This Bulletin serves as a reminder of the new privacy breach notification requirements under Alberta's private sector privacy legislation, the Personal Information and Privacy Act (PIPA).

Recent amendments[1] to PIPA require mandatory reporting of the unauthorized disclosure of personal information if "a reasonable person would consider that there exists a real risk of significant harm" that may arise from that loss of information. In those circumstances, PIPA requires reporting of the incident to the Alberta Privacy Commissioner, in accordance with the Regulations. The Commissioner in turn decides whether affected individuals must be given notice in accordance with the Regulations, and may also impose additional requirements.

Of course, a business that suffers a loss of personal information might realize right away that the privacy breach or loss of personal information is serious, in which case it should also consider notifying affected individuals directly.

Note that it is an offence to fail to report to the Alberta Privacy Commissioner when a "real risk of significant harm" does arise. Such failure may in turn expose an organization to orders from the Commissioner, fines and liability for damages.

In addition to the mandatory notification, and in order to assist organizations that have suffered a privacy breach, the Alberta Privacy Commissioner also encourages reporting of all breaches, so that the assessment of whether a "real risk of significant harm" arises is made by the Commissioner. The Commissioner has also now issued decisions and other guidance on what constitutes a "real risk of significant harm".

In the event a privacy breach is detected, and personal information has been disclosed without authorization, step one is always to contain the breach immediately (that is, to stop the disclosure of information). However, at the same time, or shortly thereafter, it is important to carefully evaluate the harm that disclosure of such information may cause to affected individuals. This assessment should take into account such factors as the number of people affected, the sensitivity of the personal information released, the foreseeable consequences of its disclosure and the nature of the harm that individuals might suffer from the disclosure of their personal information.

If the ultimate evaluation is that there is no "real risk of significant harm", it might not be necessary to provide the Alberta Privacy Commissioner with notice of the breach. However, it is also important to evaluate the consequences and risk of that approach, particularly if it is later determined that there was a "real risk of significant harm", or if an affected individual later complains to the Privacy Commissioner and an investigation is commenced. Regardless, any analysis and reasoning undertaken in this respect should be thoroughly documented in the event that such a decision must later be defended or explained to the Privacy Commissioner, affected individuals, or even to the media.

As a result, in order to effectively deal with breach notification requirements, organizations should set up procedures to manage their risk in the event of a suspected privacy breach before one occurs.

Further resources can be found on the Alberta Privacy Commissioner's website.

Footnote

[1] Sec. 34.1, in force 01 May, 2010.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.