This Act is current to March 25, 2020
See the Tables of Legislative Changes for this Act’s legislative history, including any changes not in force.
Personal Information Protection Act
[SBC 2003] CHAPTER 63
Assented to October 23, 2003
Part 1 — Introductory Provisions
Definitions
1 In this Act:
“commissioner” means the commissioner appointed under section 37 (1) or 39 (1)
of the Freedom of Information and Protection of Privacy Act;
“contact information” means information to enable an
individual at a place of business to be contacted and includes the name, position name
or title, business telephone number, business address, business email or business fax
number of the individual;
“credit report” has the same meaning as “report” in section 106 of the
Business Practices and Consumer Protection Act;
“credit reporting agency” has the same meaning as “reporting agency” in
section 106 of the Business Practices and Consumer Protection Act;
“day” does not include a holiday or a Saturday;
“document” includes
(a) a thing on or by which information is stored, and
(b) a document in electronic or similar form;
“domestic” means related to home or family;
“employee” includes a volunteer;
“employee personal information” means personal information
about an individual that is collected, used or disclosed solely for the purposes
reasonably required to establish, manage or terminate an employment relationship between
the organization and that individual, but does not include personal information that is
not about an individual’s employment;
“employment” includes working under an unpaid volunteer work
relationship;
“federal Act” means the Personal Information Protection and Electronic Documents Act (Canada);
“investigation” means an investigation related to
(b) a contravention of an enactment of Canada or a province,
(d) the prevention of fraud, or
(e) trading in a security as defined in section 1 of the Securities Act if the investigation is conducted by or on behalf of an organization recognized by the British Columbia Securities
Commission to be appropriate for carrying out investigations of trading in
securities,
if it is reasonable to believe that the breach, contravention, circumstance,
conduct, fraud or improper trading practice in question may occur or may have
occurred;
“organization” includes a person, an unincorporated
association, a trade union, a trust or a not for profit organization, but does not
include
(a) an individual acting in a personal or domestic capacity or acting as an
employee,
(c) the Provincial Court, the Supreme Court or the Court of Appeal,
(d) the Nisga’a Government, as defined in the
Nisga’a Final Agreement, or
“personal information” means information about an
identifiable individual and includes employee personal information but does not
include
“proceeding” means a civil, a criminal or an administrative
proceeding that is related to the allegation of
(b) a contravention of an enactment of Canada or a province, or
“public body” means
(a) a ministry of the government of British Columbia,
(c) a local public body as defined in the Freedom of Information and Protection of Privacy Act;
“work product information” means information prepared or
collected by an individual or group of individuals as a part of the individual’s or
group’s responsibilities or activities related to the individual’s or group’s employment
or business but does not include personal information about an individual who did not
prepare or collect the personal information.
Purpose
2
The purpose of this Act is to govern the collection, use and disclosure of
personal information by organizations in a manner that recognizes both the right of
individuals to protect their personal information and the need of organizations to
collect, use or disclose personal information for purposes that a reasonable person would
consider appropriate in the circumstances.
Application
3
(1) Subject to this section, this Act applies to every organization.
(2) This Act does not apply to the following:
(iii) a document of a master of the Supreme Court,
(iv) a document of a justice of the peace, or
(v) a judicial administration record as defined in Schedule 1 of the Freedom of Information and Protection of Privacy Act;
(3) Nothing in this Act affects solicitor-client privilege.
(4) This Act does not limit the information available by law to a party to a
proceeding.
Part 2 — General Rules Respecting Protection of Personal Information by Organizations
Compliance with Act
4
(1) In meeting its responsibilities under this Act, an organization must consider
what a reasonable person would consider appropriate in the circumstances.
(5) An organization must make available to the public
(b) contact information for each individual referred to in paragraph (a).
Policies and practices
5
An organization must
(c) make information available on request about
(i) the policies and practices referred to in paragraph (a), and
Consent required
6
(1) An organization must not
(a) collect personal information about an individual,
(b) use personal information about an individual, or
(c) disclose personal information about an individual.
(2) Subsection (1) does not apply if
(a) the individual gives consent to the collection, use or disclosure,
(b) this Act authorizes the collection, use or disclosure without the consent of
the individual, or
(c) this Act deems the collection, use or disclosure to be consented to by the
individual.
Provision of consent
7
(1) An individual has not given consent under this Act to an organization
unless
(b) the individual’s consent is provided in accordance with this Act.
