BC PIPA - the Personal Information Protection Act - applies to every private-sector business operating in British Columbia. If you collect names, emails, or any identifying information about customers or employees, PIPA applies to you. This checklist covers the IT controls you need to document before a complaint or audit lands on your desk.
What PIPA Requires at a Minimum
PIPA requires that you identify the purposes for collecting personal information before or at the time of collection, and that you obtain meaningful consent. Implied consent is acceptable for many routine business purposes, but it needs to be documented. You cannot simply assume consent exists.
You are also required to protect personal information using safeguards appropriate to the sensitivity of the data. For most BC SMBs, this means encrypted storage, access controls, and a written security policy. The Office of the Information and Privacy Commissioner for BC (OIPC) looks for evidence of these controls.
Individuals have the right to access their own information and request corrections. Your IT systems need to support this: you must be able to locate, export, and in some cases delete records tied to a specific individual within a reasonable timeframe.
Data Inventory: Start Here
Before you can protect personal information, you need to know where it lives. Run a data discovery exercise across your file shares, CRM, email archives, cloud storage, and any third-party SaaS tools. Map what categories of personal data exist, where they are stored, and who can access them.
North Star recommends a simple spreadsheet: data type, system, retention period, access roles, and encryption status. This document becomes your evidence of compliance when the OIPC calls.
Access Controls and Authentication
PIPA requires that access to personal information be limited to those who need it for the identified purpose. Role-based access control (RBAC) in your Microsoft 365, CRM, and line-of-business apps is the practical implementation of this principle.
Multi-factor authentication is not explicitly named in PIPA, but it is considered a baseline safeguard for any system holding sensitive data. If you are breached because MFA was disabled, the OIPC will note that you failed to take reasonable steps.
Breach Notification Under PIPA
BC PIPA does not contain a mandatory breach notification requirement equivalent to the federal rules under PIPEDA, but Alberta's PIPA does, and many BC businesses operate across both provinces. Regardless of the legal minimum, notifying affected individuals after a breach is considered best practice and reduces liability.
Your incident response plan should include a decision tree: what constitutes a breach, who decides whether notification is required, and what the notification template looks like. North Star can help you build this into a documented runbook.
Retention and Destruction
Personal information must not be kept longer than necessary. Define a retention schedule: how long you keep customer records, employee records, and contact lists. Document it. Then enforce it with automated deletion or archival policies in your email and document systems.
Physical destruction - shredding paper records - counts too. If you have paper HR files or signed contracts, those need a disposal policy. Document the method and log each destruction event.
Vendor and Third-Party Obligations
If a third party processes personal information on your behalf - a payroll provider, a cloud CRM, a marketing platform - you remain responsible for that data under PIPA. You need data processing agreements or equivalent contractual language with each vendor.
Review your vendor list annually. Many BC businesses are surprised to find they are sharing personal information with five to ten SaaS platforms without any written agreement. Each one is a PIPA exposure.