British Columbia - Data Protection Overview

December 2023

1. Governing Texts

Data protection law in the Province of British Columbia ('BC') is comprised of various federal and provincial statutes. These laws include data protection statutes of general application for both private and public institutions, as well as sector-specific statutes such as health privacy laws and anti-spam legislation.

1.1. Key acts, regulations, directives, bills

Provincially, the Personal Information Protection Act, SBC 2003 c 63 ('PIPA'), and federally, the Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA') regulate private organizations that collect, use, and disclose personal information. BC's Freedom of Information and Protection of Privacy Act, RSBC 1996 c 165 ('FIPPA') regulates the collection, use, and disclosure of personal information by public bodies, and establishes an individual's right to access records in the custody or control of public bodies.

The sending of commercial electronic messages is regulated federally by An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunication Act, SC 2010 c 23 (commonly referred to as Canada's Anti-Spam Legislation ('CASL')).

BC's E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008 c 38 ('E-Health Act') regulates the collection, use, and disclosure of personal health information by health care bodies.

1.2. Guidelines

The statutory framework in BC is supplemented by a large and growing body of privacy commissioner findings and guidance at the provincial and federal levels, as well as the Canadian Radio-television and Telecommunications Commission ('CRTC') guidance documents in relation to CASL. Below is a sample of available guidelines published by the Office of the Information and Privacy Commissioner for British Columbia ('OIPCBC'), the Office of the Privacy Commissioner of Canada ('OPC'), and the CRTC:

Guidance documents are provided for information purposes only; they do not constitute legal advice of the publisher and are not legally binding.

1.3. Case law

Complaints by individuals regarding breaches of PIPEDA, PIPA, and FIPPA are generally reported to and investigated by the OPC or the OIPCBC, as applicable, as discussed in the section on enforcement decisions below.

While historically, privacy matters have less frequently been pursued in the courts, in recent years the landscape has changed dramatically in Canada. Courts have awarded damages for violations of PIPEDA in a number of cases, and there has been a sharp increase in tort claims and related civil litigation and class action proceedings. Claimants now frequently bypass privacy commissioners and proceed directly to court to seek damages and other relief in respect of privacy matters. In a number of cases, claimants have obtained damages for privacy breaches and certification of class actions, even in the absence of any pecuniary loss flowing from a breach. The volume of privacy-related litigation is steadily increasing in Canada. Moreover, the BC Privacy Act, RSBC 1996 c 373 ('the Privacy Act') creates a statutory tort, actionable without proof of damages, for the wilful and unauthorized violation of the privacy of a person. Its precursor was passed in the wake of concerns over electronic eavesdropping. Since then, significant changes to the legal and technological landscape have reduced recourse to the Privacy Act.

Campbell v. Capital One Financial Corporation, 2022 BCSC 928

In Campbell, the Supreme Court of British Columbia ('the Supreme Court') reconsidered whether a common law tort of intrusion upon seclusion exists in BC. The Supreme Court was asked to certify a class action brought against Capital One following a data breach in which the personal information of approximately six million Canadians was unlawfully accessed. Although the class action was certified on other grounds, the Supreme Court concluded that the common law tort of intrusion upon seclusion still does not exist in BC and, further, that even if the tort were recognized in BC, Capital One's failure to properly safeguard personal information would be unlikely to satisfy the 'intrusion' element required for liability under such a tort.

Chitrakar v. Bell TV, 2013 FC 1103

The plaintiff brought a claim against Bell for breach of privacy, emotional pain, anguish, anxiety, humiliation, and punitive damages as a result of an unauthorized credit check done by Bell prior to the installation of satellite services. The plaintiff filed a complaint with the OPC, who found that the plaintiff's complaint was well-founded. The Federal Court of Canada ('the Federal Court') held that Bell's conduct was reprehensible and violated the plaintiff's privacy rights, specifically by conducting a credit check without the plaintiff's prior consent, contrary to PIPEDA. The Federal Court awarded the plaintiff damages of CAD 10,000 (approx. $7,350), costs of CAD 1,000 (approx. $740), and exemplary damages of an additional CAD 10,000 (approx. $7,350) due to Bell's conduct at the time of the breach of the privacy rights and thereafter, including Bell failing to take the proceedings seriously by failing to appear in court.

Watts v. Klaemt, 2007 BCSC 662

The plaintiff brought an action against the defendant under the Privacy Act for surreptitiously recording the plaintiff's phone conversations with her daughter and son-in-law after the defendant was intimidated by the plaintiff's son-in-law. The defendant subsequently reported the contents of the conversations to the plaintiff's employer, and she was terminated for disclosing confidential information. The Supreme Court held that the defendant's actions constituted a violation of the plaintiff's rights under the Privacy Act. The plaintiff was awarded general damages of CAD 30,000 (approx. $22,050), costs of CAD 1,000 (approx. $740), and punitive damages of CAD 5,000 (approx. $3,680).

2. Scope of Application

2.1. Personal scope

PIPA and PIPEDA

Both PIPA and PIPEDA protect the personal information of individuals. 'Individual' is not defined in PIPA or PIPEDA, but guidance from the OPC, such as the OPC Q&As, clarifies that 'individual' means a natural person. Therefore, neither PIPA nor PIPEDA explicitly protects the personal information of deceased individuals. However, certain provisions of both PIPA and PIPEDA may apply to the personal information of deceased individuals. For instance, the Personal Information Protection Act Regulations specify that if an individual is deceased, the personal representative of the deceased (or the nearest relative if there is no personal representative) may give or refuse consent to the collection, use, or disclosure of personal information of the deceased individual under PIPA. In addition, PIPEDA allows for the disclosure of personal information without knowledge or consent if the disclosure occurs 20 years after the death of the individual whom the information is about. Lastly, if information about a deceased individual contains personal information about a living individual, then PIPA and/or PIPEDA applies with respect to the personal information of the living individual.

PIPEDA applies to all organizations which collect, use, or disclose personal information in the course of commercial activities, as well as to certain employee personal information.

PIPA applies to all organizations which collect, use, or disclose personal information of individuals (regardless of whether the collection, use, or disclosure is in the course of commercial activities), as well as to certain employee personal information. The term 'organization' includes a person, and thus both PIPA and PIPEDA apply to corporations and natural persons, as well as to associations, partnerships, and trade unions. Neither PIPA nor PIPEDA applies to public bodies, such as the Government of Canada ('Federal Government') and Crown corporations.

FIPPA

FIPPA applies to records in the custody or under the control of public bodies in BC. Thus, FIPPA does not apply to private organizations which are subject to PIPA and/or PIPEDA. In addition, FIPPA does not apply to:

  • the office of a person who is a member or officer of the Legislative Assembly; or
  • the Court of Appeal, Supreme Court, or Provincial Court of British Columbia ('the Provincial Court').