(b) using deceptive or misleading practices
any consent provided in those circumstances is not validly given.
Implicit consent
8
(1) An individual is deemed to consent to the collection, use or disclosure of
personal information by an organization for a purpose if
(a) is a beneficiary or has an interest as an insured under the plan, policy or
contract, and
Withdrawal of consent
9
(1) Subject to subsections (5) and (6), on giving reasonable
notice to the organization, an individual may withdraw consent to the collection, use or
disclosure of personal information about the individual at any time.
Part 4 — Collection of Personal Information
Required notification for collection of personal information
10
(1) On or before collecting personal information about an individual from the
individual, an organization must disclose to the individual verbally or in
writing
(a) the purposes for the collection of the information, and
(3) This section does not apply to a collection described in section 8 (1) or (2).
Limitations on collection of personal information
11
Subject to this Act, an organization may collect personal information only for
purposes that a reasonable person would consider appropriate in the circumstances and
that
(a) fulfill the purposes that the organization discloses under section 10 (1), or
Collection of personal information without consent
12
(1) An organization may collect personal information about an individual without
consent or from a source other than the individual, if
(i) at which the individual voluntarily appears, and
(ii) that is open to the public,
(f) the collection is necessary to determine the individual’s suitability
(ii) to be selected for an athletic or artistic purpose,
(h) the collection is required or authorized by law,
(i) the information was disclosed to the organization under sections 18 to 22,
(j) the personal information is necessary to facilitate
(i) the collection of a debt owed to the organization, or
(ii) the payment of a debt owed by the organization,
(i) the third party is an individual acting in a personal or domestic
capacity,
(ii) the third party is providing the information to the organization,
and
(iii) the information is necessary for the purposes of providing those
services.
(b) the personal information is disclosed to or collected by the organization
solely
(i) for the purposes for which the information was previously collected,
and
(ii) to assist that organization to carry out work on behalf of the other
organization.
Collection of employee personal information
13
(1) Subject to subsection (2), an organization may collect employee
personal information without the consent of the individual.
(a) section 12 allows the collection of the employee personal information
without consent, or
Part 5 — Use of Personal Information
Limitations on use of personal information
14
Subject to this Act, an organization may use personal information only for
purposes that a reasonable person would consider appropriate in the circumstances and
that
(a) fulfill the purposes that the organization discloses under section 10 (1),
Use of personal information without consent
15
(1) An organization may use personal information about an individual without the
consent of the individual, if
(i) at which the individual voluntarily appears, and
(ii) that is open to the public,
(f) the use is necessary to determine suitability
(ii) to be selected for an athletic or artistic purpose,
(h) the use is required or authorized by law,
(i) the personal information was disclosed to the organization under sections
18 to 22,
(j) the personal information is needed to facilitate
(i) the collection of a debt owed to the organization, or
(ii) the payment of a debt owed by the organization,
(a) the individual consented to the use of the personal information by the other
organization, and
(b) the personal information is used by the organization solely
(i) for the purposes for which the information was previously collected,
and
(ii) to assist that organization to carry out work on behalf of the other
organization.
Use of employee personal information
16
(1) Subject to subsection (2), an organization may use employee
personal information without the consent of the individual.
(a) section 15 allows the use of the employee personal information without
consent, or
Part 6 — Disclosure of Personal Information
Limitations on disclosure of personal information
17
Subject to this Act, an organization may disclose personal information only for
purposes that a reasonable person would consider are appropriate in the circumstances and
that
(a) fulfill the purposes that the organization discloses under section 10 (1),
Disclosure of personal information without consent
18
(1) An organization may only disclose personal information about an individual
without the consent of the individual, if
(i) at which the individual voluntarily appears, and
(ii) that is open to the public,
(f) the disclosure is necessary to determine suitability
(ii) to be selected for an athletic or artistic purpose,
(h) the personal information is disclosed in accordance with a provision of a
treaty that
(i) authorizes or requires its disclosure, and
(ii) is made under an enactment of British Columbia or Canada,
(i) to determine whether the offence has taken place, or
(ii) to prepare for the laying of a charge or the prosecution of the
offence,
(m) the disclosure is to a lawyer who is representing the organization,
(o) the disclosure is required or authorized by law, or
(p) the disclosure is in accordance with sections 19 to 22.
