Privacy and Data Protection: What B.C. Companies Need to Know

It’s no secret that we are entering a pivotal time for privacy. Balancing an individual’s rights while taking advantage of new technological opportunities must be a priority for organizations in the coming years.

B.C. companies need to become familiar with two pieces of privacy legislation:

• the B.C. Personal Information Protection Act (PIPA) which applies to the collection, use or disclosure of personal information within BC, regardless of whether the activity is commercial in nature; and
• the Personal Information Protection and Electronic Documents Act (PIPEDA), which is a federal privacy law that applies to federally regulated businesses (for example, banks, telephone companies, airlines, etc) governing the collection, use, and disclosure of personal information by private sector organizations in the course of commercial activities. PIPEDA may also apply to BC-based organizations where personal information from other provinces has been affected.

While understanding the ins and outs of PIPA and PIPEDA can be challenging, the requirements of both legislations are substantially similar. We’ve listed some key considerations that should be top of mind for organizations when it comes to privacy and data protection.

1. Consent: Organizations must obtain meaningful consent from individuals before collecting, using, or disclosing their personal information. This means that individuals must be informed about the purpose for which their information will be used and must provide their consent for that specific purpose.
2. Purpose Limitation: Organizations must only collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
3. Security: Organizations must take reasonable steps to protect the personal information they hold from unauthorized access, disclosure, or misuse.
4. Access and Correction: Individuals have the right to access their personal information held by an organization and to request that any inaccuracies be corrected.
5. Accountability: Organizations are accountable for the personal information they collect, use, and disclose, including information not in their custody. They must have policies and procedures in place to ensure compliance with PIPA and/or PIPEDA.
6. Cross-border Data Transfers: If personal information is transferred to a service provider or third party outside of Canada for processing, organizations must take appropriate steps to protect the information and ensure compliance with PIPA and/or PIPEDA.

It is important for B.C. companies to comply with PIPA and PIPEDA, as failure to do so can result in significant fines and reputational damage. Companies can also demonstrate their commitment to privacy and data protection by implementing privacy policies, training employees on privacy best practices, and appointing a privacy officer to oversee privacy-related matters.

Have questions about your organization’s privacy and data protection policies? Reach out to a member of our team. Our interdisciplinary team of privacy, cybersecurity and data protection lawyers assist public and private organizations in navigating the complex and evolving privacy and data protection landscape at the provincial and federal levels in Canada. We work with our clients to help them understand the legislative requirements and operationalize practices that are compliant with current regulations. Read more about our specific expertise in this area here.