Our Privacy Policy And Information
Les Twarog & his team respects your privacy. We will never sell, loan, rent, trade or give away your name, email, address or phone number to anyone without your permission, ever. If you have received an e-mail request to update your contact information from Les Twarog, please CLICK HERE to view the privacy policy that "COREX — Card Scan Program" abides by to protect your privacy.

Click Here For RealtorLink Privacy Brochure
How to regain your privacy - doc.

As of January 1, 2004 every private sector organization in British Columbia will be subject to privacy legislation.

If your organization doesn’t have a plan in place for dealing with privacy legislation, you should consult with us soon – 2004 is just around the corner. We can assist your organization with:

  • compliance with legal requirements and the development of policies and practices;
  • reducing exposure to complaints, legal liability and negative publicity; and
  • ongoing practical advice regarding privacy practices, complaints, liability and enforcement issues.

Some practical steps that your organization can take now to be properly prepared on January 1, 2004 are:

  1. Designate responsible individuals. Appoint a Privacy Officer or individual who will bear the responsibility of dealing with privacy matters for the organization, and lead a team to ensure compliance throughout your organization.
  2. Take an Information Inventory. The designated privacy team should take an inventory of all personal information collected, used, and disclosed, as well as information handling, retention and security practices.
  3. Develop Policies and Procedures. Your organization should develop and implement readily available and transparent privacy policies and practices, dealing with:
    • principles of information practices;
    • obtaining consent for the collection, use and disclosure of personal information;
    • how, when and why personal information is collected, used and disclosed;
    • limiting use and disclosure;
    • dealing with appropriate retention and destruction;
    • dealing with requests for access to personal information;
    • accountability;
    • maintaining accuracy and correcting personal information; and
    • implementing safeguards.
  1. Get the Message Out. Develop appropriate documents for disseminating information on privacy policies and obtaining consent, such as customer brochures, a public customer policy, an employee policy, and forms for responding to enquiries and complaints.
  2. Develop a Training Strategy. Train your staff to manage and protect the privacy of personal information.
  3. Follow up. Regularly monitor and review the privacy compliance system to ensure that it is working effectively to secure privacy of personal information and reduce risks to the organization.

If your organization does not properly address concerns about the protection of personal information, it may suffer as a result of lack of consumer confidence, complaints to privacy commissioners, litigation and fines or damages for failing to comply with the legislation.

Privacy compliance does not end with the introduction of policies and procedures into your organization. We can assist you by providing ongoing practical advice regarding privacy issues such as best practices, complaints, liability and enforcement issues.

For more information on how your organization will be affected by privacy legislation, whether private-sector or public-sector, federal or provincial, please contact us.

3000 Royal Centre
1055 West Georgia Street
Vancouver BC
V6E 3R3 Canada

[email protected]


 Private Sector Privacy Briefing

BC’s Personal Information Protection Act (Bill 38)

— as of December 3, 2003 —

The Personal Information Protection Act (“PIPA” or the “Act”) has recently received Royal Assent and will come into force on January 1, 2004.

PIPA governs the collection, use and disclosure of personal information by nearly all private­sector organizations in British Columbia.


PIPA will require nearly all private-sector organizations in British Columbia to, among other things:

(a) designate an individual to be responsible for protecting personal information in the possession or control of the organization;

(b) define the purposes for which the organization collects, uses and discloses personal information;

(c) obtain consent to collect, use or disclose personal information for those defined purposes, except in certain specified circumstances;

(d) give individuals, including employees, access to their personal information; and

(e) create a policy that sets out the manner in which the organization intends to comply with the Act.

Damages and criminal sanctions are available as remedies against organizations that fail to comply with the obligations under the Act.

Relationship with other privacy legislation

PIPA is intended to supplant the application of the federal Personal Information Protection and Electronic Documents Act (the “Federal Act”) for provincial organizations, to the extent they are collecting, using or disclosing personal information within a province. The Federal Act will apply to all organizations across Canada on January 1, 2004 unless replaced by provincial legislation such as PIPA. The Federal Act already applies—and will continue to apply—to the collection, use and disclosure of personal information by federal works and undertakings, including banks, telecommunication companies, etc. Notably, after January 1, 2004, the Federal Act will also

apply to provincial organizations to the extent that they transfer information across provincial (or international) boundaries.

The provincial Freedom of Information and Protection of Privacy Act (“FOIPPA”) continues to govern the collection, use and disclosure of personal information by provincial public bodies.

The provincial Privacy Act maintains the tort of invasion of privacy, which remains independent from the obligations under PIPA.

General Rules

PIPA applies to nearly every collection, use or disclosure of “personal information” within the provincial private sector. Personal information is defined broadly and includes nearly any information about an identifiable individual.

