BILL
NUMBER
TITLE CHAPTER
NUMBER
38 PERSONAL INFORMATION PROTECTION ACT c. 63

Commencement:
60  
This Act comes into force on January 1, 2004.

Royal Assent – Oct. 23, 2003  


BILL 38 – 2003
PERSONAL INFORMATION PROTECTION ACT

Contents

Section  
 
Part 1 -- Introductory Provisions
1  Definitions
2  Purpose
3  Application
 
Part 2 -- General Rules Respecting Protection of Personal Information by Organizations
4  Compliance with Act
5  Policies and practices
 
Part 3 -- Consent
6  Consent required
7  Provision of consent
8  Implicit consent
9  Withdrawal of consent
 
Part 4 -- Collection of Personal Information
10  Required notification for collection of personal information
11  Limitations on collection of personal information
12  Collection of personal information without consent
13  Collection of employee personal information
 
Part 5 -- Use of Personal Information
14  Limitations on use of personal information
15  Use of personal information without consent
16  Use of employee personal information
 
Part 6 -- Disclosure of Personal Information
17  Limitations on disclosure of personal information
18  Disclosure of personal information without consent
19  Disclosure of employee personal information
20  Transfer of personal information in the sale of an organization or its business assets
21  Disclosure for research or statistical purposes
22  Disclosure for archival or historical purposes
 
Part 7 -- Access to and Correction of Personal Information
23  Access to personal information
24  Right to request correction of personal information
 
Part 8 -- Administration
25  Definition
26  Circumstances in which request may be made
27  How to make a request
28  Duty to assist individual
29  Time limit for response
30  Content of response
31  Extending the time limit for response
32  Fees
 
Part 9 -- Care of Personal Information
33  Accuracy of personal information
34  Protection of personal information
35  Retention of personal information
 
Part 10 -- Role of Commissioner
36  General powers of commissioner
37  Power to authorize organization to disregard requests
38  Powers of commissioner in conducting investigations, audits or inquiries
39  Evidence in proceedings
40  Protection against libel or slander actions
41  Restrictions on disclosure of information by commissioner and staff
42  Protection of commissioner and staff
43  Delegation by commissioner
44  Annual report of commissioner
 
Part 11 -- Reviews and Orders
45  Definitions
46  Asking for a review
47  How to ask for a review or make a complaint
48  Notifying others of review
49  Mediation may be authorized
50  Inquiry by commissioner
51  Burden of proof
52  Commissioner's orders
53  Duty to comply with orders
 
Part 12 -- General Provisions
54  Protection
55  Non-retaliation
56  Offences and penalties
57  Damages for breach of Act
58  Power to make regulations
59  Review of Act
60  Commencement

HER MAJESTY, by and with the advice and consent of the Legislative Assembly of the Province of British Columbia, enacts as follows:


Part 1 -- Introductory Provisions

Definitions

1 In this Act:

"commissioner" means the commissioner appointed under section 37 (1) or 39 (1) of the Freedom of Information and Protection of Privacy Act;

"contact information" means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual;

"credit report" has the same meaning as "report" in section 1 of the Credit Reporting Act;

"credit reporting agency" has the same meaning as "reporting agency" in section 1 of the Credit Reporting Act;

"day" does not include a holiday or a Saturday;

"document" includes

(a) a thing on or by which information is stored, and

(b) a document in electronic or similar form;

"domestic" means related to home or family;

"employee" includes a volunteer;

"employee personal information" means personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual's employment;

"employment" includes working under an unpaid volunteer work relationship;

"federal Act" means the Personal Information Protection and Electronic Documents Act (Canada);

"investigation" means an investigation related to

(a) a breach of an agreement,

(b) a contravention of an enactment of Canada or a province,

(c) a circumstance or conduct that may result in a remedy or relief being available under an enactment, under the common law or in equity,

(d) the prevention of fraud, or

(e) trading in a security as defined in section 1 of the Securities Act if the investigation is conducted by or on behalf of an organization recognized by the British Columbia Securities Commission to be appropriate for carrying out investigations of trading in securities,

if it is reasonable to believe that the breach, contravention, circumstance, conduct, fraud or improper trading practice in question may occur or may have occurred;

"organization" includes a person, an unincorporated association, a trade union, a trust or a not for profit organization, but does not include

(a) an individual acting in a personal or domestic capacity or acting as an employee,

(b) a public body,

(c) the Provincial Court, the Supreme Court or the Court of Appeal,

(d) the Nisga'a Government, as defined in the Nisga'a Final Agreement, or

(e) a private trust for the benefit of one or more designated individuals who are friends or members of the family of the settlor;

"personal information" means information about an identifiable individual and includes employee personal information but does not include

(a) contact information, or

(b) work product information;

"proceeding" means a civil, a criminal or an administrative proceeding that is related to the allegation of

(a) a breach of an agreement,

(b) a contravention of an enactment of Canada or a province, or

(c) a wrong or a breach of a duty for which a remedy is claimed under an enactment, under the common law or in equity;

"public body" means

(a) a ministry of the government of British Columbia,

(b) an agency, board, commission, corporation, office or other body designated in, or added by regulation to, Schedule 2 of the Freedom of Information and Protection of Privacy Act, or

(c) a local public body as defined in the Freedom of Information and Protection of Privacy Act;

"work product information" means information prepared or collected by an individual or group of individuals as a part of the individual's or group's responsibilities or activities related to the individual's or group's employment or business but does not include personal information about an individual who did not prepare or collect the personal information.

Purpose

2 The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Application

3 (1) Subject to this section, this Act applies to every organization.

