The Personal Information Protection Act at a Glance

Whereas the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, governs the collection, use and disclosure of private information by public bodies, the Personal Information Protection Act, S.B.C. 2003, c. 63, regulates the collection, use and disclosure of “personal information” by private organizations. There is also the Privacy Act, R.S.B.C. 1996, c. 373, which makes it a tort, actionable without proof of damage, for a person to wilfully violate the privacy of another; however, that Act is aimed at such things as eavesdropping, surreptitious video surveillance and the unauthorized use of another’s name or portrait. This article concerns the Personal Information Protection Act (“PIPA”), as that statute applies to private organizations and regulates the manner in which they can collect, use and disclose “personal information”.

“Personal Information” is given a very broad definition under PIPA as follows:

“Personal Information” means information about an identifiable individual and includes employee personal information but does not include
(a) contact information, or
(b) work product information.

“Contact Information” is defined as “information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual”. It follows that any contact information of a non-business nature is “information about an identifiable individual” and therefore constitutes “personal information” within the meaning of PIPA.

Under Section 6 of PIPA, an organization is prohibited from collecting, using or disclosing “personal information” about an individual unless the individual consents, or PIPA either authorizes the collection, use or disclosure without the consent of the individual, or deems the collection, use or disclosure to be consented to by the individual.

Section 18 regulates the disclosure of personal information without an individual’s consent and provides a number of exceptions where consent is not required. For example, where the disclosure is necessary for the medical treatment of the individual or where the information is already publicly available or where the disclosure is required or authorized by law. One must have a closer look at the section to analyze whether any of the exceptions apply in their case.

Section 8 regulates deemed consent. It provides the following:

8 (1) An individual is deemed to consent to the collection, use or disclosure of personal information by an organization for a purpose if
(a) at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and
(b) the individual voluntarily provides the personal information to the organization for that purpose.
(2) An individual is deemed to consent to the collection, use or disclosure of personal information for the purpose of his or her enrollment or coverage under an insurance, pension, benefit or similar plan, policy or contract if he or she
(a) is a beneficiary or has an interest as an insured under the plan, policy or contract, and
(b) is not the applicant for the plan, policy or contract.
(3) An organization may collect, use or disclose personal information about an individual for specified purposes if
(a) the organization provides the individual with a notice, in a form the individual can reasonably be considered to understand, that it intends to collect, use or disclose the individual’s personal information for those purposes,
(b) the organization gives the individual a reasonable opportunity to decline within a reasonable time to have his or her personal information collected, used or disclosed for those purposes,
(c) the individual does not decline, within the time allowed under paragraph (b), the proposed collection, use or disclosure, and
(d) the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances.
(4) Subsection (1) does not authorize an organization to collect, use or disclose personal information for a different purpose than the purpose to which that subsection applies.

A private organization must therefore be cognizant of the information that it discloses. The definition of “personal information” is very broad and encompasses information that one would not normally think of as being private. Unless consent is either not required (S. 18) or consent is deemed to have been given (S. 8), a private organization could easily find itself running afoul of this legislation and potentially expose itself to civil claims.

Contact Alex Bayley of DuMoulin Boskovich LLP for your legal needs.