Compliance Reference · Construction · BC

Construction Compliance in British Columbia: Safety, Liens, Payment, and IT Security Requirements

Q: Who enforces construction compliance in BC?

WorkSafeBC enforces the Workers Compensation Act and BC Occupational Health and Safety Regulation. The BC Building and Safety Standards Branch administers the BC Building Code. BC Housing administers the Homeowner Protection Act and residential builder licensing. Courts adjudicate Builders Lien Act claims. OIPC BC enforces BC PIPA.

Q: Does Hexafusion provide legal advice?

No. Hexafusion is an IT services provider, not a law firm or compliance advisory firm. We implement and document the technical controls that support your regulatory obligations. Consult qualified counsel and your safety officer for compliance advice.

Q: How do IT controls map to construction compliance rules?

Digital safety records, incident logs, project records, payroll data, lien records, and employee training documentation need reliable retention, access control, and backups to meet WorkSafeBC, Builders Lien Act, and prompt payment obligations.

Q: How does construction compliance overlap with cyber insurance?

Cyber insurance underwriters require multi-factor authentication, endpoint detection and response, tested backups, phishing training, an incident response plan, and documented patching. These controls also support payroll confidentiality, project data protection, and general privacy obligations.

Q: What records must my construction business retain?

WorkSafeBC sets retention expectations for safety records and incident investigations. The Builders Lien Act and Prompt Payment Act drive retention of project and invoice records. CRA requires six-year retention of books and records. Confirm specific durations with each regulator.

Q: Is the BC Prompt Payment Act in force?

The BC Prompt Payment Act has been moving through the legislative process. Status as of early 2026, verify current wording and whether it has been proclaimed in force with the BC government and qualified counsel.

This is a reference guide for BC construction businesses summarising the federal, provincial, and sector-specific regulatory frameworks that shape worker safety, project documentation, lien rights, and prompt payment. Hexafusion is an IT services partner, not a legal advisor or safety consultant. Confirm current obligations with WorkSafeBC, BC Housing, qualified counsel, and your safety officer.

Federal regulatory framework

Area	Statute or Regulator	IT relevance
Privacy (federal)	PIPEDA, OPC	Safeguards for cross-border and federally regulated project data.
Cybercrime	Criminal Code, ss. 342.1 and 430(1.1)	Unauthorised computer access and mischief to data, including estimating systems.
Tax records	Income Tax Act, s. 230, CRA	Six-year retention and T5018 contractor reporting.
Hazardous products	Hazardous Products Act, WHMIS 2015	Safety data sheet repositories and training records.
Dangerous goods	Transportation of Dangerous Goods Act	Shipping record retention for fuel, paints, and controlled materials.
Anti-spam	CASL	Consent for marketing to past clients and trade partners.

BC provincial framework

Area	Statute or Regulator	IT relevance
Privacy (provincial)	BC PIPA, OIPC BC	Employee and customer personal information.
Employment	BC Employment Standards Act	Payroll and hours records for trades and admin staff.
Workplace safety	Workers Compensation Act, BC OHS Regulation, WorkSafeBC	Incident investigation, safety programme, training records.
Human rights	BC Human Rights Code	Accommodation and harassment complaint records.
Corporate	BC Business Corporations Act	Registers and minute books.
Consumer protection	Business Practices and Consumer Protection Act	Contract disclosures for residential work.
Premises liability	Occupiers Liability Act	Site control, visitor logs, surveillance retention.
Environment	Environmental Management Act	Spill reporting and contaminated soil records.

Construction-specific regulators and statutes

BC construction businesses operate under a dense layer of sector-specific rules. The key reference points are summarised below.

WorkSafeBC. The WorkSafeBC regulator administers the Workers Compensation Act and the BC Occupational Health and Safety Regulation, which govern safety programmes, prime contractor obligations, incident investigation, toolbox meetings, fall protection, confined space, and many other construction-specific controls.
BC Building Code. Adopted under the Building Act (BC), the Code sets minimum standards for construction. Municipal building bylaws layer on top. Digital plan records and inspection correspondence need reliable retention.
Builders Lien Act (BC). Sets out lien rights, holdbacks, and filing timelines. Project accounting systems need to produce accurate holdback ledgers and lien-relevant documentation on demand.
BC Prompt Payment Act. Moving through the legislative process to introduce statutory timelines for invoice payment and dispute resolution. Status as of early 2026, verify current wording and whether it has been proclaimed in force.
Homeowner Protection Act and BC Housing. Residential builders must be licensed with BC Housing. Home warranty records are part of the compliance evidence set.
Industry Training Authority / SkilledTradesBC. Apprentice records and certification tracking.
Construction contracts. Commonly written on CCDC or CCA standard forms, which shape documentation expectations for change orders, notices, and dispute resolution.

Cross-cutting frameworks

PCI DSS for card-based deposits on residential work.
NIST Cybersecurity Framework and CIS Controls as benchmarks.
SOC 2 as due diligence for cloud construction management vendors.
Cyber insurance underwriter expectations. Multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and patching.
Surety and bonding providers increasingly ask cybersecurity questions as part of underwriting.

