Copyright © King's Printer, Victoria, British Columbia, Canada | Licence Disclaimer |
This Act is current to November 26, 2024 | |||
See the Tables of Legislative Changes for this Act’s legislative history, including any changes not in force. |
Part 3 — Protection of Privacy
Division 1 — Collection, Protection and Retention of Personal Information by Public Bodies
25.1 An employee, officer or director of a public body or an employee or associate of a service provider must not collect, use or disclose personal information except as authorized by this Act.
26 A public body may collect personal information only if
(a) the collection of the information is expressly authorized under an Act,
(b) the information is collected for the purposes of law enforcement,
(c) the information relates directly to and is necessary for a program or activity of the public body,
(d) with respect to personal information collected for a prescribed purpose,
(i) the individual the information is about has consented in the prescribed manner to that collection, and
(ii) a reasonable person would consider that collection appropriate in the circumstances,
(e) the information is necessary for the purposes of planning or evaluating a program or activity of a public body,
(f) the information is necessary for the purpose of reducing the risk that an individual will be a victim of domestic violence, if domestic violence is reasonably likely to occur,
(g) the information is collected by observation at a presentation, ceremony, performance, sports meet or similar event
(i) at which the individual voluntarily appears, and
(ii) that is open to the public, or
(h) the information is personal identity information that is collected by
(i) a provincial identity information services provider and the collection of the information is necessary to enable the provincial identity information services provider to provide services under section 69.2, or
(ii) a public body from a provincial identity information services provider and the collection of the information is necessary to enable
(A) the public body to identify an individual for the purpose of providing a service to the individual, or
(B) the provincial identity information services provider to provide services under section 69.2.
27 (1) A public body must collect personal information directly from the individual the information is about unless
(a) another method of collection is authorized by
(ii) the commissioner under section 42 (1) (i), or
(a.1) the collection of the information is necessary for the medical treatment of an individual and it is not possible
(i) to collect the information directly from that individual, or
(ii) to obtain authority under paragraph (a) (i) for another method of collection,
(b) the information may be disclosed to the public body under section 33,
(c) the information is collected for the purpose of
(i) determining suitability for an honour or award including an honorary degree, scholarship, prize or bursary,
(ii) a proceeding before a court or a judicial or quasi-judicial tribunal,
(iii) collecting a debt or fine or making a payment,
(v) reducing the risk that an individual will be a victim of domestic violence, if domestic violence is reasonably likely to occur,
(c.1) the information is collected from a body disclosing it in accordance with a provision of a treaty, arrangement or written agreement that
(i) authorizes or requires the disclosure, and
(ii) is made under an enactment of British Columbia, other than this Act, or an enactment of Canada,
(c.2) the information is collected from a body disclosing it under an enactment of another province or of Canada,
(d) the information is transferred to the public body from another public body in accordance with section 27.1,
(e) the collection of the information is necessary for delivering or evaluating a common or integrated program or activity,
(f) the information is about an employee, other than a service provider, and the collection of the information is necessary for the purposes of managing or terminating an employment relationship between a public body and the employee, or
(g) the information is personal identity information that is collected by a provincial identity information services provider and the collection of the information is necessary to enable the provincial identity information services provider to provide services under section 69.2.
(2) A public body must ensure that an individual from whom it collects personal information is told
(a) the purpose for collecting it,
(b) the legal authority for collecting it, and
(c) the contact information of an officer or employee of the public body who can answer the individual's questions about the collection.
(3) Subsection (2) does not apply if
(a) the information is about law enforcement or anything referred to in section 15 (1) or (2),
(b) the minister responsible for this Act excuses a public body from complying with it because doing so would
(i) result in the collection of inaccurate information, or
(ii) defeat the purpose or prejudice the use for which the information is collected,
(i) is not required, under subsection (1), to be collected directly from the individual the information is about, and
(ii) is not collected directly from the individual the information is about, or
(d) the information is collected by observation at a presentation, ceremony, performance, sports meet or similar event
(i) at which the individual voluntarily appears, and
(ii) that is open to the public.
(4) A public body must notify an employee, other than a service provider, that it will be collecting personal information under subsection (1) (f) unless it is reasonable to expect that the notification would compromise
(a) the availability or the accuracy of the information, or
(b) an investigation or a proceeding related to the employment of the employee.
