
Alberta PIPA Breach Notification: Reporting Requirements for Alberta Organizations

Complete guide to Alberta PIPA breach notification requirements — when to report to OIPC Alberta, individual notification obligations, and how AB PIPA differs from PIPEDA.

What is Alberta PIPA?

Alberta's Personal Information Protection Act (PIPA, SA 2003, c P-6.5) is the provincial privacy legislation governing private-sector organizations that collect, use, or disclose personal information in Alberta. The Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) administers and enforces PIPA.

Alberta PIPA was deemed substantially similar to PIPEDA by the federal government, meaning private-sector organizations that operate solely within Alberta for intraprovincial commercial activity are governed by PIPA rather than PIPEDA. However, organizations engaged in interprovincial or international commercial activity are also subject to PIPEDA, creating dual obligations.


Who is subject to Alberta PIPA?

Alberta PIPA applies to every private-sector organization — regardless of size — that:

  • Collects, uses, or discloses personal information about individuals in Alberta
  • Does so in the course of commercial activity within the province

This includes businesses, non-profit organizations engaged in commercial activity, and professional practices. It does not apply to government bodies, which are governed by the Freedom of Information and Protection of Privacy Act (FOIP).


When does a breach trigger Alberta PIPA reporting obligations?

Alberta PIPA uses the same Real Risk of Significant Harm (RROSH) threshold as PIPEDA. A breach triggers mandatory reporting and notification only if it poses a real risk of significant harm to one or more affected individuals.

Significant harm under Alberta PIPA

Significant harm under PIPA has the same meaning as under PIPEDA, including:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment, business, or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

RROSH factors under Alberta PIPA

The RROSH assessment under Alberta PIPA examines the same four factors as PIPEDA:

  1. Sensitivity of the personal information — health records, SINs, financial account numbers, and passwords carry high sensitivity. Basic contact information carries lower sensitivity.
  2. Probability of misuse — confirmed access by a threat actor, malicious intent, or confirmed exfiltration all increase probability. Accidental internal disclosure with prompt recovery decreases probability.
  3. Number of individuals affected — a broader breach affecting many individuals with sensitive data is more likely to meet RROSH. A narrow breach affecting one individual with low-sensitivity information may not.
  4. Whether the information has been recovered — unrecovered stolen data weighs significantly toward RROSH.

Reporting to the OIPC Alberta

If your RROSH assessment determines that a real risk of significant harm exists, you must report the breach to the OIPC Alberta without unreasonable delay after making that determination.

What the OIPC Alberta report must contain

Your notification to the OIPC Alberta must include:

  • A description of the breach and how it occurred
  • The date or approximate date of the breach
  • A description of the personal information involved
  • The number of individuals affected or an estimate
  • Steps your organization has taken to reduce the risk of harm
  • Steps your organization has taken or will take to notify affected individuals
  • Contact information for a person in your organization who can answer questions from the OIPC

Submit the report using the OIPC Alberta's breach notification form, available at oipc.ab.ca.

Timing: what "without unreasonable delay" means

The practical expectation is the same as under PIPEDA — report within days of your RROSH determination, not weeks. File on available information and provide supplements as your investigation continues. The OIPC Alberta has signalled increasing scrutiny of delayed reporting.


Notifying affected individuals under Alberta PIPA

When RROSH is present, you must also notify every affected individual directly, without unreasonable delay.

Requirements for individual notification under PIPA

The notification to individuals must include:

  • A description of the breach and the personal information involved
  • The date or approximate date of the breach
  • Steps your organization has taken or will take to reduce harm
  • Contact information for follow-up questions from the affected individual

OIPC Alberta notification before individuals in some cases

PIPA allows organizations to notify the OIPC before notifying individuals in limited circumstances — specifically when there is a risk that notification to individuals could alert a suspect and impede a law enforcement investigation. This is a narrow exception and requires OIPC approval. In most cases, notification to individuals and to the OIPC should happen concurrently.


