Alberta PIPA Breach Notification for SMEs

By Yong Du

Alberta PIPA requires reporting to the OIPC Alberta and notifying affected individuals when a real risk of significant harm (RROSH) is present. Both obligations are mandatory.

What is Alberta PIPA?

Alberta's Personal Information Protection Act (PIPA, SA 2003, c P-6.5) governs how private-sector organizations collect, use, and disclose personal information in Alberta. The OIPC Alberta administers and enforces it. Organizations that also engage in interprovincial or international commercial activity are additionally subject to federal PIPEDA. When a breach triggers Alberta PIPA obligations, ClearBreach generates your OIPC Alberta breach report, OPC breach report, individual notification letter, and internal incident record in a single 15-minute assessment.

Alberta PIPA was deemed substantially similar to PIPEDA by the federal government, meaning private-sector organizations that operate solely within Alberta for intraprovincial commercial activity are governed by PIPA rather than PIPEDA. However, organizations engaged in interprovincial or international commercial activity are also subject to PIPEDA, creating dual obligations.


Who is subject to Alberta PIPA?

Alberta PIPA applies to every private-sector organization — regardless of size — that collects, uses, or discloses personal information about individuals in Alberta in the course of commercial activity within the province. Government bodies are governed by FOIP instead. Federally regulated organizations remain subject to PIPEDA.

Alberta PIPA does not apply to:

  • Government bodies — governed by Alberta's Freedom of Information and Protection of Privacy Act (FOIP)
  • Federally regulated organizations (banks, telecommunications carriers, airlines) — governed by PIPEDA regardless of province

When does a breach trigger Alberta PIPA reporting obligations?

A breach triggers Alberta PIPA obligations when it poses a real risk of significant harm (RROSH) to affected individuals. RROSH is assessed across four factors: information sensitivity, probability of misuse, number of individuals affected, and whether the data was recovered.

What counts as significant harm under Alberta PIPA?

Significant harm under PIPA has the same meaning as under PIPEDA, including:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment, business, or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

What factors determine RROSH under Alberta PIPA?

The RROSH assessment under Alberta PIPA examines the same four factors as PIPEDA:

  1. Sensitivity of the personal information — health records, SINs, financial account numbers, and passwords carry high sensitivity. Basic contact information carries lower sensitivity.
  2. Probability of misuse — confirmed access by a threat actor, malicious intent, or confirmed exfiltration all increase probability. Ransomware attacks represent the highest-probability scenario. Accidental internal disclosure with prompt recovery decreases probability.
  3. Number of individuals affected — a broader breach affecting many individuals with sensitive data is more likely to meet RROSH. A narrow breach affecting one individual with low-sensitivity information may not.
  4. Whether the information has been recovered — unrecovered stolen data weighs significantly toward RROSH.

For a detailed breakdown of all four factors, see What Is RROSH?


What must I report to the OIPC Alberta?

When RROSH is present, you must report to the OIPC Alberta without unreasonable delay. The practical expectation is days from your RROSH determination, not weeks. File on available information and supplement as your investigation continues — do not wait for a complete forensic review.

What the OIPC Alberta report must contain

Your notification to the OIPC Alberta must include:

  • A description of the breach and how it occurred
  • The date or approximate date of the breach
  • A description of the personal information involved
  • The number of individuals affected or an estimate
  • Steps your organization has taken to reduce the risk of harm
  • Steps your organization has taken or will take to notify affected individuals
  • Contact information for a person in your organization who can answer questions from the OIPC

Submit the report using the OIPC Alberta's breach notification form, available at oipc.ab.ca.


When must I notify individuals of a breach under Alberta PIPA?

You must notify affected individuals directly and without unreasonable delay once you determine RROSH is present. A general public notice does not satisfy this obligation unless direct notification is not reasonably possible. Notification to the OIPC may precede individual notice only in narrow law enforcement circumstances.

Who needs to be notified of a privacy breach under Alberta PIPA?

Every individual whose personal information was involved in a breach that poses RROSH must be notified directly and without unreasonable delay. A general public notice does not satisfy this obligation unless direct notification is not reasonably possible.

Requirements for individual notification under Alberta PIPA

The notification to individuals must include:

  • A description of the breach and the personal information involved
  • The date or approximate date of the breach
  • Steps your organization has taken or will take to reduce harm
  • Contact information for follow-up questions from the affected individual

When can OIPC notification precede individual notification?

Alberta PIPA allows organizations to notify the OIPC before notifying individuals in limited circumstances — specifically when notification to individuals could alert a suspect and impede a law enforcement investigation. This is a narrow exception requiring OIPC coordination. In most cases, notification to individuals and to the OIPC should happen concurrently.


Generate your OIPC Alberta breach report, OPC breach report, and individual notification letter automatically. ClearBreach runs your RROSH assessment under Alberta PIPA, PIPEDA, and BC PIPA simultaneously and produces all required documents in under 15 minutes — entirely in your browser.

How does Alberta PIPA differ from PIPEDA and BC PIPA?

