Protecting personal information

Last updated on January 21, 2026

Your organization is legally obligated to protect any personal information that you collect, use or disclose. This includes information about your customers, employees or others.

Defining personal information

Personal information means information about an identifiable individual.

Some examples of personal information include:

  • Name, sex, age, weight, height
  • Contact information
  • Race, ethnic origin, sexual orientation
  • Medical information
  • Income, purchases and spending habits
  • Blood type, DNA code, fingerprints
  • Marital or family status
  • Religion
  • Education
  • Employment information

Personal information doesn’t include the contact information of an individual at a place of business.

Privacy rules for private sector organizations

To collect, use or disclose personal information, private sector organizations in B.C. must follow the personal information and privacy rules set out in the Personal Information Protection Act (PIPA), which are based on the 10 principles of privacy protection.

PIPA dictates the personal information and privacy rules that govern private organizations in B.C.

These rules strike a balance between:

  • The rights of individuals to control access to and use of their personal information
  • An organization’s need to collect and use personal information for legitimate and reasonable purposes

Generally, these rules apply to all private sector organizations including corporations, partnerships, legal representatives, unincorporated associations, trade unions, trusts and not-for-profit organizations. Some specific exclusions apply.

How to comply with privacy rules

Your organization needs to consider how it will comply with and implement these rules. Compliance can generally be achieved by following 4 steps, with resources available to assist.  

1. Assign one or more individuals as privacy officers

Every organization must designate at least one privacy officer to oversee privacy practices and ensure compliance with PIPA. Larger or more complex organizations may need multiple officers. The privacy officer serves as the primary contact for privacy-related questions and complaints.

2. Conduct an audit and self-assessment

Conduct internal audits and self-assessments to:

  • Understand what personal information you collect
  • Determine how this information is used and disclosed
  • Review how the information is protected

Organizations should regularly review how they manage personal information to maintain compliance and strengthen privacy management.

3. Develop a privacy policy for your organization

Every organization must have a privacy policy, available upon request, that explains how personal information is collected, used, disclosed, stored and disposed of. The policy must also include a process for handling privacy complaints.

4. Implement and maintain your privacy policy

After developing your policy, ensure it’s followed across all areas of your organization. Provide internal privacy training to keep everyone informed and compliant. Your organization is responsible for all personal information it handles, including information shared with contractors. Service contracts must include clear privacy requirements.

The Office of the Information and Privacy Commissioner

The Office of the Information and Privacy Commissioner (OIPC) provides independent oversight and enforcement of B.C.'s access and privacy laws, including the:

Freedom of Information and Protection of Privacy Act (FOIPPA)

FOIPPA applies to over 2,900 "public bodies" including ministries, local governments, schools, crown corporations, hospitals, municipal police forces, and more.

Personal Information Protection Act (PIPA)

PIPA applies to any private sector organization that collects, uses, and discloses the personal information of individuals in B.C. PIPA also applies to any organization located within B.C. that collects, uses or discloses personal information of any individual inside or outside of B.C.

The OIPC is independent from government, and promotes and protects the information and privacy rights of British Columbians. They oversee and enforce FOIPPA and PIPA to make sure organizations under their mandate follow the rules.

The OIPC reports directly to the Legislature, not to Cabinet. This means the OIPC acts as a neutral regulator focused on transparency and accountability across both public and private sectors in B.C.

Resources

The OIPC provides education and awareness resources to help organizations understand their rights and responsibilities, including:

You can contact the Office of the Information and Privacy Commissioner for British Columbia by visiting their official contact page.