If you pay attention to privacy law in Canada, you may have seen recent news that after a 2-year wait, the federal government has finally announced that, as of November 1, 2018, it will be mandatory for any organizations covered by federal PIPEDA legislation to report data breaches to customers, affected third parties, and the federal privacy commissioner. While the exact regulations are still to be set out, this regulation marks a shift, likely prompted by the publicity around Facebook’s handling of user data.
Does this regulation affect BC libraries? The slightly confusing answer is: “not this specific legislation but still kind of yes.” Hopefully, as privacy-forward organizations, libraries already know what to do in case of a data breach and have made provisions for such breaches in their privacy and security plans.
BC libraries are actually covered by the provincial FOIPPA legislation, not the federal PIPEDA regulations, so this new mandatory reporting doesn’t apply directly to libraries. However, it may apply to some third-party vendors. Canadian companies outside of BC may fall under these regulations, and, depending on the circumstances of a breach, the regulations could apply if those companies store any personal and private information on behalf of libraries.
But what about BC and FOIPPA: are there mandatory breach reporting requirements? It turns out this is one place where the federal legislation has moved ahead of BC’s. For a number of years, BC’s Office of the Privacy Commissioner (OIPC) has been recommending amendments to our Act that dictate mandatory reporting of breaches (see, for example: Examination of British Columbia Health Authority Privacy Breach Management), but they are not yet mandatory.
But just because a responsibility isn’t enshrined in law doesn’t mean it’s not still best practice and expected. There are some great resources on the BC government website which, while aimed at government departments, would serve any of us well. These resources include the handy step-by-step Process for Responding to Privacy Breaches as well as the OIPC’s own “Tools and Resources” guide on privacy breaches.
While there might be some slight differences in legal mandate around breach disclosure, it’s clear that public bodies in BC are already expected to take similar steps to what will likely be outlined in the federal regulations. It is also likely that BC will follow with a similar law that will apply to provincial bodies.
The federal announcement is a useful reminder for libraries to review their policies and procedures related to data breaches.