Protecting personal information

What organizations must do

Holding personal information is a responsibility, and under PIPA organizations must take reasonable measures to protect personal information and personal employee information.

Reasonable security measures

PIPA requires organizations to take reasonable security measures against unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of information.

Organizations must develop policies and practices including those that protect personal information. These policies should be available in writing for an organization to provide to individuals, if requested. They should include information about how the organization handles and protects information in its care. For example:

  • Physical security, such as locked doors and alarms
  • Technological security, such as password protection and encryption on computers and mobile devices
  • Administrative security, such as confidentiality agreements and terms of use for information technology
  • How your organization will manage privacy breaches (see 'privacy breach reporting' section below)
  • How your organization will meet your breach notification requirements
  • How your organization processes access requests
  • How your organization responds to inquiries and complaints

Limiting the amount of personal information your organization collects in the first place makes security arrangements easier. Security should be appropriate to the level of sensitivity of the information.

PIPA violations

Anyone who believes an organization has violated PIPA may notify the organization and, if necessary, report it to the Office of the Information and Privacy Commissioner (OIPC)

Organizations cannot take action against employees who refuse to act in violation of PIPA or who report an alleged violation of PIPA.

There are offences and penalties if a person fails to comply with PIPA or deliberately contravenes it:

    • In the case of an individual, to a fine of not more than $10,000, and
    • In the case of a person other than an individual, to a fine of not more than $100,000.

Note: The term “individual” applies when the entity appears as a living, breathing human being. The term “person” is applicable when it appears as an entity that is a legal person; this includes individuals and corporations, and any other entities with personhood.

Using a service provider outside Canada

If an organization uses a service provider outside of Canada for the collection, use, or disclosure of personal information, your policies and practices must include:

    • the country where this is occurring or may occur
    • the purpose(s) for which the service provider is authorized to collect, use, or disclose the information
  • When an organization uses a service provider outside Canada to collect personal information, or transfers personal information directly or indirectly to a service provider outside Canada, the organization must notify the individual in writing or orally:
    • how they can obtain access to policies and practices with respect to the service provider; and
    • the name, position name or title of a person who is able to answer questions on behalf of the organization with respect to the service provider

Mandatory privacy breach reporting

When personal information is inappropriately collected, used, disclosed, stored, accessed or disposed of, it is a privacy breach and the responsible organization has failed in its responsibilities under PIPA.

The cost of a privacy breach includes:

  • “soft” costs like damage to brand and reputation that are hard to measure,
  • “hard” costs like staff hours spent fixing any problem that contributed to the breach, and
  • the out of pocket cost of litigation including claims that may arise for damages

Privacy breach reporting

The Office of the Information and Privacy Commissioner (OIPC) has many resources to assist an organization in determining what to do when there is an actual, suspected or alleged breach and also to understand how risk is assessed.

If an actual privacy breach occurs and a reasonable person would consider the breach poses a real risk of significant harm to individual(s), the organization must notify the OIPC. Reporting a breach to the OIPC is necessary even if only one individual is at risk.

A breach report to the OIPC must be in writing and include the following:

  • circumstances of the breach
  • date or time period when incident occurred
  • personal information involved
  • risk assessment of harm to individuals as a result
  • estimated number of individuals’ impacted
  • steps taken to reduce risk of harm
  • steps taken to notify impacted individuals
  • a contact person

The OIPC may require the organization to notify individuals. When notifying individuals, organizations need to provide the following directly to the individual:

  • circumstances of the breach
  • date or time period when incident occurred
  • personal information involved
  • steps taken to reduce risk of harm
  • a contact person

Accuracy, retention and destruction

Organizations need to keep personal information as accurate as is reasonable depending upon the purpose for which it is collected, used or disclosed. For example, if information is likely be outdated, an organization should take steps to ensure it is still valid.

Organizations must keep personal information only for as long as it is reasonable to carry out business or legal purposes. After it is no longer needed for those purposes, personal information should either be securely destroyed or made anonymous.


All persons reviewing Service Alberta’s Personal Information Protection Act site are reminded that it has no legislative sanction, and has been provided for guidance and convenience of reference only. The official Statutes and Regulations should be consulted for all purposes of interpreting and applying the law.