CASL

CASL applies to individuals and organizations that send electronic messages to electronic addresses within Canada for the purpose of encouraging participation in a commercial activity, whether it is the sole purpose or one of the purposes. CASL does not apply to the activities of federal, provincial, or territorial governments. CASL does apply, however, to Crown corporations, including municipal governments, when the corporation is acting in the course of any commercial activity.

2.2. Territorial scope

PIPA and PIPEDA

PIPA applies to organizations within BC.

PIPEDA applies to all organizations in Canada unless the organization collects, uses, or discloses personal information solely within a Canadian province that has enacted private sector privacy legislation which the Federal Government has deemed substantially similar to PIPEDA. As PIPA has been deemed substantially similar, PIPEDA only applies to organizations in BC in two circumstances. First, PIPEDA applies to personal information that is collected, used, or disclosed by federally regulated businesses, such as banks, telephone companies, shipping companies, and railways. Second, PIPEDA may apply to BC-based organizations when personal information is disclosed over provincial or international borders.

PIPEDA also applies to organizations located outside Canada if the relevant activities of the organization have a real and substantial connection to Canada. The real and substantial connection test is considered on a case-by-case basis. Factors which the OPC has considered in conducting the real and substantial connection test include, but are not limited to:

  • the location in which the activity takes place;
  • the location to which profits flow;
  • the residency of parties involved; and
  • the location of the end user.

FIPPA

FIPPA applies to public bodies in BC.

CASL

CASL applies to individuals and organizations that send commercial electronic messages to recipients within Canada.

2.3. Material scope

PIPA and PIPEDA

PIPA applies to the collection, use, or disclosure of personal information within BC. PIPA applies irrespective of whether an activity is commercial in nature.

PIPEDA applies to the collection, use, or disclosure of personal information in the course of commercial activities.

It is often unclear whether PIPA, PIPEDA, or both may apply to a given activity. Many organizations may be subject to PIPA in respect of certain aspects of their operations, and to PIPEDA in respect of other aspects. Although the requirements of PIPA and PIPEDA are substantially similar, there are a number of important differences which can arise in certain circumstances.

The OPC Q&As provide further guidance on whether PIPA, PIPEDA, or both apply to a given activity.

PIPA does not apply to:

  • the collection, use, or disclosure of personal information for personal or domestic purposes;
  • the collection, use, or disclosure of personal information for journalistic, artistic, or literary purposes;
  • personal information to which PIPEDA applies;
  • personal information to which FIPPA applies;
  • personal information in a court document or record;
  • personal information in a note, communication, or draft decision of the decision-maker in an administrative proceeding;
  • the collection, use, or disclosure of personal information by a member or officer of the Legislative Assembly of British Columbia ('the Legislative Assembly') of personal information relating to their functions;
  • a document related to a prosecution if all proceedings related to the prosecution have not been completed; or
  • personal information that was collected before PIPA came into force.

PIPEDA does not apply to:

  • any government institution to which the federal Privacy Act, RSC 1985, c P-21 applies;
  • the collection, use, or disclosure of personal information for personal or domestic purposes;
  • the collection, use, or disclosure of personal information for journalistic, artistic, or literary purposes; or
  • the collection, use, or disclosure of personal information that is subject to provincial privacy legislation (such as PIPA or FIPPA).

FIPPA

FIPPA applies to all records in the custody or under the control of public bodies in BC. FIPPA regulates the collection, use, and disclosure of personal information by public bodies and establishes an individual's right to access records in the custody or control of public bodies.

CASL

CASL regulates, among other things, the sending of commercial electronic messages. A 'commercial electronic message' is an electronic message that it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity. A commercial electronic message may take the form of an email, text, sound, voice, or image message.

CASL is an opt-in regime in respect of commercial electronic messages and prohibits the sending of commercial electronic messages unless express or implied consent is obtained, or an exception is applicable, and prescribed requirements are met. CASL does not apply to unsolicited telecommunications that are regulated under the CRTC Unsolicited Telecommunications Rules, such as live voice and automated telemarketing calls to telephone numbers.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

PIPA and FIPPA are administered by the OIPCBC. The OIPCBC has its own unique mandates and powers under PIPA and FIPPA. Nonetheless, the OIPCBC often works collaboratively with the OPC and other provincial and territorial privacy commissioners on investigations and policy matters.

PIPEDA is administered by the OPC, while the CASL is administered by the CRTC.

3.2. Main powers, duties and responsibilities

One of the main roles of the OIPCBC is to investigate and attempt to resolve complaints, make findings, and issue recommendations. Like the OPC, the OIPCBC may initiate investigations, audits, and inquiries upon receiving a privacy complaint. Unlike the OPC, the OIPCBC also has the power to issue binding orders. Currently, neither the OPC nor the OIPCBC has the power to issue fines.

In addition, the OIPCBC's mandate includes an important public education and guidance role. The OIPCBC has published many guidance documents, summaries of findings, and other resources for individuals and organizations.

The CRTC shares CASL enforcement duties with the Competition Bureau of Canada and the OPC. The CRTC may investigate and take action against violators of CASL, as well as set administrative monetary penalties. In addition, the CRTC provides public education and guidance for individuals and organizations to promote compliance with CASL.

4. Key Definitions

PIPA

Organization: An 'organization' includes a person, an unincorporated association, a trade union, a trust, or a not-for-profit organization, but does not include:

  • public bodies (e.g., provincial government ministries, local governments, universities, colleges, public school boards, regional health authorities, hospitals, self-regulating professional bodies, and Crown corporations);
  • various courts;
  • the Nisga'a Lisims Government; or
  • a private trust for the benefit of one or more designated individuals who are friends or members of the family of the settlor.

Personal information: In general terms, 'personal information' means information about an identifiable individual. Information is generally considered personal information where there is a serious possibility that an individual could be identified through the use of the information alone or in combination with other available information.

PIPA does not define or have equivalent definitions for the following terms:

  • sensitive data;
  • data processor;
  • data subject;
  • biometric data;
  • health data; and
  • pseudonymisation.

PIPEDA

Commercial activity: A 'commercial activity' means any particular transaction, act, conduct, or regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.

Organization: An 'organization' includes an association, a partnership, a person, and a trade union.

Personal information: The definition of 'personal information' in PIPEDA is substantially similar to the definition of 'personal information' in PIPA.

Personal health information: In general terms, 'personal health information' means information concerning a living or deceased individual's physical or mental health or information that is collected with respect to any health service provided to the individual.

Sensitive personal information: Although PIPEDA does not define what constitutes 'sensitive personal information', it provides that any personal information may be sensitive depending on the context, and that some information, including medical and income records, is almost always considered sensitive.

PIPEDA does not define or have equivalent definitions for the following terms:

  • data processor;
  • data subject;
  • biometric data; or
  • pseudonymisation.