(a) the individual consented to the collection of the personal information by the
organization, and
(b) the personal information is disclosed to the other organization
solely
(i) for the purposes for which the information was previously collected,
and
(ii) to assist the other organization to carry out work on behalf of the first
organization.
(a) the personal information was collected by an organization under section 12 (1) (k) or (l),
Disclosure of employee personal information
19
(1) Subject to subsection (2), an organization may disclose employee
personal information without the consent of the individual.
(a) section 18 allows the disclosure of the employee personal information
without consent, or
Transfer of personal information in the sale of an organization or its business assets
20
(1) In this section:
“business transaction” means the purchase, sale, lease,
merger or amalgamation or any other type of acquisition, disposal or financing of an
organization or a portion of an organization or of any of the business or assets of an
organization;
“party” means a person or another organization that proceeds
with the business transaction.
(i) the business transaction has taken place, and
(ii) the personal information about them has been disclosed to the
party.
Disclosure for research or statistical purposes
21
(1) An organization may disclose, without the consent of the individual, personal
information for a research purpose, including statistical research, only if
Disclosure for archival or historical purposes
22
An organization may disclose, without the consent of the individual, personal
information for archival or historical purposes if
(b) the disclosure is for historical research and is in accordance with section 21,
(c) the information is about someone who has been dead for 20 or more years,
or
(d) the information is in a record that has been in existence for 100 or more
years.
Part 7 — Access to and Correction of Personal Information
Access to personal information
23
(1) Subject to subsections (2) to (5), on request of an
individual, an organization must provide the individual with the following:
(a) the individual’s personal information under the control of the
organization;
(a) is a credit reporting agency, and
(b) receives a request under subsection (1)
must also provide the individual with the names of the sources from which it
received the personal information unless it is reasonable to assume the individual can
ascertain those sources.
(a) the information is protected by solicitor-client privilege;
(i) under a collective agreement,
(f) the information is in a document that is subject to a solicitor’s
lien.
(c) the disclosure would reveal personal information about another
individual;
Right to request correction of personal information
24
(1) An individual may request an organization to correct an error or omission in the
personal information that is
(b) under the control of the organization.
(a) correct the personal information as soon as reasonably possible,
and
Circumstances in which request may be made
26
An individual may make a request of an organization as permitted under sections
23 or 24.
How to make a request
27
For an individual to obtain access to his or her personal information or to
request a correction of his or her personal information, the individual must make a
written request that provides sufficient detail to enable the organization, with a
reasonable effort, to identify the individual and the personal information or correction
being sought.
Duty to assist individual
28
An organization must make a reasonable effort
(b) to respond to each applicant as accurately and completely as reasonably
possible, and
(c) unless section 23 (3), (3.1) or (4) applies, to provide each applicant
with
Time limit for response
29
(1) Subject to this section, an organization must respond to an applicant not later
than
(a) 30 days after receiving the applicant’s request, or
(b) the end of an extended time period if the time period is extended under
section 31.
Content of response
30
(1) In a response under section 28, if access to all or part of the personal
information requested by the applicant is refused, the organization must tell the
applicant
(a) the reasons for the refusal and the provision of this Act on which the refusal
is based,
Extending the time limit for response
31
(1) An organization may extend the time for responding to a request under section 23
for up to an additional 30 days or, with the commissioner’s permission, for a longer
period if
(2) If the time is extended under subsection (1), the organization
must tell the applicant
(a) the reason for the extension,
(b) the time when a response from the organization can be expected, and
Fees
32
(1) An organization must not charge an individual a fee respecting employee personal
information concerning the individual.
(a) must give the applicant a written estimate of the fee before providing the
service, and
(b) may require the applicant to pay a deposit for all or part of the
fee.
Part 9 — Care of Personal Information
Accuracy of personal information
33
An organization must make a reasonable effort to ensure that personal information
collected by or on behalf of the organization is accurate and complete, if the personal
information
(b) is likely to be disclosed by the organization to another
organization.
Protection of personal information
34
An organization must protect personal information in its custody or under its
control by making reasonable security arrangements to prevent unauthorized access,
collection, use, disclosure, copying, modification or disposal or similar
risks.
Retention of personal information
35
(1) Despite subsection (2), if an organization uses an individual’s personal
information to make a decision that directly affects the individual, the organization
must retain that information for at least one year after using it so that the individual
has a reasonable opportunity to obtain access to it.