An organization is responsible for personal information under its control. It must designate an individual to be responsible for compliance with the Act, and it must make that individual’s contact information available to the public. An organization must develop and follow a privacy policy that includes a complaint process, among other procedures.

An organization must have a reasonable purpose for the collection, use or disclosure of personal information. That purpose must be defined and explained up front. The organization must obtain consent to collect, use or disclose information for each purpose, except in limited circumstances set out in the Act.

An organization may not collect, use or disclose personal information unless: (a) the individual expressly consents;

(b) the Act deems that consent has been given implicitly; or (c) the Act authorizes the collection without consent.

In every case, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Collection, Use and Disclosure with Consent Express Consent

Ordinarily, an organization must obtain express consent. To do so, an organization must state the purposes for which it is collecting, using or disclosing the information, and obtain the

individual’s consent beforehand. The collection, use or disclosure must be for the stated purposes.

When collecting information, it is critical for an organization to carefully consider the purposes for which it may need to use or disclose the information, and to state those purposes up front. An organization will need to obtain the individual’s consent to use or disclose the information for a new purpose.

Implied Consent

An individual is deemed to consent to the collection, use or disclosure of personal information for a purpose if that purpose is obvious and the individual voluntarily provides the personal information to the organization.

Where the purpose is not obvious, an organization may still collect, use or disclose personal information for specified purposes if:

(a) the organization provides notice of its intention to collect, use or disclose for those purposes;

(b) the individual has a reasonable opportunity to decline or opt out;

(c) the individual does not decline or opt out within the reasonable time provided; and

(d) the collection, use or disclosure is reasonable having regard to the sensitivity of the personal information in the circumstances.

Withdrawal of Consent

An individual may withdraw consent at any time unless it would frustrate a legal obligation. If an individual withdraws consent, an organization must inform the individual of the likely consequences.

Collection, Use and Disclosure without Consent

In certain limited circumstances, personal information may be collected, used or disclosed without consent. Further details on this point can be provided on request.


Work product information is defined to mean information prepared or collected by an individual or group of individuals as part of the individual’s or group’s responsibilities or activities related to their employment or business. It does not include personal information about an individual who


did not prepare or collect the personal information. Work product information is completely exempted from the Act.

Information about employees, including volunteers, is treated differently. An organization may collect, use or disclose employee personal information without consent, provided:

(a) the collection, use or disclosure is reasonably required to establish, manage or terminate an employment relationship; and

(b) the organization notifies the individual beforehand.

In every other case, the employee’s personal information is subject to the ordinary provisions of the Act.

Miscellaneous Access and Correction

An organization must provide an individual, including employees, with the individual’s personal information in its control, as well as the ways it has been used and to whom it has been disclosed. An organization must also provide an individual with the ability to reasonably correct their personal information.

Some exceptions to the general rule of access include:

(a) the information is protected by solicitor-client privilege;

(b) disclosure would reveal confidential information that would reasonably harm the organization’s competitive position;

(c) the personal information was collected without consent for an investigation and the investigation and associated proceedings have not been completed;

(d) circumstances that would result in harm to another individual or reveal personal information about another individual without consent (including the identity of an individual who provided personal information about the individual seeking access);

If one of the exceptions applies, the personal information must still be disclosed if the excepted information can be redacted.

A request for access must be in writing. An organization must respond within 30 days in most circumstances. An organization may require payment of a minimal processing fee for all requests except requests for employee personal information, which are free.


Care and Retention

An organization must take reasonable care to ensure that information it collects is accurate and complete if the information is likely to be used to make a decision that affects the individual, or is likely to be disclosed. An organization must protect personal information in its custody or control by making reasonable security arrangements.

An organization must keep information that it has used to make a decision that directly affects the individual for at least one year after using it. Otherwise, an organization must destroy the personal information or make it anonymous as soon as retention is no longer necessary for legal or business purposes or the purpose for which it was collected.


The Privacy and Information Commissioner of British Columbia has the power to order an organization to give an individual access to his or her personal information, disclose the ways in which the information has been used and to whom it has been disclosed, and require an organization to change its practices and destroy information collected unlawfully. The Commissioner’s orders are subject to judicial review by the Supreme Court of British Columbia if either party wishes to seek a review.

If the Commissioner makes an order resulting from a breach of the Act, an individual is entitled to damages for actual harm suffered as a result of the breach.

Criminal sanctions, including fines of up to $100,000, are available for organizations that retaliate against whistle-blowers, use deception or coercion to collect personal information, dispose of personal information with intent to evade a request for access, or obstruct the commissioner in an investigation.

Click Here For RealtorLink Privacy Brochure