What is the British Columbia Privacy Act?
The Personal Information Protection Act (PIPA, SBC 2003, c. 63) is the governing private-sector privacy law in the province of British Columbia, Canada. This page refers to it as the British Columbia Privacy Act. It regulates the “collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
It is similar to Alberta’s Personal Information Protection Act: it governs the personal information handled by businesses operating in the province, but where the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies, PIPEDA takes precedence over the BC law.
Another thing to note is that, as in Alberta, British Columbia has a separate statute, the Freedom of Information and Protection of Privacy Act (FIPPA), which governs personal information held by public bodies rather than by organizations. Personal information covered by FIPPA falls outside the scope of BC's private-sector privacy law.
In December 2021, a special committee of the Legislative Assembly completed its review of the BC Privacy Act and published several recommendations for modernizing it. At the time of writing, these recommendations have not been implemented in the text of the law.
What is Personal Information and what are other key definitions?
The British Columbia Privacy Act defines personal information as “information about an identifiable individual and includes employee personal information but does not include contact information, or work product information.”
Another relevant definition is that of what constitutes an organization, defined as “a person, an unincorporated association, a trade union, a trust or a not for profit organization, but does not include:
- an individual acting in a personal or domestic capacity or acting as an employee,
- a public body,
- the Provincial Court, the Supreme Court or the Court of Appeal,
- the Nisg̱a'a Government, as defined in the Nisg̱a'a Final Agreement, or
- a private trust for the benefit of one or more designated individuals who are friends or members of the family of the settlor.”
Because the British Columbia Privacy Act protects employee personal information, it defines this as “personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual's employment.”
BC privacy law also offers a definition of ‘business transaction,’ in the context of a potential transfer of personal information during the sale of an organization or of an organization’s business assets. Here, ‘business transaction’ means “the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization.”
The British Columbia Privacy Act distinguishes ‘express consent’ from what this page calls ‘implicit consent’ and the Act itself calls deemed consent. An individual is deemed to consent “to the collection, use or disclosure of personal information by an organization for a purpose if (a) at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and (b) the individual voluntarily provides the personal information to the organization for that purpose.”
Added to this is consent given by not opting out: the individual is told what will be collected and for what purposes, is given a chance to decline, and does not do so. Under BC privacy law this is regulated as follows:
“An organization may collect, use or disclose personal information about an individual for specified purposes if:
- (a) the organization provides the individual with a notice, in a form the individual can reasonably be considered to understand, that it intends to collect, use or disclose the individual's personal information for those purposes,
- (b) the organization gives the individual a reasonable opportunity to decline within a reasonable time to have his or her personal information collected, used or disclosed for those purposes,
- (c) the individual does not decline, within the time allowed under paragraph (b), the proposed collection, use or disclosure, and
- (d) the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances.”
Because deemed and opt-out consent both rest on judgement calls about what a reasonable person would find obvious or reasonable, best practice is to obtain and record express consent. In a complaint investigation or audit you will have to demonstrate that valid consent was obtained, and consent that was only implied or given verbally is hard to evidence.
Who has to comply with the British Columbia Privacy Act?
Because the definition for ‘organization’ is fairly broad, British Columbia’s OIPC (Office of the Information & Privacy Commissioner) says that “an organization includes:
- a corporation, including a strata corporation,
- a partnership,
- a doctor’s office,
- an association that is not incorporated,
- a co-operative association, including a housing co-op,
- a society,
- a church or other religious organization,
- a charity,
- a sports club,
- a trade union,
- a political party,
- an individual involved in a commercial activity (for example, an individual running a small renovation business that is not incorporated), and
- a trust.”
In simple terms, the British Columbia Privacy Act applies to every organization, as defined above by the text of the legislation.
It is important to note that where a provision of the BC Privacy Act conflicts with a provision of another Act of British Columbia, the BC Privacy Act prevails unless the other Act expressly states that it applies despite the privacy law.
Who is excluded from compliance with the British Columbia Privacy Act?
The British Columbia Personal Information Protection Act, like its Alberta counterpart, does not apply to several categories of personal information, as follows:
- personal information collected, used, or disclosed for domestic or personal purposes;
- personal information collected, used, or disclosed for journalistic, artistic or literary purposes;
- personal information collected, used, or disclosed that falls under PIPEDA jurisdiction;
- personal information collected, used, or disclosed that falls under FIPPA jurisdiction;
- personal information found in court documents or records, in any notes, communications or draft decisions of administrative proceedings;
- personal information collected, used, or disclosed by a member of the Legislative Assembly of British Columbia, that relates to their functions;
- a document related to a prosecution if all proceedings related to the prosecution have not been completed;
- personal information collected, used, or disclosed before PIPA came into effect.
