Reporting a Data Breach in the Province of Alberta

Reporting a Data Breach in the Province of Alberta

Data breaches continue to make waves across all industries while dominating headlines across the world. While more businesses and organizations are placing a greater emphasis on cybersecurity, cyberattacks and data breaches are still occurring.

One privacy breach can result in the collection and disclosure of sensitive information that belongs to individuals around the world. Whether it’s through human error, cybercriminals, malware, etc., sensitive information is being exposed every day.

There are legal and compliance requirements in Calgary and throughout Southern Alberta that require particular privacy breaches to be swiftly addressed, and a report should be made to the Office of Information and Privacy Commissioner of Alberta. Individuals and entities can report privacy breaches online.

There will be cases when an entity will have to fulfill more reporting obligations for a privacy breach. According to 60.1(3) of HIA, entities are obligated to alert the individual or individuals who have been impacted by the privacy breach. In some cases, the Minister of Health will also need to be alerted to the privacy breach.

The Definition of a Privacy Breach

According to the Office of the Information and Privacy Commissioner of Alberta, a privacy breach takes place when there is ”a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information.”

What can cause a privacy breach?

One of the most common sources of privacy breaches is the loss or theft of mobile devices that have personal information on them. Other sources of privacy breaches include, but are not limited to, the following:

• Paper records that are lost or stolen
• Failure to properly clear a hard drive before it is discarded or resold
• Ransomware attacks
• Hacking
• Unauthorized access to personal information or health information
• Failure to properly dispose of records

Reporting A Privacy Breach

In Calgary and throughout Southern Alberta, privacy breach reporting requirements are established in two separate acts, the Personal Information Protection Act(PIPA) and the Health Information Act(HIA).

Under the Personal Information Protection Act, privacy breach reporting is required whenever there is an occurrence of a “real risk of significant harm” to an individual or individuals as a result of the ”loss of unauthorized access or disclosure.”

Under the Health Information Act, the completion of a Privacy Breach report is required in the event there is a ”risk of harm to an individual as a result of the loss or unauthorized access or disclosure of individually identifying health information.”

Public bodies that operate under the Freedom of Information and Protection Privacy Act (FOIP) are not required by law to inform the Commissioner there has been a privacy breach.

However, given the serious nature of privacy breaches of any type, the Office of the Information and Privacy Commissioner of Alberta does advise public bodies to report privacy breaches so the Commissioner can be of assistance in response to the privacy breach.

Personal Information

The Personal Information Protection Act and the Health Information Act define personal information as ”recorded information about a specific individual” and include a list of examples of personal information, including:

• The individual’s name when combined with more identifying information
• Age
• Account information
• Gender

Information can be recorded in any format, such as electronic documents, paper documents, video, etc.

Individually Identifying Health Information

Individually identifying health information is a subset of health information. This means the identity of the individual to whom the information belongs can be easily discovered from the information that has been collected and accessed.

Under the Health Information Act, an individual’s health information in any form includes:

• Physical records, electronic records, and spoken information
• Registration information
• An individual’s diagnosis, treatment, care, etc.

Who Must Report A Privacy Breach?

In the Province of Alberta, organizations, health custodians, public bodies, and all entities that have individuals’ personal information and/or health information are all required to report privacy breaches.

The mandatory reporting obligations apply to entities governed by the Personal Information Protection Act (PIPA), including(but not limited to) the following:

•  inCorporations, Partnerships
• Professional regulatory associations, Unincorporated associations
• Trade unions
• Private schools or colleges

Examples of custodians of health information as defined in the Health Information Act include the following:

• Health services providers
• Boards, agencies, committees, etc.
• An ambulance operator
• An operator of a nursing home as defined in the Nursing Homes Act
• A licensed pharmacy as defined in the Pharmacy and Drug Act
• A Regional Health Authority established under the Regional Health Authorities Act

Who is responsible for submitting the privacy breach report?

According to the Personal Information Protection Act, the organization with control of the individual(s) personal information is required to notify the Commissioner of reportable breaches without delay.

According to the Health Information Action, custodians are required to notify the Commissioner of a reportable breach ”as soon as practicable.” In addition to notifying the Commissioner, the custodian is also required to notify impacted individuals and the Minister of Health.

What If A Privacy Breach Is Not Reported?

Individuals who have their personal or health information lost or improperly collected deserve to know. Failure of organizations, custodians, affiliates, to report any privacy breach is an offence and can result in fines.

Under the Personal Information Protection Act, any person who fails to comply with the reporting obligations can face the following consequences:

• An individual: a fine of not more than $10,000
• An entity other than an individual: a fine of not more than $100,000

Under the Health Information Act, any person who fails to comply with the reporting obligations can face the following consequences:

• An individual: a fine ranging from $2,000-$10,000
• An organization: a fine ranging from $200,000-$500,000

With a privacy breach, the consequences are more than just fines and penalties. Individuals’ sensitive information can be collected and exposed. Individuals trust businesses, individuals, and organizations with their data, and they never want to find out their information has been compromised. Regardless of your industry and the size of your operations, privacy breaches can occur to anyone at any time.

For businesses and organizations in Calgary and throughout Southern Alberta, the rise in cyber threats and attacks mean that each business or organization knows that a data breach could happen to them. For every business, it is no longer a question of ”if a privacy breach happens”, but ”when a privacy breach happens”. This should be an indicator of how serious privacy breaches can be and how impactful they can be.

Preparation is crucial. Everything does not always pan out the way we planned, but planning along with preparation will be important. It is essential to always be prepared and ready when a privacy breach occurs. People should be educated on key subjects, such as how to report a data breach in the Province of Alberta.

More businesses and organizations are finding themselves at a greater risk of becoming a victim of a breach because they are not fully aware of the consequences. Businesses and organizations that are unaware of the consequences will often lack the proper protocols and strategies because they feel they are unnecessary or that their risks can easily be mitigated. Data breaches can lead to loss of confidential data, financial loss, significant downtime, a damaged reputation, and legal action.

Today, every business and organization needs to be prepared for the occurrence of privacy breaches. There needs to be an effective cybersecurity and security strategy in place to protect individual’s personal information and health information.

At CTECH Consulting Group, we are here to educate and advise businesses and organizations on services that are needed to transform their operations. If a business or organization does experience a privacy breach, regardless of how small or major the breach may seem, immediate action needs to be taken. Our experts are available to guide your business or organization step-by-step.

Do you want to learn more about privacy breaches and the mandatory or optional reporting requirements for your industry? Are you a concerned business owner who wants to discuss your cybersecurity needs with CTECH? Please do not hesitate to contact us for your free consultation at (403) 457-1478.

Written by Carl Fransen

posted on June 27, 2021

Carl Fransen

My passion is to make my mark on the world in a positive and lasting way. I want to set an example for my son that his father can compete with integrity in today’s world, be very successful, and leave the world a better place for him.

Combining my technical/business-based education with a long career steadily progressing up the corporate ladder, I decided to build a company that held true to my values. So, I founded and designed the next generation of IT support firm: CTECH Consulting Group Inc. We are a completely automated, cloud-based IT company designed to compete against any other IT firm without the overhead. We promote a lifestyle to all our staff where they can work anywhere, at any time, access any information on any device that is relevant to their job, and collaborate with anyone they want to.