Decade of Privacy Breaches Analyzed in Commissioner’s Report

July 27, 2022

The Office of the Information and Privacy Commissioner (OIPC) released a report today that analyzes nearly 2,000 breaches reported in Alberta over 11 years.

In May 2010, requirements to report certain breaches to the OIPC and notify affected individuals came into force under Alberta’s Personal Information Protection Act (PIPA). The report analyzes PIPA breaches from 2010-11 to 2020-21.

Data show that organizations have sent millions of notifications to people affected by breaches since the requirements came into force. The leading reason for notifying an affected individual has been unauthorized access to personal information, most often caused by a compromised electronic information system, for example through the installation of malware or ransomware.

The report offers guidance to help organizations and law firms specializing in privacy law decide whether there is a real risk of significant harm (RROSH) to an affected individual as a result of a breach. RROSH is the legal threshold under PIPA for reporting breaches. In particular, the executive summary of the report lists criteria for when the Commissioner decided there was RROSH or No RROSH, and explains why there was a no-jurisdiction finding in some cases.

Based on information submitted by organizations when reporting a breach, the report analyzes how long it takes organizations to discover breaches, notify individuals and report to the OIPC. It also looks at whether malicious intent or deliberate action was involved in a breach, types of harm, types of personal information and reporting industries, among other data.

Hypothetical scenarios in the report compare “typical” RROSH and No RROSH breaches analyzed in 2010-11 with those analyzed in 2020-21, showing how breaches have changed over time.

Alberta became one of the first North American jurisdictions to require organizations to notify individuals affected by breaches, and to report those incidents to the OIPC. The Commissioner was also given the power under PIPA to require organizations to notify an affected individual when the Commissioner determines there is a real risk of significant harm to the affected individual as a result of a breach.


“Organizations face constant challenges in preventing and responding to breaches, and this report shows how dynamic privacy and security management has become. The legal mechanisms have remained the same but the administrative and technical aspects require regular reviews and updates.

Digital realities underscore the need for regular privacy and security training for staff in all industries and for diligence in performing security updates to IT infrastructure. Beyond digital privacy and security management, it is also important for organizations to remind staff regularly about not leaving work products in vehicles and to triple check addresses when sending mail or email containing personal information.

As my term as Commissioner ends, I am proud of the work we did implementing processes to review and make decisions on breach reports submitted by organizations. We led the way in Canada, and helped to ensure that Albertans affected by privacy breaches could take the steps necessary to protect themselves from harm.”

– Jill Clayton, Information and Privacy Commissioner

Additional Information

Scott Sibbald
Office of the Information and Privacy Commissioner