Construction businesses have an unusually distributed IT footprint: head office accounting, site office trailers, tablets at the fence, subcontractor networks, and cloud project management platforms that stitch the whole picture together. That distribution is also the compliance challenge, because the same safety, lien, and payment records that regulators and courts care about sit across all of those places. The cyber insurance baseline (multi-factor authentication, endpoint detection and response, tested backups, phishing training, a written incident response plan, and documented patching) applies regardless of whether the endpoint is a head-office workstation or a site tablet. Field device management, lost device response, and data-at-rest encryption are especially important because site hardware is the most likely to walk.

How IT controls map to the regulatory stack

Retention schedules for safety records, project files, subcontract agreements, and payroll, aligned with WorkSafeBC, CRA, and Builders Lien Act expectations.
Access logs for project management and estimating systems, with role separation between estimators, PMs, and finance.
Encryption at rest and in transit on laptops, site tablets, and project management cloud accounts.
Written breach response plan aligned with PIPEDA and BC PIPA, including consideration of job-site data capture.
Tested backups and disaster recovery for accounting, project management, and BIM data.
MDR, EDR, MFA, and patching across head office and field endpoints.

Construction firms that handle these controls well tend to do a few things consistently. They treat the fleet of site tablets and laptops as a single managed estate rather than a collection of ad-hoc devices, which means every endpoint has disk encryption, an EDR agent, a known patching schedule, and a remote-wipe path if it goes missing. They consolidate project files into a single cloud document management platform rather than scattering them across personal email and whichever cloud storage the site super happens to prefer. They tie retention schedules to actual project milestones rather than to a general-purpose policy, so safety records, lien-relevant documentation, and subcontractor agreements are preserved as long as they matter. And they document the compliance-facing parts of their IT environment in a way that can be handed to a surety, a cyber insurer, or a WorkSafeBC officer without a week of scrambling.

When WorkSafeBC opens an incident investigation, the records request typically covers the safety programme, training records, supervisor reports, and the incident investigation file itself. When a lien claim lands, the project accounting records need to answer questions about holdbacks, progress draws, and payment timing. When a surety or cyber insurer asks questions at renewal, the answers depend on the same underlying IT controls. Treating site IT, head-office IT, and cloud project management as one compliance-aware programme reduces duplication and the risk that one gap becomes a finding across multiple review processes.

Where Hexafusion fits

Hexafusion operationalizes the IT controls that support BC construction businesses' regulatory and commercial obligations. That includes project management infrastructure, accounting platform hardening, field device management, backup and disaster recovery for estimating and BIM data, and the written documentation that supports WorkSafeBC audits, insurer underwriting, and surety requests. Our founder's PCI DSS Internal Security Assessor background informs how we structure evidence for third-party review.

We do not interpret the Workers Compensation Act, do not act as your safety officer, and do not advise on lien procedures. Those roles belong to qualified safety professionals, counsel, and your bonding broker.

Common questions from BC construction firms at the intake stage include how to manage site tablets against loss and theft, how to run a single cloud project management platform that the field actually uses, how to segregate financial records and holdback ledgers for lien defence, and how to respond to the cybersecurity questionnaires that sureties and general contractors now push down the supply chain. Each question has a technical answer that flows from a well-governed managed IT environment, which reduces the improvisation that tends to dominate compliance responses in busy construction seasons.

Related compliance resources

Frequently Asked Questions

Who enforces construction compliance in BC?
WorkSafeBC enforces the Workers Compensation Act and OHS Regulation. The BC Building and Safety Standards Branch administers the Building Code. BC Housing handles residential builder licensing. Courts adjudicate Builders Lien Act claims.

Does Hexafusion provide legal advice?
No. We are an IT services provider. Legal and safety advice belong to counsel and qualified safety professionals.

How do IT controls map to construction compliance rules?
Digital safety records, incident logs, project files, payroll, lien records, and training documentation need reliable retention, access control, and backups.

How does construction compliance overlap with cyber insurance?
Insurers require multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and patching. These also protect payroll and project data.

What records must my construction business retain?
WorkSafeBC sets safety record expectations. Builders Lien Act and prompt payment rules drive project and invoice retention. CRA requires six-year retention. Confirm durations with each regulator.

Is the BC Prompt Payment Act in force?
Status as of early 2026, the legislation has been moving through the legislative process. Verify current wording and in-force status with the BC government and qualified counsel.

Disclaimer

This reference guide provides general regulatory context for BC-based construction businesses. It is not legal or compliance advice. Confirm current requirements with WorkSafeBC, BC Housing, qualified counsel, and your safety officer. Hexafusion is an IT services provider and does not provide legal advice. Administrative monetary penalties apply up to statutory maximums; confirm current amounts with the regulator.

Other compliance reference pages

Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).

Need help with the IT side of compliance?

Request a scoped assessment. We review your technical safeguards against the evidence an assessor, regulator, or insurer expects, and deliver a written report.

Request a scoped assessment