PIPA Implementation Tool 2: "How Do I Know if I'm Covered?"


The purpose of this tool is to assist British Columbia private sector organizations in determining if the Personal Information Protection Act (PIPA) will apply to them.

It lists the type of private sector organizations that PIPA applies to and those that are exempt from its coverage. This guide also describes the types of information and information purposes that are exempt from coverage by PIPA and clarifies the relationship between PIPA and other provincial and federal privacy legislation.

Covered by PIPA

1.  PIPA applies to every organization except where noted.

2(a)   PIPA defines an "organization" as including

  • a person (e.g., corporation, partnership)*
  • an unincorporated association
  • a trade union
  • a trust, or
  • a not-for-profit organization.

* According to the Interpretation Act, "person" includes a corporation, partnership or party, and the personal or other legal representatives of a person to whom the context can apply according to law.

   (b)   It is important to note that the definition of "organization" is illustrative rather than exhaustive. For example, an entity may still be covered by PIPA even though it is not specifically included in the definition because, as noted below, it is not specifically excluded.

Not Covered by PIPA

3.  PIPA further qualifies the term "organization" by stating that some entities are not organizations (and so are not covered by PIPA). The following entities are deemed not to be organizations for the purpose of PIPA:

  • an individual acting in a personal or domestic capacity or acting as an employee,
  • a public body as defined in the Freedom of Information and Protection of Privacy Act,
  • the Provincial Court, the Supreme Court or Court of Appeal,
  • the Nisga'a Government, as defined in the Nisga'a Final Agreement, or
  • a private trust for the benefit of one or more designated individuals who are friends or members of the family of the settlor.

4.  Certain types of personal information and certain collection, use or disclosure purposes are also exempt from PIPA's coverage. So even where an organization would otherwise be covered by PIPA, if the personal information falls under one of the excepted categories, that personal information is not covered by PIPA.

5.  Further to items 3 and 4, PIPA does not apply to the following entities, personal information, and collection, use or disclosure purposes:

Personal or Domestic Purposes

While PIPA would apply to an individual who collects, uses or discloses personal information in a commercial capacity (e.g., home-based mail-order business, wedding videographer), it does not apply where an individual collects, uses or discloses personal information solely for personal or domestic purposes (e.g., Christmas card mailing list, home movies).

Individual acting as an employee 

An organization is responsible for the personal information its employees (including volunteers) collect, use and disclose and the ways in which its employees handle personal information. PIPA applies to the organization - not the individual employee.

For example, PIPA would apply to a society raising funds to send children to camp. Any personal information collected by the society's employees and volunteers during the fundraising drive is collected on behalf of the society. It is the society, therefore, that is responsible for the methods the canvassers use to collect personal information and the manner in which the canvassers handle the personal information.

Journalistic, artistic or literary purposes 

PIPA does not apply to the collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes. This exemption reflects the Charter right to freedom of expression for newspapers. 

PIPA does, however, still apply to the media to the extent that the media collects, uses or discloses personal information for other unrelated purposes, such as marketing. PIPA will also apply to the personal employee information of journalists.

The Freedom of Information and Protection of Privacy Act applies 

PIPA does not apply to a public body, as defined in Schedule 1 of the Freedom of Information and Protection of Privacy Act (FOIPP Act), or to the personal information in the custody or control of a public body. This is because these bodies, and the personal information in the custody or control of these bodies, are already covered by the FOIPP Act. 

Some examples of public bodies are:

  • a ministry of the government of British Columbia
  • a provincial agency, board, commission, corporation, etc. listed in Schedule 2 of the FOIPP Act
  • a municipality
  • a municipal police board
  • a hospital
  • a regional health authority
  • a university
  • a school board
  • a health care body, and
  • a self-governing body of a profession or occupation (e.g., College of Physicians and Surgeons)

Contractors to public bodies

In addition to personal information held by public bodies, the FOIPP Act also applies to personal information that, while not in the custody of (i.e., physically held by) the public body, is under its control (i.e., ownership, responsibility). 

For example, a third party organization, such as a data processor or an independent contractor, may receive personal information from a public body or collect personal information for a public body in the course of carrying out work on behalf of the public body under a contract. While the personal information may be in the custody of the third party organization, it remains under the control of the public body. Therefore, the FOIPP Act applies to this personal information and PIPA does not.

However, if a public body discloses personal information to a third party organization and does not retain control over the information, the collection, use and subsequent disclosure of the personal information by the organization is covered by PIPA.

The Personal Information Protection and Electronic Documents Act applies

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to federally-regulated organizations such as banks, telecommunications companies, airlines, railways and interprovincial trucking companies. It also applies to personal information that any organization discloses across borders for a commercial purpose (e.g., the sale or lease of client lists). 

Even if the organization or personal information is located in British Columbia, if the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to it (i.e., to the extent that the organization is federally-regulated or the personal information is disclosed across borders for a commercial purpose) then PIPA does not apply.

Court, Judicial and Quasi-Judicial Records 

PIPA does not apply to the Provincial Court, the Supreme Court, the Court of Appeal or any court document. 

PIPA does not apply to any document of a judge of the aforementioned courts (including those relating to support services provided to a judge), a master of the Supreme Court or a justice of the peace. It also does not apply to a judicial administration record which is a record containing information relating to a judge, master or a justice of the peace (e.g., a scheduling record of judges and trials).

PIPA similarly does not apply to a note, communication or draft decision of a decision maker in an administrative proceeding.

Prosecution documents

PIPA does not apply to documents related to a prosecution if all proceedings related to the prosecution have not been completed.

MLAs and Officers of the Legislature

PIPA does not apply to the collection, use or disclosure of personal information by a Member of the Legislative Assembly or an Officer of the Legislature (e.g., Auditor General, Ombudsman, Information and Privacy Commissioner, etc.) that relates to the exercise of the functions of that member or officer.

The Collection of Personal Information Collected on or before PIPA Comes into force

PIPA does not apply to the collection of personal information that was collected on or before it came into force (i.e., before January 1, 2004). 

It is important to note that it is only the collection process that is "grandfathered".  What this means is that an organization that collected personal information before PIPA came into force will not have to recollect that information under the new rules. 

However, PIPA does apply to how an organization uses, secures and discloses the personal information that was collected before it came into force, and individuals will have a right of access and a right to request correction of their personal information that was collected before PIPA came into force.

In order to comply with PIPA, an organization will have to ensure that it only uses and discloses personal information that it collected before PIPA came into force for purposes that a reasonable person would consider appropriate in the circumstances and that fulfill the purposes for which it was originally collected.

 

This page was last updated December 11, 2003.