BC OIPC Issues Updated Public Sector Surveillance Guidelines (2026)

In January 2026, the Office of the Information and Privacy Commissioner for British Columbia (“OIPC”) released updated Public Sector Surveillance Guidelines (“Surveillance Guidelines”), replacing the previous 2014 guidelines (“2014 Guidelines”). The Surveillance Guidelines apply to all public bodies subject to the Freedom of Information and Protection of Privacy Act (“FIPPA”), including but not limited to, ministries, local governments, schools, Crown corporations, hospitals, and municipal police forces.

The Surveillance Guidelines helpfully summarize the OIPC’s expectations regarding existing and proposed public-sector surveillance systems, as well as provide some important reminders such as the obligation for public bodies to complete a privacy impact assessment for new initiatives. We summarize the highlights below.

Why the Update?

The Surveillance Guidelines recognize the rapidly evolving technological landscape and accounts for modern forms of surveillance technologies and systems such as facial recognition and artificial intelligence tools. It is in this context that guidance is offered to assist public bodies in assessing whether surveillance systems are lawful and operating in a privacy-protective manner.

New Guidance on Personal Information and Identifiability

The Surveillance Guidelines also provide expanded guidance on what constitutes “personal information” in the surveillance context. The guidance confirms that video and audio recordings of an individual’s image or voice is personal information and distinguishes between “direct” and “indirect” identifiers.

Direct identifiers can identify an individual on their own, such as a facial image. Indirect identifiers may identify an individual when combined with other information, depending on context. The Surveillance Guidelines emphasize that information is personal information where it is reasonably capable of identifying an individual, either alone or in combination with other data. In Order F24-10, for example, the adjudicator found that an observer familiar with certain individuals on the street captured by a recording system on a bus would be able to use contextual information like their facial features, bodies, clothing, location in the city, gait, who (or what pets!) they are with, and/or the fact that they rode the bus to identify them.

Collection of Personal Information under Section 26 of FIPPA

The Surveillance Guidelines provide helpful summaries of the interpretation of various sections and words, including section 26, which is critical in any public body’s assessment of its legal authority to engage in surveillance activities.

Section 26 of FIPPA limits when a public body may collect personal information.

Section 26(b): Purposes of Law Enforcement

In particular, the Surveillance Guidelines reiterate that section 26(b) authorizes collection “for the purposes of law enforcement” only where the public body itself has a common law or statutory law-enforcement mandate. A public body’s interest in reducing crime or assisting police is not sufficient.

Section 26(c): Necessity

Section 26(c) is also featured in the Surveillance Guidelines. To rely on this section, a public body must be able to demonstrate that the personal information it is collecting is for a purpose that is related directly to a defined program or activity that is within the public body’s mandate, and that the personal information the public body collects is necessary (as opposed to helpful or convenient) to achieve that purpose. The OIPC recommends public bodies break down their assessment with respect to whether section 26(c) authorizes a public body to collect personal information into these four steps:

1. Define the relevant program or activity of the public body,
2. Establish that the program or activity falls within the public body’s mandate,
3. Determine whether the personal information the public body seeks to collect is directly related to that program or activity; and
4. Determine whether the collection of personal information is necessary.

The Surveillance Guidelines strongly encourage public bodies relying on section 26(c) to consult the OIPC in early project planning.

OIPC Reminders

In addition to the new and expanded guidance, the Surveillance Guidelines reiterate several key compliance considerations for public bodies using or considering surveillance:

• Privacy impact assessments (PIAs): All public bodies must complete a PIA under section 69(5.3) of FIPPA before implementing a new surveillance initative. The PIA should be completed during the design phase, well before any final decision to proceed, and must assess privacy impacts and describe measures to mitigate identified risks, including the case for surveillance as opposed to other measures. Public bodies are strongly encouraged to consult the OIPC and submit PIAs for review and comment. PIAs must be reviewed annually and updated where operational needs, legal authority, or scope of surveillance changes.  
• Function creep: Personal information collected through surveillance must not be used beyond the original purpose for which it was collected or any purpose that is demonstrably inconsistent with that purpose. Using surveillance footage for a new or unrelated purpose, such as installing cameras for security but later using recordings to audit employee attendance, may constitute “function creep” and contravene FIPPA.
• Freedom of information request capacity: Public bodies must have trained employees, sufficient human resources, technical capacity, and appropriate policies and procedures to search, review, sever or exempt information, and respond to access requests within FIPPA’s timelines before commencing surveillance.
• Oversight and enforcement: The OIPC may investigate or audit a public body’s surveillance systems under section 42(1)(a) to ensure compliance with FIPPA.

Surveillance Road Map

The new Surveillance Guidelines include a “Road Map” setting out key considerations for public bodies assessing whether to implement surveillance systems. While elements of this guidance appeared in the 2014 Guidelines, the Road Map consolidates and updates those considerations and expectations into a single framework. Public bodies with existing or proposed surveillance systems should review the Road Map to ensure alignment with the Privacy Commissioner’s current expectations.

For more information about this article, please contact your Harris lawyer.