PIPA — British Columbia’s Personal Data Protection Laws
The Personal Information Protection Act (PIPA) is British Columbia's private sector privacy law; it came into force on January 1, 2004. PIPA governs how businesses collect, use, and disclose the personal information of their employees and customers.
At its core, PIPA balances two principles:
- The right of individuals to protect their personal information and to access the information a private organization holds about them
- The need of organizations to protect the privacy of the personal information they collect, use, and disclose
The Act allows private organizations to collect, use, and disclose personal information for reasonable purposes. Section 4(2) of PIPA defines a reasonable purpose as what a reasonable person would find relevant in a specific situation.
Factors that bear on whether a purpose is reasonable include:
- The type of information
- The amount of personal information you collect
- The intended use of the personal information you're collecting
- Whom you intend to share the personal information with
Organizations Under PIPA
PIPA applies to every private organization.
However, the Act doesn't apply to public bodies covered by FIPPA (the Freedom of Information and Protection of Privacy Act). Public institutions such as local governments, colleges, universities, regional health authorities, hospitals, provincial government bodies, and self-regulating professional bodies are not subject to PIPA.
Information that PIPA Considers to Be Personal
According to section 1 of PIPA, personal information is data that can identify an individual directly or in combination with other information. Such information includes:
- An individual’s name
- ID number
- Home phone number
- Home address
- Physical description
- Blood type
- Education qualification
- Street address
- Personal health number
Non-identifiable data and aggregate information, such as statistics, are not personal information. Likewise, general information that only enables day-to-day business operations doesn't qualify as personal information under PIPA.
The Act also doesn't apply when you're handling personal information for personal, domestic, journalistic, artistic, or literary purposes.
PIPA Overrides Other Acts of British Columbia
According to section 3(5) of PIPA, if a provision of PIPA conflicts with another British Columbia Act or regulation, the PIPA provision prevails unless the conflicting Act states that PIPA doesn't apply.
Your Organization is Responsible for Personal Information You Control
You have a legal responsibility for all personal data your company controls.
PIPA applies the reasonable person test to determine whether your organization complies with its requirements. You must have procedures in place to receive and respond to complaints and questions about your policies and practices for collecting, using, and disclosing personal information.
The Act requires businesses to designate an officer to manage the company's compliance, and to publish that person's name and contact information.
Example of Personal Information Under Your Organization’s Control
According to section 4(2) of PIPA, your organization is responsible for the personal information it controls, including information it doesn't own.
Control in this context means the power to determine how to use, share, and store personal data. Control also means the authority to decide how long to keep personal data and dispose of it. For instance, an organization controls a contractor’s personal information throughout the terms of its contract.
According to PIPA, your organization controls all personal information that:
- Is contained in documents that employees, officers, owners, or directors of your organization create in the course of the organization's operations
- Is contained in documents created by an outside consultant for your organization
- Individuals share with your business
- Another person in your organization discloses to you
- You or your employees handle
- Your business relies on to carry out daily operations
- Is integrated with other documents that your organization holds
Your business is responsible for all personal information under its control. To protect that information, include a privacy protection clause in your contracts with third parties. That way, you ensure that personal information under your control remains secure, including information in the custody of third parties.
Establish the Reasonable Purpose to Handle Personal Data
Section 4(1) requires you to handle personal data reasonably regardless of the circumstances. That translates into devising privacy policies for handling personal data throughout its lifecycle.
You need to establish a reasonable purpose to handle personal data and know what information will help your business achieve its goal.
Here are some principles that will help you establish secure information practices:
- Limit personal data collection to only what’s necessary for the purpose you’ve identified
- Only handle personal data that is relevant to the situation
- Don't require a person, as a condition of doing business with you, to consent to collection, use, or disclosure of personal information beyond what is necessary
- Use legal and fair means to collect personal data
The four principles above are PIPA requirements and also sound information practice.
Design Privacy Policies and Procedures
Section 5 of PIPA requires organizations to develop and practice personal data protection procedures and policies. To remain compliant, consider the following when designing privacy policies:
- Know the type of personal information you need to collect
- Understand the purpose of the personal information you collect
- Only collect personal information that you need
- Identify the methods you use to collect personal information and inform the people you collect it from of the purpose of the collection
- Ensure your purpose for handling personal information is reasonable and appropriate
- Match the use of data with what you say when collecting it
- Verify that the personal information you’re collecting, using, and disclosing is correct, complete, and updated
- Secure the storage for the personal information you’re handling
- Ensure that the people within the organization who have access to personal information are authorized to access it
- Only disclose personal information reasonably and for the purpose you stated to the individual when you collected it
- Decide how long to retain personal information and when to dispose of it, and dispose of it securely
- Periodically review whether your practices need to change, and make any changes without violating PIPA
Compunet Will Assign a Privacy Officer to Ensure Your Business is PIPA Compliant
According to section 4(3) of PIPA, your business must designate one or more individuals to ensure it complies with the Act's requirements. Whoever you choose, you should publish their identity and contact information so they can answer questions about PIPA and handle access requests and complaints.
Compunet will readily offer you an experienced team member to handle everything involving PIPA. We have helped hundreds of businesses in British Columbia for years, and we can help you, too. Contact us today to get started on compliance.