consider that there exists a real risk of significant harm to an
individual as a result of the incident. Typical privacy breaches
include loss or theft of electronic devices, human error (such
as misdirected communications), employee snooping, malicious
software and phishing attacks.
Where an organization is required under PIPA to provide
notice to the OIPC of a loss of or unauthorized access to or
disclosure of personal information, the OIPC may require the
organization to notify individuals to whom there is a real risk
of significant harm. PIPA grants the OIPC broad powers to
require organizations to provide any additional information
that the OIPC considers necessary to determine whether to
require the organization to notify individuals.
It is important to note that PIPA does not restrict an organization's
ability to notify individuals on its own initiative.
While the OIPC has an expedited process for reviewing
breach reports, the OIPC encourages organizations to immediately
notify affected individuals if the organization believes
that there exists a real risk of significant harm to the individual
as a result of the breach. If the organization chooses to do
so, the OIPC recommends that the organization should notify
the individuals in the form prescribed by the Regulation.
The OIPC recommends that a breach should be reported
to the OIPC as soon as possible even if all the information
that is to be provided in the notice is not yet known.
Additional information can be provided to the OIPC as it
becomes available.
The notice provided to the OIPC must be in writing,
and the organization must (to the extent that the
organization knows):
• describe the circumstances of the loss or unauthorized
access or disclosure;
• identify the time period during which it occurred;
• describe the personal information involved;
• assess the risk of harm to individuals as a result of the
loss or unauthorized access or disclosure;
• estimate the number of individuals to whom there is a
real risk of significant harm;
• describe the steps the organization has taken to reduce
the risk of harm to individuals;
• describe the steps undertaken to notify the affected
individuals; and,
• identify the name of and contact information of the
person at the organization who will be able to answer
any questions from the OIPC.
Where an organization is required to notify an individual,
the organization must give the notification directly to the individual,
and must (to the extent that the organization knows):
• describe the circumstances of the loss or unauthorized
access or disclosure;
• identify the time period during which it occurred;
• describe the personal information involved;
• describe the steps the organization has taken to reduce
the risk of harm; and,
• identify the name of and contact information of the
person at the organization who will be able to answer
any questions about the loss or unauthorized access or disclosure.
The notification to the individual may be given indirectly if the OIPC
determines that direct notification would be unreasonable in the circumstances.
The test for reporting a breach under
PIPA is whether a reasonable person
would consider that there exists a real
LEGAL
28 ALBERTA HEAVY 1 2019