Lessons learned from the 11-year report of the Office of the Information and Privacy Commissioner (OIPC) in Alberta

Lessons learned from the 11-year report of the Office of the Information and Privacy Commissioner (OIPC) in Alberta

September 20 2022
Privacy Notice

5 the moment read

On May 1, 2010, Alberta became one of the first jurisdictions in North America to require organizations to notify affected individuals of privacy violations and to report those incidents to the OIPC in Alberta. This is legislated under section 34.1 of the Alberta Code Personal Information Protection Law[1] (“PIPA“), which requires organizations to notify the OIPC of any breach of privacy “involving loss of, unauthorized access to, or disclosure of personal information” when there is a “real risk of significant harm” (“you will live“) to an individual. After receiving a report of a breach, Section 37.1 of the Intellectual Property Protection Act (PIPA) gives the OIPC the authority to require the organization to notify individuals with a RROSH as a result of the breach. This notification requirement is set out in Section 19.1 of the Related Terms Regulations for the Protection of Personal Information Law[2] (The “PIPA . list“).

OIPC has reflected on its 11 year history by issuing the 2022 PIPA Breach Report[3] (The “a report‘), which summarizes the nearly 2,000 privacy breach reports reported to the OIPC between April 1, 2010 and March 31, 2021.

OIPC . Report

As indicated in the report, the OIPC received 1,977 breach reports over an 11-year period, and from these breach reports, the following decisions were made:

These violations have resulted in organizations sending millions of notices to affected individuals in the past 11 years, including 1,951,180 required notices under PIPA between April 1, 2020 and March 31, 2021 alone.

In determining the risk to an individual the breach poses, the OIPC considers the intent or cause of the breach, the type of personal information involved, whether the data is encrypted, and the length of time the data has been disclosed.

The OIPC report notes that nearly all of the reported RROSH violations included some basic contact information for affected individuals, such as phone numbers or postal addresses. However, most of the breaches involved identity, financial and employment information, resulting in the threat of identity theft, fraud, or financial loss. The report also notes a decrease in compromised medical information and an increase in compromised transaction information, such as purchase history, which could lead to increased exposure to identity theft and fraud.

The OIPC report notes that the industries most affected by violations of RROSH are the financial, retail and insurance industries, while the individuals most affected are the customers or clients of the organization, followed by its employees. For more information about employee violations, see our post Stop snooping: Alberta privacy commissioner finds results of employee snooping at real risk of harm.

the reasons

The most common cause of reported RROSH breaches was the penetration of electronic information systems by installing malware or ransomware, or by exploiting system vulnerabilities. Theft of physical documents, devices, or storage media was the second leading cause, and transmission errors through misdirected mail, emails, or faxes were the third most common.

While social engineering and phishing have been the fourth leading cause of RROSH breaches over the past decade, this vulnerability has recently become the second most common cause. As these attacks continue to spread, companies need to be vigilant about disclosing sensitive information to malicious actors posing as someone else, as well as ensuring that their employees do not collect this information from customers and co-workers (unless this information is required as part of their job or business operations) . For this reason, clear privacy policies and practices are essential.

The remaining causes of reported violations consist of faulty networks, unencrypted storage media, accidental release of personal information, and rogue personnel.

Detection and reporting

The report notes that organizations are taking an increasing number of days to detect and report violations of RROSH. The overall average timeline was 90 days for breach detection and 43 days for reporting it to the OIPC. The increased timeline may be due to the malicious nature of compromised electronic information systems, the growing popularity of retaining specialized third parties to help respond to breaches, and the growing number of other jurisdictions that require a breach report within a specific time frame. In comparison, PIPA does not stipulate any strict time frame for reporting.

Section 19 of the PIPA Regulations states that a report to the OIPC must be in writing and include the following information:

  • describe the circumstances of the breach;
  • The date or time period during which the breach occurred;
  • A description of the personal information included in the breach;
  • Assessment of the risk of harm to individuals due to the violation;
  • Estimate the number of individuals for whom there is an express repair center due to the violation;
  • A description of any steps the organization has taken to reduce the risk of harm to people;
  • A description of any steps the organization has taken to notify individuals of the violation; And the
  • The name and contact information of the person who can answer, on behalf of the organization, OIPC’s questions about the breach.

While PIPA does not provide any criteria for determining RROSH, the OIPC has provided many useful resources for organizations, including Key steps to take to respond to the breach And the Information on how to report a breach of privacy.


Overall, according to the OIPC, it took organizations an average of 43 days to notify affected individuals of a RROSH breach. In nearly all RROSH violations, organizations notified affected individuals directly through in-person meetings, telephone, mail, or email. The OIPC authorized indirect notification in 4% of these violations, often delivered using website posts, social media or traditional media when the organization does not have current contact information for some affected individuals.

Section 37.1 (7) of the Intellectual Property Protection Act (PIPA) states that an organization is not restricted to notifying individuals of its own initiative. Furthermore, Section 19.1 of the PIPA Regulation states that the notice must be sent directly to the individual and include:

  • describe the circumstances of the breach;
  • The date or time period during which the breach occurred;
  • A description of the personal information included in the breach;
  • A description of any steps the organization has taken to reduce the risk of harm; And the
  • The name and contact information of a person who can answer, on behalf of the organization, questions about the breach.

looking forward

With the rising number of data breaches constituting a rising RROSH rate each year, organizations should be aware of the requirements to report certain breaches to the OIPC and notify affected individuals immediately. Timely notifications are essential to mitigate the potentially devastating effects of compromised personal information.

It is important for companies to be prepared for a breach before it occurs so that they are prepared to take immediate action when they become aware of a breach. The OIPC echoes this warning by noting that proactive enforcement of safeguards is the most effective way to protect individuals from the potential harm of privacy breaches. The report recommends organizations to:

  • Implement regular and/or immediate security patches to networks, servers, and devices;
  • Subscribe to and review updates from cyber security agencies and other professionals to stay current on new threats and possible solutions to protect the organization’s IT infrastructure;
  • Regularly train employees to spot phishing or social engineering attempts; And the
  • Regularly train employees to protect personal information contained in notebook computers or paper documents.

If your organization has any questions about the report or how you can evaluate, develop and implement appropriate privacy and data protection policies and procedures to comply with applicable privacy laws and current PIPA requirements, a member of Privacy and data protection group Would be pleased to help.

by Julia LooneyAnd the Jordana IvanovicAnd the Kristen ShawStephen Johnson (summer law student)

[1] Personal Information Protection Law, c. P-6.5 2003.
[2] Regulation on the Protection of Personal Information Act, AB Reg 366/2003.
[3] Available online: PIPA-Breach-Report-2022.pdf (oipc.ab.ca).

cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned not to make any decisions based on this article alone. Instead, specific legal advice should be obtained.

© McMillan LLP 2022