(2) This Act does not apply to the following:

(a) the collection, use or disclosure of personal information, if the collection, use or disclosure is for the personal or domestic purposes of the individual who is collecting, using or disclosing the personal information and for no other purpose;

(b) the collection, use or disclosure of personal information, if the collection, use or disclosure is for journalistic, artistic or literary purposes and for no other purpose;

(c) the collection, use or disclosure of personal information, if the federal Act applies to the collection, use or disclosure of the personal information;

(d) personal information if the Freedom of Information and Protection of Privacy Act applies to the personal information;

(e) personal information in

(i) a court document,

(ii) a document of a judge of the Court of Appeal, Supreme Court or Provincial Court, or a document relating to support services provided to a judge of those courts,

(iii) a document of a master of the Supreme Court,

(iv) a document of a justice of the peace, or

(v) a judicial administration record as defined in Schedule 1 of the Freedom of Information and Protection of Privacy Act;

(f) personal information in a note, communication or draft decision of the decision maker in an administrative proceeding;

(g) the collection, use or disclosure by a member or officer of the Legislature or Legislative Assembly of personal information that relates to the exercise of the functions of that member or officer;

(h) a document related to a prosecution if all proceedings related to the prosecution have not been completed;

(i) the collection of personal information that has been collected on or before this Act comes into force.

(3) Nothing in this Act affects solicitor-client privilege.

(4) This Act does not limit the information available by law to a party to a proceeding.

(5) If a provision of this Act is inconsistent or in conflict with a provision of another enactment, the provision of this Act prevails unless another Act expressly provides that the other enactment, or a provision of it, applies despite this Act.


Part 2 -- General Rules Respecting Protection of Personal Information by Organizations

Compliance with Act

4 (1) In meeting its responsibilities under this Act, an organization must consider what a reasonable person would consider appropriate in the circumstances.

(2) An organization is responsible for personal information under its control, including personal information that is not in the custody of the organization.

(3) An organization must designate one or more individuals to be responsible for ensuring that the organization complies with this Act.

(4) An individual designated under subsection (3) may delegate to another individual the duty conferred by that designation.

(5) An organization must make available to the public

(a) the position name or title of each individual designated under subsection (3) or delegated under subsection (4), and

(b) contact information for each individual referred to in paragraph (a).

Policies and practices

5 An organization must

(a) develop and follow policies and practices that are necessary for the organization to meet the obligations of the organization under this Act,

(b) develop a process to respond to complaints that may arise respecting the application of this Act, and

(c) make information available on request about

(i) the policies and practices referred to in paragraph (a), and

(ii) the complaint process referred to in paragraph (b).


Part 3 -- Consent

Consent required

6 (1) An organization must not

(a) collect personal information about an individual,

(b) use personal information about an individual, or

(c) disclose personal information about an individual.

(2) Subsection (1) does not apply if

(a) the individual gives consent to the collection, use or disclosure,

(b) this Act authorized the collection, use or disclosure is authorized without the consent of the individual, or

(c) this Act deems the collection, use or disclosure to be consented to by the individual.

Provision of consent

7 (1) An individual has not given consent under this Act to an organization unless

(a) the organization has provided the individual with the information required under section 10 (1), and

(b) the individual's consent is provided in accordance with this Act.

(2) An organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.

(3) If an organization attempts to obtain consent for collecting, using or disclosing personal information by

(a) providing false or misleading information respecting the collection, use or disclosure of the information, or

(b) using deceptive or misleading practices

any consent provided in those circumstances is not validly given.

Implicit consent

8 (1) An individual is deemed to consent to the collection, use or disclosure of personal information by an organization for a purpose if

(a) at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and

(b) the individual voluntarily provides the personal information to the organization for that purpose.

(2) An individual is deemed to consent to the collection, use or disclosure of personal information for the purpose of his or her enrollment and coverage under an insurance, pension, benefit or similar plan if he or she is a beneficiary or has an interest as an insured under the plan.

(3) An organization may collect, use or disclose personal information about an individual for specified purposes if

(a) the organization provides the individual with a notice, in a form the individual can reasonably be considered to understand, that it intends to collect, use or disclose the individual's personal information for those purposes,

(b) the organization gives the individual a reasonable opportunity to decline within a reasonable time to have his or her personal information collected, used or disclosed for those purposes,

(c) the individual does not decline, within the time allowed under paragraph (b), the proposed collection, use or disclosure, and

(d) the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances.

(4) Subsection (1) does not authorize an organization to collect, use or disclose personal information for a different purpose than the purpose to which that subsection applies.

Withdrawal of consent

9 (1) Subject to subsections (5) and (6), on giving reasonable notice to the organization, an individual may withdraw consent to the collection, use or disclosure of personal information about the individual at any time.

(2) On receipt of notice referred to in subsection (1), an organization must inform the individual of the likely consequences to the individual of withdrawing his or her consent.

(3) An organization must not prohibit an individual from withdrawing his or her consent to the collection, use or disclosure of personal information related to the individual.

(4) Subject to section 35, if an individual withdraws consent to the collection, use or disclosure of personal information by an organization, the organization must stop collecting, using or disclosing the personal information unless the collection, use or disclosure is permitted without consent under this Act.

(5) An individual may not withdraw consent if withdrawing the consent would frustrate the performance of a legal obligation.

(6) An individual may not withdraw a consent given to a credit reporting agency in the circumstances described in section 12 (1) (g) or 15 (1) (g).


Part 4 -- Collection of Personal Information

Required notification for collection of personal information

10 (1) On or before collecting personal information about an individual from the individual, an organization must disclose to the individual verbally or in writing

(a) the purposes for the collection of the information, and

(b) on request by the individual, the position name or title and the contact information for an officer or employee of the organization who is able to answer the individual's questions about the collection.

