
British Columbia PIPA-BC

The data protection law of the province of British Columbia, Canada.


What is PIPA-BC?

The Personal Information Protection Act (PIPA-BC) is the private-sector privacy law of the province of British Columbia, Canada. Its stated purpose is to regulate the “collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

It is closely modelled on Alberta’s PIPA-AB: both govern the personal information handled by private-sector organizations in their province, and in both cases the Act does not apply where the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies, so PIPEDA takes precedence for that information.

Note also that, as in Alberta, the public sector is covered by a separate statute. The Freedom of Information and Protection of Privacy Act (FIPPA) regulates personal information held by public bodies, which are excluded from the definition of “organization” under PIPA-BC. Both Acts are overseen by the same commissioner.

In December 2021, a special committee of the Legislative Assembly completed its review of PIPA-BC and published a report with several recommendations for modernizing the law. At the time of writing, these recommendations have not been implemented in the text of the Act.


What is Personal Information and what are other key definitions?

PIPA-BC defines personal information as “information about an identifiable individual and includes employee personal information but does not include contact information, or work product information.”

Another relevant definition is that of what constitutes an organization, defined as “a person, an unincorporated association, a trade union, a trust or a not for profit organization, but does not include:

  • an individual acting in a personal or domestic capacity or acting as an employee,
  • a public body,
  • the Provincial Court, the Supreme Court or the Court of Appeal,
  • the Nisg̱a'a Government, as defined in the Nisg̱a'a Final Agreement, or
  • a private trust for the benefit of one or more designated individuals who are friends or members of the family of the settlor.”

Because PIPA-BC protects employee personal information, it defines this as “personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual's employment.”

PIPA-BC also defines ‘business transaction,’ in the context of a potential transfer of personal information during the sale of an organization or of its business assets. A business transaction is “the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization.”

PIPA-BC distinguishes ‘express consent’ from implied consent, which the Act calls ‘deemed consent.’ An individual is deemed to consent “to the collection, use or disclosure of personal information by an organization for a purpose if (a) at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and (b) the individual voluntarily provides the personal information to the organization for that purpose.”

A third form is opt-out consent: the individual is told what will be collected and for what purposes, and consent is established if they do not decline. Under PIPA-BC this is regulated as follows:

“An organization may collect, use or disclose personal information about an individual for specified purposes if:

  • (a) the organization provides the individual with a notice, in a form the individual can reasonably be considered to understand, that it intends to collect, use or disclose the individual's personal information for those purposes,
  • (b) the organization gives the individual a reasonable opportunity to decline within a reasonable time to have his or her personal information collected, used or disclosed for those purposes,
  • (c) the individual does not decline, within the time allowed under paragraph (b), the proposed collection, use or disclosure, and
  • (d) the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances.”

Because deemed and opt-out consent depend on what a “reasonable person” would find obvious and on the sensitivity of the information, it is best practice to obtain and record express consent wherever you can: implied or verbal consent leaves no record you can produce in an audit or an OIPC investigation.


Who has to comply with the PIPA-BC?

Because the definition for ‘organization’ is fairly broad, BC’s OIPC (Office of the Information & Privacy Commissioner) says that “an organization includes:

  • a corporation, including a strata corporation,
  • a partnership,
  • a doctor’s office,
  • an association that is not incorporated,
  • a co-operative association, including a housing co-op,
  • a society,
  • a church or other religious organization,
  • a charity,
  • a sports club,
  • a trade union,
  • a political party,
  • an individual involved in a commercial activity (for example, an individual running a small renovation business that is not incorporated), and
  • a trust.”

In simple terms, PIPA-BC applies to every organization in the province that collects, uses or discloses personal information, as the legislation defines the term above.

Note also that where a provision of PIPA-BC conflicts with a provision of another Act of British Columbia, PIPA-BC prevails unless the other Act expressly states that it applies despite PIPA-BC.

