Under PIPA, organizations must take reasonable measures to protect the personal information they hold.
Holding personal information is a responsibility, and under the Personal Information Protection Act (PIPA) organizations must take reasonable measures to protect personal information and personal employee information.
PIPA requires organizations to take reasonable security measures against unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of information.
Organizations must develop policies and practices including those that protect personal information. These policies should be available in writing for an organization to provide to individuals, if requested. They should include information about how the organization handles and protects information in its care. For example:
Limiting the amount of personal information your organization collects in the first place makes security arrangements easier. Security should be appropriate to the level of sensitivity of the information.
Anyone who believes an organization has violated PIPA may notify the organization and, if necessary, report it to the Office of the Information and Privacy Commissioner (OIPC).
Organizations cannot take action against employees who refuse to act in violation of PIPA or who report an alleged violation of PIPA.
If a person fails to comply with PIPA or deliberately contravenes it, there are offences and penalties:
The term "individual" applies to a living, breathing human being. The term "person" applies to an entity that is a legal person. This includes individuals, corporations, and any other entities with personhood.
If an organization uses a service provider outside of Canada for the collection, use, or disclosure of personal information, its policies and practices must include:
When an organization uses a service provider outside Canada to collect personal information, or transfers personal information directly or indirectly to a service provider outside Canada, the organization must notify the individual in writing or orally:
The Office of the Information and Privacy Commissioner (OIPC) has many resources to assist an organization in determining what to do when there is an actual, suspected or alleged breach and also to understand how risk is assessed.
If an actual privacy breach occurs and a reasonable person would consider the breach to pose a real risk of significant harm to individual(s), the organization must notify the OIPC. Reporting a breach to the OIPC is necessary even if only one individual is at risk.
A breach report to the OIPC must be in writing and include the following:
The OIPC may require the organization to notify individuals. When notifying individuals, organizations need to provide the following directly to the individual:
Organizations need to keep personal information as accurate as is reasonable depending upon the purpose for which it is collected, used or disclosed. For example, if information is likely to be outdated, an organization should take steps to ensure it is still valid.
Organizations must keep personal information only for as long as it is reasonable to carry out business or legal purposes. After it is no longer needed for those purposes, personal information should either be securely destroyed or made anonymous.
Disclaimer
All persons reviewing Service Alberta’s Personal Information Protection Act site are reminded that it has no legislative sanction, and has been provided for guidance and convenience of reference only. The official Statutes and Regulations should be consulted for all purposes of interpreting and applying the law.
Connect with the FOIP-PIPA HelpDesk:
Hours: 8:15 am to 4:30 pm (open Monday to Friday, closed statutory holidays)
Phone: 780-427-5848
Toll free: 310-0000 before the phone number (in Alberta)
For issues related to trade unions other than PIPA, contact Alberta Labour Relations Board:
Toll-free: 1-800-463-2572