(2) On or before collecting personal information about an individual from another organization without the consent of the individual, an organization must provide the other organization with sufficient information regarding the purpose of the collection to allow that other organization to determine whether the disclosure would be in accordance with this Act.

(3) This section does not apply to a collection described in section 8 (1) or (2).

Limitations on collection of personal information

11 Subject to this Act, an organization may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that

(a) fulfill the purposes that the organization discloses under section 10 (1), or

(b) are otherwise permitted under this Act.

Collection of personal information without consent

12 (1) An organization may collect personal information about an individual without consent or from a source other than the individual, if

(a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way,

(b) the collection is necessary for the medical treatment of the individual and the individual is unable to give consent,

(c) it is reasonable to expect that the collection with the consent of the individual would compromise the availability or the accuracy of the personal information and the collection is reasonable for an investigation or a proceeding,

(d) the personal information is collected by observation at a performance, a sports meet or a similar event

(i) at which the individual voluntarily appears, and

(ii) that is open to the public,

(e) the personal information is available to the public from a source prescribed for the purposes of this paragraph,

(f) the collection is necessary to determine the individual's suitability

(i) to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or

(ii) to be selected for an athletic or artistic purpose,

(g) the organization is a credit reporting agency that collects the personal information to create a credit report and the individual consents at the time the original collection takes place to the disclosure for this purpose,

(h) the collection is required or authorized by law,

(i) the information was disclosed to the organization under sections 18 to 22, or

(j) the personal information is necessary to facilitate

(i) the collection of a debt owed to the organization, or

(ii) the payment of a debt owed by the organization.

(2) An organization may collect personal information from or on behalf of another organization without consent of the individual to whom the information relates, if

(a) the individual previously consented to the collection of the personal information by the other organization, and

(b) the personal information is disclosed to or collected by the organization solely

(i) for the purposes for which the information was previously collected, and

(ii) to assist that organization to carry out work on behalf of the other organization.

Collection of employee personal information

13 (1) Subject to subsection (2), an organization may collect employee personal information without the consent of the individual.

(2) An organization may not collect employee personal information without the consent of the individual unless

(a) section 12 allows the collection of the employee personal information without consent, or

(b) the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

(3) An organization must notify an individual that it will be collecting employee personal information about the individual and the purposes for the collection before the organization collects the employee personal information without the consent of the individual.

(4) Subsection (3) does not apply to employee personal information if section 12 allows it to be collected without the consent of the individual.


Part 5 -- Use of Personal Information

Limitations on use of personal information

14 Subject to this Act, an organization may use personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that

(a) fulfill the purposes that the organization discloses under section 10 (1),

(b) for information collected before this Act comes into force, fulfill the purposes for which it was collected, or

(c) are otherwise permitted under this Act.

Use of personal information without consent

15 (1) An organization may use personal information about an individual without the consent of the individual, if

(a) the use is clearly in the interests of the individual and consent cannot be obtained in a timely way,

(b) the use is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent,

(c) it is reasonable to expect that the use with the consent of the individual would compromise an investigation or proceeding and the use is reasonable for purposes related to an investigation or a proceeding,

(d) the personal information is collected by observation at a performance, a sports meet or a similar event

(i) at which the individual voluntarily appears, and

(ii) that is open to the public,

(e) the personal information is available to the public from a source prescribed for the purposes of this paragraph,

(f) the use is necessary to determine suitability

(i) to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or

(ii) to be selected for an athletic or artistic purpose,

(g) the personal information is used by a credit reporting agency to create a credit report if the individual consented to the disclosure for this purpose,

(h) the use is required or authorized by law,

(i) the personal information was disclosed to the organization under sections 18 to 22,

(j) the personal information is needed to facilitate

(i) the collection of a debt owed to the organization, or

(ii) the payment of a debt owed by the organization,

(k) a credit reporting agency is permitted to collect the personal information without consent under section 12 and the information is not used by the credit reporting agency for any purpose other than to create a credit report, or

(l) the use is necessary to respond to an emergency that threatens the life, health or security of an individual.

(2) An organization may use personal information collected from or on behalf of another organization without the consent of the individual to whom the information relates, if

(a) the individual consented to the use of the personal information by the other organization, and

(b) the personal information is used by the organization solely

(i) for the purposes for which the information was previously collected, and

(ii) to assist that organization to carry out work on behalf of the other organization.

Use of employee personal information

16 (1) Subject to subsection (2), an organization may use employee personal information without the consent of the individual.

(2) An organization may not use employee personal information without the consent of the individual unless

(a) section 15 allows the use of the employee personal information without consent, or

(b) the use is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

(3) An organization must notify an individual that it will be using employee personal information about the individual and the purposes for the use before the organization uses the employee personal information without the consent of the individual.

(4) Subsection (3) does not apply to employee personal information if section 15 allows it to be used without the consent of the individual.


Part 6 -- Disclosure of Personal Information

Limitations on disclosure of personal information

17 Subject to this Act, an organization may disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances and that

(a) fulfill the purposes that the organization discloses under section 10 (1),

(b) for information collected before this Act comes into force, fulfill the purposes for which it was collected, or

(c) are otherwise permitted under this Act.

