently, the Bill requires the head of a public body to report breaches to both the Office of the Information and Privacy Commissioner and to affected individuals where there is a risk of “significant harm”. Significant harm is described as including identity theft or significant bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, negative credit score impact, and damage to or loss of property. Importantly, the head of a public body will not be required to notify an affected individual if notification could be reasonably expected to result in immediate and grave harm to the individual or if it would threaten harm to another individual. Harm can include harm to safety or physical or mental health.
Employers should watch for further detail to be prescribed by regulation.
Data Localization Requirements
Changes to data localization requirements now permit public bodies to disclose and store personal information outside of Canada in accordance with any regulation made by the Minister. At the time of this update, there continue to be no regulations qualifying this change. As such, it remains uncertain what restraints will be imposed by the Minister, if any.
What Does this Mean for Employers?
Employers should revisit their privacy programs and make any necessary updates. Employers should ensure that employees are trained on the requirements, in particular the mandatory breach notification requirements.
In addition, employers should watch for regulations that should provide greater clarity on the mandatory breach notification requirements and the scope of any restrictions for disclosing and storing personal information outside of Canada.
The amendments provide public bodies with more flexibility in terms of data storage and the use of technological services. However, employers must continue to be vigilant in protecting employee privacy and ensure they have appropriate technological safeguards in place.
Keri L. Bennett is a labour and employment lawyer at Roper Greyell LLP and practices in all areas of labour, employment and human rights law. Keri is also the firm’s Privacy and Freedom of Information lead. To obtain contact information of any other lawyer at our firm, please visit https://ropergreyell.com/our-people/
Teodora Bardas is an articled student at Roper Greyell LLP. She is interested in all areas of workplace law, including employment, labour and workplace human rights law.
While every effort has been made to ensure accuracy in this update, you are urged to seek specific advice on matters of concern and not to rely solely on what is contained herein. The document is for general information purposes only and does not constitute legal advice.