
BC PIPA Breach Reporting Requirements for SMEs

By Yong Du

BC PIPA requires notifying individuals when RROSH is present. OIPC BC reporting is voluntary — not mandatory. Check your obligations under BC privacy law.

What is BC PIPA?

British Columbia's Personal Information Protection Act (PIPA, SBC 2003, c 63) governs how private-sector organizations collect, use, and disclose personal information in BC. The OIPC BC administers and enforces it. Organizations with interprovincial or international commercial activity are also subject to federal PIPEDA. When a breach triggers BC PIPA obligations, ClearBreach generates your individual notification letter, OIPC BC voluntary report, and internal incident record automatically.

Is reporting a BC PIPA breach to the OIPC BC mandatory?

No. Under BC PIPA, reporting a breach to the OIPC BC is voluntary, not mandatory. However, notifying affected individuals is mandatory when a breach poses a real risk of significant harm. Organizations should voluntarily report to the OIPC BC as a best practice for any significant breach.

BC PIPA's breach provisions differ from PIPEDA and Alberta PIPA in this one important respect. All three frameworks require mandatory individual notification when RROSH is present — only the regulator reporting component differs. Under PIPEDA and Alberta PIPA, regulator reporting is mandatory. Under BC PIPA, it is not.


Who is subject to BC PIPA?

BC PIPA applies to every private-sector organization that collects, uses, or discloses personal information about individuals in BC in the course of commercial activity within the province, regardless of size. Government bodies are governed by FIPPA instead. Federally regulated organizations remain subject to PIPEDA regardless of province.

BC PIPA does not apply to:

  • Government bodies — governed by BC's Freedom of Information and Protection of Privacy Act (FIPPA)
  • Federally regulated organizations (banks, telecommunications carriers, airlines) — governed by PIPEDA regardless of province

When does a breach trigger BC PIPA obligations?

A breach triggers BC PIPA obligations when it poses a real risk of significant harm (RROSH) to affected individuals. RROSH is assessed across four factors: information sensitivity, probability of misuse, number of individuals affected, and whether the data was recovered.

What counts as significant harm under BC PIPA?

Significant harm under BC PIPA includes:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment, business, or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

What factors determine RROSH under BC PIPA?

The four RROSH factors under BC PIPA mirror those under PIPEDA:

  1. Sensitivity of the personal information — highly sensitive information (health records, SINs, financial data) increases RROSH probability significantly
  2. Probability of misuse — confirmed access, malicious intent, and confirmed exfiltration all point toward RROSH; lost or stolen devices present a common uncertainty scenario where access cannot be confirmed or ruled out
  3. Number of individuals affected — broader breaches with sensitive data are more likely to meet RROSH
  4. Whether the information has been recovered — unrecovered data in an adversarial breach weighs heavily toward RROSH

Generate your individual notification letter and OIPC BC voluntary report automatically. ClearBreach runs your RROSH assessment under BC PIPA, PIPEDA, and Alberta PIPA simultaneously and produces all required documents in under 15 minutes — entirely in your browser.

Should I voluntarily report a breach to the OIPC BC?

Yes. Voluntary reporting demonstrates accountability and opens a channel to regulator guidance. If the breach also triggers PIPEDA mandatory reporting, the OPC and OIPC BC coordinate. Voluntary reporting is low-risk and best practice for any significant BC PIPA breach.

Specific reasons to file a voluntary report:

Demonstrates accountability. The OIPC BC's accountability framework rewards proactive transparency. Organizations that self-report tend to have better outcomes in any subsequent investigation.

Regulatory guidance. The OIPC BC provides guidance and support during breach response. Filing a voluntary report opens a channel to their office.

Coordination with PIPEDA. If the breach also triggers PIPEDA, the OPC and OIPC BC coordinate. Filing with both avoids the appearance of selectively disclosing to only one regulator.

Prepares you for future mandatory requirements. BC is expected to update PIPA to include mandatory breach reporting, following the federal model. Organizations with a history of voluntary reporting will be well-positioned.

What should a voluntary OIPC BC breach report include?

Your voluntary report to the OIPC BC should contain:

  • Description of the breach and how it occurred
  • Date or approximate date
  • Personal information involved and number of individuals affected
  • RROSH determination
  • Steps taken to contain the breach and reduce harm
  • Steps taken to notify affected individuals
  • Contact information for your privacy officer or responsible person

Contact the OIPC BC directly at oipc.bc.ca to request their current breach notification form.


When must I notify individuals of a breach under BC PIPA?

You must notify individuals directly and without unreasonable delay once you determine the breach poses a real risk of significant harm. A general public notice or website announcement does not satisfy this obligation unless direct notification to all affected individuals is not reasonably possible.

What must an individual notification include under BC PIPA?

The notification to individuals must include:

  • A description of the circumstances of the breach
  • The personal information that was involved
  • Steps your organization has taken to reduce harm
  • Contact information so the individual can ask questions

How does BC PIPA compare to PIPEDA and Alberta PIPA?

