New Requirements for Local Governments: Privacy Management Programs and Privacy Breach Notifications
Local governments are now required to develop privacy management programs and to report privacy breaches that could be expected to result in serious harm. These new requirements, which were among the amendments to the Freedom of Information and Protection of Privacy Act (“FIPPA”) enacted in November 2021, came into force on February 1, 2023.
Privacy Management Programs
The new section 36.2 of FIPPA requires all public bodies, including local governments, to develop a privacy management program, in accordance with the provincial directive linked here. As outlined in the provincial directive, privacy management programs must be “commensurate with the volume and sensitivity of the personal information in the public body’s custody or under its control,” and must include at least the following components:
· A designated Privacy Officer, to be responsible for
- being a point of contact for privacy-related matters such as privacy questions or concerns;
- supporting the development, implementation, and maintenance of privacy policies and/or procedures; and
- supporting the public body’s compliance with FIPPA;
· A process for completing and documenting privacy impact assessments and information-sharing agreements, as required;
· A documented process for responding to privacy complaints and privacy breaches;
· Privacy awareness and education activities to ensure employees are aware of their privacy obligations;
· Privacy policies, processes or practices available to employees and the public;
· Methods to ensure that service providers are informed of their privacy obligations; and
· A process for regularly monitoring the privacy management program and updating as required.
The Office of the Information and Privacy Commissioner (“OIPC”) has provided a comprehensive guidance document, linked here, to assist public bodies in establishing and maintaining the required privacy management program.
Privacy Breach Notification Requirements
The new section 36.3 of FIPPA requires public bodies to notify affected individuals, and the OIPC, of certain privacy breaches. A “privacy breach” is defined in section 36.3 as the theft or loss, or the collection, use or disclosure of personal information that is not authorized by Part 3 of FIPPA. If a breach could reasonably be expected to result in “significant harm” (including a number of specified physical, reputational, and financial harms) to the affected individual, the public body must notify the affected individual and the OIPC “without unreasonable delay”.
Sections 11.1 and 11.2 of the Freedom of Information and Protection of Privacy Regulation outline the required content and procedures for notifying affected individuals and the OIPC of a privacy breach under section 36.3 of FIPPA. For more information on privacy breach notification requirements, see the Provincial guidance linked here.
For any questions regarding local governments’ obligations in relation to privacy management programs or privacy breach notification requirements, do not hesitate to contact our firm.
Amy O'Connor & Julia Tikhonova