British Columbia Personal Information Protection Act (BC PIPA)

Overview

The British Columbia Personal Information Protection Act (PIPA), effective since January 1, 2004, governs how private sector organizations collect, use, and disclose personal information in British Columbia. It aims to protect personal information while recognizing the need for organizations to collect and use data for legitimate purposes. Where the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies, PIPEDA supersedes PIPA.

Regulation Summary

  • May 2003: PIPA received Royal Assent.
  • January 1, 2004: PIPA became effective.

  • Private sector organizations operating in British Columbia.
  • Organizations managing personal information within BC, regardless of where they are based.
  • Non-profit organizations engaging in commercial activities.

  • Public Bodies: Governed by the Freedom of Information and Protection of Privacy Act (FIPPA).
  • Personal Use: Personal data collected for personal or domestic purposes.
  • Employee Information: Exemptions for certain employee data when directly related to employment.

  • Accountability: Designate a privacy officer to ensure compliance.
  • Consent: Obtain informed consent before collecting, using, or disclosing personal data.
  • Purpose Limitation: Use data only for specified purposes.
  • Transparency: Provide clear policies about data handling practices.
  • Data Security: Implement measures to protect personal information from unauthorized access or misuse.

  • Cookie Use: Notify users about cookies and obtain consent where required.
  • Privacy Policies: Display detailed privacy policies.
  • Access Requests: Respond to access and correction requests within 30 days.

  • Retention and Disposal: Retain personal data only as long as necessary and dispose of it securely.
  • Cross-Border Transfers: Ensure adequate protection for data transferred outside Canada.
  • Breach Reporting: Notify affected individuals and the Office of the Information and Privacy Commissioner (OIPC) in case of significant breaches.

  • Access: Request access to personal information.
  • Correction: Request correction of inaccuracies.
  • Withdrawal of Consent: Revoke consent for future data use.
  • Complaints: File complaints with the OIPC regarding data mishandling.

  • Overseen by the Office of the Information and Privacy Commissioner (OIPC).
  • Powers include audits, investigations, and enforcement orders.
  • Penalties: Fines of up to CAD $10,000 (approximately $7,400) for individuals and CAD $100,000 (approximately $74,000) for organizations for non-compliance.