BC's Personal Information Protection Act, PIPA, applies to every private-sector business operating in British Columbia that collects personal information about customers or employees. If you collect names, email addresses, phone numbers, or any information that identifies an individual, PIPA applies to you. This checklist covers the IT controls the Office of the Information and Privacy Commissioner for BC (OIPC) looks for, in the order you should address them.
What PIPA Requires at a Minimum
PIPA's core obligations are:
- Identify the purpose before or at the time of collection. You can't collect first and figure out why later.
- Obtain meaningful consent. Implied consent is acceptable for many routine business purposes, but it must be documented; you cannot assume it exists.
- Protect personal information with safeguards appropriate to its sensitivity. For most SMBs: encrypted storage, access controls, and a written security policy.
- Allow individuals to access their own data and request corrections. Your IT systems must be able to locate, export, and where required delete records tied to a specific person.
- Notify the OIPC and affected individuals of breaches that create a real risk of significant harm.
Step 1: Data Inventory
Before you can protect personal information, you need to know where it is. This is the step most SMBs skip, and it's the reason everything else is harder.
Run a discovery exercise across:
- File shares (Windows shared drives, NAS devices)
- Cloud storage (SharePoint, OneDrive, Google Drive, Dropbox)
- Email archives
- CRM and helpdesk platforms
- Any third-party SaaS tools your team uses
Build a spreadsheet with columns: Data category | Where stored | Who can access | Why collected | Retention period | Third-party sharing. This document is your foundation. It's also what you produce if the OIPC asks.
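The discovery exercise above can be partly automated. The Python below is an added example, not part of this checklist or of the OIPC's guidance: it walks a mounted file share or synced cloud folder, counts email addresses, North American phone numbers and Luhn-valid Canadian SINs in readable text files, and emits one inventory row per data category and location using the spreadsheet columns above (the regex patterns, the sample share paths and the extra Hits column are this example's own assumptions).

```python
import re
from pathlib import Path

# Identifier patterns (constructed for this example, not an OIPC list): email,
# North American phone, and a 9-digit Canadian SIN (Luhn-checked below).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "sin": re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real SINs pass it, so invoice/reference numbers are dropped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count identifier hits per category in one file's contents."""
    hits = {}
    for name, rx in PATTERNS.items():
        found = rx.findall(text)
        if name == "sin":
            found = [m for m in found if luhn_ok(re.sub(r"\D", "", m))]
        if found:
            hits[name] = len(found)
    return hits

def build_inventory(files: dict) -> list:
    """files: path -> text; one row per (category, location), policy columns left TODO."""
    rows = []
    for path, text in sorted(files.items()):
        for category, count in scan_text(text).items():
            rows.append({"Data category": category, "Where stored": path,
                         "Who can access": "TODO: check share permissions",
                         "Why collected": "TODO", "Retention period": "TODO",
                         "Third-party sharing": "TODO", "Hits": count})
    return rows

def scan_tree(root: str, suffixes=(".txt", ".csv", ".md", ".log")) -> list:
    """Walk a mounted share or synced cloud folder and inventory its text files."""
    paths = [p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in suffixes]
    return build_inventory({str(p): p.read_text(errors="ignore") for p in paths})

# Constructed sample standing in for two files on a Windows share.
SAMPLE_FILES = {
    r"\\fs01\hr\payroll.csv": "Jane Doe,046 454 286,jane.doe@example.com\n",
    r"\\fs01\sales\leads.txt": "Call Bob at 250-555-0100 or (604) 555-0199; ref 123 456 789\n",
}
```

Run `scan_tree(r"\\fs01\hr")` against each share and cloud sync folder in turn, then paste the rows into the spreadsheet; expect false positives on long reference numbers and tune the patterns rather than trusting the counts blindly.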
Step 2: Access Controls and Authentication
☐ Multi-factor authentication on all accounts that access personal information
☐ Role-based access control: staff can only access the personal data their job requires
☐ Shared accounts eliminated or documented with justification
☐ Offboarding procedure: accounts disabled within 24 hours of departure
☐ Annual access review: confirm that active accounts match active roles
☐ Admin access restricted to named individuals with documented business need
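The annual access review, the 24-hour offboarding check, the MFA requirement and the admin-justification item above can be reconciled mechanically. The Python below is an added example, not the page's own tooling; it assumes you have exported your identity provider's account list and the HR roster into the dict shapes shown, and the role-to-group mapping, group names and sample users are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed mapping of job role -> directory groups it may hold (in practice
# taken from the inventory's "Who can access" column); PI_GROUPS hold personal data.
ROLE_GROUPS = {
    "sales": {"crm-users"},
    "hr": {"hr-share", "payroll-db"},
    "it-admin": {"crm-users", "hr-share", "payroll-db", "domain-admins"},
}
PI_GROUPS = {"crm-users", "hr-share", "payroll-db"}
OFFBOARD_SLA = timedelta(hours=24)

def review_access(accounts: list, roster: dict, now: datetime) -> list:
    """Reconcile an identity-provider export against the HR roster and return
    (user, finding) pairs. accounts: [{user, enabled, mfa, groups,
    admin_justification?}]; roster: {user: {role, left: datetime or None}}."""
    findings = []
    for acct in accounts:
        user, groups = acct["user"], set(acct["groups"])
        person = roster.get(user)
        if person is None:
            findings.append((user, "no HR record: orphan or shared account"))
            continue
        if person["left"] and acct["enabled"] and now - person["left"] > OFFBOARD_SLA:
            findings.append((user, "still enabled more than 24h after departure"))
        if person["left"] or not acct["enabled"]:
            continue  # departed or disabled: no role review needed
        extra = groups - ROLE_GROUPS.get(person["role"], set())
        if extra:
            findings.append((user, f"groups beyond role '{person['role']}': {sorted(extra)}"))
        if groups & PI_GROUPS and not acct["mfa"]:
            findings.append((user, "MFA not enforced on an account with personal-data access"))
        if "domain-admins" in groups and not acct.get("admin_justification"):
            findings.append((user, "admin access without documented business need"))
    return findings
# Constructed sample data: one review run on 10 March 2025.
NOW = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)
ROSTER = {
    "asmith": {"role": "sales", "left": None},
    "bjones": {"role": "hr", "left": None},
    "cwong": {"role": "sales", "left": NOW - timedelta(days=3)},
    "dlee": {"role": "it-admin", "left": None},
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "mfa": True, "groups": ["crm-users"]},
    {"user": "bjones", "enabled": True, "mfa": False, "groups": ["hr-share", "payroll-db", "crm-users"]},
    {"user": "cwong", "enabled": True, "mfa": True, "groups": ["crm-users"]},
    {"user": "dlee", "enabled": True, "mfa": True, "groups": ["domain-admins", "hr-share"]},
    {"user": "scanner", "enabled": True, "mfa": False, "groups": ["hr-share"]},
]
```

Keep each run's output as the record of the annual review; an empty findings list is the evidence that active accounts match active roles.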
Step 3: Encryption and Secure Storage
☐ Laptops encrypted (BitLocker or equivalent); verify encryption status in device management
☐ File shares and cloud storage: verify encryption at rest is enabled
☐ Email: TLS enforced for transport; sensitive attachments not sent unencrypted
☐ Databases containing personal information: encryption at rest confirmed with vendor
☐ Backup storage: encrypted, with immutable retention (see 3-2-1-1-0 backup post)
Step 4: Written Security Policy
☐ Acceptable use policy: what employees may and may not do with company data
☐ Password policy: minimum length, MFA requirement, password manager recommended
☐ AI use policy: what AI tools may receive what categories of data (see our AI policy template)
☐ BYOD policy if personal devices access company data (see our BYOD template)
☐ Policies reviewed annually and signed by new staff at onboarding
Step 5: Breach Notification Under PIPA
PIPA requires notification to the OIPC if a breach poses a real risk of significant harm to individuals, and notification to affected individuals. You need a documented process before an incident occurs.
☐ Incident classification procedure: what triggers a "real risk of significant harm" assessment
☐ Named person responsible for breach notification decisions
☐ OIPC notification template prepared
☐ Individual notification template prepared
☐ Documentation log: every security incident recorded, even those that don't require notification
Step 6: Retention and Destruction
PIPA prohibits keeping personal information longer than necessary for the identified purpose.
☐ Retention schedule documented by data category (e.g., customer records: 7 years from last transaction for CRA purposes, then delete)
☐ Deletion procedure documented: how records are actually destroyed, not just moved to a "deleted" folder
☐ Third-party vendors: confirm their data retention and deletion practices in their service agreements
Step 7: Vendor and Third-Party Obligations
Under PIPA, you remain responsible for personal information transferred to a service provider.
☐ Data processing agreements (DPAs) in place with all vendors who process personal information
☐ Vendor list reviewed annually; dormant SaaS tools removed
☐ Cloud vendors confirmed to store Canadian data in Canada or in jurisdictions with adequate protection
Frequently Asked Questions
Does PIPA apply if I'm a sole proprietor with five clients? Yes. PIPA applies to any private-sector organisation that collects personal information in BC in the course of commercial activity, regardless of size. The OIPC has issued guidance that proportionality applies: a sole proprietor's obligations are simpler in practice, but the obligation exists.
Is PIPA the same as PIPEDA? No. PIPA is BC's provincial privacy law, which has been deemed "substantially similar" to PIPEDA (the federal law) by the federal government. BC-based businesses subject to PIPA generally satisfy their PIPEDA obligations through PIPA compliance. Federal organisations operating in BC remain subject to PIPEDA.
Talk to a Prince George-based IT team about PIPA-ready IT controls: call 672-983-1174 or book a free assessment at northstarit.ca.
Need a PIPA-ready IT setup?
North Star can run a data inventory, tighten access controls, and produce the documentation the OIPC expects to see. Book a free assessment to get started.