In addition, according to the OIPC, public bodies are also excluded from compliance with the BC Privacy Act. These include “provincial government ministries, local governments, universities, colleges, public school boards, regional health authorities, hospitals, self-regulating professional bodies and Crown corporations (other than BC Rail, to which BC privacy law applies).”
How can I keep my organization compliant with the British Columbia Privacy Act?
BC privacy law mandates that consent be obtained before personal information is collected, used or disclosed, as do PIPEDA and Alberta's privacy law. This is why the OIPC, in guidance published jointly with the federal Privacy Commissioner and Alberta's OIPC, sums up the consent side of compliance in seven guiding principles for obtaining meaningful consent:
Emphasize key elements
Individuals must be given the opportunity to review the key elements that affect their privacy decisions. As an organization you must therefore emphasize these elements: what personal information is being collected, with which parties it is being shared, and for what purposes it is collected, used or disclosed.
Allow individuals to control the level of detail they get and when
Information must be provided to individuals in manageable and easily-accessible ways (potentially including layers) and individuals should be able to control how much more detail they wish to obtain, and when.
Provide individuals with clear options to say ‘yes’ or ‘no’
Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service – they must be given a choice. These choices must be explained clearly and made easily accessible.
Be innovative and creative
Organizations should design and/or adopt innovative consent processes that are specific to the context and appropriate to the type of interface used.
Consider the consumer's perspective
Consent processes must take into account the consumer's perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization's target audience(s).
Make consent a dynamic and ongoing process
Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process. When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. Organizations should also periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals.
Be accountable: stand ready to demonstrate compliance
Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) so as to allow for valid and meaningful consent.
Your organization can improve its privacy compliance by following the steps below:
- Obtain consent before collecting personal information, and keep a record of it.
- Designate one or more individuals responsible for ensuring compliance with PIPA-BC (the Act requires this; the role is commonly called a privacy officer).
- Develop and document the policies and practices needed to meet your obligations, including a complaint process, and make information about them available on request.
- Limit the collection, use, or disclosure of personal information to “purposes that a reasonable person would consider appropriate in the circumstances” and to the purposes your organization has disclosed to the individual.
- Grant individuals access to the personal information you hold about them.
- Correct the personal information of individuals upon request from said individuals.
- Respond to data subject access requests within the statutory 30-day time limit.
What data access rights does the British Columbia Privacy Act grant?
PIPA-BC expressly grants individuals only two rights over their data, with several others implied by its obligations on organizations.
For example, it does not explicitly recognize an individual’s Right to be Informed, but in mandating that before obtaining consent you must tell the individual what information you are collecting and for what purposes, it creates the substance of this right.
The Right to Access is expressly granted: organizations must process access requests within the time limits and conditions set out in the Act.
Another expressly granted right is the Right to Rectification, allowing individuals to request that their personal information be corrected. If the organization is satisfied that the request is made on reasonable grounds, it must correct the personal information as soon as reasonably possible and send the corrected information to every organization to which it disclosed that information during the year before the correction.
While there is no Right to Erasure under the British Columbia Privacy Act, organizations are required to destroy, or anonymize, personal information that is no longer required to fulfill the purposes for which it was collected.
The Right to Data Portability and the Right to Not be Subject to Automated Decision-Making are not provided under this law, but a Right to Opt-Out/Object is: individuals can withdraw consent at any time on reasonable notice, and the organization must inform them of the likely consequences of doing so. After withdrawal the organization may retain the data already collected for as long as it is necessary to fulfill the purposes for which it was collected, and it is under no obligation to notify other organizations of the withdrawal.
How to address data subject access requests under the British Columbia Privacy Act?
Sections 25 through 32 of the Act address how organizations must handle data subject access and correction requests and outline the following steps:
- An individual, called here an ‘applicant,’ may send a request for access to personal information or for correcting their personal information that your organization holds about them;
- The request has to be written and provide your organization with “sufficient detail to enable [you], with a reasonable effort, to identify the individual and the personal information or correction being sought.”