FIPPA

Personal information: 'Personal information' means recorded information about an identifiable individual other than contact information.

Public body: 'Public body' includes:

  • provincial government ministries;
  • provincial agencies, boards and commissions, and provincial Crown corporations; and
  • local public bodies, such as municipalities, regional districts, improvement districts, universities, colleges, school boards, municipal police forces, hospitals, and self-governing professional bodies.

This definition, however, excludes:

  • the office of a person who is a member or officer of the Legislative Assembly; or
  • the Court of Appeal, Supreme Court, or Provincial Court.

Record: 'Record' includes anything on which information is recorded or stored by graphic, electronic, mechanical, or other means but does not include a computer program or any other mechanism that produces records.

FIPPA does not define or have equivalent definitions for the following terms:

  • sensitive data;
  • data processor;
  • data subject;
  • biometric data;
  • health data; or
  • pseudonymisation.

5. Legal Bases

5.1. Consent

PIPA and PIPEDA require consent prior to the collection, use, or disclosure of personal information unless an exception applies. Under PIPA, an organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use, or disclosure of personal information beyond what is necessary to provide the product or service. Under PIPEDA, consent is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.

Consent may be express or implied depending on the circumstances. Implied consent is generally not appropriate when the collection, use, or disclosure relates to sensitive personal information, is outside of the reasonable expectations of the individual, or creates a meaningful residual risk of significant harm.

The OIPCBC, the Office of the Information and Privacy Commissioner of Alberta ('OIPCAB'), and the OPC, through the jointly issued Meaningful Consent Guidelines, suggest the following seven principles for obtaining meaningful consent:

  1. Allow individuals to quickly review key elements impacting their privacy decisions: In particular, organizations should emphasize what personal information is being collected, with which parties personal information is being shared, for what purposes personal information is being collected, used, or disclosed, and the risk of harm and other consequences associated with the collection, use, or disclosure.
  2. Allow individuals to control the level of detail they get and when: Information must be provided to individuals in manageable and easily accessible ways, and individuals should be able to control how much more detail they wish to obtain and when.
  3. Provide individuals with clear options to say 'yes' or 'no': Individuals cannot be required to consent to the collection, use, or disclosure of personal information beyond what is necessary to provide the product or service - they must be given a choice. These choices must be explained clearly and made easily accessible.
  4. Be innovative and creative: Organizations should design and/or adopt innovative consent processes that are specific to the context and appropriate to the type of interface used.
  5. Consider the consumer's perspective: Consent processes must take into account the consumer's perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization's target audience(s).
  6. Make consent a dynamic and ongoing process: Informed consent is an ongoing process that changes as circumstances change. As such, organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process. When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. Organizations should also periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals.
  7. Be accountable: Stand ready to demonstrate compliance. Organizations, when asked, should be in a position to demonstrate compliance, and in particular, that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) so as to allow for valid and meaningful consent.

Consent is not required in certain prescribed circumstances. For example, under PIPA and PIPEDA, among other situations, consent is not required if:

  • the collection, use, or disclosure is clearly in the interests of the individual, and consent cannot be obtained in a timely way;
  • the collection, use, or disclosure is necessary for the medical treatment of the individual, and the individual does not have the legal capacity to give consent; or
  • the collection, use, or disclosure is required or authorized by law.

FIPPA

FIPPA does not make consent a general precondition to the collection, use, or disclosure of personal information. Consent is, however, one of the legal grounds on which a public body may collect, use, or disclose personal information under FIPPA, provided that a reasonable person would consider the collection appropriate in the circumstances.

CASL

CASL requires organizations that send commercial electronic messages to obtain the prior express or implied consent of recipients. Express consent may be written or oral but must involve a proactive action on the part of the recipient (i.e., an 'opt-in' rather than an 'opt-out' action). Consent may also be implied in certain circumstances, including:

  • the existence of an existing business or non-business relationship with the recipient;
  • the recipient has published the electronic address to which the message is sent, the publication of the email address is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages, and the message is relevant to the recipient's business, role, functions or duties in a business or official capacity; or
  • the recipient has disclosed to the sender the electronic address without indicating a wish not to receive unsolicited commercial electronic messages, and the message is relevant to the recipient's business, role, functions, or duties in a business or official capacity.

5.2. Contract with the data subject

The performance of a contract with the individual is not an enumerated exception to the consent requirements under PIPA or PIPEDA.

Under CASL, consent to receive commercial electronic messages is implied where the organization has an existing business or non-business relationship with the recipient, so no separate express consent is needed in that case. A contract between the parties will often form the basis of such a relationship; for example, the organization and recipient may be parties to a contract for professional services or for membership in a club.

5.3. Legal obligations

PIPA, PIPEDA, and FIPPA allow for the collection, use, or disclosure of personal information without consent for purposes that are required or authorized by law. For example, organizations may collect, use, and disclose an employee's Social Insurance Number ('SIN') to issue a T-4 slip as required by the Income Tax Act, RSC 1985 c 1 (5th Supp.) without the consent of the employee.

5.4. Interests of the data subject

PIPA and PIPEDA allow for the collection, use, or disclosure of personal information without the consent of the individual if it is clearly in the interests of the individual and consent cannot be obtained in a timely way. For example, a skydiving company would be permitted to collect a client's emergency contact information from the client's friend after an accident involving the client. In addition, PIPA and PIPEDA specify that personal information may be collected, used, or disclosed without the consent of the individual it pertains to where, among other cases, the collection, use, or disclosure is clearly necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent.

FIPPA allows for a public body to collect, use, and disclose personal information if the information is necessary for the purpose of reducing the risk that an individual will be a victim of domestic violence if domestic violence is reasonably likely to occur. In addition, FIPPA permits the disclosure of information to allow the next of kin or a friend of an injured, ill, or deceased individual to be contacted.

5.5. Public interest

PIPA allows for the disclosure of personal information without consent where the disclosure is for research, statistical, archival, or historical purposes, provided that, among other requirements, such purpose cannot be accomplished unless the personal information is provided in an individually identifiable form and it is impracticable for the organization to seek the consent of the individual for the disclosure.

PIPEDA

PIPEDA allows for the use and disclosure of personal information without consent for statistical, scholarly study, or research purposes, provided that such purposes cannot be achieved without using or disclosing the information, it is impracticable to obtain consent, and the organization informs the OPC of the use or disclosure before the information is used or disclosed.

FIPPA

FIPPA also permits the disclosure of personal information for research, statistical, archival, or historical purposes. As with PIPA and PIPEDA, FIPPA states several limitations to such disclosure, including that any data linking must not be harmful to the individuals that information is about and that the benefits to be derived from the data linking must be clearly in the public interest. In addition, FIPPA requires the head of a public body to disclose information that, for any reason, is clearly in the public interest. For example, disclosure would be required where there is a risk of significant harm to the environment or to the health or safety of the public or a group of people.

