Amendments to the Personal Information Protection Act (PIPA) were proclaimed in force on May 1, 2010, and a new requirement for organizations to notify the Information and Privacy Commissioner of incidents “involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual” was added. PIPA was also amended to give the Commissioner the power to require organizations to notify individuals to whom there is a real risk of significant harm as a result of such an incident. Note that this is the provincial PIPA legislation and not the federal PIPEDA.
Personal Information Protection and Electronic Documents Act:
PIPEDA is a federal Canadian law on the topic of data privacy. It governs how private-sector companies may collect, use and disclose personal information. The Act also contains provisions to facilitate the use of electronic documents. PIPEDA was passed in the late 90s to promote consumer trust in electronic commerce, and to assure other governments that Canadian privacy laws were strong enough to protect the personal information of citizens of other nations.
“Personal Information” is specified as information about an identifiable individual, not including the name, title, business address or telephone number of an employee of an organization.
Personal Information Protection Act (PIPA)
Enacted in Jan 1, 2004. PIPA requires all private sector organizations in British Columbia and Alberta to comply with rules respecting:
- What personal information can be collected from individuals (including customers, clients and employees).
- When consent is required to collect personal information and how consent is obtained.
- What notice must be provided before personal information is collected.
- How personal information may be used or disclosed.
- Other provinces are expected to enact similar laws.
Section 37.1(3) of PIPA requires the Commissioner to establish an expedited process for determining whether to require an organization to notify individuals in circumstances where the real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure is obvious and immediate. The Commissioner’s process is set out here.
The following resources are available on the OIPC website to assist organizations in complying with the new provisions, including:
- Reporting a Breach to the Commissioner, which sets out the minimum requirements for what must be included in a Report to the Commissioner,
- Breach Report Form, which can be used to submit a report to the Commissioner,
- Notifying Affected Individuals, which sets out the minimum requirements for what must be included in a notice to individuals of a breach, and
- Key Steps in Responding to Privacy Breaches, which provides guidance to organizations for dealing with a security breach.
Additional resources are also available on the Access and Privacy, Service Alberta website at www.pipa.alberta.ca, including Information Sheet 11: Notification of a Security Breach.