Alberta revises reporting process for privacy breaches in the private sector

The Office of the Information and Privacy Commissioner of Alberta ("OIPC") has updated its procedure for processing privacy breach notifications under the Personal Information Protection Act (Alberta) ("PIPA") and associated Personal Information Protection Act Regulation ("PIPA Regulation"). The new process took effect on April 1, 2024 and applies to all open files relating to a PIPA breach.

Key changes to the OIPC's breach notification process include the following:

• The OIPC will follow an expedited process to prioritize processing of PIPA breach files involving a real risk of significant harm (RROSH), but where the organization has not notified affected individuals or when notice to affected individuals does not meet the requirements of the PIPA Regulation.
• The OIPC will now issue breach notification decisions only for PIPA breaches involving a RROSH, if the organization has not notified affected individuals or when the notice does not meet the requirements of the PIPA Regulation.
• Organizations who reported a PIPA breach to the OIPC and proactively notified individuals in accordance with the PIPA Regulation will receive a closing letter rather than a breach notification decision.
• The OIPC will no longer publish all breach notification decisions involving a RROSH. Breach notification decisions, in whole or in part, may be published at the Commissioner's discretion. Previously, the OIPC issued all PIPA breaches involving a RROSH, which will remain available on the OIPC website.
• The OIPC has released a new form for use in notifying the OIPC of PIPA breaches. The form assists organizations to notify the OIPC in accordance with the requirements under the PIPA Regulation. Breaches under Health Information Act and Freedom of Information and Protection of Privacy Act are reported under a separate form.

The revised process follows the OIPC's report issued July 2022 and intends to facilitate timely resolution of PIPA breach files, to reduce backlogs in processing PIPA breach files and to enable the OIPC to prioritize breach files requiring additional attention.

If you have additional questions regarding the revised breach notification process in Alberta, please contact a member of our Cyber Security and Data Protection Group.