E-Health Act

The E-Health Act governs the collection, use, and disclosure of personal health information in certain databases designated as 'health information banks'. Under the E-Health Act, personal health information may be collected, used, and disclosed for limited purposes, such as the provision of health services and facilitation of health research. The E-Health Act permits disclosure of personal information without consent in certain circumstances, including for health research purposes.

5.6. Legitimate interests of the data controller

Outsourcing

PIPA allows an organization to disclose personal information to a service provider (i.e., to outsource processing) without additional consent in certain circumstances. Under PIPA, an organization may disclose personal information to another organization without the consent of the individual to whom the information relates if:

  • the individual consented to the collection of the personal information by the disclosing organization; and
  • the personal information is disclosed to the receiving organization solely for the purposes for which the information was previously collected and to assist the receiving organization in carrying out work on behalf of the disclosing organization.

PIPEDA does not prevent organizations from outsourcing the processing of data. However, the OPC's PIPEDA: Processing Personal Data Across Borders Guidelines ('the OPC's Cross-Border Guidelines') impose additional obligations on organizations who wish to outsource data processing, as discussed in the below section on data transfers.

Importantly, under PIPEDA, once informed individuals have consented to the collection of their information by the organization, the individuals do not have an additional right to refuse to have such information transferred to a third-party for processing. This is because a transfer of personal information for processing by another organization is classified by the OPC's Cross-Border Guidelines as a permitted transfer or use of the information rather than a disclosure.

Therefore, provided that the organization to which the information is transferred uses it for the purpose it was originally collected, additional consent is not required.

Business transactions

PIPA and PIPEDA allow for the disclosure of personal information without consent to prospective parties to business transactions. Under PIPA, an organization may disclose, without consent, personal information about the organization's employees, customers, directors, officers, or shareholders if:

  • the prospective party needs the information to decide whether to go ahead with the transaction;
  • the prospective party has entered into an agreement to use or disclose the personal information solely for purposes related to the prospective transaction; and
  • if the transaction does not proceed, the prospective party has entered into an agreement to return that information to the organization that disclosed it or to destroy it.

PIPEDA allows the disclosure of personal information to a prospective party without consent if, in addition to the above requirements, the agreement between the organization and the prospective party requires the prospective party to protect the personal information by security safeguards appropriate to the sensitivity of the information.

Upon completion of a business transaction, both parties to the transaction may collect, use, and disclose personal information without consent, provided that:

  • the organization receiving the personal information uses or discloses it only for those purposes for which it was collected, used, or disclosed by the organization providing it;
  • the disclosure is only of personal information that relates directly to the part of the organization or its business assets that are covered by the business transaction; and
  • the individuals whose personal information is disclosed are notified that a business transaction has taken place and personal information about them has been disclosed to the organization receiving the information.

The above exceptions to the consent requirement do not apply where personal information is the primary asset being purchased, sold, leased, or otherwise acquired. Consent is required in these circumstances.

FIPPA

Under FIPPA, public bodies may disclose information for several of their own legitimate purposes, including where disclosure is necessary for the processing of information, or to a minister or an officer or employee of a public body or agency if the information is necessary for the delivery of a common or integrated program or activity.

5.7. Legal bases in other instances

Employment

PIPA allows for the collection, use, and disclosure of employee personal information without consent if done solely for the purposes reasonably required to establish, manage, or terminate an employment relationship between the organization and that individual. While PIPA allows for the collection, use, and disclosure of employee personal information without consent within the bounds of reasonableness, it nonetheless requires the employer to be transparent about it.

Accordingly, organizations must notify employees that such data collection, use, and disclosure is occurring, and explain the purpose(s) for the same.

Work product information

Under PIPA, 'work product information' is excluded from the definition of personal information. 'Work product information' is defined in PIPA as information prepared or collected by individuals or a group of individuals as part of the individual's or group's responsibilities or activities related to the individual's or group's employment or business but does not include personal information about an individual who did not prepare or collect the personal information.

PIPEDA does not define work product information or exclude it from the definition of personal information. Under PIPEDA, an organization may disclose personal information to another organization without the consent of the individual to whom the information relates if:

  • the information was produced by the individual in the course of their employment, business, or profession; and
  • the disclosure is consistent with the purposes for which the information was produced.

Other instances – PIPA and PIPEDA

PIPA and PIPEDA specify other circumstances in which personal information may be collected, used, or disclosed without the consent of the individual it pertains to, including where disclosure is necessary to determine suitability to receive an honor, award, or similar benefit.

FIPPA

Under FIPPA, if the head of a public body reasonably believes that the disclosure of a requested record may harm the business interests of a third party, the head must provide that third party with written notice that disclosure of the record has been requested. The third party may either consent to the disclosure of the record or make written representations to the public body explaining why the information should not be disclosed. The public body must disclose the record unless the third party can demonstrate that disclosure of the record:

  • would reveal trade secrets or commercial, financial, labor relations, scientific, or technical information of or about a third party;
  • would reveal information that was supplied in confidence; and
  • would reasonably be expected to, among other things:
    • harm significantly the competitive position of the third party; or
    • result in undue financial loss or gain to any person or organization.

6. Principles

Accountability

PIPA, PIPEDA, and FIPPA hold organizations and public bodies accountable for information under their control, including information that is not in their custody. Control can take a number of forms and includes an organization's authority or ability to decide how to use, disclose, and store personal information, how long to keep personal information, and how to dispose of it. Organizations can protect personal information that is under their control (but not in their custody) by including privacy protection clauses in contracts or using other means to ensure adequate protection of personal information held by a third party.

PIPA and PIPEDA require the appointment of one or more individuals who are responsible for an organization's compliance with the law. Under PIPA, the name or title, and contact information of this individual must be made available to the public. Under PIPEDA, this information must be made available upon request.

FIPPA refers to the 'head' of a public body who is responsible for administering a public body's obligations under FIPPA or delegating administration of those obligations. CASL does not require such an appointment, but the CRTC has developed guidelines that suggest identifying a 'point person' in an organization who is responsible and accountable for the organization's compliance with CASL.

Appropriate purpose

PIPA and PIPEDA contain an overarching requirement that organizations may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Even if an individual has consented, PIPA and PIPEDA prohibit the collection, use, or disclosure of personal information that does not meet this requirement.

In assessing whether a reasonable person would find a purpose for collecting, using, and disclosing personal information to be appropriate, federal and provincial privacy commissions and the Federal Court have applied the following four-part test in a number of cases:

  1. Is the activity demonstrably necessary to meet a specific need?
  2. Is the activity likely to be effective in meeting that need?
  3. Is the loss of privacy proportional to the benefit gained?
  4. Is there a less privacy-invasive way of achieving the same end?