The key distinction: PIPEDA and Alberta PIPA both require mandatory reporting to their respective regulators when RROSH is present. BC PIPA makes regulator reporting voluntary. All three frameworks require mandatory direct notification to affected individuals when RROSH is present.

                        | BC PIPA                               | Alberta PIPA                          | PIPEDA
Governing body          | OIPC BC (oipc.bc.ca)                  | OIPC Alberta (oipc.ab.ca)             | OPC Canada (priv.gc.ca)
Regulator reporting     | Voluntary                             | Mandatory when RROSH present          | Mandatory when RROSH present
Individual notification | Mandatory when RROSH present          | Mandatory when RROSH present          | Mandatory when RROSH present
Timing — regulator      | Voluntary — no fixed deadline         | Without unreasonable delay            | As soon as feasible
Timing — individuals    | Without unreasonable delay            | Without unreasonable delay            | As soon as feasible
Enforcement             | OIPC investigation, compliance orders | OIPC investigation, compliance orders | OPC investigation, Federal Court referral
Record-keeping          | Required                              | Required                              | 24 months minimum

For Alberta-specific obligations, see Alberta PIPA Breach Notification Requirements. For PIPEDA obligations, see PIPEDA Breach Reporting Requirements.


What do I do when both BC PIPA and PIPEDA apply?

When both frameworks apply, notify affected individuals once using a notification that satisfies both. File a mandatory OPC report under PIPEDA. File a voluntary OIPC BC report, which is best practice under BC PIPA. ClearBreach generates separate regulator submissions for each framework automatically.

Many BC organizations are subject to both BC PIPA and PIPEDA because they engage in interprovincial or international commercial activity — e-commerce, suppliers across provincial borders, or federally regulated operations.

When both apply:

  • You must notify affected individuals once (a single notification can satisfy both frameworks if it meets each framework's requirements)
  • You must file a mandatory OPC report (PIPEDA)
  • You should file a voluntary OIPC BC report (BC PIPA best practice)

Scenario-specific BC PIPA guidance

For detailed guidance on common breach types that frequently trigger BC PIPA obligations alongside PIPEDA and Alberta PIPA:


Using ClearBreach for BC PIPA assessments

Run your BC PIPA assessment and generate your compliance documents automatically. ClearBreach evaluates your breach under PIPEDA, Alberta PIPA, and BC PIPA simultaneously in a single 15-minute browser-based assessment. When BC PIPA obligations are triggered, ClearBreach generates:

  • An OIPC BC Breach Report draft — with voluntary reporting language and all required content
  • A Verdict Card showing your RROSH determination under each applicable framework
  • An Individual Notification Letter covering each framework's notification requirements
  • An Internal Incident Record for your compliance file

Frequently asked questions

Do BC businesses have to report a data breach?

Yes, in two respects. BC private-sector organizations are governed by BC's Personal Information Protection Act (PIPA). When a breach poses a real risk of significant harm (RROSH) to affected individuals, notification to those individuals is mandatory. Reporting to the Office of the Information and Privacy Commissioner for BC is voluntary — not legally required — but strongly recommended. Organizations that also engage in interprovincial or international commercial activity must additionally report to the federal Office of the Privacy Commissioner under PIPEDA, where reporting is mandatory when RROSH is present.

Is BC PIPA breach reporting mandatory or voluntary?

Reporting a breach to the OIPC BC is currently voluntary under BC PIPA — there is no mandatory reporting requirement to the regulator equivalent to PIPEDA or Alberta PIPA. However, notification to affected individuals is required when a breach poses a real risk of significant harm. Voluntary reporting to the OIPC is strongly encouraged and is considered best practice for breaches that would trigger PIPEDA or Alberta PIPA obligations.

Do I have to notify individuals after a breach under BC PIPA?

Yes. BC PIPA requires organizations to notify affected individuals when a breach poses a real risk of significant harm. The notification obligation to individuals is not voluntary — only the regulator reporting component is. You must notify individuals directly and without unreasonable delay once you determine RROSH is present.

What is the difference between BC PIPA and PIPEDA breach reporting?

The key difference is that PIPEDA mandates reporting to the OPC when RROSH is present, while BC PIPA makes reporting to the OIPC BC voluntary. Both require direct notification to affected individuals when RROSH is present. When both PIPEDA and BC PIPA apply to your organization, PIPEDA's mandatory reporting obligation takes precedence — you must report to the OPC.

Does BC PIPA apply to small businesses?

Yes. BC PIPA applies to every private-sector organization that collects, uses, or discloses personal information about individuals in BC in the course of commercial activity within the province, regardless of size. Organizations engaged in interprovincial or international commercial activity are also subject to PIPEDA.

Should I voluntarily report a breach to OIPC BC even if it is not mandatory?

Yes, in most cases. Voluntarily reporting demonstrates accountability and good faith to the regulator. The OIPC BC provides guidance and support during breach response. If the breach also triggers PIPEDA obligations, the OPC will coordinate with the OIPC BC in any case. The OIPC BC voluntary report is low-risk and high-goodwill — there is no enforcement consequence for filing it.

This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.
