PIPA Privacy Breach Notification Form

1. Intro to PIPA
2. Section A: Information of Organization and Notifying Entity
3. Section B: Breach Description
4. Section C: Significant Harm
5. Section D: Notice to Affected Individuals
6. Section E: Provide any Additional Relevant Information Regarding the Privacy Breach
7. Section F: Submitting to the Commissioner

This form is to be used by an organization that is notifying the Information and Privacy Commissioner (the Commissioner) of a privacy breach under section 34.1 of the Personal Information Protection Act (PIPA).

An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure (section 34.1).

Notice to the Commissioner must meet the requirements of section 19 of the PIPA Regulation. This form assists organizations with notifying the Commissioner in accordance with section 19 of the PIPA Regulation.

Before completing this form, please read the Guidance for Notifying the Commissioner about a Privacy Breach under PIPA, and the OIPC PIPA Privacy Breach Process.

Please Note: Individuals (members of the public) should not use this form. Individuals who believe their personal information has been lost or improperly collected, used, disclosed, or accessed by an organization may file a complaint with the Office of the Information and Privacy Commissioner of Alberta (“OIPC”) using the Request for Review and Privacy Complaint Form.

Custodians as defined in the Health Information Act (HIA) notifying the Commissioner of a breach have different notification obligations, and must use the appropriate form available on the OIPC website, under the heading Mandatory and Self-Reported Breach Forms.

For general information about responding to a privacy breach, please contact the OIPC by telephone at (780) 422-6860, toll free at 1-888-878-4044, or by email at generalinfo@oipc.ab.ca.

Contacting the OIPC does not mean that an organization has fulfilled its legal obligation to notify the Commissioner about a privacy breach. Notification to the Commissioner about a privacy breach must meet the requirements of section 19 of the PIPA Regulation. Information provided by the OIPC does not constitute legal advice and is not binding on the Commissioner.

Time

Completing this form will take between 30 minutes and an hour, depending on the circumstances of the privacy breach and whether the required information is immediately available.

Required Information

To complete this form, an understanding of the privacy breach is necessary, including:

  • The circumstances and nature of the privacy breach
  • Dates or time period during which the privacy breach occurred
  • What personal information was involved
  • The number of affected individuals
  • An understanding of potential harms to affected individuals (e.g., fraud, identity theft)
  • An assessment that there exists a real risk of significant harm (RROSH) to affected individuals as a result of the incident
  • An understanding of the steps the organization has taken to reduce risk of harm
  • An understanding of what the organization has done to notify individuals of the privacy breach, including a sample copy of any notices given to individuals, and
  • Contact information for a person who can answer any questions the OIPC may have.