The test provides a useful guide for assessing activities and has often been applied in the workplace and surveillance contexts in particular. However, it will not be applicable in every case, and the OIPCBC has considered other factors to assess whether a reasonable person would find a purpose for collecting, using, and disclosing personal information to be appropriate, including:

  • the sensitivity of the personal information;
  • the amount of personal information;
  • the manner of collection and use of the personal information; and
  • other relevant factors, given the circumstances.

Under FIPPA, a public body may collect personal information only if:

  • the collection of the information is expressly authorized under an Act;
  • the information is collected for the purposes of law enforcement;
  • the information relates directly to, and is necessary for, a program or activity of the public body;
  • the personal information is collected for a prescribed purpose, the individual has consented to its collection, and the collection is reasonable in the circumstances;
  • the information is necessary for the purposes of planning or evaluating a program or activity of a public body;
  • the information is necessary for the purpose of reducing the risk that an individual will be a victim of domestic violence, if domestic violence is reasonably likely to occur;
  • the information is collected by observation at a presentation, ceremony, performance, sports meet, or similar event at which the individual voluntarily appears, and that is open to the public; or
  • collection of the information is necessary to enable identification of an individual in certain circumstances.

Generally, a public body may use personal information in its custody or under its control only for the purpose for which that information was obtained or compiled or for a use consistent with that purpose.

However, FIPPA outlines several exceptions to this rule. For example, a public body may disclose personal information in its custody or under its control in accordance with a request for access to that record, for research or statistical purposes, for archival or historical purposes, or for other limited purposes.

Accuracy and completeness

PIPA, PIPEDA, and FIPPA impose obligations with respect to the accuracy and completeness of personal information. Under PIPA, organizations must use reasonable efforts to ensure that personal information collected by or on behalf of the organization is accurate and complete if the personal information:

  • is likely to be used by the organization to make a decision affecting the individual to whom the personal information relates; or
  • is likely to be disclosed to another organization.

Under PIPEDA, organizations must ensure that personal information is accurate, complete, and up to date as is necessary for the purposes for which it is to be used.

Under FIPPA, a public body must make reasonable efforts to ensure that personal information in its custody or under its control is accurate and complete if the personal information will be used to make a decision that directly affects an individual to whom the personal information relates.

Other principles

Other principles underlying PIPA and PIPEDA include:

  • consent;
  • limiting the collection, use, disclosure, and retention of personal information;
  • the use of appropriate safeguards;
  • the openness of organizations;
  • an individual's access to personal information; and
  • an individual's ability to challenge an organization's compliance with PIPA or PIPEDA.

Each of these principles is discussed in more detail elsewhere in this overview.

7. Controller and Processor Obligations

PIPA, PIPEDA, and FIPPA require organizations and public bodies to use reasonable physical, administrative, and technical safeguards to protect personal information from unauthorized access, collection, use, disclosure, copying, modification, or disposal and similar risks. Factors to consider when implementing appropriate safeguards should include the sensitivity of the personal information, the likelihood of a privacy breach, the harm caused if there were a privacy breach, the practices commonly used by other organizations, the type of record containing the personal information, the likelihood of criminal activity or intentional wrongdoing, and the cost of the security measures.

In addition, under PIPA, organizations must develop and follow policies and practices that are necessary for the organization to meet its obligations under PIPA and develop a process to respond to complaints that may arise with respect to the application of PIPA. Organizations must make information about such policies, practices, and processes available upon request.

Under FIPPA, a public body must ensure that personal information in its custody or under its control is stored and accessed only in Canada, subject to limited exceptions.

7.1. Data processing notification

Organizations are not required to notify or register with regulatory authorities under privacy laws in BC.

7.2. Data transfers

PIPA

PIPA only applies to the collection, use, and disclosure of personal information within BC. If personal information is transferred across borders, whether provincial or international, PIPEDA applies to the collection, use, and disclosure of such information.

PIPEDA

PIPEDA allows personal information to be transferred to a domestic or international third party for processing when certain requirements are met. Transferring organizations remain responsible for the personal information transferred to third parties, as the information is considered to remain under the control of the transferring organization.

Organizations must use contractual privacy protection clauses or other means to ensure a comparable level of protection while the information is being processed by the third party. The OPC's Cross-Border Guidelines have clarified that appropriate means include, but are not limited to, ensuring that the third party:

  • has appropriate policies and processes in place;
  • has trained its staff to ensure information is properly safeguarded at all times; and
  • has effective security measures in place.

Although there is no requirement for additional consent for cross-border transfers under PIPEDA, the OPC's Cross-Border Guidelines note that organizations must provide notice to customers that:

  • their personal information may be sent to another jurisdiction for processing; and
  • while the information is in the other jurisdiction, it may be accessed by the courts, law enforcement, and national security authorities.

Moreover, the OPC's Cross-Border Guidelines have clarified that in situations where neither contractual clauses nor other means are effective in safeguarding personal information due to the uncertain nature of the foreign regime or the sensitivity of the information, consent may be required.

FIPPA

Under FIPPA, personal information may be stored and accessed outside of Canada. However, if the personal information is considered sensitive personal information, it may only be disclosed to be stored outside of Canada if, prior to such disclosure, the public body conducts a Privacy Impact Assessment ('PIA') and is satisfied with its findings related to the risks.

7.3. Data processing records

Under PIPEDA, organizations must record the purposes for which personal information is collected. Organizations that use collected personal information for a new purpose must document the new purpose.

As discussed further in the section on the right to rectification below, organizations and public bodies subject to PIPA, PIPEDA, and FIPPA are required to correct any recorded personal information that is shown to be incorrect. In addition, under PIPA, organizations must send the corrected personal information to each organization to which the personal information was disclosed by the organization during the previous year. Therefore, organizations subject to PIPA must also maintain records of such disclosures.

7.4. Data protection impact assessment

Organizations subject to PIPA or PIPEDA are not required to conduct a PIA. However, the OIPCBC's Guide to Privacy Impact Assessments for the Private Sector ('the PIA Guide') recommends the use of a PIA before new products, services, or information systems are introduced, or existing ones are significantly changed. In addition, an organization may choose to complete a PIA as part of its policies and procedures undertaken to give effect to its obligations under PIPA or PIPEDA. For the purpose of transparency, organizations may publicly post their PIAs. In addition, and within the PIA, organizations' privacy officers may provide their thoughts or comments on the initiative being assessed.

More specifically, the PIA Guide outlines that organizations should complete a PIA whenever there is a new or substantively changed initiative. PIAs should include a general description of the initiative being assessed, which outlines the purpose of the initiative, its benefits, the larger process (if any) that it is part of, how it functions, and the parties involved. PIAs should also outline what the PIA does not cover in the assessment of a particular initiative. Specific information on what should be included in a PIA is in the PIA Guide and the PIA Template.

