How to Notify the OIPC of a Privacy Breach

A privacy breach (or breach) means a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information.

Alberta’s access and privacy laws require a breach to be reported to the Commissioner by public bodies, private organizations, and health custodians in certain circumstances described below.

The information on this page is not for individuals. If you have received a notice that your personal or health information was involved in a breach and want to make a privacy complaint under Alberta’s access and privacy laws, please follow this link to the Privacy/Correction Complaints page.

Requirement to Notify the Commissioner of a Privacy Breach



For private sector organizations under the Personal Information Protection Act (PIPA)

It is mandatory for an organization with personal information under its control to notify the Commissioner of a privacy breach where "a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure" (section 34.1). "Real risk of significant harm" is also sometimes referred to as RROSH.

Organizations are required to notify the Commissioner of breaches without unreasonable delay where RROSH exists (section 34.1).

If you need assistance in determining if you should report a breach, you can use the 2022 PIPA Breach Report as a resource. The report summarizes 10 years of breach reporting decisions under PIPA and examines the types of personal information involved and the circumstances in the past that have led our office to determine a RROSH exists to affected individuals.

You can also refer to our previously published RROSH decisions (publication of every decision ceased as of October 2024).

The Commissioner may issue a decision requiring an organization to notify affected individuals of a breach (section 37.1).

However, there is nothing to prevent an organization from notifying affected individuals on its own (section 37.1(7)). In fact, since 2012-2013 at least 80% of organizations had already notified affected individuals by the time the breach was reported to the Commissioner.

  • If organizations notify on their own accord, the notification contents should meet the minimum requirements under section 19.1 of the PIPA Regulation. See this resource for more information about notification contents: Notifying Affected Individuals (PDF).

To report a breach under PIPA, use this form: PIPA Breach Notification Form

See below for more resources


For health custodians under the Health Information Act (HIA)

It is mandatory for a custodian having individually identifying health information in its custody or control to notify the Commissioner of a privacy breach if the custodian determines "there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure" (section 60.1(2)).

Custodians are required to notify the Commissioner of such breaches as soon as practicable (section 60.1(2)).

In addition to notifying the Commissioner of the privacy breach, the custodian is also required by section 60.1(3) of HIA to notify the Minister and the affected individuals of the privacy breach.


If you need assistance in determining if you should report a breach, you can use the HIA Breach Notice Assessment Tool.

To report a breach under HIA, use this form: HIA Breach Notification Form

See below for more resources


For public bodies under the Protection of Privacy Act (POPA)

Public bodies are required to notify affected individuals, the Commissioner, and the Minister following the loss of, unauthorized access to or disclosure of personal information in their custody or under their control, where a reasonable person would consider that there exists a real risk of significant harm (RROSH) to an individual as a result of the loss, unauthorized access to or unauthorized disclosure of personal information (section 10(2) of POPA).

If you need assistance in determining if you should report a breach, you can use the POPA Breach Notice Assessment Tool.

To report a breach under POPA, use this form: POPA Breach Notification Form

NOTE: If you are unsure whether the Freedom of Information and Protection of Privacy Act (FOIP) [repealed June 11, 2025 and replaced by POPA] or POPA applies, please fill in the POPA form and note this concern in section 18 of the form.

See below for more resources


June 2025

Disclaimer

This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.