BC PIPA Privacy Breach Reporting: What BC Organizations Need to Know

Guide to BC PIPA breach reporting obligations — when voluntary reporting to OIPC BC is appropriate, individual notification requirements, and how BC PIPA compares to PIPEDA.

What is BC PIPA?

British Columbia's Personal Information Protection Act (PIPA, SBC 2003, c 63) is the provincial privacy legislation governing private-sector organizations that collect, use, or disclose personal information in BC. The Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) administers and enforces BC PIPA.

BC PIPA was deemed substantially similar to PIPEDA by the federal government. Private-sector organizations that operate solely within BC for intraprovincial commercial activity are governed by BC PIPA rather than PIPEDA. Organizations with interprovincial or international commercial activity are also subject to PIPEDA.


The critical distinction: voluntary regulator reporting, mandatory individual notification

BC PIPA's breach provisions are structured differently from PIPEDA and Alberta PIPA in one important respect: reporting to the OIPC BC is voluntary, not mandatory.

However, notifying affected individuals is mandatory when a breach poses a real risk of significant harm (RROSH).

This distinction matters. An organization subject only to BC PIPA (no PIPEDA obligation) is legally required to notify affected individuals when RROSH is present, but is not legally required to file a report with the OIPC BC. In practice, voluntary reporting to the OIPC BC is strongly encouraged and is standard best practice for any significant breach.


Who is subject to BC PIPA?

BC PIPA applies to every private-sector organization — regardless of size — that:

  • Collects, uses, or discloses personal information about individuals in BC
  • Does so in the course of commercial activity within the province

It does not apply to government bodies, which are governed by BC's Freedom of Information and Protection of Privacy Act (FIPPA). It also does not apply to federally regulated organizations (banks, telecommunications carriers, airlines), which remain subject to PIPEDA regardless of province.


When does a breach trigger BC PIPA obligations?

Like PIPEDA and Alberta PIPA, BC PIPA uses a Real Risk of Significant Harm (RROSH) threshold for both the voluntary regulator report and the mandatory individual notification.

What counts as significant harm under BC PIPA?

Significant harm under BC PIPA includes:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment, business, or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

RROSH factors under BC PIPA

The four RROSH factors under BC PIPA mirror those under PIPEDA:

  1. Sensitivity of the personal information — highly sensitive information (health records, SINs, financial data) increases RROSH probability significantly
  2. Probability of misuse — confirmed access, malicious intent, and confirmed exfiltration all point toward RROSH
  3. Number of individuals affected — broader breaches with sensitive data are more likely to meet RROSH
  4. Whether the information has been recovered — unrecovered data in an adversarial breach weighs heavily toward RROSH

Voluntary reporting to the OIPC BC

Although not legally required, filing a voluntary report with the OIPC BC is strongly recommended for any breach where RROSH may be present. Reasons to report voluntarily:

Demonstrates accountability. The OIPC BC's accountability framework rewards proactive transparency. Organizations that self-report tend to have better outcomes in any subsequent investigation.

Regulatory guidance. The OIPC BC provides guidance and support during breach response. Filing a voluntary report opens a channel to their office.

Coordination with PIPEDA. If the breach also triggers PIPEDA (mandatory reporting to the OPC), the OPC and OIPC BC coordinate. Filing with both avoids the appearance of selectively disclosing to only one regulator.

Prepares you for future mandatory requirements. BC is expected to update PIPA to include mandatory breach reporting, following the federal model. Organizations with a history of voluntary reporting will be well-positioned.

What to include in a voluntary OIPC BC report

Your voluntary report to the OIPC BC should contain the same information as an OPC or OIPC Alberta report:

  • Description of the breach and how it occurred
  • Date or approximate date
  • Personal information involved and number of individuals affected
  • RROSH determination
  • Steps taken to contain the breach and reduce harm
  • Steps taken to notify affected individuals
  • Contact information for your privacy officer or responsible person

Contact the OIPC BC directly at oipc.bc.ca to request their current breach notification form.