Public bodies subject to FIPPA are required to conduct a PIA to determine whether a current or proposed enactment, system, project, program, or activity involves personal information and, if so, how the public body will protect the information collected or used. In addition, public bodies are required to conduct a PIA prior to disclosing any sensitive personal information to be stored outside of Canada.

7.5. Data protection officer appointment

PIPA and PIPEDA require all organizations or public bodies to designate an individual(s) to be accountable for ensuring the organization's compliance with the relevant legislation. These individuals are referred to as privacy officers.

For organizations subject to PIPA, the position name or title and the contact information of the privacy officer(s) must be made publicly available. The privacy officer(s) may also be the contact person for answering questions about PIPA and for handling access requests and complaints. The privacy officer(s) will be required to perform many roles with respect to privacy, including:

  • establishing and implementing program controls;
  • coordinating with other appropriate persons responsible for related disciplines and functions within the organization;
  • being responsible for the ongoing assessment and revision of program controls;
  • representing the organization in the event of a complaint investigation by a privacy commissioner's office; and
  • advocating privacy within the organization itself.

For organizations subject to PIPEDA, the privacy officer(s) must act as the point of contact for individuals with compliance concerns. The name or title, and the address, of the privacy officer(s) must be made readily available. Guidance from the OPC, including the PIPEDA Self-Assessment Tool and the Getting Accountability Right with a Privacy Management Program Guide, outlines recommended and required responsibilities of privacy officers, which include informing and monitoring compliance, as well as acting as a point of contact, among other responsibilities.

Under FIPPA, the head of a public body must develop a privacy management program for the public body. Further, the head of a public body, or an individual delegated by the head of the public body, must assume the duties of a privacy officer. The OIPCBC's Guide to Accountable Privacy Management in BC's Public Sector states that the privacy officer is responsible for ensuring the public body's compliance with FIPPA generally and for management and direction of a privacy management program. The privacy officer may play many other roles, including:

  • creating all privacy policies and procedures;
  • representing the public body in the event of an OIPCBC investigation; and
  • designing and implementing employee training and education.

7.6. Data breach notification

PIPA does not currently require organizations to notify individuals or the OIPCBC of breaches involving personal information.

Under PIPEDA, organizations must notify individuals and the OPC of breaches involving personal information if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. The organization must also inform other organizations or government institutions of the breach if the notifying organization believes that those other organizations or government institutions may be able to reduce the risk of the harm that could result from the breach or mitigate that harm. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the individual's credit record, and damage to or loss of property. Factors relevant to determining whether a breach creates a real risk of significant harm include the sensitivity of the personal information at issue and the probability that the personal information is or will be misused.

FIPPA requires public bodies to notify affected individuals and the OIPCBC without unreasonable delay if a privacy breach has occurred, which includes the theft or loss, or the unauthorized collection, use, or disclosure of personal information in custody or control of the public body that could reasonably be expected to result in significant harm to the individual.

Certain types of organizations, such as financial institutions, health care providers, and others, may be subject to a variety of sector-specific privacy obligations.

7.7. Data retention

PIPA, PIPEDA, and FIPPA impose obligations with respect to the retention of personal information. Under PIPA and FIPPA, if an organization or public body uses an individual's personal information to make a decision that directly affects the individual, the organization or public body must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it. Under PIPEDA, organizations must retain personal information that has been used to make a decision about an individual long enough to allow the individual access to the information after the decision has been made.

Under PIPA, organizations must destroy or anonymize personal information as soon as it is reasonable to assume that the purpose for which that personal information was collected is no longer being served by retention of the personal information and retention is no longer necessary for legal or business purposes. Under PIPEDA, organizations should develop guidelines and implement procedures to govern the destruction of personal information. FIPPA does not specify the period of time that organizations must keep personal information that is not used to make a decision about an individual.

7.8. Children's data

PIPA and PIPEDA do not define 'child' or 'children' or require organizations or public bodies to make efforts to verify that parents or guardians have provided consent on behalf of children. However, the OPC Children Guidance provides organizations with tips regarding the collection, use, and disclosure of youth information, including:

  • limiting, or avoiding altogether, the collection of personal information;
  • being cautious of 'inadvertent' collection;
  • making sure users can understand the organization's privacy policies and practices or know how to engage their parents/guardians; and
  • making clear who is agreeing to terms and conditions.

In addition, the Meaningful Consent Guidelines state that the OPC takes the position that in all but exceptional circumstances, any child under the age of 13 is unable to meaningfully consent to the collection, use, and disclosure of personal information. The OIPCBC has not set a specific threshold but rather states that organizations must consider whether the individual understands the nature and consequences of their privacy choices. If a child is unable to meaningfully consent, such consent should be obtained from their parents or guardians.

7.9. Special categories of personal data

PIPEDA, PIPA, and FIPPA impose heightened levels of care with respect to sensitive personal information. However, these acts do not define what constitutes sensitive personal information, instead stating that any information can be sensitive depending on the context. PIPA and PIPEDA specify that organizations may only collect personal information that a reasonable person would consider appropriate in the circumstances.

PIPEDA lists medical records and income records as examples of personal information which will almost always be considered sensitive. The OPC Personal Information Guidance further clarifies that sensitive personal information includes, but is not limited to:

  • medical information;
  • financial information;
  • work performance information;
  • SINs; and
  • live-streaming of young children.

7.10. Controller and processor contracts

Under PIPA and PIPEDA, organizations remain responsible for personal information transferred to third parties, as the information is considered to remain under the organization's control. Under PIPEDA, organizations must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

Under FIPPA, a public body may disclose personal information in its custody or under its control for a research or statistical purpose if the person to whom the information is disclosed has signed an agreement to comply with FIPPA and the public body's policies and procedures relating to the confidentiality of personal information. In addition, the agreement must impose conditions relating to:

  • security and confidentiality;
  • the removal or destruction of individual identifiers at the earliest reasonable time; and
  • the prohibition of any subsequent use or disclosure of the information in question in an individually identifiable form without the express authorization of that public body.

The E-Health Act requires information-sharing agreements for disclosure and prescribes the contents of such agreements. Among other requirements, information-sharing agreements under the E-Health Act must include a requirement that protected information disclosed under the agreement will not be used or disclosed for the purpose of market research.

8. Data Subject Rights

8.1. Right to be informed

PIPA and PIPEDA do not explicitly recognize an individual's right to be informed of the collection, use, or disclosure of personal information, provided that certain conditions are met with respect to the collection, use, or disclosure of such information. However, an individual's consent is only valid if it is reasonable to expect that the individual understands the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting. In limiting the collection of personal information to that which is necessary, organizations must specify the type of information collected as part of their information-handling policies and practices.

