New breach notification requirements in effect in Canada

From the Office of the Privacy Commissioner of Alberta:

Amendments to the Personal Information Protection Act (PIPA) were proclaimed in force on May 1, 2010, and added a new requirement for organizations to notify the Information and Privacy Commissioner of incidents “involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual.” PIPA was also amended to give the Commissioner the power to require organizations to notify individuals to whom there is a real risk of significant harm as a result of such an incident.

Section 37.1(3) of PIPA requires the Commissioner to establish an expedited process for determining whether to require an organization to notify individuals in circumstances where the real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure is obvious and immediate. The Commissioner’s process is set out here.

The following resources are available on the OIPC website to assist organizations in complying with the new provisions, including:

Additional resources are also available on the Access and Privacy, Service Alberta website at, including Information Sheet 11: Notification of a Security Breach.

Thanks to the reader who sent in this link.

About the author: Dissent

Comments are closed.