The latest amendment to Alberta’s Personal Information Protection Act (PIPA), which came into force on May 1, 2010, may require organizations governed by the legislation to notify the Information and Privacy Commissioner (Commissioner) of a breach of the security of personal information they collected. This mandatory breach notification requirement is the first such law in Canada.
Under the amended PIPA, organizations are required to report a breach to the Commissioner if a reasonable person would consider that a real risk of significant harm to an individual exists as a result of the breach. A “real” risk is a genuine risk and not merely a hypothetical one, and “significant” harm is a material harm that has non-trivial consequences. In addition, the Commissioner will have the power to require an organization to notify affected individuals of a breach that meets this threshold of harm, even where the organization itself has not notified the Commissioner of the breach. Nevertheless, organizations may adopt the practice of notifying affected individuals when their privacy has been compromised, even if the incident does not give rise to a real risk of significant harm.
Another notable change relates to the use of service providers outside Canada. Specifically, organizations that transfer collected personal information to a service provider outside Canada must notify individuals how to obtain information about the organizations’ practices and policies with respect to the service provider.
Similar mandatory notification provisions are being considered for the federal private-sector legislation, the Personal Information Protection and Electronic Documents Act.
For further information on the amendments to PIPA and its Regulation, see:
PIPA Information Sheet 10,
PIPA Information Sheet 11, and
PIPA Information Sheet 12.
Summary by: Janet Chong
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.