PIPA BC IT Controls for BC Law Firms: What LSBC and OIPC BC Actually Expect

A regulatory-grade walkthrough of the Personal Information Protection Act of British Columbia (PIPA BC), the Law Society of British Columbia’s 2024 technology-competence commentary, and the IT controls a BC law firm should be able to evidence in a peer review, an insurer questionnaire, or a sophisticated client’s due-diligence ask.

Fusion Computing’s law-firm engagements are tagged to the regulator the firm actually answers to. For a BC firm, that means LSBC and OIPC BC, not the Law Society of Ontario and the federal Privacy Commissioner.

  • PIPA BC aligned: Provincial, not PIPEDA defaults
  • LSBC tech competence: BC Code rule 3.1-2 (March 2024)
  • CISSP-certified: Security leadership
  • OIPC BC ready: Voluntary-reporting playbook in place

Written for BC law-firm leaders, managing partners, and operations leads with a regulatory diligence problem to solve.

Authored by Mike Pearlstein, CISSP, Founder & CEO, Fusion Computing. CISSP-certified, MSc Computer Science (Guelph 2011).
Reviewed and last updated 2026-05-18 · Named in Canada’s 50 Best Managed IT Companies 2024 & 2025.

Why PIPA BC matters more than PIPEDA for a BC law firm

According to BC Laws (2003), the Personal Information Protection Act, SBC 2003, c. 63 was assented to October 23, 2003 and sets the binding private-sector privacy regime for organizations whose commercial activities happen inside BC, displacing PIPEDA for those activities. A BC law firm answering to OIPC BC under PIPA BC is operating against a different regulator and a different breach-notification regime than a Toronto firm under federal PIPEDA.

National privacy guides aimed at Canadian law firms usually default to PIPEDA, the federal Personal Information Protection and Electronic Documents Act administered by the Office of the Privacy Commissioner of Canada (OPC). For a BC-registered law firm advising BC clients on BC matters, that default is the wrong starting point. The relevant statute is the Personal Information Protection Act of British Columbia (PIPA BC), SBC 2003, c. 63, in force since 2004 and administered by the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC).

PIPA BC is the substantially-similar provincial statute that displaces PIPEDA for private-sector organizations whose commercial activities happen inside BC. A BC law firm collecting, using, and disclosing personal information about BC clients for BC matters answers to OIPC BC under PIPA BC, not to the federal OPC under PIPEDA. PIPEDA still applies to two slices of a BC firm’s activity: personal information that crosses provincial or international boundaries during a commercial activity, and personal information held by federally regulated employers about their employees. For most BC law-firm matter-files, the operative regime is provincial.

The practical consequence: the breach-notification mechanics, the privacy commissioner you would actually liaise with, and the rules-of-professional-conduct hooks are all provincial. A BC firm running on a PIPEDA-shaped incident response runbook is documenting against the wrong regulator. Fusion Computing’s BC law-firm engagements are tagged to PIPA BC and OIPC BC by default.

LSBC technology competence: what the March 2024 commentary added

According to the Law Society of British Columbia (2024), in March 2024 the BC Code of Professional Conduct adopted new commentaries [4.1] and [4.2] under rule 3.1-2 (Competence), expressly directing every BC lawyer to develop an understanding of the technology relevant to their practice and to recognize the duty to protect confidential information. The amendment makes technological competence a named element of the BC competence standard.

In March 2024 the Law Society of British Columbia amended the BC Code of Professional Conduct to add new commentaries to rule 3.1-2 (Competence), specifically addressing the level of technological competence required of lawyers. The amendment was published in the LSBC’s March 2024 Member’s Manual update and brings the BC Code more closely in line with the Federation of Law Societies’ Model Code, which has carried a comparable technology-competence commentary for several years.

In substance, the LSBC amendment makes explicit what was already an implied competence obligation: a BC lawyer’s duty of competent representation now expressly extends to the technology used to deliver legal services. That includes understanding the benefits and risks of the technologies the lawyer relies on, the technologies the lawyer’s clients use to communicate, and the technologies the lawyer’s firm uses to store and transmit confidential information. It does not require every lawyer to become a technologist. It does require the lawyer to ask informed questions, exercise reasonable supervision over staff and vendors who handle electronic client information, and stay current with the changing risk landscape.

In practice this means: a BC managing partner cannot delegate technology decisions to an IT vendor and walk away from the file. The lawyer remains responsible for the reasonableness of the choices made in the firm’s name. Documented controls, named policies, and an evidence packet that a peer reviewer or sophisticated client can read on a Monday morning are the only sustainable way to demonstrate competence at scale. For the exact text of the 2024 commentaries, refer directly to the BC Code via the LSBC website at lawsociety.bc.ca.

Practical IT controls a BC firm must document for PIPA BC compliance

According to the Office of the Information and Privacy Commissioner for BC (2024), accountable privacy management in BC organizations requires documented policies for consent, retention, breach response, vendor due diligence, and the reasonable security arrangements PIPA BC names as the core safeguard obligation. The ten control tiles below operationalize that accountability framework for a BC law firm holding solicitor-client privileged material.

  • Documented consent management: Written record of how the firm obtains, records, and respects client consent to collect, use, and disclose personal information, aligned to PIPA BC’s consent provisions. Engagement letter, intake form, and matter-management workflow all in scope.
  • Encrypted client communications: TLS in transit on all firm email, Microsoft Purview Message Encryption available for partner-to-client sensitive transmissions, secure client portal as the default for document exchange instead of unencrypted attachments.
  • Retention and disposal policy: Written matter-retention schedule consistent with LSBC file-retention guidance and PIPA BC’s requirement to destroy or anonymize personal information when the original purpose is fulfilled. Disposal evidence retained.
  • Secure remote work posture: Conditional access blocking unmanaged devices, Entra ID-joined laptops, mandatory MFA on every account, no firm data on personal devices, written acceptable-use policy signed annually.
  • Vendor and cloud due diligence: Written due-diligence file for every cloud vendor handling personal information: data residency, sub-processor list, breach-notification commitments, contractual right to audit. Microsoft 365 tenant region documented.
  • MFA on every privileged account: FIDO2 or authenticator-app MFA on all partner, associate, paralegal, and administrator accounts. No SMS fallback. Conditional access policy enforces MFA on legacy clients and external networks.
  • Incident response runbook tagged PIPA BC: Named runbook with OIPC BC contact, voluntary-reporting playbook, internal escalation tree, evidence-preservation steps, client-notification template, and timelines. Reviewed annually by the managing partner.
  • Audit logging and retention: Microsoft 365 unified audit log retained for at least one year on E3 or longer on E5. SharePoint matter-site access tracked. Mailbox forwarding-rule changes alerted in real time.
  • Sensitivity labels on matter folders: Microsoft Purview sensitivity labels applied to SharePoint matter sites, with auto-labelling for documents containing personal-information patterns. Label-aware Copilot retrieval where the firm is using M365 Copilot.
  • Written AI use policy: Firm-approved list of AI tools, prohibition on pasting client information into consumer ChatGPT or similar, sensitivity-label-aware retrieval for tenant-scoped Copilot, partner sign-off required for any new AI vendor.
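
The audit-logging control above calls for alerts on mailbox forwarding-rule changes. The Python below is an added example, not Fusion Computing's tooling: it scans exported audit records for Exchange operations that set a forwarding destination and separates destinations outside the firm's own domains from internal ones. The sample records and the domain examplelaw.example are constructed, and the record layout (Operation, UserId, ObjectId, Parameters as name/value pairs) is assumed to match the firm's audit export.

```python
import json

# Exchange operations that can create or change mail forwarding.
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Cmdlet parameters that name a forwarding or redirect destination.
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE_LOG = """
{"CreationTime": "2026-05-04T08:12:31", "Operation": "New-InboxRule", "UserId": "paralegal@examplelaw.example", "ObjectId": "paralegal@examplelaw.example", "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "ForwardTo", "Value": "drop@mail.invalid"}]}
{"CreationTime": "2026-05-04T09:40:02", "Operation": "Set-Mailbox", "UserId": "admin@examplelaw.example", "ObjectId": "partner1@examplelaw.example", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:partner2@examplelaw.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2026-05-04T10:05:47", "Operation": "Set-Mailbox", "UserId": "admin@examplelaw.example", "ObjectId": "partner1@examplelaw.example", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": ""}]}
{"CreationTime": "2026-05-04T10:30:10", "Operation": "Set-InboxRule", "UserId": "clerk@examplelaw.example", "ObjectId": "clerk@examplelaw.example", "Parameters": [{"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2026-05-04T11:01:00", "Operation": "MailItemsAccessed", "UserId": "clerk@examplelaw.example", "ObjectId": "clerk@examplelaw.example"}
{"CreationTime": "2026-05-04T11:22:19", "Operation": "New-InboxRule", "UserId": "associate@examplelaw.example", "ObjectId": "associate@examplelaw.example", "Parameters": [{"Name": "RedirectTo", "Value": "a@examplelaw.example;b@other.invalid"}]}
"""


def split_targets(value):
    """Split a parameter value into cleaned, lower-cased destinations."""
    targets = []
    for part in value.replace(",", ";").split(";"):
        part = part.strip().strip('"')
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if part:
            targets.append(part.lower())
    return targets


def find_forwarding_changes(lines, firm_domains):
    """Return one alert per audit record that sets a forwarding destination."""
    firm = {d.lower() for d in firm_domains}

    def is_internal(target):
        # A destination with no SMTP domain cannot be proven internal,
        # so it is treated as external and surfaced for review.
        return "@" in target and target.rsplit("@", 1)[1] in firm

    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in WATCHED_OPS:
            continue
        dests = []
        for param in rec.get("Parameters", []):
            if param.get("Name") in FORWARD_PARAMS:
                dests += split_targets(param.get("Value") or "")
        if not dests:
            continue  # rule change without forwarding, or forwarding cleared
        external = sorted(t for t in dests if not is_internal(t))
        alerts.append({
            "when": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "mailbox": rec.get("ObjectId"),
            "operation": rec["Operation"],
            "destinations": dests,
            "external": external,
            "severity": "high" if external else "review",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_forwarding_changes(SAMPLE_LOG.splitlines(),
                                         {"examplelaw.example"}):
        print(alert["severity"], alert["when"], alert["actor"],
              alert["operation"], "->", ", ".join(alert["destinations"]))
```

Internal forwards are kept at "review" rather than dropped, so the evidence file shows every forwarding change and who made it.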

What PIPA BC actually says about security: The Act requires organizations to protect personal information in their custody or under their control by making “reasonable security arrangements” to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal. “Reasonable” is contextual: it scales with the sensitivity of the information, the foreseeable risks, and the practical measures available. For a BC law firm holding solicitor-client privileged material, the bar is high and the documentation expectation is real. Sources: bclaws.gov.bc.ca, oipc.bc.ca.

If your firm needs a BC-specific control map ready for an LSBC trust-account audit or an OIPC inquiry, talk to a BC-aware law-firm IT specialist.

Cross-border data residency under PIPA BC

PIPA BC requires organizations to obtain consent for the collection, use, and disclosure of personal information, and to make reasonable security arrangements wherever that information is stored. Unlike the public-sector statute (FIPPA, which until recent amendments restricted storage and access outside Canada), PIPA BC does not contain an outright prohibition on storing personal information outside Canada. What it does require is a documented, defensible answer to a client or regulator asking: who has access to this information, where is it stored, and why is that arrangement reasonable.

For a BC law firm using Microsoft 365, the practical answer set is well understood. Microsoft offers Canadian data residency for core M365 workloads (Exchange Online mailboxes, SharePoint Online, OneDrive for Business, Teams chat) at the tenant-region level. A BC firm whose engagement letters commit to Canadian-resident data should select Canada as the tenant data location at sign-up and confirm in writing. Some workloads (telemetry, certain Copilot processing paths, Defender investigation evidence) may still transit US infrastructure, and the firm’s due-diligence file should record what does and does not stay in Canada.

When lawyers reach for US-based AI services directly (consumer ChatGPT, Claude.ai, Gemini), the simpler answer is to prohibit pasting client information into them at all and instead route AI use through a tenant-scoped, sensitivity-label-aware Microsoft Copilot deployment whose retrieval is constrained to the firm’s own SharePoint. For deeper coverage of this pattern see our AI for Canadian law firms guide. For BC-resident backup and disaster recovery, AWS Canada Central (ca-central-1, Montreal) and Microsoft Azure Canada Central (Toronto) are the two regions most BC firms end up using; the firm’s due-diligence file should record which one and why.

OIPC BC breach notification: voluntary today, expected tomorrow

According to the Office of the Information and Privacy Commissioner for BC (2024), voluntary breach notification by private-sector organizations under PIPA BC follows a four-step response framework: containment, risk assessment, notification, and prevention, with reporting strongly encouraged where the breach could reasonably be expected to result in significant harm. The Commissioner has repeatedly called for mandatory private-sector notification to be legislated.

An important regulatory nuance BC firms get wrong: as of writing, PIPA BC does not impose mandatory breach notification on private-sector organizations. That is different from PIPEDA (federally), which has mandatory breach reporting under the “real risk of significant harm” threshold; different from Alberta’s PIPA, which also has mandatory reporting; and different from BC’s public-sector statute (FIPPA), which was amended to add mandatory public-sector breach notification. BC stands as the outlier in the Canadian private-sector privacy landscape on this one specific point.

However, the OIPC BC strongly encourages voluntary reporting as best practice and has published detailed guidance for organizations on when and how to notify. The Commissioner has repeatedly called on the BC government to amend PIPA BC to make notification mandatory, and a comparable amendment is widely expected to land at some point. The defensible posture for a BC law firm is to operate as if mandatory reporting already applies: assess every incident against a documented “real risk of significant harm” standard, notify affected individuals when that threshold is met, voluntarily notify OIPC BC, and retain a complete evidence file.

What to assemble if a breach happens: the date and time of detection, the personal information involved (categories and approximate volumes), the affected individuals (counts if not names), the cause where known, the containment and remediation steps taken, the harm assessment, and the notification decision with reasoning. A BC law firm that can produce this file inside seventy-two hours of detection is in a substantially better position with both the client and the LSBC than one improvising the documentation after the fact. Separately, the LSBC’s own confidentiality and competence rules (BC Code rules 3.3 and 3.1-2) may independently require client notification when privileged or confidential information has been exposed, regardless of the PIPA BC status.

What this costs for a BC law firm

BC law-firm pricing tracks the national Fusion law-firm pricing model. A solo BC practice with one to three staff typically lands at $500 to $900 per month. Mid-sized firms of 3 to 10 lawyers (including paralegals and clerks) typically land at $1,800 to $3,400 per month. Larger 10 to 25-lawyer Vancouver, Victoria, or Lower-Mainland commercial firms typically land at $4,200 to $7,500 per month. Per-lawyer pricing is uniform across BC; there is no Vancouver-downtown surcharge or Victoria-island uplift.

BC-specific cost notes: firms whose engagement letters commit to Canadian-resident data handling typically need Microsoft 365 E3 or E5 for the conditional-access and Purview tooling, and may incur slightly more setup time during onboarding to document the tenant-region selection and backup destination. Firms running heavy cross-border practice (US clients, immigration, securities) often use Microsoft 365 E5 for the conditional-access tier required to manage non-Canadian counsel collaboration safely. Software licensing for BC-tax, BC-conveyancing, or BC-litigation practice tools flows through without Fusion markup. For the full pricing model see our national law-firm IT hub. For a quote scoped to your BC firm size and engagement mix, request a costed scoping conversation.

PIPA BC resources for BC law firms

  • National hub: IT and Cybersecurity for Canadian Law Firms (LSBC + FLSC 3.1-2)
  • City spoke: Vancouver Law Firm IT (Burrard Street to Surrey)
  • AI for Canadian Law Firms: A Privilege-Safe Deployment Guide for 2026
  • Law Society AI Policy Template (Free Download, BC-Adaptable)
  • Microsoft Purview Legal Hold and eDiscovery Cost: A 12-Lawyer Firm Walkthrough
  • Vancouver Accounting Firm IT (sibling BC professional-services page, CPABC + PIPA BC angle)
  • Authoritative: oipc.bc.ca (Office of the Information and Privacy Commissioner for BC)
  • Authoritative: lawsociety.bc.ca (Law Society of British Columbia, BC Code rule 3.1-2)
  • Authoritative: PIPA BC statute (BC Laws, SBC 2003, c. 63)

Field Note from Mike

A Vancouver litigation boutique called us in March 2024 the week the Law Society of BC published the BC Code rule 3.1-2 commentaries [4.1] and [4.2]. Their managing partner wanted to know what voluntary OIPC BC breach reporting actually looked like, given PIPA BC has no mandatory private-sector notification trigger. We built a tiered playbook: triage in 4 hours, OIPC voluntary report draft in 24, client notification in 72. We mapped every Clio matter to a PIPA BC retention class and locked their iManage tenant to a Canadian region. My takeaway: BC is the outlier, so build the playbook BC needs.

“Other vendors quoted us PIPEDA controls and called it done. Fusion was the only firm that knew BC Code rule 3.1-2 commentary [4.2] by heart and built our OIPC BC voluntary breach playbook to match. Our litigation team got back to billable work and our managing partner can now answer LSBC audit questions on the phone without calling a consultant.”

Managing Partner, 22-lawyer litigation boutique, Vancouver.

Talk to a BC-aware law-firm IT specialist

Thirty-minute walk-through of your BC firm’s current stack, the PIPA BC and LSBC 3.1-2 controls you should be able to evidence, and what tagging the engagement to BC instead of Ontario actually changes in practice.


Frequently asked questions about PIPA BC and law-firm IT

Is PIPA BC the same as PIPEDA?

No. PIPA BC is the British Columbia provincial private-sector privacy statute (SBC 2003, c. 63) administered by the Office of the Information and Privacy Commissioner for BC. PIPEDA is the federal Personal Information Protection and Electronic Documents Act administered by the Office of the Privacy Commissioner of Canada. PIPA BC has been designated “substantially similar” to PIPEDA, which means it displaces PIPEDA for most commercial activity inside BC. PIPEDA still applies to BC personal information that crosses provincial or international borders during a commercial activity, and to federally regulated employers. For a BC law firm advising BC clients on BC matters, PIPA BC is the operative regime; a national or Ontario-shaped privacy program is the wrong default.

When does a BC law firm have to report a breach to OIPC BC?

As of writing, PIPA BC does not impose mandatory breach notification on private-sector organizations. Reporting to OIPC BC is voluntary, though the Commissioner strongly recommends it as best practice and has called on the BC government to make it mandatory. The defensible posture is to operate as if mandatory reporting already applies: assess every incident against a “real risk of significant harm” standard (the threshold used federally under PIPEDA), notify affected individuals when that threshold is met, voluntarily report to OIPC BC, and retain a complete evidence file. Separately, the LSBC’s confidentiality and competence rules may require client notification even where PIPA BC does not.

What does the LSBC technology competence commentary actually require?

In March 2024 the Law Society of British Columbia added new commentaries to BC Code rule 3.1-2 (Competence) addressing the level of technological competence required of lawyers, bringing the BC Code closer to the Federation of Law Societies Model Code. In substance, the commentaries make explicit that a lawyer’s competence obligation extends to the technology used to deliver legal services, including understanding the benefits and risks of those technologies and exercising reasonable supervision over staff and vendors who handle electronic client information. The commentaries do not require every lawyer to become a technologist; they do require informed questions, named policies, and a documented evidence trail. For the exact wording, consult the BC Code directly on the LSBC website.

Can a BC law firm use Microsoft 365 if the data center is in the US?

PIPA BC does not prohibit storing personal information outside Canada (unlike BC’s public-sector statute FIPPA, which was historically much more restrictive). What PIPA BC requires is that the organization make reasonable security arrangements wherever the information sits and be able to answer who has access, where it lives, and why the arrangement is reasonable. Microsoft 365 offers Canadian data residency for core workloads (Exchange Online, SharePoint, OneDrive, Teams chat) at the tenant region level.

A BC firm whose engagement letters commit to Canadian-resident data should select Canada as the tenant data location and confirm in writing. Some workloads (telemetry, certain Copilot processing, Defender investigation) may still transit US infrastructure, and the due-diligence file should record what does and does not stay in Canada.

What are “reasonable security arrangements” under PIPA BC?

PIPA BC requires organizations to make reasonable security arrangements to protect personal information against loss and unauthorized access, collection, use, disclosure, copying, modification, or disposal. “Reasonable” is contextual: it scales with the sensitivity of the information, the foreseeable risks, and the practical measures available. For a BC law firm holding solicitor-client privileged material, OIPC BC guidance and industry practice converge on a baseline that includes MFA on every account, conditional access on unmanaged devices, encrypted backup with tested restore, endpoint detection and response (EDR), sensitivity labels on matter folders, documented vendor due diligence, a written incident response runbook, and an audit-logging retention policy.

None of these is novel; the discipline is having all of them documented, active, and reviewed at the same time.

How does this differ from CPABC’s requirements for BC accountants?

The privacy regime is shared: any BC private-sector organization, whether a law firm or a CPA practice, answers to PIPA BC under OIPC BC, not PIPEDA. What differs is the professional regulator and the rules-of-conduct hooks. BC law firms answer to the Law Society of British Columbia under the BC Code, including the 2024 technology-competence commentaries on rule 3.1-2. BC accounting firms answer to Chartered Professional Accountants of British Columbia (CPABC) under the CPABC Code of Professional Conduct, with the CPA Canada national cybersecurity guidance applying equally. For the BC accounting-firm angle see our Vancouver accounting-firm IT page, which covers the CPABC + PIPA BC stack in parallel detail.

What if a BC firm has offices in Alberta or Ontario too?

Multi-province firms face overlapping regimes. A BC office answers to PIPA BC and LSBC. An Alberta office answers to Alberta’s PIPA (substantially similar to BC’s but with mandatory breach notification) and the Law Society of Alberta. An Ontario office answers to PIPEDA (Ontario has no substantially-similar provincial statute for the private sector) and the Law Society of Ontario. In practice, a multi-province firm typically implements the highest common-denominator control set across all offices, then tags the breach-notification runbook, the rules-of-conduct evidence, and the regulator-contact tree by province.

The IT architecture (Microsoft 365 tenant, identity, conditional access, Purview labels) is usually unified; the compliance overlay is province-specific. Most multi-province firms find this less complex in practice than it sounds on paper.
