Alberta enacts breach notification requirement

Alberta’s Personal Information Protection Amendment Act, 2009 came into effect over the weekend (May 1, to be precise). The amendments included a variety of changes but perhaps most notably include a new notification requirement if an organization experiences a security breach.

The Alberta government has come out with a brochure (PDF) to help organizations understand their obligations under this new requirement. Here’s the Coles Notes version:

  • you must notify the Alberta Privacy Commissioner of any loss, unauthorized access or unauthorized disclosure of personal information without delay
  • notification is mandatory (i.e. it’s an offence if you don’t) if a reasonable person believes there is a real risk of significant harm to an individual as a result of the breach and optional if it isn’t
  • the Commissioner then decides whether individuals need to be notified. If they do, the Commissioner will tell you and you will need to comply accordingly

The brochure itself contains helpful explanations, examples and illustrations on some of these concepts, such as what is meant by “real risk of significant harm” and who is responsible for notification, which I won’t regurgitate here.

While this is old hat in the US, with many (most?) US states already having such requirements in place, it is relatively new in Canada. Apart from the somewhat terse breach notification requirements under the Ontario Personal Health Information Protection Act, Alberta’s legislation appears to be the first in Canada. The concept, however, has been subject to discussion for some time now. Other provinces (I believe Newfoundland and New Brunswick) have legislation pending along the same lines, but Alberta’s is the first to address breaches relating to personal information generally, not just health information. The Uniform Law Commission of Canada has also studied the matter a fair bit and came out with a report and draft legislation (PDF) last year. John Gregory, the General Counsel of the Ontario Ministry of the Attorney General, has also given presentations (PPT) on the topic.

In short, all this points to the fact that it isn’t a question of whether there will be such requirements throughout Canada, but rather when. Organizations that hold a significant amount of personal information would be well-advised to consider the adequacy of their existing security measures and whether they need to be upgraded, given the potential cost of security breaches in light of these requirements.