This Bulletin serves as a reminder of the new privacy breach
notification requirements under Alberta's private sector
privacy legislation, the Personal Information and Privacy

Recent amendments to PIPA require mandatory
reporting of the unauthorized disclosure of personal information if
"a reasonable person would consider that there exists a
real risk of significant harm" that may arise from that
loss of information. In those circumstances PIPA requires reporting
of the incident to the Alberta Privacy Commissioner, in accordance
with the Regulations. The Commissioner in turn decides whether
affected individuals must be given notice in accordance with the
Regulations, and may also impose additional requirements.

Of course, a business that suffers a loss of personal
information might realize right away that the privacy breach or
loss of personal information is serious, in which case it should
also consider notifying affected individuals directly.

Note that it is an offence to fail to report to the Alberta
Privacy Commissioner when a "real risk of significant
harm" does arise. Such failure may in turn expose an
organization to orders from the Commissioner, fines and liability

In addition to the mandatory notification, and in order to
assist organizations that have suffered a privacy breach, the
Alberta Privacy Commissioner also encourages reporting of
all breaches, so that the assessment of whether a
"real risk of significant harm" arises is made by
the Commissioner. The Commissioner has also now issued decisions
and other guidance on what constitutes a "real risk of

In the event a privacy breach is detected, and personal
information has been disclosed without authorization, step one is
always to contain the breach immediately (that is, to stop the
disclosure of information). However, at the same time, or shortly
thereafter, it is important to carefully evaluate the harm that
disclosure of such information may cause to affected individuals.
This assessment should take into account such factors as the number
of people affected, the sensitivity of the personal information
released, the foreseeable consequences of its disclosure and the
nature of the harm that individuals might suffer from the
disclosure of their personal information.

If the ultimate evaluation is that there is no "real
risk of significant harm", it might not be necessary to
provide the Alberta Privacy Commissioner with notice of the breach.
However, it is also important to evaluate the consequences and risk
of that approach, particularly if it is later determined that there
was a "real risk of significant harm", or if an
affected individual later complains to the Privacy Commissioner and
an investigation is commenced. Regardless, any analysis and
reasoning undertaken in this respect should be thoroughly
documented in the event that such a decision must later be defended
or explained to the Privacy Commissioner, affected individuals, or
even to the media.

As a result, in order to effectively deal with breach
notification requirements, organizations should set up procedures
to manage their risk in the event of a suspected privacy breach
before one occurs.

Further resources can be found on the Alberta Privacy