In preparing compliance manuals, some foreign e-commerce businesses entering into Canada may ask about their mandatory privacy breach notification responsibilities.
So, what’s the situation in Canada? Today’s post will describe the mandatory breach notification provisions in the Personal Information Protection Act (Alberta). Tomorrow’s post will describe the test used by the Alberta Privacy Commissioner for determining whether individual notification is required. Friday’s post will describe the offences for failing to make the required notification. Future posts will outline the proposed mandatory breach notification provisions for the Personal Information Protection and Electronic Documents Act (Canada), compare these provisions with those in selected U.S. and European jurisdictions, describe mandatory breach notification provisions relating to personal health information, and comment on the legal case for voluntary breach notification for all types of personal information in Canada.
Caution: This series of posts provides general information about the mandatory breach notification provisions. If your organization has had a privacy breach, you should seek legal advice about your situation to ensure you meet your legal responsibilities.
In May 2010, the Province of Alberta was the first jurisdiction in Canada to enact mandatory breach notification provisions. As of February 1, 2012, Alberta remains the only jurisdiction in Canada that has enacted mandatory breach notification provisions governing personal information (leaving aside special legislation governing personal health information).
The Personal Information Protection Act (Alberta) uses a harm-based threshold for determining whether privacy breach disclosure is required. Pursuant to subsection 34.1(1) of the Alberta Act, an organization must provide notice to the Alberta Privacy Commissioner of any incident involving (i) the loss of or (ii) the unauthorized access to or (iii) the disclosure of personal information if a “reasonable person” would consider that there exists a “real risk of significant harm” to an individual as a result of the privacy breach.
If the harm-based threshold is met, the Alberta Privacy Regulations provide that the organization must advise the Alberta Privacy Commissioner in writing of the following information:
- a description of the circumstances of the loss or unauthorized access or disclosure;
- the date on which or the time period during which the loss or unauthorized access or disclosure occurred;
- a description of the personal information involved in the loss or unauthorized access or disclosure;
- an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
- an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
- a description of any steps the organization has taken to reduce the risk of harm to individuals;
- a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
- the name of and contact information for a person who can answer the Alberta Privacy Commissioner’s questions about the loss or unauthorized access or disclosure.
Following notification, the Alberta Privacy Commissioner may require that the organization notify an individual who may be subject to a real risk of significant harm as a result of the privacy breach. If notification is required, the notification must generally be direct (as opposed to indirect notification through news releases or other general communications). However, the Alberta Privacy Commissioner may permit indirect notification if direct notification would be unreasonable.
The Alberta Privacy Regulations provide that the notice to individuals must include the following information:
- a description of the circumstances of the loss or unauthorized access or disclosure,
- the date on which or the time period during which the loss or unauthorized access or disclosure occurred,
- a description of the personal information involved in the loss or unauthorized access or disclosure,
- a description of any steps the organization has taken to reduce the risk of harm, and
- contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure.
In my next post in this series, I’ll discuss the factors that the Alberta Privacy Commissioner considers in evaluating whether notification is required.
