Alberta has become the first province to add a data breach notification requirement into its legislation. The new measures were added into its Personal Information Protection Act (PIPA) on May 1 and are now law.
The new measures flow from the Personal Information Protection Amendment Act 2009 (Bill 54), which received Royal Assent late last year. The amendment requires organizations to notify individuals who are placed at risk by a security breach, outlining the circumstances of the breach, the time period during which it occurred, and the personal information that was lost. Organizations must also report this information to the Alberta Privacy Commissioner, along with an assessment of the risk of harm to individuals and an estimate of how many are likely to be affected. Companies must outline what they have done to reduce the risk of harm and to notify the victims.
The Canadian government has done little to mandate data breach notification at a federal level. A set of guidelines on dealing with these breaches was published in late 2007 by the federal privacy commissioner. However, these were voluntary and are not legally enforceable. Should such rules become enforceable, they would likely be included as amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect in 2004.
However, PIPEDA is displaced by provincial law where a province has enacted legislation that is substantially similar to the federal act. Currently, Alberta and British Columbia have personal information protection acts, while Québec has an older statute. Ontario also has a personal information protection act, but it pertains purely to health care information.
Erika Ringseis, an associate in the Calgary Labour and Employment Group at legal firm McCarthy Tétrault, said that the Alberta amendment is likely to have a significant impact on data breach notification practice across the country.
"This is now going to be the standard, the way things are done," she said, arguing that companies were already accepting data breach best practice guidelines in Alberta anyway. If a national business operates in Alberta at all, the amended legislation will effectively set the baseline for that organization's activities across the country. "What has been slowly happening in any regard is now going to be done on a larger scale."
Bill 54 also imposes requirements on companies transferring Alberta residents' personal information outside the country. They are now required to inform those residents before doing so, and to provide contact details for an individual who can answer questions about the privacy of their information. They are not required to obtain consent from the individuals concerned. Nevertheless, the requirement will have ramifications for any company using foreign contact centers for customer service purposes, for example.