Alberta Privacy Office Enhances Procedures for Investigations and Breach Notifications
Alberta's privacy watchdog has overhauled its internal processes in a bid to tackle backlogs and expedite response times. The Office of the Information and Privacy Commissioner of Alberta (the "Alberta OIPC") announced the changes on its website on April 15, 2024 (the "Announcement"), after they went into effect on April 1, 2024. According to the Announcement, some of the procedural changes target investigations into access requests and privacy grievances, while other changes target how the agency handles breach notifications from private organizations under the Personal Information Protection Act ("PIPA"). These procedural changes, according to the provincial Privacy Commissioner, are focused on aligning operations with the Alberta OIPC's legislative mandate. PIPA also applies to charities and not-for-profits in Alberta.
Alberta's OIPC has revamped its investigative protocols for examining access requests and privacy grievances under Alberta's three privacy statutes: the Freedom of Information and Protection of Privacy Act ("FOIP Act"), the Health Information Act ("HIA"), and PIPA. Alberta Privacy Commissioner Diane McLeod acknowledged a substantial backlog in privacy complaints and access decision reviews in Alberta OIPC's 2022–23 Annual Report. After scrutinizing its procedures, changes have now been made to enhance clarity and efficiency, according to the Announcement, potentially accelerating the resolution of pending cases. Details on these revised procedures are available on the updated Alberta OIPC website for Investigation Procedures for Reviews / Privacy Complaints; and the to Request a Review / File a Complaint.
The Alberta OIPC also revamped its approach to handling breach notifications under PIPA. A privacy breach entails the loss, unauthorized access, or unauthorized disclosure of personal information. PIPA's breach notification provisions aim to ensure organizations promptly inform affected individuals who face a Real Risk of Significant Harm (RROSH) due to the breach. In July 2022, the OIPC published a breach report analyzing nearly 2,000 breaches reported in Alberta between 2010 and 2021. The breach report found that since 2012–2013, at least 80% of organizations had already notified impacted individuals about breaches involving their personal information before the Alberta OIPC received notification.
Commissioner McLeod stated that in most cases, organizations had fulfilled the key purpose of the breach notification process before the OIPC's involvement. Following the breach report, the OIPC identified opportunities to enhance efficiency and sustainability in processing PIPA breach notification files. The procedural changes should enable timely resolution of PIPA privacy breach cases, reduce backlogs, and allow the OIPC to allocate resources more effectively to high-priority matters, according to the Announcement. Updated guidance on the revised PIPA breach notification procedures is available on the OIPC website Privacy Breach Response and Notification webpage under the "For Use by Private Sector Organizations" heading.
Read the May 2024 Charity & NFP Law Updatev
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.