27.1 (1) Personal information that is received by a public body is not collected by the public body for the purposes of this Act if
(a) the information does not relate to a program or activity of the public body, and
(b) the public body takes no action with respect to the information other than to
(i) read all or a part of it and then delete, destroy or return it, or
(ii) read all or a part of it and then transfer it in accordance with subsection (2).
(2) For the purpose of subsection (1) (b) (ii), a public body may transfer personal information to
(b) a government institution subject to the Privacy Act (Canada)
if the public body determines the information relates to a program or activity of the other public body or government institution referred to in paragraph (a) or (b).
28 If
(a) an individual's personal information is in the custody or under the control of a public body, and
(b) the personal information will be used by or on behalf of the public body to make a decision that directly affects the individual,
the public body must make every reasonable effort to ensure that the personal information is accurate and complete.
29 (1) An individual who believes there is an error or omission in personal information about the individual that is in the custody or under the control of a public body may request the head of the public body to correct the information.
(2) If no correction is made in response to a request under subsection (1), the head of the public body must annotate the information with the correction that was requested but not made.
(3) On correcting or annotating personal information under this section, the head of the public body must notify any other public body or any third party to whom that information has been disclosed during the one year period before the correction was requested.
(4) On being notified under subsection (3) of a correction or annotation of personal information, a public body must make the correction or annotation on any record of that information in its custody or under its control.
30 A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized collection, use, disclosure or disposal.
30.3 An employer, whether or not a public body, must not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee of the employer, or deny that employee a benefit, because
(b) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the commissioner that the employer or any other person has contravened or is about to contravene this Act,
(c) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene this Act,
(d) the employee, acting in good faith and on the basis of reasonable belief, has refused to do or stated an intention of refusing to do anything that is in contravention of this Act, or
(e) the employer believes that an employee will do anything described in paragraph (b), (c) or (d).
30.5 (1) [Repealed 2021-39-17.]
(2) An employee, officer or director of a public body, or an employee or associate of a service provider, who knows that there has been an unauthorized disclosure of personal information that is in the custody or under the control of the public body must immediately notify the head of the public body.
31 If an individual's personal information
(a) is in the custody or under the control of a public body, and
(b) is used by or on behalf of the public body to make a decision that directly affects the individual,
the public body must ensure that the personal information is retained for at least one year after being used so that the affected individual has a reasonable opportunity to obtain access to that personal information.
Division 2 — Use and Disclosure of Personal Information by Public Bodies
32 A public body may use personal information in its custody or under its control only
(a) for the purpose for which the information was obtained or compiled, or for a use consistent with that purpose,
(b) if the individual the information is about has identified the information and has consented, in the prescribed manner, to the use, or
(c) for a purpose for which the information may be disclosed to the public body under section 33.
33 (1) A public body may disclose personal information in its custody or under its control only as permitted by subsections (2) to (9) or by section 33.3.
(2) A public body may disclose personal information in any of the following circumstances:
(a) in accordance with Part 2;
(b) if the information or disclosure is of a type described in section 22 (4) (e), (f), (h), (i) or (j);
(c) if the individual the information is about has identified the information and has consented, in the prescribed manner, to the disclosure;
(d) for the purpose for which the information was obtained or compiled, or for a use consistent with that purpose within the meaning of section 34 [definition of consistent purpose];
(e) in accordance with an enactment of British Columbia or of Canada that authorizes or requires the disclosure;
(f) if the information is made available to the public under an enactment that authorizes or requires the information to be made public;
(g) in accordance with a provision of a treaty, arrangement or written agreement that
(i) authorizes or requires the disclosure, and
(ii) is made under an enactment of British Columbia, other than this Act, or an enactment of Canada;
(h) to an officer or employee of the public body, or to a minister, if the information is necessary for the performance of the duties of the officer, employee or minister;
(i) to an officer or employee of a public body, or to a minister, if the information is necessary to protect the health or safety of the officer, employee or minister;
(j) to an officer or employee of a public body, or to a minister, if the information is necessary for the purposes of planning or evaluating a program or activity of a public body;
(k) to an officer or employee of a public body or an agency, or to a minister, if the information is necessary for the delivery of a common or integrated program or activity and for the performance of the duties, respecting the common or integrated program or activity, of the officer, employee or minister to whom the information is disclosed;
