Definition
BC PIPA was enacted in 2003 and came into force on 1 January 2004. The federal government has designated it substantially similar to PIPEDA, so it applies to most private-sector activity in BC in place of PIPEDA. Federally-regulated work (banks, telcos, airlines, inter-provincial transportation) remains subject to PIPEDA.
BC PIPA is built around the same Fair Information Principles as PIPEDA and Alberta PIPA, but is a separately enforced provincial statute. The Office of the Information and Privacy Commissioner for British Columbia administers the Act.
BC PIPA was amended in 2021 (effective 2023) to add mandatory breach notification — making BC the most recent of the three substantially-similar provinces to add this obligation. Many BC private-sector organisations are still adapting their breach response procedures to the new regime.
Core components
- Reasonable purposes test. Collection, use, and disclosure must be for purposes a reasonable person would consider appropriate.
- Consent. Express, implied, deemed, or opt-out depending on context. Sensitive information typically requires more explicit consent.
- Privacy Officer. Each organisation must designate a person accountable for compliance.
- Mandatory breach notification (since 1 Feb 2023). Organisations must notify the BC OIPC and affected individuals of breaches creating a "real risk of significant harm." Records of all breaches must be maintained.
- Subject access rights. Individuals have the right of access and the right to challenge accuracy.
- OIPC oversight. Investigations, orders, and inquiries handled by the BC Office of the Information and Privacy Commissioner.
- FIPPA distinction. BC PIPA is the private-sector law. BC public bodies are governed by the separate Freedom of Information and Protection of Privacy Act (FIPPA). The two laws have similar principles but distinct obligations.
Why it matters
For private-sector organisations operating in BC, BC PIPA — not PIPEDA — is the operative privacy law. MSPs based in BC or serving BC clients work primarily under BC PIPA.
The relatively recent breach-notification requirement (February 2023) is the most operationally significant change in BC PIPA in years. BC organisations that were comfortable with the pre-2023 regime now have a regulated detection-and-notification obligation; many have not yet built the detection capability needed to meet it.
For BC MSPs, the BC privacy regime stacks: BC PIPA for general private-sector work, the BC health information regime for health information, plus PIPEDA where federal-jurisdiction work is involved. Many MSP clients fall under more than one.
How Lavawall® helps with BC PIPA (Personal Information Protection Act)
Lavawall® includes BC PIPA as a first-class framework alongside PIPEDA, Alberta PIPA, and Quebec Law 25. The 2023 mandatory breach-notification requirement is mapped to the breach detection and notification workflow, which is fed by M365 breach detection and identity-threat detection.
Lavawall® is hosted in Canada (currently AWS Montreal, migrating to dedicated Calgary servers) so BC data does not leave Canada when stored on Lavawall® itself.
ThreeShield Information Security Corporation, the audit firm that built Lavawall®, supports BC clients on BC PIPA work in addition to its Alberta base. The BC PIPA control mapping reflects the recent (2023) breach-notification regime, not just the older pre-2023 framework.
For BC MSPs, Lavawall® produces the safeguards evidence, breach-notification workflow, and breach record-keeping that the post-2023 BC PIPA regime expects.
Frequently asked
- Is BC PIPA the same as PIPEDA?
  No. PIPEDA is federal; BC PIPA is provincial. BC PIPA is designated substantially similar to PIPEDA but is separately enforced by the BC OIPC.
- Is BC PIPA the same as FIPPA?
  No. BC PIPA is the private-sector law. The Freedom of Information and Protection of Privacy Act (FIPPA) is the public-sector law for BC public bodies (government, health authorities, post-secondary institutions, etc.). They have related principles but distinct obligations.
- When did breach notification become mandatory in BC?
  1 February 2023. BC was the most recent of the three substantially-similar provinces (after Alberta in 2010 and federal PIPEDA in 2018) to add mandatory breach notification.
- What triggers BC PIPA breach notification?
  A breach of security safeguards involving personal information that creates a "real risk of significant harm" to the affected individual. Both the BC OIPC and affected individuals must be notified when this threshold is met.
- Do BC MSPs need to comply with BC PIPA?
  Yes. BC MSPs are themselves private-sector organisations and also handle personal information for clients. BC PIPA applies to both sets of activities.