The Personal Information Protection Act (PIPA) is British Columbia’s private sector privacy law that came into force on January 1, 2004. PIPA governs how businesses collect, use, and disclose the personal information of their employees and customers.
At its core, PIPA serves to balance two principles:
The Act allows private organizations to collect, use, and disclose personal information reasonably. Section 4(2) of PIPA defines reasonable purpose as what a logical individual would find relevant in a specific situation.
What defines a reasonable purpose are factors such as:
PIPA applies to every private organization.
However, the act doesn’t apply to public entities under the FIPPA (Freedom of Information and Protection of Privacy Act). Public institutions like local governments, colleges, universities, regional health authorities, hospitals, provincial governments, and self-regulating professional bodies are not subject to PIPA.
According to section 1 of PIPA, personal information is data that can identify an individual directly or in combination with other information. Such information includes:
Non-identifiable data or aggregate information like statistical information isn’t personal information. The general information that enables daily business operations doesn’t qualify as personal data under PIPA.
The act doesn’t apply when you’re handling personal information for personal, domestic, journalistic, artistic, or literary purposes.
According to section 3(5) of PIPA, when a part of PIPA conflicts with another British Columbia Act or regulation, the section of PIPA would overrule it unless the conflicting act states that PIPA doesn’t apply.
You have a legal responsibility for all personal data your company controls.
PIPA applies the reasonable person test to determine whether your organization follows its regulations. You must employ the correct procedures to receive and respond to issues and questions about your practices and policies of collecting, using, and disclosing personal information.
The Act requires businesses to have an officer manage their company’s compliance and publicize their name and contact information.
According to section 4(2) of PIPA, your organization is responsible for the personal data you control — even data you don’t own.
Control in this context means the power to determine how to use, share, and store personal data. Control also means the authority to decide how long to keep personal data and dispose of it. For instance, an organization controls a contractor’s personal information throughout the terms of its contract.
According to PIPA, your organization controls all personal information that:
Your business is responsible for all personal information under its control. To protect the data, formulate a privacy protection clause in contracts. That way, you’ll ensure that personal data under your control is secure, including data in the custody of third parties.
Section 4(1) requires you to handle personal data reasonably regardless of the circumstances. That translates into devising privacy policies for handling personal data throughout its lifecycle.
You need to establish a reasonable purpose to handle personal data and know what information will help your business achieve its goal.
Here are some principles that will help you establish secure information practices:
The four principles above are required by PIPA and make for good information practice.
Section 5 of PIPA requires organizations to develop and practice personal data protection procedures and policies. To remain compliant, consider the following when designing privacy policies:
According to section 4(3) of PIPA, your business must assign one or more individuals to ensure your business complies with the act’s regulations. Whoever you choose, you should publicize their identity and contact information so that they can answer questions about PIPA and handle access requests and complaints.
Compunet will readily offer you an experienced team member to handle everything involving PIPA. We have helped hundreds of businesses in British Columbia for years, and we can help you, too. Contact us today to get started on compliance.