New breach notification requirements in effect in Canada
From the Office of the Privacy Commissioner of Alberta:
Amendments to the Personal Information Protection Act (PIPA) were proclaimed in force on May 1, 2010, and added a new requirement for organizations to notify the Information and Privacy Commissioner of incidents “involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual.” PIPA was also amended to give the Commissioner the power to require organizations to notify individuals to whom there is a real risk of significant harm as a result of such an incident.
Section 37.1(3) of PIPA requires the Commissioner to establish an expedited process for determining whether to require an organization to notify individuals in circumstances where the real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure is obvious and immediate. The Commissioner’s process is set out here.
The following resources are available on the OIPC website to assist organizations in complying with the new provisions, including:
- Reporting a Breach to the Commissioner, which sets out the minimum requirements for what must be included in a Report to the Commissioner,
- Breach Report Form, which can be used to submit a report to the Commissioner,
- Notifying Affected Individuals, which sets out the minimum requirements for what must be included in a notice to individuals of a breach, and
- Key Steps in Responding to Privacy Breaches, which provides guidance to organizations for dealing with a security breach.
Additional resources are also available on the Access and Privacy, Service Alberta website at www.pipa.alberta.ca, including Information Sheet 11: Notification of a Security Breach.
Thanks to the reader who sent in this link.