Disclosure of personal information without consent

18 (1) An organization may only disclose personal information about an individual without the consent of the individual, if

(a) the disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way,

(b) the disclosure is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent,

(c) it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure is reasonable for purposes related to an investigation or a proceeding,

(d) the personal information is collected by observation at a performance, a sports meet or a similar event

(i) at which the individual voluntarily appears, and

(ii) that is open to the public,

(e) the personal information is available to the public from a source prescribed for the purposes of this paragraph,

(f) the disclosure is necessary to determine suitability

(i) to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or

(ii) to be selected for an athletic or artistic purpose,

(g) the disclosure is necessary in order to collect a debt owed to the organization or for the organization to repay an individual money owed to them by the organization,

(h) the personal information is disclosed in accordance with a provision of a treaty that

(i) authorizes or requires its disclosure, and

(ii) is made under an enactment of British Columbia or Canada,

(i) the disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information,

(j) the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation,

(i) to determine whether the offence has taken place, or

(ii) to prepare for the laying of a charge or the prosecution of the offence,

(k) there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates,

(l) the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual,

(m) the disclosure is to a lawyer who is representing the organization,

(n) the disclosure is to an archival institution if the collection of the personal information is reasonable for research or archival purposes,

(o) the disclosure is required or authorized by law, or

(p) the disclosure is in accordance with sections 19 to 22.

(2) An organization may disclose personal information to another organization without consent of the individual to whom the information relates, if

(a) the individual consented to the collection of the personal information by the organization, and

(b) the personal information is disclosed to the other organization solely

(i) for the purposes for which the information was previously collected, and

(ii) to assist the other organization to carry out work on behalf of the first organization.

(3) An organization may disclose personal information to another organization without consent of the individual to whom the information relates, if the organization was authorized by section 12 (2) to collect the personal information from or on behalf of the other organization.

Disclosure of employee personal information

19 (1) Subject to subsection (2), an organization may disclose employee personal information without the consent of the individual.

(2) An organization may not disclose employee personal information without the consent of the individual unless

(a) section 18 allows the disclosure of the employee personal information without consent, or

(b) the disclosure is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

(3) An organization must notify an individual that it will be disclosing employee personal information about the individual and the purposes for the disclosure before the organization discloses employee personal information about the individual without the consent of the individual.

(4) Subsection (3) does not apply to employee personal information if section 18 allows it to be disclosed without the consent of the individual.

Transfer of personal information in the sale of an organization or its business assets

20 (1) In this section:

"business transaction" means the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization;

"party" means a person or another organization that proceeds with the business transaction.

(2) An organization may disclose personal information about its employees, customers, directors, officers or shareholders without their consent, to a prospective party, if

(a) the personal information is necessary for the prospective party to determine whether to proceed with the business transaction, and

(b) the organization and prospective party have entered into an agreement that requires the prospective party to use or disclose the personal information solely for purposes related to the prospective business transaction.

(3) If an organization proceeds with a business transaction, the organization may disclose, without consent, personal information of employees, customers, directors, officers and shareholders of the organization to a party on condition that

(a) the party must only use or disclose the personal information for the same purposes for which it was collected, used or disclosed by the organization,

(b) the disclosure is only of personal information that relates directly to the part of the organization or its business assets that is covered by the business transaction, and

(c) the employees, customers, directors, officers and shareholders whose personal information is disclosed are notified that

(i) the business transaction has taken place, and

(ii) the personal information about them has been disclosed to the party.

(4) A prospective party may collect and use personal information without the consent of the employees, customers, directors, officers and shareholders of the organization in the circumstances described in subsection (2) if the prospective party complies with the conditions applicable to that prospective party under that subsection.

(5) A party may collect, use and disclose personal information without the consent of the employees, customers, directors, officers and shareholders of the organization in the circumstances described in subsection (3) if the party complies with the conditions applicable to that party under that subsection.

(6) If a business transaction does not proceed or is not completed, a prospective party must destroy or return to the organization any personal information the prospective party collected under subsection (2) about the employees, customers, directors, officers and shareholders of the organization.

(7) This section does not authorize an organization to disclose personal information to a party or prospective party for purposes of a business transaction that does not involve substantial assets of the organization other than this personal information.

(8) A party or prospective party is not authorized by this section to collect, use or disclose personal information that an organization disclosed to it in contravention of subsection (7).

Disclosure for research or statistical purposes

21 (1) An organization may disclose, without the consent of the individual, personal information for a research purpose, including statistical research, only if

(a) the research purpose cannot be accomplished unless the personal information is provided in an individually identifiable form,

(b) the disclosure is on condition that it will not be used to contact persons to ask them to participate in the research,

(c) linkage of the personal information to other information is not harmful to the individuals identified by the personal information and the benefits to be derived from the linkage are clearly in the public interest,

(d) the organization to which the personal information is to be disclosed has signed an agreement to comply with the following:

(i) this Act;

(ii) the policies and procedures relating to the confidentiality of personal information of the organization that collected the personal information;

(iii) security and confidentiality conditions;

(iv) a requirement to remove or destroy individual identifiers at the earliest reasonable opportunity;

(v) prohibition of any subsequent use or disclosure of that personal information in individually identifiable form without the express authorization of the organization that disclosed the personal information, and

(e) it is impracticable for the organization to seek the consent of the individual for the disclosure.

(2) Subsection (1) does not authorize an organization to disclose personal information for market research purposes.

Disclosure for archival or historical purposes

22 An organization may disclose personal information for archival or historical purposes if

(a) a reasonable person would not consider the personal information to be too sensitive to the individual to be disclosed at the proposed time,

(b) the disclosure is for historical research and is in accordance with section 21,

(c) the information is about someone who has been dead for 20 or more years, or

(d) the information is in a record that has been in existence for 100 or more years.


Part 7 -- Access to and Correction of Personal Information

Access to personal information

23 (1) Subject to subsections (2) to (5), on request of an individual, an organization must provide the individual with the following:

(a) the individual's personal information under the control of the organization;

(b) information about the ways in which the personal information referred to in paragraph (a) has been and is being used by the organization;

(c) the names of the individuals and organizations to whom the personal information referred to in paragraph (a) has been disclosed by the organization.

