Holding personal information is a responsibility, and under the Personal Information Protection Act (PIPA) organizations must take reasonable measures to protect personal information and personal employee information.

Reasonable security measures

PIPA requires organizations to take reasonable security measures against unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of information.

Organizations must develop policies and practices including those that protect personal information. These policies should be available in writing for an organization to provide to individuals, if requested. They should include information about how the organization handles and protects information in its care. For example:

  • physical security, such as locked doors and alarms
  • technological security, such as password protection and encryption on computers and mobile devices
  • administrative security, such as confidentiality agreements and terms of use for information technology
  • how your organization will manage privacy breaches (see the privacy breach reporting section below)
  • how your organization will meet your breach notification requirements
  • how your organization processes access requests
  • how your organization responds to inquiries and complaints

Limiting the amount of personal information your organization collects in the first place makes security arrangements easier. Security should be appropriate to the level of sensitivity of the information.

PIPA violations

Anyone who believes an organization has violated PIPA may notify the organization and, if necessary, report it to the Office of the Information and Privacy Commissioner (OIPC).

Organizations cannot take action against employees who refuse to act in violation of PIPA or who report an alleged violation of PIPA.

If a person fails to comply with PIPA or deliberately contravenes it, there are offences and penalties:

  • in the case of an individual, a fine of not more than $10,000
  • in the case of a person other than an individual, a fine of not more than $100,000

The term “individual” applies when the entity is a living, breathing human being. The term “person” applies when the entity is a legal person. This includes individuals and corporations, and any other entities with personhood.

Using a service provider outside Canada

If an organization uses a service provider outside of Canada for the collection, use, or disclosure of personal information, its policies and practices must include:

  • the country where this is occurring or may occur
  • the purpose(s) for which the service provider is authorized to collect, use, or disclose the information

When an organization uses a service provider outside Canada to collect personal information, or transfers personal information directly or indirectly to a service provider outside Canada, the organization must notify the individual, in writing or orally, of:

  • how they can obtain access to policies and practices with respect to the service provider
  • the name, position name or title of a person who is able to answer questions on behalf of the organization with respect to the service provider

Mandatory privacy breach reporting

The Office of the Information and Privacy Commissioner (OIPC) has many resources to assist an organization in determining what to do when there is an actual, suspected or alleged breach and also to understand how risk is assessed.

If an actual privacy breach occurs and a reasonable person would consider the breach to pose a real risk of significant harm to individual(s), the organization must notify the OIPC. Reporting a breach to the OIPC is necessary even if only one individual is at risk.

A breach report to the OIPC must be in writing and include the following:

  • circumstances of the breach
  • date or time period when incident occurred
  • personal information involved
  • risk assessment of harm to individuals as a result
  • estimated number of individuals impacted
  • steps taken to reduce risk of harm
  • steps taken to notify impacted individuals
  • a contact person

The OIPC may require the organization to notify individuals. When notifying individuals, organizations need to provide the following directly to the individual:

  • circumstances of the breach
  • date or time period when incident occurred
  • personal information involved
  • steps taken to reduce risk of harm
  • a contact person

Accuracy, retention and destruction

Organizations need to keep personal information as accurate as is reasonable depending upon the purpose for which it is collected, used or disclosed. For example, if information is likely to be outdated, an organization should take steps to ensure it is still valid.

Organizations must keep personal information only for as long as it is reasonable to carry out business or legal purposes. After it is no longer needed for those purposes, personal information should either be securely destroyed or made anonymous.


All persons reviewing Service Alberta’s Personal Information Protection Act site are reminded that it has no legislative sanction, and has been provided for guidance and convenience of reference only. The official Statutes and Regulations should be consulted for all purposes of interpreting and applying the law.


Connect with the FOIP/PIPA help desk to ask questions about the collection, use, disclosure and privacy of information within Alberta.