The Office of the Information and Privacy Commissioner
of Alberta has revised procedures for handling access to
information reviews and privacy complaints under FOIPPA, PIPA, and
HIA. These changes aim to expedite processing times by clarifying
issues early, simplifying the mediation process, and encouraging
direct resolution between parties.
Streamlined Processes
The Office of the Information and Privacy Commissioner (OIPC) of
Alberta has introduced modified procedures for access to
information reviews and privacy complaints. These modified
procedures apply to the Freedom of Information and Protection
of Privacy Act (FOIPPA), the Personal Information
Protection Act (PIPA) and the Health Information Act
(HIA).
These changes are made with the goal of reducing OIPC file
processing times. Anticipated changes include the following:
- Clarification of issues by the OIPC at the outset of a review
or complaint.
- A more streamlined mediation process with less formality and
increased direct communications between the OIPC and the
parties.
- A “refer-back” process to encourage resolution of
issues between a complainant and the public
body/organization/custodian (the “entity”) in certain
circumstances, including where there is an issue with the
entity’s adequacy of search [in response to an access
request].
What does this mean for public bodies, organizations, and
custodians?
The less formal approach to mediation may allow for quicker
resolution of issues and encourage compromise where possible. More
challenging and complex issues may still need to be directed
towards a formal inquiry, but these procedures may help clear a
backlog of files and shorten case resolution time. It will become
important for public bodies or organizations to determine who will
act as their “point person” for mediation. This
individual should have the ability to make timely decisions on
behalf of the entity to keep discussions on track during
mediation.
PIPA Breach Notification Procedures
Effective April 1, 2024, changes have been made to the PIPA
breach notification procedures. As required under s. 34.1 of PIPA,
organizations must without unreasonable delay provide notice to the
Privacy Commissioner of a privacy breach where there exists a real
risk of significant harm to individuals affected by the breach
(“affected individuals”). While organizations are not
required under PIPA to notify the affected individuals at the same
time, many organizations do so as part of their breach
response.
Changes to the OIPC’s handling of PIPA breach notifications
include the following:
- Breach notification decisions from the Privacy Commissioner
will not be issued for all breaches where a real risk of
significant harm is present. Breach notification decisions will
only be issued when an organization has not already notified
affected individuals, or where their notification is deficient.
Otherwise, organizations that have satisfied s. 34.1 will only
receive a closing letter.
- The OIPC will place priority on reported breaches that meet the
criteria of s. 34.1 but where an organization has not already
notified affected individuals, or where their notification is
deficient.
- The OIPC will no longer publish all breach notification
decisions where a real risk of significant harm is present.
Abridged decisions may be published at the discretion of the
Privacy Commissioner.
- New guidance documents and forms are available
for organizations reporting a breach under PIPA.
What does this mean for organizations?
Self-reported breaches to the Privacy Commissioner have held
steady over the last few years, and have in fact slightly decreased (313 in 2021-2022, 333 in
2020-2021 and 377 in 2019-2020). Organizations may have become more
adept in assessing whether a breach meets the “real risk of
significant harm” threshold.
When the threshold is met, organizations should continue to
consider notifying affected individuals at the same time as the
Privacy Commissioner to mitigate risk. It is unlikely that an
organization would receive additional direction from the Privacy
Commissioner if proper notification is completed. However, the
Privacy Commissioner retains the right to investigate further if
she chooses to do so.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.