(b) retention is no longer necessary for legal or business purposes.
Part 10 — Role of Commissioner
General powers of commissioner
36
(1) In addition to the commissioner’s powers and duties under Part 11 with
respect to reviews, the commissioner is responsible for monitoring how this Act is
administered to ensure that its purposes are achieved, and may do any of the
following:
(b) make an order described in section 52 (3), whether or not a review is
requested;
(c) inform the public about this Act;
(d) receive comments from the public about the administration of this
Act;
(g) comment on the implications of automated systems for the protection of
personal information;
(a) a duty imposed under this Act has not been performed,
(b) an extension of time for responding to a request is not in accordance with
section 29,
(c) a fee required by an organization under this Act is not reasonable,
Power to authorize organization to disregard requests
37
If asked by an organization, the commissioner may authorize the organization to
disregard requests under section 23 or 24 that
Powers of commissioner in conducting investigations, audits or inquiries
38
(1) For the purposes of conducting an investigation or an audit under section 36
or an inquiry under section 50, the commissioner may make an order
requiring a person to do either or both of the following:
(1.1) The commissioner may apply to the Supreme Court for an order
(a) directing a person to comply with an order made under subsection (1), or
(i) found in any premises entered under paragraph (c), or
(ii) provided under this Act, and
(b) if the commissioner specifies a period, within the period
specified.
Maintenance of order at hearings
38.1
(1) At an oral hearing, the commissioner may make orders or give directions that he
or she considers necessary for the maintenance of order at the hearing, and, if any
person disobeys or fails to comply with any order or direction, the commissioner may
call on the assistance of any peace officer to enforce the order or
direction.
(3) Without limiting subsection (1), the commissioner, by order,
may
(a) impose restrictions on a person’s continued participation in or attendance at
a hearing, and
Contempt proceeding for uncooperative person
38.2
(1) The failure or refusal of a person subject to an order under section 38
to do any of the following makes the person, on application to the Supreme Court by the
commissioner, liable to be committed for contempt as if in breach of an order or
judgment of the Supreme Court:
(a) attend before the commissioner;
(b) take an oath or make an affirmation;
(d) produce documents in the person’s custody or under their control.
Evidence in proceedings
39
(1) The commissioner and anyone acting for or under the direction of the
commissioner must not give or be compelled to give evidence in a court or in any other
proceedings in respect of any information obtained in performing their duties or
exercising their powers or functions under this Act, except
(a) in a prosecution for perjury in respect of sworn testimony,
Protection against libel or slander actions
40
Anything said, any information supplied or any record produced by a person during
an investigation or inquiry by the commissioner is privileged in the same manner as if the
investigation or inquiry were a proceeding in a court.
Restrictions on disclosure of information by commissioner and staff
41
(1) The commissioner and anyone acting for or under the direction of the
commissioner must not disclose any information obtained in performing their duties or
exercising their powers and functions under this Act, except as provided in subsections
(2) to (6).
(a) conduct an investigation, audit or inquiry under this Act, or
(b) establish the grounds for findings and recommendations contained in a report
under this Act.
Protection of commissioner and staff
42
No proceedings lie against the commissioner, or against a person acting on behalf
of or under the direction of the commissioner, for anything done, reported or said in good
faith in the exercise or performance or the intended exercise or performance of a duty,
power or function under this Part or Part 11.
Delegation by commissioner
43
(1) The commissioner may delegate to any person any duty, power or function of the
commissioner under this Act, except the power to delegate under this section.
Annual report of commissioner
44
(1) The commissioner must report annually to the Speaker of the Legislative Assembly
on the work of the commissioner’s office under this Act.
(2) The Speaker must lay the annual report before the Legislative Assembly as soon
as possible.
Definitions
45
In this Part:
“complaint” means a complaint referred to in section 36 (2);
“inquiry” means an inquiry under section 50;
“request” means a request made in writing to the commissioner
under section 46 to
“review” means a review of a decision, act or failure to act
of an organization
Asking for a review
46
(1) An individual who has asked an organization for access to or the correction of
their personal information may ask the commissioner to conduct a review of the resulting
decision, act or failure to act of the organization.
How to ask for a review or make a complaint
47
(1) An individual may ask for a review or make a complaint by delivering a request
to the commissioner.
(2) A request must be delivered within
(b) a longer period allowed by the commissioner.