FIPPA imposes requirements on the collection of consent by public bodies. In general, individuals' consent for the collection, use, or disclosure of their personal information must specify who may collect the personal information and the purpose of the collection of the personal information.

8.2. Right to access

PIPA and PIPEDA

Under PIPA and PIPEDA, individuals have a general right to obtain access to their personal information held by organizations. Access requests must be processed in accordance with the applicable statute and within prescribed timeframes. Organizations are permitted to refuse access only in specified circumstances, including if the information is protected by solicitor-client privilege or if granting access would reveal confidential commercial information. Under PIPA, organizations must refuse access to personal information if:

  • the disclosure could reasonably be expected to threaten the safety or physical or mental health of another individual;
  • the disclosure could reasonably be expected to cause immediate or serious harm to the safety or to the physical or mental health of the individual who made the request;
  • the disclosure would reveal personal information about another individual; or
  • the disclosure would reveal the identity of the person who provided the organization with the applicant's personal information, and that person does not consent to the disclosure of their identity.

FIPPA

FIPPA outlines a procedure by which an individual may request access to any record in the custody or under the control of a public body, including records containing sensitive Federal Government information and personal information of other individuals. Thus, FIPPA aims to balance the two competing principles of an individual's right to access records in the custody or under the control of public bodies and the protection of sensitive information contained in those records.

The procedure for requesting access to a record is as follows: applicants submit a written request to the public body that they believe has custody or control of the desired record. The request must identify the record(s) sought and, if the applicant is acting on behalf of another person, provide written proof of the authority of the applicant to make the request. The head of a public body must respond to a request within 30 days unless an enumerated time limit extension is applicable. The response must inform the applicant whether or not the applicant is entitled to access the record or part of the record and if so entitled, how access will be granted. An applicant has a right of access to any record in the custody or under the control of a public body unless disclosure of the record would:

  • reveal the substance of deliberations of the Executive Council of British Columbia or the Legislative Assembly or any of its committees;
  • reveal advice or recommendations developed by or for a public body or a minister;
  • breach solicitor-client privilege;
  • harm a law enforcement matter;
  • harm relations between the Federal Government of BC and another government agency;
  • harm the financial or economic interests of a public body;
  • result in harm to the conservation of heritage sites or vulnerable ecosystems;
  • threaten individual or public safety;
  • harm the business interests of a third party;
  • result in the unreasonable invasion of a third party's personal privacy; or
  • disclose information relating to abortion services.

Whether or not a request for access is made, the head of a public body must disclose to the public information about a significant risk of harm to the environment or the health and safety of the public or make other disclosures that are clearly in the public interest.

Applicants may request the OIPCBC to review a public body's decision regarding access to a record. Upon such a request, the OIPCBC must make an order requiring the public body to disclose the record or refuse access to the record. Such an order may also confirm the public body's decision or require the public body to reconsider its decision. Within 30 days of being given an OIPCBC order, a public body must comply with the order or apply for judicial review of the order.

Under PIPA, PIPEDA, and FIPPA, organizations and public bodies are required to sever exempt information from non-exempt information where possible.

8.3. Right to rectification

Individuals have a right to request the correction of personal information about themselves under PIPEDA, PIPA, and FIPPA.

Under PIPEDA, if an individual demonstrates that personal information about the individual held by an organization is incorrect, the organization must amend the personal information. Depending upon the nature of the information, amendments may include correction, deletion, or addition of information. Where appropriate, the amended information must be transmitted to third parties that have access to the relevant information.

Under PIPA, an individual may request an organization to correct an error or omission in the personal information that is about the individual and under the control of the organization. If an organization is satisfied on reasonable grounds that such correction should be implemented, the organization must correct the personal information as soon as reasonably possible and send the corrected personal information to each organization to which the personal information was disclosed by the organization during the previous year.

Under FIPPA, an individual may request the head of the public body that has the incorrect information in its custody or control to correct the information. If the public body finds that correction is justified, it must notify any other public body or third party to whom that information had been disclosed during the previous year.

8.4. Right to erasure

There is no right to erasure under PIPA, PIPEDA, or FIPPA. Rather, under PIPA and PIPEDA, personal information that is no longer required to fulfill the purposes for which it was collected, for legal or business purposes, or because it was used to make a decision about an individual must be destroyed, erased, or anonymized. Organizations subject to PIPEDA must develop guidelines and implement procedures to govern the destruction of personal information.

8.5. Right to object/opt-out

PIPA and PIPEDA allow individuals to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Organizations must inform individuals of the implications of withdrawing consent. However, organizations are entitled to retain the data for the period in which it is necessary to fulfill the purpose for which it was collected and are not required to contact other organizations to which it has disclosed information to inform those organizations of the withdrawal of consent. Neither PIPA nor PIPEDA requires organizations to inform individuals of their right to withdraw consent or how to exercise that right.

In addition, individuals may challenge an organization's compliance with the organization's obligations under the relevant act by submitting complaints to the organization's privacy officer or another designated individual. Organizations must develop procedures for responding to such complaints.

8.6. Right to data portability

Neither PIPA, PIPEDA, nor FIPPA provides individuals with the right to data portability.

8.7. Right not to be subject to automated decision-making

Neither PIPA, PIPEDA, nor FIPPA provides individuals with the right not to be subject to automated decision-making.

8.8. Other rights

An individual may file a complaint with the OPC or the OIPCBC against an organization for contravening PIPA or PIPEDA.

If an organization breaches PIPA and the OIPCBC makes a final order against the organization or convicts the organization of such an offence, an individual affected by the order or the conduct resulting in the conviction may sue the organization for damages for actual harm the individual has suffered as a result of the organization's breach of its obligations under PIPA.

9. Penalties

The OIPCBC and OPC have issued many findings, touching on virtually every aspect of data protection law, including those described above. As noted above, the OIPCBC has the power to issue binding orders under PIPA and FIPPA but does not have the power to issue fines. The OPC does not currently have the power to issue orders or fines.

9.1. Enforcement decisions

This section summarizes findings of various privacy commissions, which illustrate relevant privacy law principles. Of the findings summarized in this section, only orders of the OIPCBC are binding.

Collection beyond what is reasonable to provide the product or service

Order P10-01, [2010] B.C.I.P.C.D. No. 7

A restaurant required the complainant to present identification before serving him alcohol because the parent organization had a policy of requiring identification from all customers. The complainant felt that this collection of personal information was unnecessary because he was, from his appearance, clearly of legal drinking age (the complainant was 60 years old). The OIPCBC found that the collection of his personal information was not necessary for the purpose of serving him alcohol and contravened Section 7(2) of PIPA. The OIPCBC ordered the organization to change its policy with respect to all franchises in BC so as not to require identification from customers who are clearly of legal drinking age.

