
Alberta privacy law includes first breach-reporting requirement

Written By Robert Todd

Organizations that interact with personal information in Alberta may want to dust off their privacy policies after the recent enactment of key amendments to the province’s Personal Information Protection Act.

The changes, which came into law May 1, include Canada’s first breach-reporting and notification requirements. The law forces organizations to notify Alberta’s privacy commissioner should individuals’ personal information be lost or improperly accessed, and a reasonable person would view the incident as presenting “a real risk of significant harm” to an individual. The commissioner may then force the organization to notify those affected by the breach.

“Our experience has been that most businesses already notify people affected by losses and we encourage this,” said Alberta Information and Privacy Commissioner Frank Work. “This is not necessarily a matter of making businesses liable for losses of information; it is about warning people so that they can take precautions. Hopefully it will make businesses more aware of the need for reasonable security measures.”

Another key change is a requirement for organizations using a service provider outside Canada to include details of that relationship in policies and practices. The requirement applies to parents, subsidiaries, and other affiliates.

Specifically, organizations dealing with personal information within Alberta must now include in their policies and practices particulars of countries in which the collection, use, disclosure, or storage is taking place, or may take place in the future. They must also specify why that service provider has been allowed to manage personal information.

Stephen Burns, an information and privacy law practitioner and partner at Bennett Jones LLP’s Calgary office, says while those are the most glaring changes to the legislation, in-house counsel will want to take note of several other tweaks.

“There are significant changes in the act,” he says. “There’s lots of little rewrites here and there. . . . Definitions have been changed, and lots and lots of clarifications are in the legislation, which means you should have a closer look at it when you’re looking at what you do in your agreements.”

Brian Thiessen, who practises privacy law at Blake Cassels & Graydon LLP’s Calgary office, notes the Alberta update is the first comprehensive legislative review with followup amending legislation on Canadian privacy law since the bulk of regulations came online in 2004.

That means organizations that are not regulated by Alberta’s privacy legislation may still want to take note of these amendments.

“It’s a bit of a guide, especially given that Frank Work, the Alberta privacy commissioner, and the others are very closely in touch, and they work together,” says Thiessen. “It’s a bit of a telltale on what other provinces, other jurisdictions, might be thinking and gives a bit of a sign about what the privacy commissioners are concerned about.”

Meanwhile, Osler Hoskin & Harcourt LLP Toronto partner Michael Fekete says the new Alberta laws signal a growing awareness of the risks surrounding data breaches in the private sector. He believes most large institutions have invested adequately in guarding against the threat, but suggests smaller companies may still be vulnerable.

“There’s probably more room for improvement among smaller and mid-sized organizations, because they may not have the same resources to invest in improving their information security and data-handling practices,” says Fekete. “They don’t have the same sophistication on what best practices would be.”

The new Alberta legislation will force companies to tweak internal and external documents, so Burns believes this is an ideal time for in-house counsel to consider an overhaul of their organization’s privacy regime.

“In our view, it’s a great time to just look at your privacy documentation, what individuals you’re interacting with are seeing, what you’re publishing to the world, and ensure that you’re refreshing it for the amendments in Alberta, to the extent to which the amendments apply to you,” says Burns.

More information on the amendments is available at

  • not quite the first, but the first general

    John G
    Ontario's Personal Health Information Protection Act, 2006, has a breach notification rule in s. 12. It is not as subtle as Alberta's - it notably does not have a risk-based test for notification.

    I have not seen statistics on how many notifications have been sent out under that Act since it came into force.

    Alberta's is the first and to date only legislation passed with general application. New Brunswick and Newfoundland and Labrador have passed breach notification statutes applicable to health information. Neither province's statute is yet in force.

    The Uniform Law Conference is scheduled to adopt uniform legislation on breach notification in August. There is a good argument that if this kind of law is to spread (as it has in the US), then it should be consistent from one jurisdiction to the next (which it is not in the US).

    As the article points out, the privacy authorities in Canada have been working to harmonize their administrative requirements or suggestions in this area, which is a big help to everybody trying to figure out what to do in more than one jurisdiction.