(l) to comply with a subpoena, warrant or order issued or made by a court or person in Canada with jurisdiction to compel the production of information in Canada;
(m) to the Attorney General or legal counsel for the public body
(i) for the purpose of preparing or obtaining legal advice for the government or public body, or
(ii) for use in civil proceedings involving the government or public body;
(n) to the minister responsible for the Coroners Act or a person referred to in section 31 (1) of that Act, for the purposes of that Act;
(o) for the purpose of collecting amounts owing to the government or a public body by
(ii) a corporation of which the individual the information is about is or was a director or officer;
(i) a payment to be made to or by the government or a public body,
(ii) authorizing, administering, processing, verifying or cancelling a payment, or
(iii) resolving an issue regarding a payment;
(q) for the purposes of licensing, registering, insuring, investigating or disciplining persons regulated by governing bodies of professions or occupations;
(r) if the information was collected by observation at a presentation, ceremony, performance, sports meet or similar event
(i) that was open to the public, and
(ii) at which the individual the information is about appeared voluntarily;
(s) to the auditor general or a prescribed person or body for audit purposes;
(t) if the disclosure is necessary for
(i) installing, implementing, maintaining, repairing, troubleshooting or upgrading an electronic system or equipment that includes an electronic system, or
(ii) data recovery that is undertaken following the failure of an electronic system,
that is used by the public body, or by a service provider for the purposes of providing services to a public body;
(u) if the disclosure is necessary for the processing of information and the following apply:
(i) the processing does not involve the intentional accessing of the information by an individual;
(ii) any processing done outside of Canada is temporary;
(v) if the information is metadata and the following apply:
(i) the metadata is generated by an electronic system;
(ii) the metadata describes an individual's interaction with the electronic system;
(iii) if practicable, information in individually identifiable form has been removed from the metadata or destroyed;
(iv) in the case of disclosure to a service provider, the public body has prohibited subsequent use or disclosure of information in individually identifiable form without the express authorization of the public body;
(i) was disclosed on social media by the individual the information is about,
(ii) was obtained or compiled by the public body for the purpose of enabling the public body to engage individuals in public discussion or promotion respecting proposed or existing initiatives, policies, programs or activities of the public body or respecting legislation relating to the public body, and
(iii) is disclosed for a use that is consistent with the purpose described in subparagraph (ii);
(x) to an Indigenous governing entity for the purposes of a program or activity that supports the exercise of the rights recognized and affirmed by section 35 of the Constitution Act, 1982.
(3) A public body may disclose personal information in any of the following circumstances:
(i) the head of the public body determines that compelling circumstances that affect anyone's health or safety exist, and
(ii) notice of disclosure is mailed to the last known address of the individual the information is about, unless the head of the public body considers that the notice could harm anyone's health or safety;
(b) for the purpose of reducing the risk that an individual will be a victim of domestic violence, if domestic violence is reasonably likely to occur;
(c) to enable the next of kin or a friend of an injured, ill or deceased individual to be contacted;
(d) to a public body, or a law enforcement agency in Canada, to assist in a specific investigation
(i) undertaken with a view to a law enforcement proceeding, or
(ii) from which a law enforcement proceeding is likely to result;
(e) to a member of the Legislative Assembly who has been requested by the individual the information is about to assist in resolving a problem;
(f) to a representative of a bargaining agent who has been authorized in writing by the employee the information is about to make an inquiry;
(g) to the digital archives or museum archives of government or the archives of a public body, for archival purposes;
(h) for a research purpose, including statistical research, if
(i) the research purpose cannot be accomplished unless the information is disclosed in individually identifiable form, or the research purpose has been approved by the commissioner,
(ii) the information is disclosed on condition that it not be used for the purpose of contacting a person to participate in the research unless
(A) the research is in relation to health issues, and
(B) the commissioner has approved the research purpose, the use of the information for the purpose of contacting a person to participate in the research and the manner in which contact is to be made, including the information to be made available to the person contacted,
(iii) any data-linking is not harmful to the individual the information is about and the benefits to be derived from the data-linking are clearly in the public interest,
(iv) the head of the public body has approved conditions relating to the following:
(A) security and confidentiality;
(B) the removal or destruction of individual identifiers at the earliest reasonable time;
(C) the prohibition of subsequent use or disclosure of the information in individually identifiable form without the express authorization of the public body, and
(v) the person to whom the information is disclosed has signed an agreement to comply with the approved conditions, this Act and the public body's policies and procedures relating to the confidentiality of personal information.
