This article is written by Devagni Vatsaraj, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
Introduction
PIPA is an acronym used for the Personal Information Protection Act. There are private sector focussed privacy statutes that govern the collection, use, disclosure and management of personal information in Canada such as the Personal Information Protection and Electronic Documents Act, PIPA Alberta, PIPA British Columbia, and Quebec Privacy Act. PIPA Alberta applies to such private sector organizations, businesses and non-profit organizations which are provincially regulated under the jurisdiction of Alberta, and is applicable for the protection of personal data of the data subjects. Further, the Act provides the data subjects with the right to access their personal information.
PIPA was originally introduced as a Bill in the Alberta legislature on 14th May, 2003 as Bill No. 44 and subsequently came into effect on 01st January, 2004. The Act has been time and again amended to incorporate changes that would be beneficial to the interests of the data subjects and crucial to protect their rights. Stating herein in chronological order, the Act has been amended by Personal Information Protection Amendment Act, 2005, Adult Guardianship and Trusteeship Act, 2008, Personal Information Protection Amendment Act, 2009 and Personal Information Protection Amendment Act, 2014.
Privacy breach under PIPA Alberta
Notifying the data breach
Privacy Breach refers to the unauthorized access to, or loss or disclosure of, personal information of the data subjects. When such a breach occurs, the organisation must notify the concerned authority of Alberta (more particularly mentioned herein below). The organisation should also be vigilant and contact their insurance agent for cyber coverage. Further, they must notify the affected parties of the data so breached. The law does not define how promptly an organisation must report the breach occurred but merely states that a notification to the authorities as well as data subjects must be given without unreasonable delay.
Section 34.1 of the Act states that “An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”
The authority concerned has resources that assist the organizations in determining if there is an actual breach or is it just a suspected or an alleged breach; what to do in such circumstances and in understanding how the risk should be assessed. These resources include the Privacy Breach Report Form that may be used while reporting the breach to the Privacy Commissioner and Practice Note to Report Breaches to the Commissioner, which assists the organisations in meeting the requirements of Section 19 of the Act while reporting the infringement with the Privacy Commissioner.
Data protection authority
The province of Alberta Privacy Commissioners, more particularly, Office of the Information and Privacy Commissioner of Alberta (OIPC), has the authority to review complaints and accordingly, formulate orders and dispose of the matters. The OPIC has the powers to direct an organization to give or refuse to give to the data subjects access to their personal data, as the case may be; overlook that the legislation is adhered to, requiring an organization to destroy personal data collected in contravention of the Act, etc.
Reporting data breaches to data subjects
With the permission of the OIPC, an organisation may indirectly notify the data subjects. If the OIPC has expressly ordered and the organisation fails to notify the data subject, the Privacy Commissioner may make such orders as it may consider appropriate. Further, when taken to court, the organisation may be directed to pay damages to the data subjects so affected, for the loss/harm incurred by them.
However, there are circumstances wherein the organisations are exempted from notifying the breach to the data subjects. As stated earlier, the Privacy Commissioner may or may not require the organisation to give notice to the data subjects and hence, under circumstances where the OPIC has not ordered to give notice, the organisation is not required to tender the same. When there is no significant risk/harm to individual data subjects as a result of the data breach of the personal data of such data subject, the organisation is not required to tender a notice.
What are the breaches that must be reported and how to file the report?
An organisation must keep itself in the place of a data subject and consider whether the breach that has occurred, would pose a significant threat to the data subject or should the breach not be reported, would cause loss/harm to the data subject; if the answer to such question is in affirmative, the organisation must notify the OIPC of the privacy breach. The OIPC comes down heavily on the organisations and lays down that reporting reasonable breaches is not a requisite only when a class of subjects are affected but is also necessary even when the rights of a single individual have been compromised.
Reporting a breach with the OIPC must be done expressly, i.e., the report must be clear, in a language generally understandable, without ambiguity and in writing. An organisation must generally include the following in its mandatory privacy breach reporting:
- Circumstances of the breach;
- Date or time period when the breach occurred;
- Personal data involved in the breach;
- Assessment of harm caused to the data subjects as a result of such breach;
- Estimated number of individuals’ impacted;
- Steps were taken to reduce the risk of harm;
- Steps were taken to notify impacted data subjects;
- Contact person of the organisation.
The OIPC may require the organization to notify data subjects so affected by the breach. While notifying them, the organizations are required to provide the following information to the data subjects:
- Circumstances of the breach;
- Date or time period when the breach occurred;
- Personal data involved in the breach;
- Steps were taken to reduce the risk of harm;
- Contact person.
Fines and penalties
Under PIPA Alberta, the penalty may arise when an individual/organization collects, uses or discloses personal data of the subjects in contravention of the law or when it attempts to gain and/or gains access to personal data; fails to comply with the order of the OIPC. Fine is also levied when an organisation takes adverse action against an employee who acted as a whistleblower and has exposed the undesirable working of the organisation.
An individual that commits such an offence as listed above is liable to pay a fine of up to $10,000 and such penalty for an organisation amounts up to $100,000. The same has been particularly described in Section 59 (2) of the Act.
Prevention of privacy breaches
Though the Act requires that an organisation follow reasonable policies and practices in order to meet its obligations, it does not specifically state or define such practices. Former FBI Director, Robert Mueller at the San Francisco cyber security conference remarked, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” This stresses the importance of the security system and the need to avoid even the most innocent of mistakes. The organisation needs to be diligent in how they handle and protect the personal data of the data subjects.
The organisations must undertake measures to implement reasonable practices to minimize the risk of a privacy breach. This includes disabling email address autofill; implementing office policies or industry-standard policies, as the case maybe, related to data retention and disposal; training the staff to ensure that they are aware of the policies; conducting regular cyber security tests to help identify risk scenarios and measures to mitigate the same and ensuring that appropriate security software safeguards are in place.
Conclusion
Entities are encouraged to report the privacy breach with the Commissioners, who may be able to guide them towards the most effective measures for mitigating the risk and ensuring compliance of the obligations of the Act. The entities need to keep the personal data of the subjects only for so long as may be required to fulfil the purpose for which it is collected, used or disclosed. They must retain the personal data only to comply with the business requirement and for legal purposes. When such purpose is fulfilled, and the data is no longer needed, it should either be destroyed or securely made anonymous.
References
- Section 34.1 of the Act – Personal Information Protection Act, Statutes of Alberta, 2003
- Privacy Breach Report Form – Office of the Information and Privacy Commissioner of Alberta
- Practice Note to Report Breaches to the Commissioner – Office of the Information and Privacy Commissioner of Alberta
- Section 19 of the Act – Personal Information Protection Act, Statutes of Alberta, 2003
- Office of the Information and Privacy Commissioner of Alberta – OPIC
- mandatory privacy breach reporting – Organisation responsibilities for protecting personal information
- Section 59 (2) of the Act – Personal Information Protection Act, Statutes of Alberta, 2003
- “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” – The Federal Bureau of Investigation – Speeches
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.