British Columbia Personal Information Protection Act (BC PIPA)

    Overview

    The British Columbia Personal Information Protection Act (PIPA), effective since January 1, 2004, governs how private sector organizations collect, use, and disclose personal information in British Columbia. It aims to protect personal information while recognizing the need for organizations to collect and use data for legitimate purposes and is superseded by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) when PIPEDA applies.

     

    Regulation Summary

    Timeline
    • May 2003: PIPA received Royal Assent.
    • January 1, 2004: PIPA became effective.
    What Businesses Are Affected
    • Private sector organizations operating in British Columbia.
    • Organizations managing personal information within BC, regardless of where they are based.
    • Non-profit organizations engaging in commercial activities.
    Exemptions
    • Public Bodies: Governed by the Freedom of Information and Protection of Privacy Act (FIPPA).
    • Personal Use: Personal data collected for personal or domestic purposes.
    • Employee Information: Exemptions for certain employee data when directly related to employment.
    Responsibilities for Businesses
    • Accountability: Designate a privacy officer to ensure compliance.
    • Consent: Obtain informed consent before collecting, using, or disclosing personal data.
    • Purpose Limitation: Use data only for specified purposes.
    • Transparency: Provide clear policies about data handling practices.
    • Data Security: Implement measures to protect personal information from unauthorized access or misuse.
    Specific Responsibilities for Website Owners
    • Cookie Use: Notify users about cookies and obtain consent where required.
    • Privacy Policies: Display detailed privacy policies.
    • Access Requests: Respond to access and correction requests within 30 days.
    Additional Requirements
    • Retention and Disposal: Retain personal data only as long as necessary and dispose of it securely.
    • Cross-Border Transfers: Ensure adequate protection for data transferred outside Canada.
    • Breach Reporting: Notify affected individuals and the Office of the Information and Privacy Commissioner (OIPC) in case of significant breaches.
    Data Subject Rights
    • Access: Request access to personal information.
    • Correction: Request correction of inaccuracies.
    • Withdrawal of Consent: Revoke consent for future data use.
    • Complaints: File complaints with the OIPC regarding data mishandling.
    Enforcement
    • Overseen by the Office of the Information and Privacy Commissioner (OIPC).
    • Powers include audits, investigations, and enforcement orders.
    • Penalties: Fines of up to CAD $10,000 (approximately $7,400) for individuals and CAD $100,000 (approximately $74,000) for organizations for non-compliance.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596