Changes to Personal Information Protection Act Take Effect May 1 and Include First in Canada Breach Notification Requirements

April 29, 2010

Changes to the Personal Information Protection Act will become law on May 1. The changes include breach reporting and notification requirements, the first such law in Canada.

PIPA governs the collection, use and disclosure of personal information by businesses, and was amended by the Alberta Legislature in 2009. One of those amendments is mandatory breach notification, which means that organizations will be required to report to the Commissioner a privacy breach where there exists “a real risk of significant harm” to an individual.

Information and Privacy Commissioner Frank Work says breach reporting and notification is an important step forward in protecting personal information. “Now an organization has to report significant losses to my Office. I can then require notification of affected individuals. Our experience has been that most businesses already notify people affected by losses and we encourage this. This is not necessarily a matter of making businesses liable for losses of information; it is about warning people so that they can take precautions. Hopefully it will make businesses more aware of the need for reasonable security measures.”

Information respecting the amendments and how they work is available at and

Other changes of note include provisions regarding personal employee information and the retention of personal information. Organizations will also be required to notify people when they will be transferring personal information to a service provider outside of Canada. Time periods and offence provisions were also changed.