(3) The time limit in subsection (2) (a) does not apply to a request
respecting
Notifying others of review
48
(1) On receiving a request for a review, the commissioner must give a copy of the
request to
(a) the organization concerned, and
(b) any other person that the commissioner considers appropriate.
(2) The commissioner may act under subsection (1) on receiving a
request respecting a complaint.
Mediation may be authorized
49
The commissioner may authorize a mediator to investigate and to try to settle the
matter on which a request is based.
Inquiry by commissioner
50
(1) If a matter is not referred to a mediator or is not settled under section 49,
the commissioner may conduct an inquiry and decide all questions of fact and law arising
in the course of the inquiry.
(2) An inquiry may be conducted in private.
(4) The commissioner may decide
(a) whether representations are to be made verbally or in writing, and
(a) specifies a later date, and
(i) the individual who made the request,
(ii) the organization concerned, and
(iii) any person given a copy of the request
of the date specified under paragraph (a).
Burden of proof
51
At an inquiry into a decision to refuse an individual
(a) access to all or part of an individual’s personal information,
(b) information respecting the use or disclosure of the individual’s personal
information, or
it is up to the organization to prove to the satisfaction of the commissioner that
the individual has no right of access to his or her personal information or no right to
the information requested respecting the use or disclosure of the individual’s personal
information or no right to the names of the sources from which a credit reporting agency
received personal information about the individual.
Commissioner’s orders
52
(1) On completing an inquiry under section 50, the commissioner
must dispose of the issues by making an order under this section.
(ii) to disclose to the individual the ways in which the personal information has
been used,
if the commissioner determines that the organization is not authorized or
required to refuse access by the individual to the personal information;
(b) confirm or reduce the extension of a time limit under section 31;
(c) confirm, excuse or reduce a fee, or order a refund, in the appropriate
circumstances;
(f) require an organization to destroy personal information collected in
contravention of this Act.
(4) The commissioner may specify any terms or conditions in an order made under this
section.
(5) The commissioner must give a copy of an order made under this section to all of
the following:
(a) the individual who made the request;
(b) the organization concerned;
Duty to comply with orders
53
(1) Not later than 30 days after being given a copy of an order of the commissioner,
the organization concerned must comply with the order unless an application for judicial
review of the order is brought before that period ends.
Protection
54
An organization must not dismiss, suspend, demote, discipline, harass or otherwise
disadvantage an employee of the organization, or deny that employee a benefit,
because
Non-retaliation
55
A person who has reasonable grounds to believe that an organization has
contravened or is about to contravene a provision of this Act or the regulations and who,
in good faith, notifies the commissioner of the particulars of the matter, whether or not
the person makes a complaint under section 46 (2), may request that the commissioner keep
the person’s identity confidential with respect to the notification.
Offences and penalties
56
(1) Subject to subsection (2), an organization or person commits an
offence if the organization or person
(a) uses deception or coercion to collect personal information in contravention of
this Act,
(e) contravenes section 54, or
(f) fails to comply with an order made by the commissioner under this
Act.
(2) An organization or person that commits an offence under subsection (1) is liable,
(a) if an individual, to a fine of not more than $10 000, and
(b) if a person other than an individual, to a fine of not more than $100 000.
(4) Section 5 of the Offence Act does not apply to this Act or the regulations.
Damages for breach of Act
57
(1) If the commissioner has made an order under this Act against an organization and
the order has become final as a result of there being no further right of appeal, an
individual affected by the order has a cause of action against the organization for
damages for actual harm that the individual has suffered as a result of the breach by
the organization of obligations under this Act.
Power to make regulations
58
(1) The Lieutenant Governor in Council may make regulations referred to in section 41
of the Interpretation Act.
(a) prescribing procedures to be followed in making and responding to requests
under this Act;
(f) respecting fees, including circumstances in which fees
(ii) must not be above a prescribed amount or percentage;
(h) for any other purpose contemplated by this Act.
(3) A regulation under subsection (2) (b) may
(c) provide differently for different categories of experts.
Review of Act
59
(1) Within 3 years after January 1, 2004, a special committee of the Legislative
Assembly must begin a comprehensive review of this Act and must submit a report
respecting this Act to the Legislative Assembly within one year after the date of the
appointment of the special committee.
Copyright (c) Queen’s Printer, Victoria, British Columbia, Canada