Keeping a Privacy Breach Private? OIPC Provides Incentive for Organizations to Notify Individuals Affected by a Privacy Breach
On April 1, 2024, the Office of the Information and Privacy Commissioner of Alberta (OIPC) implemented new procedures for processing privacy breach notifications received by the OIPC pursuant to Alberta’s Personal Information Protection Act (“PIPA”).[1]
The new process gives employers an added incentive to provide prompt and proper notice of privacy breaches to affected individuals before being required to do so by the OIPC.
Privacy Breach Notification Provisions Under PIPA
PIPA governs the collection, use and disclosure of personal information by private sector organizations in Alberta. Under the Act, organizations are required to notify the OIPC, without unreasonable delay, when a privacy breach occurs where a reasonable person would consider that there is a real risk of significant harm (RROSH) to the affected individuals, such as identity theft, financial fraud, humiliation, or reputational harm.[2]
After a privacy breach has been reported to the OIPC, the Commissioner determines whether or not an organization is required to notify affected individuals of the breach. Prior to the process changes implemented on April 1, the OIPC published a Breach Notification Decision to the Commissioner’s website for every privacy breach reported to the Commissioner where there was a RROSH – regardless of whether or not the organization had taken the initiative to notify affected individuals before being directed to do so by the Commissioner.
The process of issuing a decision for every privacy breach where there was a RROSH caused a backlog in processing privacy breach files and delay in addressing the cases that required intervention by the OIPC.
New Procedure for Breach Notifications
Under the new process implemented last month, organizations are still required to report privacy breaches involving a RROSH without unreasonable delay. However, where the organization does not provide sufficient detail about the privacy breach or fails to comply with the notice requirements as set out in the regulations, the OIPC will not be considered to have received notice. A failure to provide notice of a privacy breach to the OIPC is an offence.[3]
Notice provided to the Commissioner must be in writing and must include the following information:
- a description of the circumstances of the privacy breach;
- the date on which or time period during which the privacy breach occurred;
- a description of the personal information involved in the privacy breach;
- an assessment of the risk of harm to individuals as a result of the privacy breach;
- an estimate of the number of individuals to whom there is a RROSH as a result of the privacy breach;
- a description of any steps the organization has taken to reduce the risk of harm to individuals;
- a description of any steps the organization has taken to notify individuals of the privacy breach; and
- the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the privacy breach.[4]
To assist organizations in reporting a privacy breach to the Commissioner, the OIPC has published the PIPA Privacy Breach Notification Form on its website.
Although all privacy breaches must still be reported to the OIPC, Breach Notification Decisions will only be issued when an organization has not notified affected individuals of a privacy breach posing a RROSH or when notice to affected individuals does not meet the requirements as set out in the regulations.[5]
While the OIPC may still publish Breach Notification Decisions, either in full or abridged form, the practice of publishing all Breach Notification Decisions has ceased. Instead, the OIPC intends to publish summaries and statistical information to inform Albertans of new incidents and trends. All Breach Notification Decisions published historically will remain on the OIPC website.
Key Takeaways for Employers
Under the new breach notification procedures, employers are still required to report privacy breaches to the OIPC without unreasonable delay where there is a RROSH to affected individuals. The OIPC has emphasized that this notice must comply with the regulations in order to avoid requests for additional information from the Commissioner or else liability under PIPA for failing to provide notice.
The new process provides employers with an added incentive to provide prompt and proper notice to individuals affected by a privacy breach where there is a RROSH. Rather than waiting to be directed to do so by the Commissioner, an organization can avoid a written and published Breach Notification Decision by pre-emptively providing notice to affected individuals. Again, however, the notice provided to affected individuals must comply with the requirements of the regulations in order to reap this benefit. As such, if an organization experiences a privacy breach, employers should consider whether it is to their benefit to notify affected individuals immediately, rather than wait for direction from the OIPC.
If you are an employer and require any additional guidance on how these process changes, or PIPA generally, apply to your organization, do not hesitate to contact a member of our Labour & Employment Group at the Calgary office.
[1] SA 2003, c P-6.5 [PIPA].
[2] PIPA, s 34.1. A privacy breach occurs when there is the loss of, unauthorized access to, or disclosure of personal information. In the employment context, privacy breaches may include the inadvertent disclosure of confidential employee records or the unauthorized access of employee personnel files, for example.
[3] PIPA, s 59(1)(e.1).
[4] See Personal Information Protection Act Regulation, s 19 [PIPA Regulation].
[5] See PIPA Regulation, s 19.1. Notice of a privacy breach to an affected individual requires the same information as notice to the OIPC, except for an estimate of the number of individuals affected and the steps taken to notify the affected individuals.