What is the Office of the Information and Privacy Commissioner for British Columbia (OIPC)?

Welcome to the inaugural installment of a series dedicated to exploring the OIPC. In this series, I will take you through the essential elements of the OIPC, covering key topics such as governing legislation, jurisdiction, the complaint review process, requests for personal information reviews, and the protocol for responding to privacy breaches. Stay tuned to learn all about the OIPC!

This post focuses on the background of the OIPC and its governing legislation.

Background

The OIPC was established in 1993 to provide independent oversight and enforcement of British Columbia’s access and privacy laws. The Commissioner enforces the Freedom of Information and Protection of Privacy Act (FIPPA), Personal Information Protection Act (PIPA), and E-Health (Personal Health Information Access and Protection of Privacy) Act (E-Health Act). The Privacy Act covers disputes between private citizens and is outside of the Commissioner’s jurisdiction. The OIPC also issues policies to assist citizens understanding of how they will apply these statutes.

Freedom of Information and Protection of Privacy Act (FIPPA)

FIPPA regulates the rights of individuals as they relate to the public sector. It establishes an individual’s right to access records related to their own “personal information” in the control of a “public body” (FIPPA, S.2 & S.3). Exceptions are outlined in division 2 (S.12-22). For this memo, I will refer to public and private organizations subjected either to FIPPA or PIPA as “organizations”.

FIPPA also sets out terms under which a public organization can collect, use, and disclose personal information. FIPPA requires that public organizations take reasonable steps to protect the privacy of personal information. Public organizations are required to have privacy management programs in place and to report breaches.

Personal information for the purpose of both FIPPA and PIPA means information about an identifiable individual. The information can be used in combination with other information. For example, an unnamed health report can still be identifying if it can be linked with other information to the person. Employee personal information is included, but not business contacts or work product information. Statistical information is also not included.

Personal Information Protection Act (PIPA)

PIPA regulates the rights of individuals as they relate to the private sector. It applies to private entities collecting, using, and disclosing the personal information of British Columbia residents. It applies to all private entities collecting personal information unless they are exempted in s.3(1). PIPA also applies to entities located within the province that collect, use, or disclose the information of any individual inside or outside the province.

The OIPC has created a guide for businesses and organizations subject to PIPA that can be given to clients. It does not describe the operation of PIPA processes as this memo does. Instead, it gives advice to industry about business practices to implement in order to be compliant with PIPA.

PIPA does not apply to:

• Personal mailing lists, artistic works, and journalistic information (s.(3(2(a,b)): For example, a newspaper is not subject to PIPA but their employee personal information contained in their database is. If they collect their subscriber’s information, that is as well.
• Information subject to FIPPA (s.3(2)(c)): For example, a government ministry may have disclosed personal information to a private sector contractor, but the information is in the control of the ministry and thus FIPPA applies rather than PIPA.
• Federal enterprises which are subject to PIPEDA (s.3(2)(c)): the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to federally regulated businesses as well as BC based organizations who have caused the personal information of residents for other provinces to be affected. For example, personal information held with a bank or telephone company is regulated by PIPEDA even if the company is located in BC,
• Personal information collected by a member or officer of the Legislative Assembly that relates to their functions (s.3(2)(g)).
• Court documents (s.3(2)(e,h)).

It is not possible to contract out of PIPA.

Both FIPPA and PIPA are reviewed every six years by a special committee of the legislature. The opinions of the public and interest groups are solicited, and at the end of the process the committee issues a public report that sets out recommendations.

E-Health (Personal Health Information Access and Protection of Privacy) Act

The E-Health Act regulates the rights of individuals as they relate to their personal health information. Many of the powers, duties, and functions of the Commissioner in relation to the Act are delegated to the Deputy Commissioner and other Directors and Registrars.

If you have questions about the topics discussed in this post, or any other related questions, please get in touch with Jaeda Lee or any other member of our Privacy and Data Protection group.