(4) In addition to the authority under any other provision of this section, the digital archives or museum archives of government or archives of a public body may disclose personal information in its custody or under its control for archival or historical purposes if
(a) the disclosure would not be an unreasonable invasion of personal privacy under section 22,
(b) the information is about an individual who has been deceased for 20 or more years, or
(c) the information is in a record that has been in existence for 100 or more years.
(5) In addition to the authority under any other provision of this section, a board or a francophone education authority, as those are defined in the School Act, may disclose personal information in its custody or under its control to a museum, an archives or a similar institution that is or forms part of a public body or an organization, as the latter is defined in the Personal Information Protection Act, if
(a) the disclosure would not be an unreasonable invasion of personal privacy under section 22 of this Act,
(b) the information is about an individual who has been deceased for 20 or more years, or
(c) the information is in a record that has been in existence for 100 or more years.
(6) In addition to the authority under any other provision of this section, a public body that is a law enforcement agency may disclose personal information
(a) to another law enforcement agency in Canada, or
(b) to a law enforcement agency in a foreign state under an arrangement, written agreement or treaty or under provincial or Canadian legislative authority.
(7) In addition to the authority under any other provision of this section, the Insurance Corporation of British Columbia may disclose personal information
(i) licensing or registering motor vehicles or drivers, or
(ii) verifying motor vehicle registration, insurance or driver licences, or
(i) the information was obtained or compiled by the Insurance Corporation of British Columbia for the purposes of insurance it provides, and
(ii) the disclosure is necessary to investigate, manage or settle a specific insurance claim.
(8) In addition to the authority under any other provision of this section, a provincial identity information services provider may disclose personal identity information
(a) to enable the provincial identity information services provider to provide a service under section 69.2, or
(b) to a public body if the disclosure is necessary to enable the public body to identify an individual for the purpose of providing a service to the individual.
(9) In addition to the authority under any other provision of this section, a public body may disclose personal identity information to a provincial identity information services provider if the disclosure is necessary to enable
(a) the public body to identify an individual for the purpose of providing a service to the individual, or
(b) the provincial identity information services provider to provide a service under section 69.2.
33.1 A public body may disclose personal information outside of Canada only if the disclosure is in accordance with the regulations, if any, made by the minister responsible for this Act.
33.3 (1) A public body may disclose to the public a record that is within a category of records established under section 71 (1).
(2) A ministry may disclose to the public a record that is within a category of records established under section 71.1 (1).
34 For the purposes of section 32 (a) or 33 (2) (d) or (w), a use of personal information is consistent with the purpose for which the information was obtained or compiled if the use
(a) has a reasonable and direct connection to that purpose, and
(b) is necessary for performing the statutory duties of, or for operating a program or activity of, the public body that uses or discloses the information.
Division 3 — Data-linking Programs
36.1 (1) This section does not apply to a data-linking program that is part of research for the purpose of which personal information may be disclosed under section 33 (3) (h).
(2) A public body conducting a data-linking program must comply with the regulations, if any, made for the purposes of this section.
Division 4 — Privacy Management Programs and Privacy Breach Notifications
36.2 The head of a public body must develop a privacy management program for the public body and must do so in accordance with the directions of the minister responsible for this Act.
36.3 (1) In this section, "privacy breach" means the theft or loss, or the collection, use or disclosure that is not authorized by this Part, of personal information in the custody or under the control of a public body.
(2) Subject to subsection (5), if a privacy breach involving personal information in the custody or under the control of a public body occurs, the head of the public body must, without unreasonable delay,
(a) notify an affected individual if the privacy breach could reasonably be expected to result in significant harm to the individual, including identity theft or significant
(iii) damage to reputation or relationships,
(iv) loss of employment, business or professional opportunities,
(vi) negative impact on a credit record, or
(vii) damage to, or loss of, property, and
(b) notify the commissioner if the privacy breach could reasonably be expected to result in significant harm referred to in paragraph (a).
(3) The head of a public body is not required to notify an affected individual under subsection (2) if notification could reasonably be expected to
(a) result in immediate and grave harm to the individual's safety or physical or mental health, or
(b) threaten another individual's safety or physical or mental health.
(4) If notified under subsection (2) (b), the commissioner may notify an affected individual.
(5) A notification under subsection (2) (a) or (b) must be made in the prescribed manner.
Contents | Part 1 | Part 2 | Part 3 | Part 4 | Part 5 | Part 5.1 | Part 6 | Schedule 1 | Schedule 2 | Schedule 3
Copyright © King's Printer, Victoria, British Columbia, Canada