(2) An organization that

(a) is a credit reporting agency, and

(b) receives a request under subsection (1)

must also provide the individual with the names of the sources from which it received the personal information unless it is reasonable to assume the individual can ascertain those sources.

(3) An organization is not required to disclose personal information under subsection (1) in the following circumstances:

(a) the personal information is protected by solicitor-client privilege;

(b) the disclosure of the personal information would reveal confidential commercial information that if disclosed, could, in the opinion of a reasonable person, harm the competitive position of the organization;

(c) the personal information was collected without consent, as allowed under section 12, for the purposes of an investigation and the investigation and associated proceedings and appeals have not been completed;

(d) the organization is a credit reporting agency and the personal information was last disclosed by the agency in a credit report more than 12 months before the request under subsection (1) was made;

(e) the personal information was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he or she was appointed to act

(i) under a collective agreement,

(ii) under an enactment, or

(iii) by a court.

(4) An organization must not disclose personal information under subsection (1) in the following circumstances:

(a) the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;

(b) the disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;

(c) the disclosure would reveal personal information about another individual;

(d) the disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.

(5) If an organization is able to remove the information referred to in subsection (3) (a), (b) or (c) or (4) from a document that contains personal information about the individual who requested it, the organization must provide the individual with access to the personal information after the information referred to in subsection (3) (a), (b) or (c) or (4) is removed.

Right to request correction of personal information

24 (1) An individual may request an organization to correct an error or omission in the personal information that is

(a) about the individual, and

(b) under the control of the organization.

(2) If an organization is satisfied on reasonable grounds that a request made under subsection (1) should be implemented, the organization must

(a) correct the personal information as soon as reasonably possible, and

(b) send the corrected personal information to each organization to which the personal information was disclosed by the organization during the year before the date the correction was made.

(3) If no correction is made under subsection (2), the organization must annotate the personal information under its control with the correction that was requested but not made.

(4) When an organization is notified under subsection (2) of a correction of personal information, the organization must correct the personal information under its control.


Part 8 -- Administration

Definition

25 In this Part, "applicant" means an individual who makes a request under section 27.

Circumstances in which request may be made

26 An individual may make a request of an organization as permitted under sections 23 or 24.

How to make a request

27 For an individual to obtain access to his or her personal information or to request a correction of his or her personal information, the individual must make a written request that provides sufficient detail to enable the organization, with a reasonable effort, to identify the individual and the personal information or correction being sought.

Duty to assist individual

28 An organization must make a reasonable effort

(a) to assist each applicant,

(b) to respond to each applicant as accurately and completely as reasonably possible, and

(c) unless section 23 (3) or (4) applies, to provide each applicant with

(i) the requested personal information, or

(ii) if the requested personal information cannot be reasonably provided, with a reasonable opportunity to examine the personal information.

Time limit for response

29 (1) Subject to this section, an organization must respond to an applicant not later than

(a) 30 days after receiving the applicant's request, or

(b) the end of an extended time period if the time period is extended under section 31.

(2) If an organization asks the commissioner under section 37 for authorization to disregard a request, the 30 days referred to in subsection (1) of this section does not include the period from the start of the day the request is made under section 37 to the end of the day a decision is made by the commissioner with respect to that application.

(3) If an applicant asks the commissioner under section 46 to review a fee estimate, the 30 days referred to in subsection (1) of this section does not include the period from the start of the day the applicant asks for the review to the end of the day the commissioner makes a decision.

Content of response

30 (1) In a response under section 28, if access to all or part of the personal information requested by the applicant is refused, the organization must tell the applicant,

(a) the reasons for the refusal and the provision of this Act on which the refusal is based,

(b) the name, position title, business address and business telephone number of an officer or employee of the organization who can answer the applicant's questions about the refusal, and

(c) that the applicant may ask for a review under section 47 within 30 days of being notified of the refusal.

(2) Despite subsection (1) (c), the organization may refuse in a response to confirm or deny the existence of personal information collected as part of an investigation.

Extending the time limit for response

31 (1) An organization may extend the time for responding to a request under section 23 for up to an additional 30 days or, with the commissioner's permission, for a longer period if

(a) the applicant does not give enough detail to enable the organization to identify the personal information requested,

(b) a large amount of personal information is requested or must be searched and meeting the time limit would unreasonably interfere with the operations of the organization, or

(c) more time is needed to consult with another organization or public body before the organization is able to decide whether or not to give the applicant access to a requested document.

(2) If the time is extended under subsection (1), the organization must tell the applicant

(a) the reason for the extension,

(b) the time when a response from the organization can be expected, and

(c) the rights of the applicant to complain about the extension and request that an order be made under section 52 (3) (b).

Fees

32 (1) An organization must not charge an individual a fee respecting employee personal information concerning the individual.

(2) An organization may charge an individual who makes a request under section 23 a minimal fee for access to the individual's personal information that is not employee personal information concerning the individual.

(3) If an individual is required by an organization to pay a fee for services provided to the individual to enable the organization to respond to a request under section 23, the organization

(a) must give the applicant a written estimate of the fee before providing the service, and

(b) may require the applicant to pay a deposit for all or part of the fee.


Part 9 -- Care of Personal Information

Accuracy of personal information

33 An organization must make a reasonable effort to ensure that personal information collected by or on behalf of the organization is accurate and complete, if the personal information

(a) is likely to be used by the organization to make a decision that affects the individual to whom the personal information relates, or

(b) is likely to be disclosed by the organization to another organization.