Who is excluded from PIPA-BC compliance? 

PIPA-BC, same as its Alberta counterpart, exempts from compliance several types of personal information, as follows: 

  • personal information collected, used, or disclosed for domestic or personal purposes;
  • personal information collected, used, or disclosed for journalistic, artistic or literary purposes;
  • personal information collected, used, or disclosed that falls under PIPEDA jurisdiction;
  • personal information collected, used, or disclosed that falls under FIPPA jurisdiction;
  • personal information found in court documents or records, in any notes, communications or draft decisions of administrative proceedings;
  • personal information collected, used, or disclosed by a member of the Legislative Assembly of British Columbia, that relates to their functions;
  • a document related to a prosecution, until all proceedings related to the prosecution have been completed;
  • personal information collected, used, or disclosed before PIPA-BC came into effect.

In addition, according to BC’s OIPC, public bodies are also excluded from PIPA compliance. These include “provincial government ministries, local governments, universities, colleges, public school boards, regional health authorities, hospitals, self-regulating professional bodies and Crown corporations (other than BC Rail, to which PIPA applies).”


How can I keep my organization PIPA-BC compliant? 

PIPA-BC, like PIPEDA and PIPA-AB, requires that consent be obtained before personal information is collected, used or disclosed. For this reason, the Guidelines for obtaining meaningful consent, issued jointly by the federal Office of the Privacy Commissioner (OPC) and the Alberta and British Columbia commissioners, are a good starting point. Their seven guiding principles are as follows:

Emphasize key elements

Individuals must be given the opportunity to review the key elements that affect their privacy decisions. As an organization you must therefore emphasize these elements: what personal information is being collected, with which parties it is being shared, and for what purposes it is collected, used or disclosed.

Allow individuals to control the level of detail they get and when

Information must be provided to individuals in manageable and easily-accessible ways (potentially including layers) and individuals should be able to control how much more detail they wish to obtain, and when.

Provide individuals with clear options to say ‘yes’ or ‘no’

Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service – they must be given a choice. These choices must be explained clearly and made easily accessible. 

Be innovative and creative

Organizations should design and/or adopt innovative consent processes that are specific to the context and appropriate to the type of interface used.

Consider the consumer's perspective

Consent processes must take into account the consumer's perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization's target audience(s).

Make consent a dynamic and ongoing process

Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process. When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. Organizations should also periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals.

Be accountable: stand ready to demonstrate compliance

Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) so as to allow for valid and meaningful consent. 

Your organization can improve its privacy compliance by following these steps:

  • Obtain consent before collecting personal information.
  • Designate one or more individuals (commonly called a privacy officer) responsible for ensuring compliance with PIPA-BC, as the Act requires.
  • Develop and document internal policies and practices in order to stay compliant.
  • Make the policies and practices you have in place for data protection available on request (i.e. a Privacy Policy).
  • Limit the collection, use, or disclosure of personal information to “purposes that a reasonable person would consider appropriate in the circumstances” and to the purposes you have disclosed to the individual.
  • Grant individuals access to the personal information you hold about them.
  • Correct individuals’ personal information upon their request.
  • Respond to access and correction requests within the statutory time limits.

What data access rights does PIPA-BC grant? 

PIPA-BC expressly grants individuals only two data rights, access and correction, with several others following implicitly from its consent and retention rules.

For example, it does not explicitly recognize a Right to be Informed, but by requiring that an individual be told, before consent is obtained, what personal information is collected and for what purposes, it establishes that right in practice.

PIPA-BC expressly grants the Right to Access, and requires organizations to process access requests within set time limits and procedures (see below).

Another expressly granted right is the Right to Rectification, allowing individuals to request that their personal information be corrected. If the organization deems that the request is made on reasonable grounds, it must correct the personal information as soon as possible and also make sure that the new information is communicated to any other organization that it has disclosed this to in the course of the previous year. 

