Guidance Documents

This Guide addresses the most common procedures that the Office of the Information and Privacy Commissioner (OIPC) uses under the Personal Information Protection Act (PIPA). For all complaints and requests for review, the OIPC’s overriding policy is to encourage the parties to resolve the issues by settlement. OIPC staff are authorized to attempt mediation of all matters before they are referred to a more formal process.

Use this document to take action when a privacy breach has occurred. These key steps apply to public bodies under the Freedom of Information and Protection of Privacy Act (FIPPA) and have been updated to include information about the legislation’s mandatory breach notification requirements.

Privacy impact assessments (PIAs) help you understand the implications your planned initiatives will have on people's privacy and personal information. This template guides you through the process of developing a PIA.

In emergency situations, privacy laws in BC authorize public bodies or private organizations to responsibly disclose an individual’s personal information, including information about their mental, emotional, or other health conditions, to third parties who may be able to help in a crisis. Privacy legislation in BC accommodates the disclosure of personal information in the event it could prevent a tragedy. BC’s Freedom of Information and Protection of Privacy Act (FIPPA) sets out how public bodies can collect, use, and disclose personal information. BC’s Personal Information Protection Act (PIPA) sets out how private sector organizations can collect, use, and disclose personal information. This guidance document informs public bodies and private sector organizations about the circumstances under which they can disclose personal information of an individual to a third party without the individual’s consent in emergency situations.

The Office of the Information and Privacy Commissioner (OIPC) wants to help your organization meet your legal obligations and the expectations of your clients and customers for the privacy and security of their personal information.

In this document, Canadian federal, provincial and territorial privacy authorities identify considerations for the application of key privacy principles to generative AI technologies.

The Freedom of Information and Protection of Privacy Act (FIPPA) regulates the information and privacy practices of public bodies including BC government, local governments, crown corporations, and local police forces, etc.

This guidance is designed to provide best practices for political organizations – including political parties, riding associations, candidates, campaign staff, and volunteers – and their handling of personal information as part of the campaign process. BC’s Personal Information Protection Act (PIPA) applies to the collection, use, and disclosure of “personal information” by political parties in British Columbia.

In November 2021, the data residency provisions of the Freedom of Information and Protection of Privacy Act (FIPPA) were amended to remove the prohibition (with certain exceptions) on disclosure of personal information outside of Canada. The new legislative framework permits the disclosure of personal information outside of Canada in accordance with B.C. Reg. 294/2021.1 And critically, public bodies’ obligations under s. 30 of FIPPA to implement reasonable security measures continue to apply to any disclosure of personal information outside Canada. Therefore, a careful assessment under s. 30 is necessary before any disclosure of personal information outside of Canada.

This document aims to help organizations subject to BC’s Personal Information Protection Act (PIPA) understand what conditions must be present before they can consider conducting random searches for drugs and alcohol. This guide applies to employers who search their own employees as well as employers that use contractors. It also applies to unionized and non-unionized workplaces. This document does not deal with workplace drug or alcohol testing through breath or other samples, nor does it deal with searches or testing after a workplace accident, where an employer or organization might have reasonable cause to suspect an individual is impaired.

On October 17, 2018, cannabis became legal in Canada. The Personal Information Protection Act (PIPA) applies to any private organization that collects, uses, and discloses the personal information of individuals in BC.

This document aims to help readers understand what constitutes a “common or integrated program or activity” (CIPA) under BC’s Freedom of Information and Protection of Privacy Act (FIPPA), and the obligations associated with them.

The Public Health Officer (PHO) has made two orders requiring the collection of personal information at restaurants, bars, gatherings and events.

This document provides recommended guidance for educators to help them choose online learning tools that comply with the requirements of BC’s Freedom of Information and Protection of Privacy Act (FIPPA). It includes information about recent, temporary changes to FIPPA in response to the COVID-19 crisis that allow for the use of tools that store information outside of Canada.

This document offers suggestions for organizations to refer to when investigating a privacy complaint made to them under the Personal Information Protection Act (PIPA).

More than ever before, retailers have to be prepared to deal with customers who ask questions about the type and amount of personal information retailers collect, what they intend to do with it, and how they will protect it from misuse. This document answers frequently asked questions about retailers and PIPA.

Effective May 25, 2018, some organizations subject to PIPA must also comply with the European Union (EU) General Data Protection Regulation (GDPR).2 The GDPR applies to organizations that have an established presence in the EU, offer goods and services to individuals in the EU, or monitor the behaviour of individuals in the EU. Organizations that do not comply with the GDPR face significant fines.

Joint guidance with Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner of Alberta. As direct-to-consumer genetic tests become increasingly available, particularly over the Internet, it is important to understand their privacy risks. This document explains some of the key privacy risks associated with these tests, informs individuals of their rights and encourages them to ask themselves a series of questions before buying one online.

This guidance document discusses the privacy impacts of employee monitoring programs. Employees have a right to privacy in the workplace, which Canadian courts have upheld and must be respected by public and private organizations.

This guide is for public bodies and organizations that are interested in sharing personal information. It describes information sharing and explains the role and value of information sharing agreements (ISAs) to ensure compliance with BC’s Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA). This guide also recommends provisions that should be included in an ISA.

Smartphones and tablets have become the most personal of computers we’ve ever used. They have social media content, location-tagged photos and streams of text messages. This kind of personal information didn’t exist on our laptops and desktop computers. And because we carry our mobile devices everywhere, the information on them is at greater risk of loss and theft. Here are 15 tips to help you protect your devices.

Bring Your Own Device or BYOD as it is commonly known, is a popular arrangement for many private sector organizations in Canada. With BYOD, however, there is an increased blurring of the lines between professional and personal lives, with employee concerns that their privacy is at risk, not to mention issues associated with consumers’ personal information.

This guidance document gives an overview of the issues employers should consider before implementing IT security tools that collect employee personal information.

Whenever personal information is being used outside of the office there is an increased risk that it will be lost or compromised. Public bodies and private organizations must keep paper and electronic records safe and secure as required by the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA).

Hiring employees who are a good fit for a job is an essential component of the operations of any public body. Knowing how an applicant has performed in a previous workplace is an important part of the hiring process and checking references is a practice that gives the prospective employer some idea of how the applicant might perform in the future.

This guidance document is intended to set out the basics of what an organization should consider when developing a website privacy policy.

This guidance document is intended to help SMEs understand what their privacy responsibilities are and to offer some suggestions to address privacy considerations in the cloud.

The Internet is an efficient, inexpensive and effective tool to communicate tribunal decisions to the public. However, tribunal members should write decisions to reflect the fact that the Internet provides access to tribunals’ decisions to unlimited persons for unlimited uses. In many cases, a tribunal can comply with FIPPA and accomplish its goals with respect to openness, accountability and transparency through the publication of decisions that do not include the names of parties or witnesses or other personally identifiable information.

The Office of the Information and Privacy Commissioner is often asked by public bodies and private organizations to comment on various matters, including proposed policies, legislation, projects, programs, systems and other matters, or compliance issues. This policy statement confirms the basis on which we do this and the nature of any comments we make, whether verbal or written.

To help organizations achieve compliance with private sector privacy legislation, we have developed these guidelines, which set out the principles for evaluating the use of video surveillance and for ensuring that its impact on privacy is minimized. These guidelines apply to overt video surveillance of the public by private sector organizations in publicly accessible areas. These guidelines do not apply to covert video surveillance, such as that conducted by private investigators on behalf of insurance companies, nor do they apply to the surveillance of employees.

This document offers suggestions for public bodies to use in investigating complaints that a search conducted in response to an access request made under FIPPA was not adequate.