Am I required to report a breach to the Commissioner?
Organizations subject to the Personal Information Protection Act (PIPA) are required to report a breach of personal information to the Commissioner as follows:
“34.1(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure”.
The NEW Mandatory Breach Reporting Tool is designed to assist organizations in determining whether they are required to report a breach under section 34.1 of PIPA.
What information do I need to provide the Commissioner when I report a breach?
· Reporting a Breach to the Commissioner sets out the minimum requirements for what must be included in a breach report to the Commissioner.
· The NEW Breach Reporting Guide has been designed to assist organizations in providing the information needed to meet the breach reporting requirements.
· The Breach Report Form can be used to submit a breach report to the Commissioner.
What happens after I report a breach to the Commissioner?
The Office of the Information and Privacy Commissioner's Process for Determining Whether to Require Notification describes the process undertaken by the Commissioner upon receiving a breach report.
Additional Breach Reporting Resources:
The resources below are available on the OIPC website to assist organizations in complying with the new provisions:
Resources are also available on the Policy and Governance, Service Alberta website at www.pipa.alberta.ca, including Information Sheet 11: Notification of a Security Breach.