Privacy Management Program Requirements Revealed, Come into Effect on February 1, 2023

By Jeff Holowaychuk and Abigail Choi

Following on from our recent article, the BC government has now released its Privacy Management Program Direction (“Direction”). From February 1, 2023, public bodies in BC will be required to comply with the privacy management program provisions of the Freedom of Information and Protection of Privacy Act (“FIPPA”).

The purpose of the privacy management program is to keep public bodies accountable and transparent about the management of personal information in their custody or control. The framework set out in the Direction will allow public bodies to create a program that aligns with their operations, is right-sized for the volume and sensitivity of personal information in their custody or control, and meets the requirements of FIPPA.

Privacy Management Program Requirements

The Direction requires public bodies to develop a privacy management program that includes at least the following components:

  • a designated individual who is responsible for:
    • being a point of contact for privacy questions, concerns and other privacy-related matters;
    • supporting the development, implementation and maintenance of privacy policies and/or procedures; and
    • supporting the public body’s compliance with FIPPA.
  • a process for documenting and completing privacy impact assessments and information-sharing agreements, as appropriate;
  • a documented process for responding to privacy complaints and breaches;
  • regularly scheduled privacy awareness and education sessions for employees;
  • methods to ensure that the public body’s service providers are informed of their privacy obligations, such as including terms in contracts that address privacy obligations; and
  • a process for regularly monitoring the privacy management program and updating the program as appropriate to maintain compliance with FIPPA.

Public bodies are also required to ensure that privacy policies and any documented privacy processes or practices are made available to employees and, where practicable, the public.

Ultimately, a public body’s privacy management program should be reasonable and scaled in accordance with the volume and sensitivity of the personal information in the public body’s custody or control. While the Direction notes that the requirement for a privacy management program may be satisfied by a public body’s existing privacy policies and practices, all public bodies should undertake a review to confirm their compliance with these requirements before they come into effect early next year.

If you have any questions about the new privacy management program requirements, contact a member of our Privacy team.