- You must make a reasonable effort to answer every request “as accurately and completely as reasonably possible” and “to provide each applicant with (i) the requested personal information, or (ii) if the requested personal information cannot be reasonably provided, with a reasonable opportunity to examine the personal information.” There are exceptions to this as follows:
  - the information is protected by solicitor-client privilege;
  - you are a credit reporting agency;
  - the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
  - the disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
  - the disclosure would reveal personal information about another individual;
  - the disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.
- You must respond to an applicant’s request no later than 30 days after receiving the request.
- If the request is refused you must provide the applicant with the following information:
  - the reasons for the refusal;
  - the name, position title, business address and business telephone number of an officer or employee of the organization who can answer the applicant's questions about the refusal;
  - that they can ask the commissioner for a review within 30 days of being notified of the refusal, as stated in section 47 of the law.
- You may extend the time for responding by a further 30 days, or, with the commissioner’s permission, for a longer period, if any of the following applies: the applicant has not provided enough detail for you to identify the individual or the personal information requested; the amount of personal information requested is so large that gathering it all would unreasonably interfere with your organization’s operations; or you need more time to consult with other organizations or public bodies before you can decide whether to grant access.
- Charging fees for access is not allowed when the applicant requests access to their employee personal information. For other personal information, section 32 allows charging “a minimal fee for access to the individual's personal information that is not employee personal information concerning the individual.” If you charge a fee for services provided in responding to an access request, you must give the applicant a written estimate of the costs before providing those services, and you may require a deposit for all or part of the fee. The OIPC-BC advises that the minimal fee should cover only “the actual costs you incurred in producing the record” and that it “must never generate any profit.”
Enforcement and penalties
The British Columbia Privacy Act is enforced by the Office of the Information and Privacy Commissioner (OIPC), which handles complaints from individuals and organizations.
When a complaint is received, the OIPC will usually encourage the individual to first try to resolve the matter directly with your organization. If the OIPC accepts the complaint, it will try to mediate a settlement. If no settlement is reached, it may, in certain circumstances, hold a formal inquiry, and in doing so it has the power to compel testimony, order the production of evidence and enter premises. The OIPC can issue orders, which it may publish. Your organization has 30 days to comply with an order unless, within those 30 days, you ask the BC Supreme Court to overturn it.
Offenses under BC privacy law incur fines of no more than $10,000 for individuals and no more than $100,000 for organizations.
Data Subject Rights - GDPR vs. British Columbia Privacy Act
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
BRITISH COLUMBIA PRIVACY ACT
- Right to access
- Right to rectification
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
FAQs about the British Columbia Privacy Act
Who does the British Columbia Privacy Act apply to?
In simple terms, the British Columbia Privacy Act applies to every organization, as defined by the text of the legislation. Because the definition of ‘organization’ is fairly broad, British Columbia’s Office of the Information & Privacy Commissioner says that “an organization includes: a corporation, including a strata corporation, a partnership, a doctor’s office, an association that is not incorporated, a co-operative association, including a housing co-op, a society, a church or other religious organization, a charity, a sports club, a trade union, a political party, an individual involved in a commercial activity (for example, an individual running a small renovation business that is not incorporated), and a trust.”
What are the compliance requirements under the British Columbia Privacy Act?
BC privacy law mandates that consent be obtained before personal information is collected, used or disclosed, and the OIPC's joint guidance sets out seven principles for obtaining meaningful consent:
- Emphasize key elements
- Allow individuals to control the level of detail they get and when
- Provide individuals with clear options to say ‘yes’ or ‘no’
- Be innovative and creative
- Consider the consumer's perspective
- Make consent a dynamic and ongoing process
- Be accountable: stand ready to demonstrate compliance
What rights does the British Columbia Privacy Act provide?
The British Columbia Privacy Act expressly recognizes the right to access and the right to rectification. It also implies a right to be informed (through its consent notice requirements), a right to object (by withdrawing consent), and a partial counterpart to the right to erasure, since organizations are required to destroy or anonymize personal information that is no longer required to fulfill the purposes for which it was collected.
Who enforces the British Columbia Privacy Act?
The British Columbia Privacy Act is enforced by the Office of the Information and Privacy Commissioner (OIPC), which handles complaints from individuals and organizations.
What are the penalties for violations of the British Columbia Privacy Act?
Penalties under the British Columbia Privacy Act consist of fines of no more than $10,000 for individuals and no more than $100,000 for organizations.