On April 30, 2003, the Government of British Columbia introduced Bill 38, the Personal Information Protection Act. Bill 38 is intended to mirror the Federal Government’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA provides that the Act will apply to all personal information collected, used or disclosed in the course of all provincial commercial activity, unless each province enacts its own parallel legislation before January 1, 2004. Bill 38 is intended to be the provincial parallel privacy legislation for British Columbia governing the collection, use and disclosure of personal information by organizations. It is anticipated that Bill 38 will come into force on January 1, 2004.
Bill 38 affirms the BC Government’s stated intention to introduce legislation governing private sector privacy practices. In 2001, the Special Committee on Information Privacy in the Private Sector, an all-party committee of the Legislative Assembly, unanimously recommended that such legislation should be enacted.
Like PIPEDA, Bill 38 enshrines “fair information practices.” These practices may be summarized as follows:
- Accountability – An organization must designate someone to be internally responsible for compliance.
- Identifying purposes – An organization must identify the purposes for which personal information is collected at or before the time the information is collected.
- Consent – The knowledge and consent of the individual are required for collection, use or disclosure of personal information (except where appropriate).
- Limiting collection – An organization must limit its collection of personal information to that which is necessary for the purposes identified and must collect information only by fair and lawful means.
- Limiting use, disclosure and retention – An organization must not use or disclose personal information for purposes other than those for which it was collected, except with the individual’s consent or as required by law. An organization must retain personal information only as long as is necessary for the fulfillment of the identified purposes.
- Accuracy – An organization must ensure that personal information is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards – An organization must protect personal information by security safeguards appropriate to the sensitivity of the information.
- Openness – An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual access – An organization must inform individuals of the existence, use and disclosure of their personal information and must provide individuals access to their personal information. This must include the ability to challenge the accuracy and completeness of the information and have it corrected as appropriate.
- Challenging compliance – An organization must afford individuals mechanisms for challenging compliance with the principles.