Protection of personal information

34 An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.

Retention of personal information

35 (1) Despite subsection (2), if an organization uses an individual's personal information to make a decision that directly affects the individual, the organization must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.

(2) An organization must destroy its documents containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that

(a) the purpose for which that personal information was collected is no longer being served by retention of the personal information, and

(b) retention is no longer necessary for legal or business purposes.


Part 10 -- Role of Commissioner

General powers of commissioner

36 (1) In addition to the commissioner's powers and duties under Part 11 with respect to reviews, the commissioner is responsible for monitoring how this Act is administered to ensure that its purposes are achieved, and may do any of the following:

(a) whether a complaint is received or not, initiate investigations and audits to ensure compliance with any provision of this Act, if the commissioner is satisfied there are reasonable grounds to believe that an organization is not complying with this Act;

(b) make an order described in section 52 (3), whether or not a review is requested;

(c) inform the public about this Act;

(d) receive comments from the public about the administration of this Act;

(e) engage in or commission research into anything affecting the achievement of the purposes of this Act;

(f) comment on the implications for protection of personal information of programs proposed by organizations;

(g) comment on the implications of automated systems for the protection of personal information;

(h) comment on the implications for protection of personal information of the use or disclosure of personal information held by organizations for document linkage;

(i) authorize the collection of personal information by an organization from sources other than the individual to whom the personal information relates;

(j) bring to the attention of an organization any failure of the organization to meet the obligations established by this Act.

(2) Without limiting subsection (1), the commissioner may investigate and attempt to resolve complaints that

(a) a duty imposed by this Act or the regulations has not been performed,

(b) an extension of time for responding to a request is not in accordance with section 29,

(c) a fee required by an organization under this Act is not reasonable,

(d) a correction of personal information requested under section 24 has been refused without justification, and

(e) personal information has been collected, used or disclosed by an organization in contravention of this Act.

Power to authorize organization to disregard requests

37 If asked by an organization, the commissioner may authorize the organization to disregard requests under section 23 or 24 that

(a) would unreasonably interfere with the operations of the organization because of the repetitious or systematic nature of the requests, or

(b) are frivolous or vexatious.

Powers of commissioner in conducting investigations, audits or inquiries

38 (1) In conducting an investigation or an audit under section 36 or an inquiry under section 50 the commissioner has the power, privileges and protection of a commissioner under sections 12, 15 and 16 of the Inquiry Act.

(2) The commissioner may

(a) examine any information in a document, including personal information, and obtain copies or extracts of documents containing information

(i) found in any premises entered under paragraph (c), or

(ii) provided under this Act,

(b) require an individual or an organization to produce documents, and

(c) at any reasonable time, enter any premises, other than a personal residence, occupied by an organization, after satisfying any reasonable security requirements of the organization relating to the premises.

(3) If information to which solicitor-client privilege applies is disclosed by a person to the commissioner at the request of the commissioner, or obtained by or disclosed to the commissioner under subsection (1) or (2) (a) or (b), the solicitor-client privilege is not affected by the way in which the commissioner has received the information.

(4) The commissioner may require an individual to attempt to resolve the individual's dispute with an organization in the way directed by the commissioner before the commissioner begins or continues a review or investigation under this Act of an applicant's complaint against the organization.

(5) Despite any other enactment or any privilege afforded by the law of evidence, an organization must provide to the commissioner any document, or a copy of any document, required under subsection (1) or (2) (a) or (b)

(a) if the commissioner does not specify a period for the purpose, within 10 days of the date of the commissioner's request for the document, or

(b) if the commissioner specifies a period, within the period specified.

(6) If an organization is required to produce a document under subsection (1) or (2) (a) or (b) and it is not practicable to make a copy of the document, the organization must provide access for the commissioner to examine the document at its site.

(7) Subject to subsection (8), after completing a review, investigating a complaint, or conducting an audit, the commissioner must return a document, or a copy of a document, produced by the individual or organization.

(8) On request from an individual or an organization, the commissioner must return a document, or a copy of a document, produced by the individual or organization within 10 days of the date on which the commissioner receives the request.

Evidence in proceedings

39 (1) The commissioner and anyone acting for or under the direction of the commissioner must not give or be compelled to give evidence in a court or in any other proceedings in respect of any information obtained in performing their duties or exercising their powers or functions under this Act, except

(a) in a prosecution for perjury in respect of sworn testimony,

(b) in a prosecution for an offence under this Act, or

(c) in an application for judicial review or an appeal from a decision with respect to that application.

(2) Subsection (1) applies also in respect of evidence of the existence of proceedings conducted before the commissioner.

Protection against libel or slander actions

40 Anything said, any information supplied or any record produced by a person during an investigation or inquiry by the commissioner is privileged in the same manner as if the investigation or inquiry were a proceeding in a court.

Restrictions on disclosure of information by commissioner and staff

41 (1) The commissioner and anyone acting for or under the direction of the commissioner must not disclose any information obtained in performing their duties or exercising their powers and functions under this Act, except as provided in subsections (2) to (5).

(2) The commissioner may disclose, or may authorize anyone acting on behalf of or under the direction of the commissioner to disclose, information that is necessary to

(a) conduct an investigation, audit or inquiry under this Act, or

(b) establish the grounds for findings and recommendations contained in a report under this Act.

(3) In conducting an investigation, audit or inquiry under this Act and in a report under this Act, the commissioner and anyone acting for or under the direction of the commissioner must take every reasonable precaution to avoid disclosing and must not disclose

(a) any personal information an organization would be required or authorized to refuse to disclose if it were contained in personal information requested under section 27, or

(b) whether information exists, if an organization in refusing to provide access does not indicate whether the information exists.

