Breach Notification Decisions


In 2010, under the Personal Information Protection Act, Alberta became the first jurisdiction in Canada to require breach notification from private sector organizations where there exists "a real risk of significant harm" to an individual as a result of the loss of, or unauthorized access to or disclosure of, personal information.

The Commissioner makes publicly available the decisions in which a real risk of significant harm was identified and notification to affected individuals was required. Decisions in which no real risk of significant harm was identified are not published.

Note: The search function for the table is limited to the content in the table, such as body name and summary. It does not scan all PDFs. However, the general search function in the top navigation of the website scans PDFs during a search.

Although the OIPC makes every effort to ensure that all information posted on the website is accurate and complete, the OIPC cannot guarantee its integrity. If there is any discrepancy between the information posted on our website and the original paper versions, the original paper document is authoritative.

Decision | Date | Body
P2020-ND-003 | Jan 31 2020 | Employer's Resource Council
Summary: The organization determined that an unauthorized actor accessed two of its employees' email...
P2020-ND-002 | Jan 31 2020 | Carl's Golfland
Summary: A webshell was inserted into the organization’s website through a vulnerability and brute force...
P2020-ND-001 | Jan 31 2020 | Industrial Alliance Insurance and Financial Services Inc.
Summary: The email account of a representative of the organization was accessed as the result of a phishing...