Canada · British Columbia

British Columbia — municipal breach notification

FIPPA covers BC municipalities. 2021 amendments added mandatory breach notification to OIPC.

Notification window

Without unreasonable delay if real risk of significant harm.

Notes
  • Real-risk-of-significant-harm test determines individual notification.
  • OIPC report includes a containment, investigation, and prevention narrative.

What this means for a British Columbia municipality

Canadian municipalities sit under a provincial public-sector privacy framework — for British Columbia, that means the Office of the Information and Privacy Commissioner for BC (OIPC BC) is your primary regulator. The trigger for notification is generally a real risk of significant harm to affected residents, evaluated on probability of misuse, sensitivity of the data, and the population reached.

Most small and mid-sized British Columbia municipalities also have to weigh federal coordination through the Canadian Centre for Cyber Security, vendor obligations under PIPEDA, and — for any cross-border data — US state breach statutes that apply by residency of the affected individual, not by the location of the municipality. The HackFirstAid triage walks through those layers in plain language and produces a printable summary you can hand to your CAO and council.

If you're reading this during a live incident, open the free triage first; if you're reading it on a quiet Tuesday, run it as a tabletop with your clerk, IT lead, and one council member. Most British Columbia municipalities run it once before they need it, then once for real, six months later.