New Procedures Introduced At The Office Of The Information And Privacy Commissioner Of Alberta – Privacy Protection



The Office of the Information and Privacy Commissioner
of Alberta has revised procedures for handling access to
information reviews and privacy complaints under FOIPPA, PIPA, and
HIA. These changes aim to expedite processing times by clarifying
issues early, simplifying the mediation process, and encouraging
direct resolution between parties.

Streamlined Processes

The Office of the Information and Privacy Commissioner (OIPC) of
Alberta has introduced modified procedures for access to
information reviews and privacy complaints. These modified
procedures apply to the Freedom of Information and Protection
of Privacy Act (FOIPPA), the Personal Information Protection Act
(PIPA) and the Health Information Act (HIA).

These changes are made with the goal of reducing OIPC file
processing times. Anticipated changes include the following:

  • Clarification of issues by the OIPC at the outset of a review
    or complaint.

  • A more streamlined mediation process with less formality and
    increased direct communications between the OIPC and the
    parties.

  • A “refer-back” process to encourage resolution of
    issues between a complainant and the public
    body/organization/custodian (the “entity”) in certain
    circumstances, including where there is an issue with the
    entity’s adequacy of search [in response to an access
    request].

What does this mean for public bodies, organizations, and
custodians?

The less formal approach to mediation may allow for quicker
resolution of issues and encourage compromise where possible. More
challenging and complex issues may still need to be directed
towards a formal inquiry, but these procedures may help clear a
backlog of files and shorten case resolution time. It will become
important for public bodies or organizations to determine who will
act as their “point person” for mediation. This
individual should have the ability to make timely decisions on
behalf of the entity to keep discussions on track during
mediation.

PIPA Breach Notification Procedures

Effective April 1, 2024, changes have been made to the PIPA
breach notification procedures. As required under s. 34.1 of PIPA,
organizations must without unreasonable delay provide notice to the
Privacy Commissioner of a privacy breach where there exists a real
risk of significant harm to individuals affected by the breach
(“affected individuals”). While organizations are not
required under PIPA to notify the affected individuals at the same
time, many organizations do so as part of their breach
response.

Changes to the OIPC’s handling of PIPA breach notifications
include the following:

  • Breach notification decisions from the Privacy Commissioner
    will not be issued for all breaches where a real risk of
    significant harm is present. Breach notification decisions will
    only be issued when an organization has not already notified
    affected individuals, or where their notification is deficient.
    Otherwise, organizations that have satisfied s. 34.1 will only
    receive a closing letter.

  • The OIPC will place priority on reported breaches that meet the
    criteria of s. 34.1 but where an organization has not already
    notified affected individuals, or where their notification is
    deficient.

  • The OIPC will no longer publish all breach notification
    decisions where a real risk of significant harm is present.
    Abridged decisions may be published at the discretion of the
    Privacy Commissioner.

  • New guidance documents and forms are available
    for organizations reporting a breach under PIPA.

What does this mean for organizations?

Self-reported breaches to the Privacy Commissioner have held
steady over the last few years, and have in fact slightly decreased (313 in 2021-2022, 333 in
2020-2021 and 377 in 2019-2020). Organizations may have become more
adept in assessing whether a breach meets the “real risk of
significant harm” threshold.

When the threshold is met, organizations should continue to
consider notifying affected individuals at the same time as the
Privacy Commissioner to mitigate risk. It is unlikely that an
organization would receive additional direction from the Privacy
Commissioner if proper notification is completed. However, the
Privacy Commissioner retains the right to investigate further if
she chooses to do so.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
