Privacy legislation in Alberta1Personal Information Protection Act, SA 2003, c P-6.5 [PIPA]; Health Information Act, RSA 2000, c H-5 [HIA]. requires that certain privacy breaches of individuals’ personal or health information be reported to the Information and Privacy Commissioner of Alberta (the “Commissioner”). Breach reporting to the Commissioner can be done using the Privacy Breach Report Form on the Commissioner’s website.
In many cases, entities will have additional reporting obligations for a privacy breach, including a duty to notify individuals affected by a privacy breach and/or a duty to notify the Minister of Health. This article will focus on the reporting of privacy breaches to the Commissioner; other legal obligations respecting privacy breaches will be discussed in future articles.
WHEN IS BREACH REPORTING REQUIRED?
Legal reporting obligations in Alberta are set out in the Personal Information Protection Act(“PIPA”) and the Health Information Act (“HIA”).
Under PIPA, reporting is mandatory where there is a real risk of significant harm to individual(s) as a result of the loss or unauthorized access or disclosure of personal information.2PIPA s. 34.1
Under HIA, reporting is mandatory where there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure of individually identifying health information.3HIA s. 60.1(2).
Public sector bodies governed by the Freedom of Information and Protection of Privacy Act4RSA 2000, c F-25 [FOIP](“FOIP”) are not required by law to report a privacy breach to the Commissioner. However, the Commissioner recommends that they report so the Commissioner can provide guidance for responding to the breach.
WHAT IS PERSONAL INFORMATION?
“Personal information” is information about an identifiable individual5PIPA s. 1(k), and can include an individual’s name, date of birth, address, account information, and email address.
WHAT IS INDIVIDUALLY IDENTIFYING HEALTH INFORMATION?
“Health information” is information about an individual’s:
- diagnosis, treatment and care, and/or
- registration information, which includes demographic information (including the individual’s personal health care number), location information, telecommunications information, residency information, health service eligibility information, and billing information.6HIA s. 1(1)(p)
“Individually identifying”, when used to describe health information, means that the identity of the individual who is the subject of the information can be readily ascertained from the information.7HIA ss. 1(1)(k), (u)
WHO DO THE LEGAL REPORTING OBLIGATIONS APPLY TO?
The mandatory reporting requirements for a privacy breach in Alberta apply to entities with individual personal or health information in their custody or control.
Primarily, these reporting obligations apply to:
- Private sector entities governed by PIPA, such as:
- a corporation,
- an unincorporated association,
- a trade union,
- a partnership, and
- an individual acting in a commercial capacity (not a personal capacity); and
- “Custodians” of health information, such as (not a complete list):
- the board of an approved hospital,
- the operator of a nursing home,
- an ambulance operator,
- a provincial health board,
- a regional health authority,
- a community health council,
- a licensed pharmacy, and
- a health services provider who is designated as a custodian (including physicians, chiropractors, dentists, dental hygienists, podiatrists, optometrists, registered nurses).
WHAT IS THE “CUSTODY” AND “CONTROL” OF PERSONAL INFORMATION?
“Custody” of personal information refers to entities that have physical possession of the information.8Commissioner Order F2002-014 at para. 13.
“Control” of personal information means an entity has the authority to manage (even partially) what is done with information, including restricting, regulating and administering its use, retention and disposition, and demanding the return of the information. Even if an entity does not have physical custody of personal information, it can still be considered to have control of the information.9Commissioner Order F2009-023 at para. 33: “[T]he word “custody” implies that there is some right or obligation to hold the information in one’s possession”.
Privacy laws will apply if an entity has either custody or control over personal/health information; it is not necessary for an entity to have both.
WHAT IS A PRIVACY BREACH?
According to the Commissioner, a privacy breach is defined as “a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information”.
Examples of a privacy breach include:
- Losing a physical copy of a client or patient file,
- The loss or theft of mobile devices with personal or client information on them (e.g. laptops, USB sticks),
- Misdirected communications with personal or health information (via email, fax or mail),
- Employee “snooping” of patient or customer records (unauthorized access to or misuse of customer or patient information by an employee),
- Hacking of computers, servers and websites,
- Malicious software (“malware”) attacks, including ransomware,
- Phishing or social engineering attacks,
- A failure to wipe hard drives of computers and other devices prior to being resold,
- Paper records being stolen from an employee’s vehicle, home or office, and
- The improper disposal of records or devices.
WHO IS RESPONSIBLE FOR REPORTING THE PRIVACY BREACH?
Under PIPA, the organization with control over the personal information is required to notify the Commissioner of a reportable breach without delay.10HIA, s. 60.1(2)
Under HIA, the custodian with custody or control of the health information is required to notify the Commissioner of a reportable breach as soon as practicable.11HIA, s. 60.1(2). An affiliate of the custodian is required to notify the custodian as soon as practicable of a breach of health information.12PIPA, s. 34.1.
WHAT ARE THE CONSEQUENCES FOR NOT REPORTING A BREACH?
Failure to notify the Commissioner of a reportable breach under PIPA or HIA is an offence under those laws.13HIA, s. 107(7).
If an individual, organization, custodian or affiliate is found guilty of not reporting a breach, the consequences can include:
- Under PIPA: an individual being subject to a fine up to $10,000, and an entity other than an individual being subject to a fine up to $100,000 (PIPA).14PIPA, s. 59(2).
- Under HIA: an individual being subject to a fine from $2,000 to $10,000, and an entity other than an individual being subject to a fine from $200,000 to $500,000.15PIPA, s. 59(1)(e.1), HIA, ss. 107(1.1), (1.2)
Carscallen LLP’s Privacy Expertise
Carscallen LLP’s Privacy Law Group advises private businesses, public sector entities and healthcare clients on compliance with their obligations under applicable national and provincial privacy laws, including Canada’s Anti-Spam Legislation (CASL), the Personal Information Protection Act of Alberta (PIPA), the Freedom of Information Protection Act of Alberta (FOIP), the Healthcare Information Act of Alberta (HIA), and the CRTC’s Unsolicited Telecommunications Rules.
We offer a full range of legal services in the area of Privacy Law, including advising employers on all workplace privacy issues and ensuring employees’ compliance with privacy laws. In the event of a privacy breach, we can advise and assist with an investigation, and mandatory or optional breach reporting to the relevant privacy regulatory authorities. If you have any questions about your business or organization’s compliance with its privacy law obligations, or you need advice on a potential or actual privacy breach, please contact a member from our Privacy Law group for more information.
- 1Personal Information Protection Act, SA 2003, c P-6.5 [PIPA]; Health Information Act, RSA 2000, c H-5 [HIA].
- 2PIPA s. 34.1
- 3HIA s. 60.1(2).
- 4RSA 2000, c F-25 [FOIP]
- 5PIPA s. 1(k)
- 6HIA s. 1(1)(p)
- 7HIA ss. 1(1)(k), (u)
- 8Commissioner Order F2002-014 at para. 13.
- 9Commissioner Order F2009-023 at para. 33: “[T]he word “custody” implies that there is some right or obligation to hold the information in one’s possession”.
- 10HIA, s. 60.1(2)
- 11HIA, s. 60.1(2).
- 12PIPA, s. 34.1.
- 13HIA, s. 107(7).
- 14PIPA, s. 59(2).
- 15PIPA, s. 59(1)(e.1), HIA, ss. 107(1.1), (1.2)