Commissioner Issues Report on Two Years of Mandatory Breach Reporting in Alberta

June 18, 2012

Amendments to Alberta’s Personal Information Protection Act (PIPA) requiring private sector organizations to report certain privacy breaches to the Information and Privacy Commissioner took effect in May of 2010.

Any personal information breach that presents a real risk of significant harm must be reported to the Commissioner. The Commissioner in turn can require an organization to notify affected individuals of the breach, which allows people to take the necessary steps to protect themselves against risks such as identity theft.

As of April 30 of this year, 151 breach reports have been received by the Office of the Information and Privacy Commissioner. Commissioner Jill Clayton says, “Alberta is the only jurisdiction in Canada where there is a legal requirement to advise the Commissioner of certain breaches. The reports give us an idea of how and why breaches are occurring, and also tell us how the private sector is responding.”

Clayton adds that organizations are on a learning curve, and mandatory reporting has become an important educational tool. “We are finding that organizations are taking breaches seriously and are developing proper policies, procedures and security arrangements to protect personal information. But, the numbers show there is still a lot of work to be done in making sure the personal information of Albertans is protected.”

The majority of reported breaches involve human error, such as misdirected email and faxes, stolen or lost unencrypted electronic devices, and improper destruction of records and electronic media. Many of these breaches are preventable with proper security systems and encryption.