Lessons from the Public Sector: A Playbook for Private Sector Data Security

Data security arrangements should go beyond basic compliance with privacy legislation

In British Columbia’s private sector, compliance with privacy legislation should not be viewed as the finish line for data security standards. It is only the starting block.

The BC Freedom of Information and Protection of Privacy Act (FIPPA), which applies to public bodies, and the Personal Information Protection Act (PIPA), which governs provincially-regulated private organizations, each establish minimum requirements relating to the security of personal information. However, FIPPA prescribes more robust obligations on public bodies than PIPA imposes on private organizations.

As a result, private businesses, especially those that rely solely on the language of PIPA itself to understand their privacy and security obligations, may be left ill-equipped to prevent, mitigate and recover from privacy breach incidents. In today’s threat environment, this affects a business’s bottom line. Based on 2025 figures, Canadian organizations pay over $6 million CAD per data breach on average.1

A compliance mindset focused on the mandatory minimum requirements under PIPA may reduce the risk of a finding by the Office of the Privacy Commissioner (OIPC) that an organization acted in contravention of the legislation, but compliance alone does not shield businesses from class actions, business interruption, reputational damage or other consequences which might arise from a data security breach. Moreover, the broad obligation under PIPA to implement “reasonable security arrangements” requires organizations to adopt safeguards beyond those expressly prescribed.

Reasonable Security Arrangements

Both PIPA2 and FIPPA3 require private organizations and public bodies, respectively, to protect personal information by making “reasonable security arrangements”. The adequacy of those arrangements is assessed on an objective basis4. While “reasonable security arrangements” do not require perfection, the standard is situational and may demand increased rigour depending on factors such as the sensitivity of the personal information5. As a result, the relevant provisions of FIPPA and PIPA allow flexibility in determining what measures are prudent in the circumstances.

Amendments to FIPPA that came into force in 2023 provide a more structured framework in which “reasonable security arrangements” might be achieved.

Mandatory Breach Reporting

For example, the amendments introduce mandatory privacy breach notification to the OIPC and to affected individuals where the breach could reasonably be expected to result in significant harm. PIPA, by contrast, contains no comparable provision expressly requiring such notification. A 2020 joint investigation report found it unnecessary to decide whether an organization’s reasonable security arrangements under PIPA include a legal duty to notify affected individuals6. However, FIPPA decisions issued before the amendments suggest that the OIPC views notification as part of a public body’s broader obligation to implement reasonable security arrangements.7 It is therefore possible that the OIPC would treat a failure to notify affected individuals as a factor in finding that a private organization failed to make reasonable security arrangements.

Private sector organizations would therefore be ill-advised to disregard notification considerations simply because PIPA does not expressly require them. Indeed, the OIPC encourages private sector organizations to notify its office and affected individuals as an important mitigation strategy8. Privacy breaches can have serious consequences, ranging from financial harm to threats to personal safety. Timely notification allows affected individuals to take protective measures, such as changing passwords or cancelling credit cards. Beyond reducing harm to individuals, breach notification also fosters transparency, accountability and goodwill between organizations and their employees, customers, vendors and other interest-holders.

In addition to adopting breach reporting protocols, there are other risk management opportunities for private sector organizations which exceed minimum compliance obligations.

Privacy Impact Assessments

Under FIPPA, privacy impact assessments (PIAs) are a mandatory, legally required process for all new or substantially modified initiatives involving the processing of personal information. The purpose of a PIA is to identify and address potential privacy risks before they materialize, thereby reducing the likelihood of costly data breaches or non-compliance.

While the OIPC recommends PIAs in the private sector, under PIPA there is no legal requirement to complete them. However, there are compelling reasons for private sector organizations to adopt this practice voluntarily. Among other benefits, PIAs can:

  • identify and mitigate risks such as overcollection, inadequate security safeguards or unclear consent practices;
  • build trust and confidence with staff, consumers, vendors and other interest-holders;
  • reduce costs by identifying and addressing privacy concerns at the design stage; and
  • support greater ethical and legally defensible decision making, including by prompting organizations to seriously consider whether the proposed data collection is reasonable.

Privacy Management Programs

While both FIPPA and PIPA require organizations to appoint a privacy officer and develop privacy-related policies, FIPPA imposes additional obligations through its requirement to implement a formal privacy management program9, which includes:

  • maintaining a documented process for responding to privacy breaches;
  • providing privacy awareness and related education activities for employees;
  • implementing measures such as contractual terms to ensure that service providers are aware of their privacy obligations; and
  • regular monitoring and updating of the privacy management program.

These additional obligations imposed on public bodies can readily be adopted by private organizations to bolster data security. They are not particularly onerous, and their effectiveness in mitigating risk makes them worthwhile. Employee training and privacy awareness initiatives, for example, can significantly reduce the likelihood of human error, which remains a leading cause of privacy incidents10.

Next Steps

The FIPPA amendments offer a practical playbook for use by private sector organizations. The OIPC has already recommended reforms11 to modernize PIPA to better align with stronger standards federally and in jurisdictions such as Alberta, Quebec, California and countries under the General Data Protection Regulation (GDPR). It is a widely held view, including that of the author, that it is not a matter of if there will be legislative amendments to strengthen data security measures under PIPA, but only a matter of when.

Businesses should begin adopting more mature privacy management and data security practices now, even in the absence of an explicit statutory requirement. The benefits extend well beyond mitigating legal risk. Organizations that exceed the requirements of PIPA are better positioned to build consumer trust, remain competitive and demonstrate a meaningful commitment to privacy and ethical data practices. Those who do not, and instead treat compliance as the ultimate benchmark, risk falling behind.


  1. Cost of a Data Breach Report 2025 by IBM
  2. At section 34
  3. At section 30
  4. OIPC Investigation Report F06-01 at para. 49
  5. OIPC Investigation Report F06-01 at para. 49
  6. OIPC Investigation Report 20-02 at 2.7
  7. OIPC Investigation Report F11-01
  8. OIPC Privacy breach quick reference guide for small and medium-sized businesses, April 2026 | OIPC News Release, May 2026
  9. Privacy Management Program Direction, 02/2022, Minister of Citizens’ Services
  10. Cost of a Data Breach Report 2025 by IBM
  11. Submission to the Special Committee to Review the Personal Information Protection Act; 2020 BCIPC 47 | Supplemental submission to the Special Committee to Review the Personal Information Protection Act; 2021 BCIPC 09