
Report a privacy incident (public bodies)

Public bodies must protect personal information under their control from unauthorized access, use, collection, disclosure or destruction.

Overview

Public bodies must manage and protect personal information in their custody or under their control.

A public body has 'custody' of a record or information when it is in the physical possession of the public body.

A record or information is under the 'control' of a public body when the public body has the authority to manage it, including restricting, regulating and administering its use, disclosure or disposition.

A privacy incident occurs when there is unauthorized access, collection, use, disclosure, destruction or loss of personal information held by a public body.

Report a privacy incident

Where there exists a real risk of significant harm to an individual because of the privacy incident, POPA requires a public body to give notice of the incident in writing to the:

  • impacted individual(s)
  • Information and Privacy Commissioner (report a privacy breach)
  • minister responsible for this act (the Minister of Technology and Innovation)

Privacy incident notification to Alberta’s Minister of Technology and Innovation

Under section 10(2) of the Protection of Privacy Act (POPA), public bodies are required to notify the Minister of Technology and Innovation, without any unreasonable delay, of any loss of, unauthorized access to, or unauthorized disclosure of personal information in their custody or control, where there exists a real risk of significant harm to an individual as a result of a privacy incident. This reporting form is based on section 4(5) of the Protection of Privacy (Ministerial) Regulation, which outlines the specific information that must be included in such a notification.

Note that the public body remains responsible for all other POPA-required notifications, including those to the Office of the Information and Privacy Commissioner and to all impacted individuals.

Public body contact information
Privacy incident description
Note: Do not include names or personally identifying information associated with the incident.
Date (or date range) incident occurred (or thought to have occurred)
Description of privacy incident (check all that apply)
Types of personal information involved (check all that apply)
Number of, or estimated number of, individuals for whom there is a real risk of significant harm as a result of the privacy incident
Has the breach been fully contained?
Have the impacted individual(s) been notified?
Has the Office of the Information and Privacy Commissioner (OIPC) been notified?