British Columbia Privacy Act (BC PIPA)

Who is excluded from compliance with the British Columbia Privacy Act? 

The British Columbia Personal Information Protection Act, same as its Alberta counterpart, exempts from compliance several types of personal information, as follows: 

• personal information collected, used, or disclosed for domestic or personal purposes;
• personal information collected, used, or disclosed for journalistic, artistic or literary purposes;
• personal information collected, used, or disclosed that falls under PIPEDA jurisdiction;
• personal information collected, used, or disclosed that falls under FIPPA jurisdiction;
• personal information found in court documents or records, in any notes, communications or draft decisions of administrative proceedings;
• personal information collected, used, or disclosed by a member of the Legislative Assembly of British Columbia, that relates to their functions;
• a document related to a prosecution if all proceedings related to the prosecution have not been completed;
• personal information collected, used, or disclosed before PIPA came into effect.

In addition, according to the OIPC, public bodies are also excluded from compliance with the BC Privacy Act. These include “provincial government ministries, local governments, universities, colleges, public school boards, regional health authorities, hospitals, self-regulating professional bodies and Crown corporations (other than BC Rail, to which BC privacy law applies).”

How can I keep my organization compliant with the British Columbia Privacy Act? 

BC privacy law mandates that consent has to be obtained prior to data collection and processing, similar to PIPEDA or Alberta privacy law, which is why compliance with the British Columbia Privacy Act is summed up by the OIPC in 7 guidelines for obtaining meaningful consent as follows: 

Emphasize key elements

Individuals must be given the opportunity to review key elements that impact their privacy decisions. This means that as a covered entity you must emphasize these key elements, such as, what personal information is being collected, with which parties personal information is being shared, or for what purposes personal information is collected, used or disclosed.

Allow individuals to control the level of detail they get and when

Information must be provided to individuals in manageable and easily-accessible ways (potentially including layers) and individuals should be able to control how much more detail they wish to obtain, and when.

Provide individuals with clear options to say ‘yes’ or ‘no’

Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service – they must be given a choice. These choices must be explained clearly and made easily accessible. 

Be innovative and creative

Organizations should design and/or adopt innovative consent processes that are specific to the context and appropriate to the type of interface used.

Consider the consumer's perspective

Consent processes must take into account the consumer's perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization's target audience(s).

Make consent a dynamic and ongoing process

Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process. When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. Organizations should also periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals.

Be accountable

Stand ready to demonstrate compliance 

Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) so as to allow for valid and meaningful consent. 

Your organization can improve its privacy compliance if it follows the below steps: 

• Make sure to obtain consent prior to collecting personal information.
• Appoint one or more Data Protection Officers in charge of ensuring compliance with PIPA-BC.
• Develop best practices in order to stay compliant.
• Display the policies and practices you have in place for data protection (i.e. Privacy Policy).
• Limit the collection, use, or disclosure of personal information to only “purposes that a reasonable person would consider appropriate in the circumstances” and that fulfill the purposes your organization has confirmed. 
• Grant individuals access to their personal information that you hold about them.
• Correct the personal information of individuals upon request from said individuals. 
• Respond to data subject access requests in a timely manner. 
  
  

What data access rights does the British Columbia Privacy Act grant? 

PIPA-BC seems to offer only two data access rights to individuals with several others implicit. 

For example, it does not explicitly recognize an individual’s Right to be Informed, but in mandating that prior to obtaining consent you must inform the individual what types of information you are collecting, it does create a platform for this right. 

In the case of the Right to Access, BC's Privacy Act grants individuals this right, mandating that organizations have to process requests related to this right within set parameters. 

Another expressly granted right is the Right to Rectification, allowing individuals to request that their personal information be corrected. If the organization deems that the request is made on reasonable grounds, it must correct the personal information as soon as possible and also make sure that the new information is communicated to any other organization that it has disclosed this to in the course of the previous year. 

While there is no Right to Erasure under the British Columbia Privacy Act, organizations are required to destroy any personal information that is no longer required to fulfill the purposes for which it was collected initially. 

Right to Data Portability and Right to Not be Subject to Automated Decision-Making are not provided to individuals under this privacy regulation, but the Right to Opt-Out/Object is, however, mandated here. Individuals can withdraw consent at any time but they must be informed of the implications of withdrawing consent. Organizations can retain the collected data for the period in which it is necessary to fulfill its purpose and they are under no obligation to inform any other organization of the consent withdrawal. 

How to address data subject access requests under the British Columbia Privacy Act?

Sections (25) through (32) address the way organizations have to handle data subject access requests and outline the following steps: 

• An individual, called here an ‘applicant,’ may send a request for access to personal information or for correcting their personal information that your organization holds about them;
• The request has to be written and provide your organization with “sufficient detail to enable [you], with a reasonable effort, to identify the individual and the personal information or correction being sought.”
• You must make a reasonable effort to answer every request “as accurately and completely as reasonably possible” and “to provide each applicant with (i) the requested personal information, or (ii) if the requested personal information cannot be reasonably provided, with a reasonable opportunity to examine the personal information.” There are exceptions to this as follows: 
• the information is protected by solicitor-client privilege; 
• you are a credit reporting agency;
• the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
• the disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
• the disclosure would reveal personal information about another individual;
• the disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.
• You must respond to an applicant’s request no later than 30 days after receiving the request.
• If the request is refused you must provide the applicant with the following information:
• the reasons for the refusal;
• the name, position title, business address and business telephone number of an officer or employee of the organization who can answer the applicant's questions about the refusal;
• that they can ask for a review within 30 days of being notified of the refusal, as stated in section 47 of the law. 
• You may extend the time for responding to a request by another 30 days or, with the commissioner’s permission, for a longer period of time if the applicant has failed to provide sufficient information for you to identify them, if the personal information requested is too large and gathering it all would interfere with your organization’s operations, or if you need more time to consult with other organizations or public bodies before you can decide whether to grant the applicant access or not to the personal information. 
• Charging fees for access is not allowed when the applicant requests access to their employee personal information. However, when the applicant requests access to their personal information, section 32 allows for charging “a minimal fee for access to the individual's personal information that is not employee personal information concerning the individual.” If you charge the applicant a fee for services provided while responding to their access request you must give the applicant a written estimate of the costs before providing said services and you may also require them to pay a deposit for all or part of the fee. The OIPC-BC advised that the minimal fee should cover only “the actual costs you incurred in producing the record” and this fee “must never generate any profit.”
  
  

Enforcement and penalties

The British Columbia Privacy Act is enforced by the Office of the Information and Privacy Commissioner (OIPC) who handles complaints from individuals and organizations. 

In the initial stages of receiving a complaint, the OIPC will usually encourage the individual to first try to resolve the matter directly with your organization and if they accept the individual’s complaint they will try to mediate a settlement. If this is not achieved, under certain circumstances, they may hold a formal inquiry and may compel testimony, order production of evidence or enter premises, as part of the powers granted to them. The OIPC can issue orders which they can then publish and your organization has 30 days to comply with an order unless you ask the BC Supreme Court to overturn the order within those 30 days. 

Offenses under BC privacy law incur fines of no more than $10,000 for individuals and no more than $100,000 for organizations.

Data Subject Rights - GDPR vs. British Columbia Privacy Act

FAQs about the British Columbia Privacy Act