While there is no Right to Erasure under PIPA-BC, organizations are required to destroy any personal information that is no longer required to fulfill the purposes for which it was collected initially. 

The Right to Data Portability and the Right to Not be Subject to Automated Decision-Making are not provided under this law. The Right to Opt-Out/Object does exist in the form of withdrawal of consent: individuals may withdraw consent at any time on reasonable notice, and the organization must inform them of the likely consequences of doing so. Once consent is withdrawn the organization must stop collecting, using or disclosing the information (unless this would frustrate the performance of a legal obligation). Withdrawal does not by itself require the data to be destroyed; the organization may retain it for as long as it is needed for legal or business purposes, and it is under no obligation to notify other organizations of the withdrawal.


How to address data subject access requests under PIPA-BC?

Sections 23 through 32 (Part 7 of the Act) set out how organizations must handle access and correction requests, as follows:

  • An individual, called here an ‘applicant,’ may send a request for access to personal information or for correcting their personal information that your organization holds about them;
  • The request has to be written and provide your organization with “sufficient detail to enable [you], with a reasonable effort, to identify the individual and the personal information or correction being sought.”
  • You must make a reasonable effort to assist each applicant, to respond “as accurately and completely as reasonably possible” and “to provide each applicant with (i) the requested personal information, or (ii) if the requested personal information cannot be reasonably provided, with a reasonable opportunity to examine the personal information.” The exceptions are as follows:
    • the information is protected by solicitor-client privilege; 
    • you are a credit reporting agency;
    • the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
    • the disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
    • the disclosure would reveal personal information about another individual;
    • the disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.
  • You must respond to an applicant’s request no later than 30 days after receiving the request.
  • If the request is refused you must provide the applicant with the following information:
    • the reasons for the refusal;
    • the name, position title, business address and business telephone number of an officer or employee of the organization who can answer the applicant's questions about the refusal;
    • that they may ask the commissioner for a review of the refusal within 30 days of being notified of it, as provided in section 47 of the Act.
  • You may extend the time for responding by up to 30 days or, with the commissioner’s permission, for a longer period, if the applicant has not provided enough detail for you to identify the personal information requested, if the request is for a large volume of information and meeting the original deadline would unreasonably interfere with your organization’s operations, or if you need more time to consult with another organization or a public body before deciding whether to grant access.
  • No fee may be charged for access to an applicant’s employee personal information. For other personal information, section 32 allows “a minimal fee for access to the individual's personal information that is not employee personal information concerning the individual.” If you intend to charge a fee, you must give the applicant a written estimate of the costs before providing the service, and you may require a deposit for all or part of the fee. The OIPC has advised that the minimal fee should cover only “the actual costs you incurred in producing the record” and “must never generate any profit.”

Enforcement and penalties

PIPA-BC is enforced by the Office of the Information and Privacy Commissioner (OIPC) for British Columbia, which handles complaints from individuals and requests for review.

On receiving a complaint, the OIPC will usually encourage the individual to try to resolve the matter directly with your organization first. If it accepts the complaint, it will attempt to mediate a settlement; if mediation fails, it may hold a formal inquiry, and in doing so it may compel testimony, order the production of records and enter premises. The OIPC can issue binding orders, which it may publish. Your organization has 30 days to comply with an order unless, within those 30 days, you apply to the BC Supreme Court for judicial review of the order.

Offences under PIPA-BC carry fines of up to $10,000 for individuals and up to $100,000 for organizations.


Data Subject Rights - GDPR vs. PIPA-BC

GDPR

  • Right to access data
  • Right to correct inaccurate data
  • Right to the portability of data
  • Right to delete personal information
  • Right to information about how entities are sharing your data
  • Right to restrict processing
  • Right to object to processing
  • Right to object to automated processing

PIPA-BC

  • Right to access
  • Right to rectification 


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • Ready Compliance: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

See Clym in action by booking a demo, or reach out to us to discuss your specific needs.