Mandatory individual notification under BC PIPA

When a breach poses a real risk of significant harm, BC PIPA requires you to notify every affected individual directly, without unreasonable delay.

Requirements for individual notification under BC PIPA

The notification to individuals must include:

  • A description of the circumstances of the breach
  • The personal information that was involved
  • Steps your organization has taken to reduce harm
  • Contact information so the individual can ask questions

Direct notification is required. A general public notice or website announcement does not satisfy the obligation unless direct notification to all affected individuals is not reasonably possible.


How BC PIPA compares to PIPEDA

| | BC PIPA | PIPEDA |
|---|---|---|
| Governing body | OIPC BC (oipc.bc.ca) | OPC Canada (priv.gc.ca) |
| Regulator reporting | Voluntary | Mandatory when RROSH present |
| Individual notification | Mandatory when RROSH present | Mandatory when RROSH present |
| Timing language | "Without unreasonable delay" | "As soon as feasible" |
| Enforcement | OIPC investigation, compliance orders | OPC investigation, Federal Court referral |
| Record-keeping | Required | 24 months minimum |


Dual obligations: when BC PIPA and PIPEDA both apply

Many BC organizations are subject to both BC PIPA and PIPEDA because they engage in interprovincial or international commercial activity — e-commerce, suppliers across provincial borders, or federally regulated operations.

When both apply:

  • You must notify affected individuals once (a single notification can satisfy both frameworks if it meets each framework's requirements)
  • You must file a mandatory OPC report (PIPEDA)
  • You should file a voluntary OIPC BC report (BC PIPA best practice)

ClearBreach evaluates all applicable frameworks simultaneously and generates separate regulator reports for each — an OPC PIPEDA report and an OIPC BC voluntary report — when both are triggered.


Using ClearBreach for BC PIPA assessments

ClearBreach simultaneously evaluates your breach under PIPEDA, Alberta PIPA, and BC PIPA in a single 15-minute assessment. When BC PIPA obligations are triggered, ClearBreach generates:

  • An OIPC BC Breach Report draft — with voluntary reporting language and all required content
  • A Verdict Card showing your RROSH determination under each applicable framework
  • An Individual Notification Letter covering each framework's notification requirements
  • An Internal Incident Record for your compliance file

Frequently asked questions

Is BC PIPA breach reporting mandatory or voluntary?

Reporting a breach to the OIPC BC is currently voluntary under BC PIPA — there is no mandatory reporting requirement to the regulator equivalent to PIPEDA or Alberta PIPA. However, notification to affected individuals is required when a breach poses a real risk of significant harm. Voluntary reporting to the OIPC is strongly encouraged and is considered best practice for breaches that would trigger PIPEDA or Alberta PIPA obligations.

Do I have to notify individuals after a breach under BC PIPA?

Yes. BC PIPA requires organizations to notify affected individuals when a breach poses a real risk of significant harm. The notification obligation to individuals is not voluntary — only the regulator reporting component is. You must notify individuals directly and without unreasonable delay once you determine RROSH is present.

What is the difference between BC PIPA and PIPEDA breach reporting?

The key difference is that PIPEDA mandates reporting to the OPC when RROSH is present, while BC PIPA makes reporting to the OIPC BC voluntary. Both require direct notification to affected individuals when RROSH is present. When both PIPEDA and BC PIPA apply to your organization, PIPEDA's mandatory reporting obligation takes precedence — you must report to the OPC.

Does BC PIPA apply to small businesses?

Yes. BC PIPA applies to every private-sector organization that collects, uses, or discloses personal information about individuals in BC in the course of commercial activity within the province, regardless of size. Organizations engaged in interprovincial or international commercial activity are also subject to PIPEDA.

Should I voluntarily report a breach to OIPC BC even if it is not mandatory?

Yes, in most cases. Voluntarily reporting demonstrates accountability and good faith to the regulator. The OIPC BC provides guidance and support during breach response. If the breach also triggers PIPEDA obligations, the OPC will coordinate with the OIPC BC in any case. The OIPC BC voluntary report is low-risk and high-goodwill — there is no enforcement consequence for filing it.

This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.