Implied consent

PIPEDA Case Summary #2005-311

A woman alleged that an insurance company had collected her personal information without her knowledge or consent when it conducted surveillance and videotaped her activities. The woman was in a motor vehicle accident. She subsequently filed a lawsuit against the driver of the other vehicle. The woman claimed that her injuries resulted in a loss of income and prevented her from performing domestic duties. The insurance company representing the other driver stated that the woman's testimony at the examination for discovery and her medical reports revealed inconsistencies with respect to the injuries claimed. As such, the insurance company hired a private investigator to conduct surveillance on the woman to record and observe her functional abilities on a day-to-day basis. The information collected by the insurance company, including the investigator's surveillance footage, was used in court. The woman complained to the OPC, stating that the insurance company and private investigator had collected her personal information without her knowledge or consent. The OPC found that the complaint was not well-founded and stated that when an individual initiates a lawsuit, they impliedly consent to the other party to the suit collecting the information required to defend itself against the damages sought by the individual filing the suit.

PIPEDA Case Summary #2020-004

A joint investigation was launched by the OPC, the OIPCBC, and the OIPCAB into a corporation's implementation of interactive mall directories with built-in cameras that collected personal information using facial analytics technology. This technology took temporary digital images of the faces of individuals within the field of view of the camera and used facial recognition software to convert those images into biometric numerical representations of the individual faces. The OPC, the OIPCBC, and the OIPCAB found that the process constituted the collection and use of personal information, including sensitive biometric information, without valid consent. The corporation's privacy policy, located at guest services and referred to by stickers displayed at mall entrances, did not constitute adequate consent. Individuals would not, while using a mall directory, reasonably expect their image to be captured and used to create a biometric representation of their face. In addition, the privacy policy language was overly broad and not sufficient to support meaningful consent. If the corporation wished to continue using the software, it was required to obtain the express opt-in consent of all users and could not make use of the software conditional on users' consent to the collection of their personal information.

Collection, use, and disclosure for reasonable purposes

OIPCBC Document # P07-10-MS

A non-profit society operated a subsidized housing facility where the tenancy agreement required tenants not to engage in any criminal conduct in the facility. Reports emerged that suggested the society was implementing mandatory drug testing for all tenants. In response, the OIPCBC initiated an investigation to determine whether a reasonable person would consider the collection of personal information in the form of drug testing appropriate in the circumstances. The investigation revealed that random drug testing was not mandatory for all tenants. Rather, the society operated programs that required abstinence from drugs and alcohol, and although consent to mandatory random drug testing was a precondition of participating in the programs, participation in the programs was itself voluntary. Moreover, collection of drug test results was reasonable in the circumstances because impairment resulting from the use of alcohol or drugs could undermine the effectiveness of the programs.

PIPEDA Case Summary #2001-22

An individual signed up for internet service with a telecommunications company. The company requested the individual's SIN. According to the individual, a company representative had implied that providing the SIN was a condition of obtaining the company's services. While the company's written policy was to collect SINs from persons requesting services, the policy did not insist on obtaining SINs in cases where individuals refused and specified that the collection of SINs was not a condition of providing services. The OPC cited its longstanding position that SINs should not be used as a universal identifier and that citizens should not give out their SIN unless legally required to do so for the purposes of the limited number of Federal Government programs authorized for such collection. Therefore, the OPC found that a reasonable person would not consider the company's collection of SINs appropriate in the circumstances.

Exceptions to consent

PIPEDA Case Summary #2006-342

A management company requested that the owner of a townhouse complete and disclose forms summarizing the terms of leases between the owner and her tenants. The owner completed the forms but refused to provide particulars on how much rent her tenants paid or when the payments were due. The owner complained to the OPC about the management company's request for the information. The OPC disagreed with the owner and noted that the Ontario Condominium Act of 1998 obligated the owner to disclose the leases, or summaries thereof, to the management corporation. Thus, disclosure of the lease summaries was authorized by law and did not require consent of the tenants.

Disclosure of personal information in the context of a business transaction

Builders Energy Services Ltd., Stikeman Elliott LLP, Shtabsky & Tussman LLP and Remote Wireline Services Ltd., P2005-IR-005

During the course of a share purchase transaction, the vendor provided its lawyers with a schedule listing personal information about its employees, including home addresses and SINs. The vendor's lawyers disclosed the schedule to the purchaser's lawyers, who subsequently filed the schedule on the System for Electronic Document Analysis and Retrieval ('SEDAR'). One of the affected employees filed a complaint with the OIPCAB, which determined that disclosure of employees' home addresses and SINs was not necessary for the purpose of the transaction. Thus, disclosure of the schedules from the vendor's lawyer to the purchaser's lawyer and from the purchaser's lawyer to SEDAR, all without the employees' consent, contravened Alberta's Personal Information Protection Act.

Protection of personal information

PIPEDA Case Summary #2003-226

A telecommunications company instructed employees to send applications for long-term disability benefits ('LTD') to its human resources office by facsimile. A former employee of the company complained to the OPC that the company did not have appropriate security safeguards in place to protect the personal medical information contained in the applications. The OPC agreed with the complainant and found that sending personal medical information to a fax machine in an unlocked, accessible room was inappropriate. Moreover, there was no legitimate reason for human resources personnel to review the LTD applications, since applications of that type could only be properly assessed by qualified medical practitioners.

PIPEDA Case Summary #2023-002

The complainant alleged that Agronomy Company of Canada Ltd. did not adequately safeguard personal information in its possession, which resulted in the compromise of the complainant's and many others' personal information. The compromised personal information included sensitive information such as social insurance numbers, dates of birth, driver's license numbers, names, addresses, phone numbers, bank account numbers, credit card information, passport information, and electronic signatures. The OPC agreed that Agronomy lacked safeguards commensurate with the sensitivity of the information in question, particularly because the types of information involved could be used for identity theft. In particular, Agronomy lacked multifactor authentication for administrator accounts, segregation of the personal information within its network, network encryption, and detection and response tools. Further, Agronomy did not have a comprehensive privacy policy, or policies, practices, and training for the protection of personal information and PIPEDA compliance.

Access to records – harm to third party business interests

Order F18-28, [2018] B.C.I.P.C.D. No. 31

An applicant made a request to the South Coast British Columbia Transportation Authority ('TransLink') for access to its purchase of services agreement with Canadian Pacific Railway Company ('CP'). TransLink informed CP of its decision to grant the applicant's request and disclose the agreement. CP consented to the disclosure of most of the agreement but objected to the disclosure of the terms detailing the calculation of charges and payments, on the basis that disclosure of those terms would harm its business interests. The OIPCBC ordered disclosure of the full agreement. The information in the agreement was not 'supplied', as CP contended, but was rather negotiated between the two parties. Moreover, disclosure of existing contract pricing, which results in heightened competition, does not constitute significant harm or significant interference with competitive or negotiating positions under FIPPA.