How Alberta PIPA differs from PIPEDA

Despite having the same RROSH threshold and similar notification requirements, there are important practical differences:

| | Alberta PIPA | PIPEDA |
|---|---|---|
| Governing body | OIPC Alberta (oipc.ab.ca) | OPC Canada (priv.gc.ca) |
| Applies to | Intraprovincial commercial activity in Alberta | Interprovincial/international commercial activity |
| Reporting deadline language | "Without unreasonable delay" | "As soon as feasible" |
| Enforcement | OIPC investigation, compliance orders | OPC investigation, Federal Court referral |
| Individual notification | Required when RROSH present | Required when RROSH present |
| Record-keeping | Required | 24 months minimum |

The practical difference in timing language ("without unreasonable delay" vs "as soon as feasible") is minimal — both regulators expect rapid reporting, measured in days.


Dual obligations: when both Alberta PIPA and PIPEDA apply

Many Alberta organizations are subject to both Alberta PIPA and PIPEDA because they engage in some combination of intraprovincial and interprovincial commercial activity. When both frameworks apply and a breach occurs:

  • You must assess RROSH under both frameworks (the assessment is substantially the same)
  • You must file a separate breach report with the OIPC Alberta and a separate report with the OPC
  • You must notify affected individuals once (a single notice can satisfy both frameworks if it meets the requirements of each)

ClearBreach performs simultaneous evaluation under both frameworks and generates separate regulator reports — an OIPC Alberta report and an OPC PIPEDA report — when both are triggered.


Record-keeping under Alberta PIPA

Like PIPEDA, Alberta PIPA requires organizations to maintain an internal record of every breach of security safeguards, regardless of whether it triggered RROSH. The OIPC Alberta may request access to this record.

Your breach record should document:

  • Date and description of the breach
  • Personal information involved and number of individuals affected
  • RROSH determination and reasoning
  • Containment and remediation steps
  • Whether reports were filed with the OIPC Alberta and/or OPC
  • Whether affected individuals were notified and when

Using ClearBreach for Alberta PIPA assessments

ClearBreach simultaneously evaluates your breach under PIPEDA, Alberta PIPA, and BC PIPA in a single 15-minute assessment. When Alberta PIPA obligations are triggered, ClearBreach generates:

  • An OIPC Alberta Breach Report draft — pre-populated and mirroring the April 2024 official OIPC Alberta form
  • A Verdict Card showing your RROSH determination under each applicable framework
  • An Individual Notification Letter covering each applicable framework's requirements
  • An Internal Incident Record for your compliance file

Frequently asked questions

What are my reporting obligations under Alberta PIPA after a breach?

Under Alberta PIPA, if a breach poses a real risk of significant harm to an individual, you must report to the OIPC Alberta without unreasonable delay and notify affected individuals directly. You must also maintain an internal record of every breach regardless of whether it reaches the RROSH threshold.

Does Alberta PIPA apply to small businesses?

Yes. Alberta PIPA applies to every private-sector organization that collects, uses, or discloses personal information in Alberta in the course of commercial activity, regardless of size. There is no small-business exemption. If your organization only operates within Alberta and does not engage in interprovincial or international commercial activity, Alberta PIPA applies instead of PIPEDA.

What is the difference between PIPEDA and Alberta PIPA breach reporting?

Both require reporting when RROSH is present and use similar RROSH factors. Key differences: Alberta PIPA applies to organizations operating within Alberta for intraprovincial commercial activity; PIPEDA applies to interprovincial and cross-border activity. Alberta PIPA reports go to the OIPC Alberta; PIPEDA reports go to the OPC in Ottawa. When both apply, you must file separate reports with each regulator.

When must I report a breach to the OIPC Alberta?

Alberta PIPA requires reporting "without unreasonable delay" after you determine RROSH is present. Like PIPEDA, the practical expectation is days from determination, not weeks. Do not wait for a full forensic investigation — report on available information and supplement as the investigation continues.

Does a breach triggering Alberta PIPA also trigger PIPEDA?

It depends on whether your organization engages in interprovincial or cross-border commercial activity. If it does, both PIPEDA and Alberta PIPA apply and you must file separate reports with the OPC and OIPC Alberta. If your commercial activity is entirely within Alberta, only Alberta PIPA applies. ClearBreach evaluates both frameworks simultaneously and generates separate reports for each regulator triggered.

This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.