(4) The commissioner may disclose to the Attorney General information relating to the commission of an offence against an enactment of British Columbia or Canada if the commissioner considers there is evidence of an offence.

(5) The commissioner may disclose, or may authorize anyone acting for or under the direction of the commissioner to disclose, information in the course of a prosecution, application or appeal referred to in section 39.

Protection of commissioner and staff

42 No proceedings lie against the commissioner, or against a person acting on behalf of or under the direction of the commissioner, for anything done, reported or said in good faith in the exercise or performance or the intended exercise or performance of a duty, power or function under this Part or Part 11.

Delegation by commissioner

43 (1) The commissioner may delegate to any person any duty, power or function of the commissioner under this Act, except the power to delegate under this section.

(2) A delegation under subsection (1) must be in writing and may contain any conditions or restrictions the commissioner considers appropriate.

Annual report of commissioner

44 (1) The commissioner must report annually to the Speaker of the Legislative Assembly on the work of the commissioner's office under this Act.

(2) The Speaker must lay the annual report before the Legislative Assembly as soon as possible.


Part 11 -- Reviews and Orders

Definitions

45 In this Part:

"complaint" means a complaint referred to in section 36 (2);

"inquiry" means an inquiry under section 50;

"request" means a request made in writing to the commissioner under section 46 to

(a) resolve a complaint, or

(b) conduct a review;

"review" means a review of a decision, act or failure to act of an organization

(a) respecting access to or the correction of personal information about the individual who requests the review, and

(b) referred to in the request for the review.

Asking for a review

46 (1) An individual who has asked an organization for access to or the correction of their personal information may ask the commissioner to conduct a review of the resulting decision, act or failure to act of the organization.

(2) An individual may make a complaint to the commissioner.

(3) If the commissioner is satisfied that section 38 (4) applies to an individual who has made a request, the commissioner may defer beginning or adjourn the review to allow an attempt to be made under that section to resolve the dispute.

How to ask for a review or make a complaint

47 (1) An individual may ask for a review or make a complaint by delivering a request to the commissioner.

(2) A request must be delivered within

(a) 30 days of the date on which the person making the request is notified of the circumstances on which the request is based, or

(b) a longer period allowed by the commissioner.

(3) The time limit in subsection (2) (a) does not apply to a request respecting

(a) a failure by an organization to respond within a required time period established by this Act, or

(b) a complaint.

Notifying others of review

48 (1) On receiving a request for a review, the commissioner must give a copy of the request to

(a) the organization concerned, and

(b) any other person that the commissioner considers appropriate.

(2) The commissioner may act under subsection (1) on receiving a request respecting a complaint.

Mediation may be authorized

49 The commissioner may authorize a mediator to investigate and to try to settle the matter on which a request is based.

Inquiry by commissioner

50 (1) If a matter is not referred to a mediator or is not settled under section 49, the commissioner may conduct an inquiry and decide all questions of fact and law arising in the course of the inquiry.

(2) An inquiry may be conducted in private.

(3) The individual who makes a request, the organization concerned and any person given a copy of the request must be given an opportunity to make representations to the commissioner during the inquiry.

(4) The commissioner may decide

(a) whether representations are to be made verbally or in writing, and

(b) whether a person is entitled to be present during, to have access to or to comment on representations made to the commissioner by another person.

(5) The individual who makes a request, the organization concerned and any person given a copy of the request may be represented at the inquiry by counsel or by an agent.

(6) If the matter on which a complaint is based is referred under section 49 to a mediator and is not settled by the mediation, the inquiry respecting the complaint must be completed within 30 days of the day on which the mediation ends.

(7) If a complaint is not referred under section 49 to a mediator and the commissioner decides to hold an inquiry respecting the review, the inquiry must be completed within 30 days of the day on which the request is delivered under section 47 (1).

(8) An inquiry respecting a review must be completed within 90 days of the day on which the request is delivered under section 47 (1), unless the commissioner

(a) specifies a later date, and

(b) notifies

(i) the individual who made the request,

(ii) the organization concerned, and

(iii) any person given a copy of the request

of the date specified under paragraph (a).

(9) The period of an adjournment under section 46 (3) must not be included for the purpose of calculating a deadline under subsection (7) or (8) of this section.

Burden of proof

51 At an inquiry into a decision to refuse an individual

(a) access to all or part of the individual's personal information, or

(b) information respecting the collection, use or disclosure of the individual's personal information,

it is up to the organization to prove to the satisfaction of the commissioner that the individual has no right of access to his or her personal information or no right to the information requested respecting the collection, use or disclosure of the individual's personal information.

Commissioner's orders

52 (1) On completing an inquiry under section 50, the commissioner must dispose of the issues by making an order under this section.

(2) If the inquiry is into a decision of an organization to give or to refuse to give access to all or part of an individual's personal information, the commissioner must, by order, do one of the following:

(a) require the organization

(i) to give the individual access to all or part of his or her personal information under the control of the organization,

(ii) to disclose to the individual the ways in which the personal information has been used, or

(iii) to disclose to the individual names of the individuals and organizations to whom the personal information has been disclosed by the organization,

if the commissioner determines that the organization is not authorized or required to refuse access by the individual to the personal information;

(b) either confirm the decision of the organization or require the organization to reconsider its decision, if the commissioner determines that the organization is authorized to refuse the individual access to his or her personal information;

(c) require the organization to refuse the individual access to all or part of his or her personal information, if the commissioner determines that the organization is required to refuse that access.

