
New Data Breach Requirements

October 1, 2010

In light of a number of high-profile data breaches involving personal information of consumers, new mandatory data breach notification requirements have been passed in Alberta, requiring organizations to notify the Privacy Commissioner in the case of such a breach.  In addition, amendments have been introduced (not yet passed) at the federal level that include a data breach notification reporting regime.

Requirements under PIPA Alberta

Amendments to Alberta’s Personal Information Protection Act, which came into force in May 2010, make it an offence for an organization to fail to provide notice to the Office of the Information and Privacy Commissioner [OIPC] of a breach where there is a real risk of significant harm to an individual. 

Specifically, organizations are required to, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.

Notice to the Commissioner must be in writing and include the following: 

  • a description of the circumstances of the loss or unauthorized access or disclosure;
  • the date on which or time period during which the loss or unauthorized access or disclosure occurred;
  • a description of the personal information involved in the loss or unauthorized access or disclosure;
  • an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
  • an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
  • a description of any steps the organization has taken to reduce the risk of harm to individuals;
  • a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
  • the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the loss or unauthorized access or disclosure.

The OIPC may subsequently require organizations to notify affected individuals of the breach.  The notice must be given directly, although it may be given to the individual indirectly if the Commissioner determines "that direct notification would be unreasonable in the circumstances."  

Notification to affected individuals must include: 

  • a description of the circumstances of the loss or unauthorized access or disclosure;
  • the date on which or time period during which the loss or unauthorized access or disclosure occurred;
  • a description of the personal information involved in the loss or unauthorized access or disclosure;
  • a description of any steps the organization has taken to reduce the risk of harm; and
  • contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure.

Proposed Amendments to PIPEDA

Similar amendments have been proposed at the federal level.  Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act [PIPEDA], includes a requirement to report “any material breach of security safeguards involving personal information under its control” but these amendments are not yet in force.

*   *   *

This article was originally published in Heenan Blaikie's Canadian Marketing, Advertising and Regulatory Law Update, Issue 9, October 2010.

Topics: Breach Notification; Legislation; PIPA Alberta