This form is to be used by an organization that is notifying the Information and Privacy Commissioner (the Commissioner) of a privacy breach under section 34.1 of the Personal Information Protection Act (PIPA).
An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure (section 34.1).
Notice to the Commissioner must meet the requirements of section 19 of the PIPA Regulation. This form assists Organizations with notifying the Commissioner in accordance with section 19 of the PIPA Regulation.
Before completing this form, please read the Guidance for Notifying the Commissioner about a Privacy Breach under PIPA, and the OIPC PIPA Privacy Breach Process.
Please Note: Individuals (members of the public) should not use this form. Individuals who believe their personal information has been lost or improperly collected, used, disclosed, or accessed by an organization may file a complaint with the Office of the Information and Privacy Commissioner of Alberta (“OIPC”) using the Request for Review and Privacy Complaint Form.
Custodians as defined in the Health Information Act (HIA) notifying the Commissioner of a breach have different notification obligations, and must use the appropriate form available on the OIPC website, under the heading Mandatory and Self-Reported Breach Forms.
For general information about responding to a privacy breach, please contact the OIPC by telephone at (780) 422-6860, toll free at 1-888-878-4044, or by email at generalinfo@oipc.ab.ca.
Contacting the OIPC does not mean that an organization has fulfilled its legal obligation to notify the Commissioner about a privacy breach. Notification to the Commissioner about a privacy breach must meet the requirements of section 19 of the PIPA Regulation. Information provided by the OIPC does not constitute legal advice and is not binding on the Commissioner.
Completing this form will take between 30 minutes and an hour, depending on the circumstances of the privacy breach and whether the required information is immediately available.
To complete this form, an understanding of the privacy breach is necessary, including:
Identify the types of personal information and list the data elements involved.
Describe the Organization’s assessment that a real risk of significant harm exists as a result of the privacy breach.
The existence of a real risk of significant harm must be more than mere speculation or conjecture. There must be a cause-and-effect relationship between the breach and the harm.
(e.g., the likelihood of harm resulting from this incident is increased because the personal information was compromised due to the malicious action of a threat actor.)
Upload a copy of the notice given directly to individuals
Submitting to the Commissioner
It is recommended that you download and save a copy of this form prior to clicking submit. If you are unable to submit the form electronically, contact generalinfo@oipc.ab.ca.