PIPA British Columbia

What is PIPA (British Columbia)?


The Personal Information Protection Act (PIPA) is British Columbia’s provincial law governing the collection, use, and disclosure of personal information by private-sector organizations within the province.

PIPA, just like PIPEDA, relies on the same ten principles for handling personal information. These principles are:

  1. Accountability. Organizations are responsible for all personal information they collect, use, or disclose. They must designate a person accountable for overseeing compliance with PIPEDA.

  2. Identifying Purposes. Organizations must specify the purposes for which they collect personal information and obtain an individual’s consent before doing so. The purposes must be reasonable and explained clearly.

  3. Consent. Individual consent is required for organizations to collect, use, or disclose personal information. Consent must be informed, meaningful, and voluntarily given.

  4. Limiting collection. Organizations can only collect personal information that is necessary for the specified purposes. Excessive or irrelevant data collection is prohibited.

  5. Limiting use, disclosure, and retention. Personal information can only be used or disclosed for the purposes for which it was collected, with limited exceptions. Organizations must also promptly and securely dispose of outdated personal information.

  6. Accuracy. Organizations must ensure that personal information is accurate, complete, and up-to-date. Individuals have the right to request corrections to inaccurate information.

  7. Safeguards. Organizations must implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, loss, or theft. These safeguards should be tailored to the sensitivity of the information.

  8. Openness. Organizations must be transparent about their personal information practices. Individuals have the right to access their personal information held by an organization and understand how it is being used.

  9. Individual access. Individuals have the right to request access to their personal information held by an organization and to request corrections to inaccurate information. Organizations must respond to these requests promptly and in a reasonable manner.

  10. Challenging compliance. Individuals have the right to challenge an organization’s compliance with PIPEDA principles. They can submit complaints to the Office of the Privacy Commissioner of Canada or the relevant provincial privacy regulator.

If you comply with PIPEDA, you comply with the PIPA, and vice versa, as the British Columbia provincial law is very similar to the federal one.


MergeBase and PIPA


MergeBase, a company operating from Vancouver, British Columbia, fully complies with PIPA, the Personal Information Protection Act. Although we process very little personal data ourselves, we take the responsibility of protecting any data we process very seriously.

In addition to our commitment to protecting the data we process, we implement the highest standards in protecting our customers’ data. After all, our products and services involve ensuring that our customers’ data is safe!

We achieve this by implementing top-tier cybersecurity standards, ensuring that every piece of data, whether ours or our customers, is protected from unauthorized access, disclosure, or breaches. With MergeBase, you can trust that data security and protection are at the forefront of everything we do.


How Can MergeBase Help You Comply with PIPA?


While our products and services cannot help with all the ten PIPA principles, we can ensure that you meet principles 4, 5, and 7, which emphasize minimizing data collection and retention and enforcing protective measures.

For Principles 4 and 5 (Purpose Limitations, and Limiting Collection and Retention), MergeBase offers support through:

  • Dependency Management. MergeBase aids in pinpointing and eliminating unnecessary or outdated dependencies in applications, diminishing the volume of personal data that could be exposed if vulnerabilities are present.

  • Vulnerability Disclosure. MergeBase’s policies for disclosing vulnerabilities encourage responsible reporting, reducing the exposure of time-sensitive personal data before a fix is implemented.

  • Reduced Data Footprint. MergeBase helps companies meet this principle by decreasing the personal data footprint within applications by targeting vulnerabilities in open-source components, which typically contain less personal information than other code sections.


In supporting Principle 7, which requires organizations to enforce proper safeguards for data security and protection, MergeBase contributes by:

  • Continuous Monitoring. MergeBase’s ongoing scanning for vulnerabilities in open-source components serves as a persistent security measure, actively identifying potential weaknesses before they become exploitable. This proactive stance assists organizations in promptly addressing security issues and safeguarding personal data against unauthorized access.

  • Vulnerability Prioritization. MergeBase assists organizations in sorting vulnerabilities by severity and exploitability, guiding them to concentrate remediation efforts on the most critical threats to personal data security.

  • Patch Management. MergeBase’s vulnerability reports can integrate with patch management tools, facilitating quicker patch application for identified vulnerabilities and shortening the exposure window for personal data.