Alberta PIPA and PIPEDA both require mandatory regulator reporting when RROSH is present. BC PIPA makes regulator reporting voluntary. All three require mandatory individual notification when RROSH is present. When both Alberta PIPA and PIPEDA apply, you must file separate reports with each regulator.

| Aspect | Alberta PIPA | BC PIPA | PIPEDA |
|---|---|---|---|
| Governing body | OIPC Alberta (oipc.ab.ca) | OIPC BC (oipc.bc.ca) | OPC Canada (priv.gc.ca) |
| Applies to | Intraprovincial commercial activity in Alberta | Intraprovincial commercial activity in BC | Interprovincial/international commercial activity |
| Regulator reporting | Mandatory when RROSH present | Voluntary | Mandatory when RROSH present |
| Individual notification | Mandatory when RROSH present | Mandatory when RROSH present | Mandatory when RROSH present |
| Timing (regulator) | Without unreasonable delay | Voluntary, no fixed deadline | As soon as feasible |
| Timing (individuals) | Without unreasonable delay | Without unreasonable delay | As soon as feasible |
| Enforcement | OIPC investigation, compliance orders | OIPC investigation, compliance orders | OPC investigation, Federal Court referral |
| Record-keeping | Required | Required | 24 months minimum |

For BC PIPA-specific obligations, see BC PIPA Privacy Breach Reporting Requirements. For PIPEDA obligations, see PIPEDA Breach Reporting Requirements.


What do I do when both Alberta PIPA and PIPEDA apply?

When both frameworks apply, you must file a separate breach report with the OIPC Alberta and with the OPC. Notify affected individuals once, using a single notice that satisfies both frameworks. ClearBreach generates separate regulator submissions for each triggered framework automatically.

Many Alberta organizations are subject to both Alberta PIPA and PIPEDA because they engage in some combination of intraprovincial and interprovincial commercial activity. When both frameworks apply and a breach occurs:

  • You must assess RROSH under both frameworks (the assessment is substantially the same)
  • You must file a separate breach report with the OIPC Alberta and a separate report with the OPC
  • You must notify affected individuals once (a single notice can satisfy both frameworks if it meets the requirements of each)

What are the record-keeping requirements under Alberta PIPA?

Alberta PIPA requires organizations to maintain an internal record of every breach, regardless of whether it triggered RROSH. The OIPC Alberta may request access to this record. Following PIPEDA's 24-month retention standard is recommended best practice for organizations subject to both frameworks.

Your breach record should document:

  • Date and description of the breach
  • Personal information involved and number of individuals affected
  • RROSH determination and reasoning
  • Containment and remediation steps
  • Whether reports were filed with the OIPC Alberta and/or OPC
  • Whether affected individuals were notified and when

Using ClearBreach for Alberta PIPA assessments

Run your Alberta PIPA assessment and generate your compliance documents automatically. ClearBreach evaluates your breach under PIPEDA, Alberta PIPA, and BC PIPA simultaneously in a single 15-minute browser-based assessment. When Alberta PIPA obligations are triggered, ClearBreach generates:

  • An OIPC Alberta Breach Report draft — pre-populated and mirroring the April 2024 official OIPC Alberta form
  • A Verdict Card showing your RROSH determination under each applicable framework
  • An Individual Notification Letter covering each applicable framework's requirements
  • An Internal Incident Record for your compliance file

Frequently asked questions

Do Alberta businesses have to report a data breach?

Yes, if the breach poses a real risk of significant harm (RROSH) to affected individuals. Alberta private-sector organizations are governed by Alberta's Personal Information Protection Act (PIPA). When RROSH is present, they must report to the Office of the Information and Privacy Commissioner of Alberta and notify affected individuals directly, without unreasonable delay. Organizations that also engage in interprovincial or international commercial activity must additionally report to the federal Office of the Privacy Commissioner under PIPEDA.

What are my reporting obligations under Alberta PIPA after a breach?

Under Alberta PIPA, if a breach poses a real risk of significant harm to an individual, you must report to the OIPC Alberta without unreasonable delay and notify affected individuals directly. You must also maintain an internal record of every breach regardless of whether it reaches the RROSH threshold.

Does Alberta PIPA apply to small businesses?

Yes. Alberta PIPA applies to every private-sector organization that collects, uses, or discloses personal information in Alberta in the course of commercial activity, regardless of size. There is no small-business exemption. If your organization only operates within Alberta and does not engage in interprovincial or international commercial activity, Alberta PIPA applies instead of PIPEDA.

What is the difference between PIPEDA and Alberta PIPA breach reporting?

Both require reporting when RROSH is present and use similar RROSH factors. Key differences: Alberta PIPA applies to organizations operating within Alberta for intraprovincial commercial activity; PIPEDA applies to interprovincial and cross-border activity. Alberta PIPA reports go to the OIPC Alberta; PIPEDA reports go to the OPC in Ottawa. When both apply, you must file separate reports with each regulator.

When must I report a breach to the OIPC Alberta?

Alberta PIPA requires reporting 'without unreasonable delay' after you determine RROSH is present. Like PIPEDA, the practical expectation is days from determination, not weeks. Do not wait for a full forensic investigation — report on available information and supplement as the investigation continues.

Does a breach triggering Alberta PIPA also trigger PIPEDA?

It depends on whether your organization engages in interprovincial or cross-border commercial activity. If it does, both PIPEDA and Alberta PIPA apply and you must file separate reports with the OPC and OIPC Alberta. If your commercial activity is entirely within Alberta, only Alberta PIPA applies. ClearBreach evaluates both frameworks simultaneously and generates separate reports for each regulator triggered.

This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.

Run your formal assessment now

ClearBreach generates your verdict and all required documents automatically — in under 15 minutes.