(3) If the inquiry is into a matter not described in subsection (2), the commissioner may, by order, do one or more of the following:

(a) confirm that a duty imposed by this Act or the regulations has been performed or require that a duty imposed by this Act or the regulations be performed;

(b) confirm or reduce the extension of a time limit under section 31;

(c) confirm, excuse or reduce a fee, or order a refund, in the appropriate circumstances;

(d) confirm a decision not to correct personal information or specify how personal information is to be corrected;

(e) require an organization to stop collecting, using or disclosing personal information in contravention of this Act, or confirm a decision of an organization to collect, use or disclose personal information;

(f) require an organization to destroy personal information collected in contravention of this Act.

(4) The commissioner may specify any terms or conditions in an order made under this section.

(5) The commissioner must give a copy of an order made under this section to all of the following:

(a) the individual who made the request;

(b) the organization concerned;

(c) any person given notice under section 48;

(d) the minister responsible for this Act.

Duty to comply with orders

53 (1) Not later than 30 days after being given a copy of an order of the commissioner, the organization concerned must comply with the order unless an application for judicial review of the order is brought before that period ends.

(2) If an application for judicial review is brought before the end of the period referred to in subsection (1), the order of the commissioner is stayed from the date the application is brought until a court orders otherwise.


Part 12 -- General Provisions

Protection

54 An organization must not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee of the organization, or deny that employee a benefit, because

(a) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the commissioner that the organization or any other person has contravened or is about to contravene this Act,

(b) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene this Act,

(c) the employee, acting in good faith and on the basis of reasonable belief, has refused to do or stated an intention of refusing to do anything that is in contravention of this Act, or

(d) the organization believes that an employee will do anything described in paragraph (a), (b) or (c).

Non-retaliation

55 A person who has reasonable grounds to believe that an organization has contravened or is about to contravene a provision of this Act or the regulations and who, in good faith, notifies the commissioner of the particulars of the matter, whether or not the person makes a complaint under section 46 (2), may request that the commissioner keep the person's identity confidential with respect to the notification.

Offences and penalties

56 (1) Subject to subsection (2), an organization or person commits an offence if the organization or person

(a) uses deception or coercion to collect personal information in contravention of this Act,

(b) disposes of personal information with an intent to evade a request for access to the personal information,

(c) obstructs the commissioner or an authorized delegate of the commissioner in the performance of his or her duties or powers under this Act,

(d) knowingly makes a false statement to the commissioner, or knowingly misleads or attempts to mislead the commissioner, in the course of the commissioner's performance of his or her duties or powers under this Act,

(e) contravenes section 54, or

(f) fails to comply with an order made by the commissioner under this Act.

(2) An organization or person that commits an offence under subsection (1) is liable,

(a) if an individual, to a fine of not more than $10 000, and

(b) if a person other than an individual, to a fine of not more than $100 000.

(3) A person or organization is not liable to prosecution for an offence against this or any other Act because the person or organization complies with a requirement of the commissioner under this Act.

(4) Section 5 of the Offence Act does not apply to this Act or the regulations.

Damages for breach of Act

57 (1) If the commissioner has made an order under this Act against an organization and the order has become final as a result of there being no further right of appeal, an individual affected by the order has a cause of action against the organization for damages for actual harm that the individual has suffered as a result of the breach by the organization of obligations under this Act or the regulations.

(2) If an organization has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence has a cause of action against the organization convicted of the offence for damages for actual harm that the person has suffered as a result of the conduct.

Power to make regulations

58 (1) The Lieutenant Governor in Council may make regulations referred to in section 41 of the Interpretation Act.

(2) Without limiting subsection (1), the Lieutenant Governor in Council may make regulations as follows:

(a) prescribing procedures to be followed in making and responding to requests under this Act;

(b) authorizing the disclosure of personal information relating to the mental or physical health of individuals to medical or other experts to determine, for the purposes of section 23, if disclosure of that information could reasonably be expected to result in grave and immediate harm to the safety of or the mental or physical health of those individuals;

(c) prescribing procedures to be followed or restrictions considered necessary with respect to the disclosure and examination of information referred to in paragraph (b);

(d) prescribing special procedures for giving individuals access to personal information about their mental or physical health;

(e) prescribing the classes of individuals who may act for minors, incompetents, deceased persons or any other individuals under this Act and regulating the manner in which, and the extent to which, any rights or powers of individuals under this Act may be exercised on their behalf;

(f) respecting fees, including circumstances in which fees

(i) are not payable, or

(ii) must not be above a prescribed amount or percentage;

(g) prescribing sources of personal information for the purposes of section 12 (1) (e), 15 (1) (e) or 18 (1) (e);

(h) for any other purpose contemplated by this Act.

(3) A regulation under subsection (2) (b) may

(a) specify categories of experts to whom personal information relating to the mental or physical health of individuals may be disclosed to assess whether its disclosure to other persons could reasonably be expected to result in grave and immediate harm to the safety of or the mental or physical health of those individuals;

(b) impose on members of category of experts obligations respecting the use and disclosure of personal information obtained to make an assessment described in paragraph (a);

(c) provide differently for different categories of experts.

(4) A regulation made under subsection (1) or (2) may provide differently for different organizations, individuals, classes of organizations or classes of individuals.

Review of Act

59 (1) Within 3 years after January 1, 2004, a special committee of the Legislative Assembly must begin a comprehensive review of this Act and must submit a report respecting this Act to the Legislative Assembly within one year after the date of the appointment of the special committee.

(2) At least once every 6 years, a special committee of the Legislative Assembly must act as described in subsection (1).

(3) A report submitted under subsection (1) or (2) may include any recommended amendments to this Act or any other Act.

(4) For the purposes of subsection (2), the first 6 year period begins on the submission of the report under subsection (1) to the Legislative Assembly.

Commencement

60 This Act comes into force on January 1, 2004.

 


[Return to: 2003 Bills Home Page]