The Office of the Information and Privacy Commissioner (OIPC) of Alberta implemented two sets of process changes at the start of this month to improve timelines and support the office’s work under its three legislative mandates.
One set of changes relates to investigative procedures under Alberta’s three privacy laws and the other changes are to the processing of notifications to the OIPC of privacy breaches in the private sector under the Personal Information Protection Act.
“Both these sets of changes align with the first goal found in the last two business plans we issued, in both 2023 and 2022,” said Information and Privacy Commissioner Diane McLeod. “This goal is to enhance internal processes to support our legislative mandate and to improve response timelines.”
The OIPC website has been updated to reflect the process changes. As well, affected stakeholders are being contacted in a variety of ways to inform them of the changes and how this will affect their interactions with the OIPC.
Amendments to investigation procedures
Changes have been made to OIPC investigation procedures for access request reviews and privacy complaints under Alberta’s three access and privacy laws: the Freedom of Information and Protection of Privacy Act (FOIP Act), the Health Information Act (HIA), and the Personal Information Protection Act (PIPA).
“In our 2022-23 Annual Report, we reported a significant backlog in privacy complaints and in reviews of access request decisions,” said McLeod. “In 2023, we examined our procedures with the goal of reducing the time it takes to process a file, while still maintaining quality and value. A number of changes have now been made to provide additional clarity and efficiency to our processes, which should help reduce our timelines for settling matters.”
Updated information on the revised procedures can be found on the OIPC website here and here.
Changes to processing of privacy breach notifications under PIPA
A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of personal information. This month, the OIPC changed its procedures for processing breach notifications received under the Personal Information Protection Act (PIPA).
A key purpose of the breach notification provisions in PIPA is to ensure that organizations notify, in a timely fashion, affected individuals for whom there exists a real risk of significant harm (RROSH) due to the breach.
In July 2022, the OIPC released a report that analyzed nearly 2,000 breaches reported in Alberta between 2010 and 2021.
“One of the report’s significant findings was that since 2012-2013, at least 80% of organizations had already notified affected individuals of a privacy breach involving their personal information by the time my office received notice of the breach,” said McLeod. “So in most cases, we learned that the key purpose of the OIPC breach notification process had been fulfilled by organizations before our process began. After the 2022 report was issued, we examined our procedures and found a number of opportunities to improve efficiency and sustainability of our process for dealing with PIPA breach notification files.”
The changes being made to this process will enable timely resolution of PIPA privacy breach files, will help to reduce backlogs in processing these files, and will allow the OIPC to allocate resources to cases that require increased attention.
New and updated documents on the revised breach notification procedures under PIPA can be found on the OIPC website here under the heading “For Use by Private Sector Organizations.”
The OIPC looks forward to working with all parties to increase the timeliness and efficiency of its work in regard to both these sets of revised processes.
In addition, amended procedures for public bodies to request time extensions under section 14 of the FOIP Act will be implemented soon. That process improvement will be communicated to stakeholders within the next few weeks.
Through the OIPC, the Information and Privacy Commissioner performs the responsibilities set out in the FOIP Act, HIA and PIPA. The Commissioner operates independent of government.
For more information:
Elaine Schiman
eschiman@oipc.ab.ca
Communications Manager
Office of the Information and Privacy Commissioner of Alberta
Mobile: (587) 983-8766
Follow us on Twitter/X.