Amendments to the Personal Information Protection Act (PIPA) of the Canadian province of Alberta took effect on May 1, 2010. Two of the changes are particularly noteworthy. First, like several states in the United States, Alberta now requires notification of data breaches. Second, new notice requirements may affect the use of service providers outside Canada.
(1) An organization that has personal information under its control must provide to the Alberta Information and Privacy Commissioner without unreasonable delay notice of any incident involving loss of, unauthorized access to, or disclosure of, personal information. Notice is required where “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss of or unauthorized access or disclosure.” If the Commissioner determines that the data breach poses a real risk of significant harm to individuals, the organization may be required to notify those individuals.
(2) An organization that uses a service provider outside Canada to collect personal information about an individual, or that transfers to a service provider outside Canada personal information about an individual, must notify the individual of the way in which the individual can obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada. Notification may be given in writing or orally, but it must be given before or at the time the personal information is collected, whenever consent for collection is required.
The changes make Alberta the first Canadian province to mandate notification of data breaches generally. Many Canadian legal commentators expect other Canadian jurisdictions to follow suit shortly.
Canada does have an omnibus information protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Any organization that collects personal information in the course of commercial activity is covered by PIPEDA, except in provinces that have “substantially similar” information protection laws. Alberta’s PIPA has been declared to be substantially similar to PIPEDA.
Recently proposed amendments to PIPEDA would, if enacted, require an organization to report to the Canadian Privacy Commissioner any material breach of security safeguards involving personal information under its control. Similar to Alberta’s PIPA, the amendments would also require an organization to notify an individual of any breach of security safeguards involving such individual’s personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.