Is Your Organization Privacy Compliant?

Organizations often only become aware of their privacy obligations after a complaint is made to the Privacy Commissioner or a privacy breach has occurred. All British Columbia organizations should proactively ensure that their privacy policies and procedures are in compliance with the Personal Information and Protection Act (“PIPA”). PIPA applies to the collection, use and disclosure of personal information by all private sector organizations in British Columbia as well as organizations responsible to safeguard personal information in its possession. Personal information includes any information about an identifiable individual.

Three key steps to ensuring your organization is privacy compliant are:

1.  Appoint a designated privacy officer. The privacy officer is the individual responsible for ensuring that your organization complies with PIPA and is a contact for anyone who has questions with respect to your organization’s privacy policies.

2.  Develop and/or update your privacy policy to ensure compliance with your organizations privacy practices and the current privacy jurisprudence. The Office of the Information and Privacy Commissioner for BC sets out the following 13 helpful questions for your organization to ask when reviewing its privacy policy (or drafting its first privacy policy):

(a)  What personal information do we collect?

(b)  For what purposes do we collect personal information?

(c)  Do we only collect personal information that we really need for our purposes?

(d)  How do we collect personal information and what do we tell individuals the purpose for collection is?

(e)  What do we use personal information for and are those uses reasonable and appropriate? Do these uses match what we tell individuals?

(f)  How do we obtain consent for collecting, using and disclosing personal information?

(g)  How do we ensure that the personal information is correct, complete and current?

(h)  Where do we keep personal information and how is it secured?

(i)  Who, within our organization, has access to or uses the personal information, and for what purposes? Are we limiting access on a need-to-know basis?

(j)  Who is personal information disclosed to outside our organization and why?

(k)  Should we be disclosing personal information to others for the purposes we disclose it?

(l)  How long do we retain the personal information? When is it disposed of and how? Is it disposed of securely?

(m) How do we respond to complaints or questions from individuals about our information practices?

(n)  In light of PIPA, should we change any of our practices?

3.  Ensure that the necessary safeguards are in place to protect your organization from privacy breaches and policies in place to quickly respond in the unfortunate event of a privacy breach. 

We would be pleased to assist you in drafting or revising your privacy policies to ensure PIPA compliance. For more information, please contact Nicole K. Skuggedal at or a member of Privacy & Data Management Group.


About Us

Lawson Lundell's Labour and Employment Law Blog provides updates on the most recent legal developments impacting the Canadian workplace and offers practical tips for employers. We cover a range of topics, including labour relations, employment law, collective bargaining, human rights, employment standards, employment equity, workers' compensation, business immigration, privacy, occupational health and safety and pensions and employee benefits. 

Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage. 




Recent Posts



Jump to Page