The Office of the Information and Privacy Commissioner of Alberta (OIPC) has recently implemented pivotal changes to its processes in order to improve operational efficiencies and reduce an existing backlog of cases.1 Effective April 1, 2024, these changes aim to streamline the handling of both privacy complaints and access request reviews under Alberta's three main privacy laws: the Health Information Act,2 the Personal Information Protection Act (PIPA),3 and the Freedom of Information and Protection of Privacy Act4 (FOIP Act) (collectively, the "Alberta Acts"). The reforms will also impact the OIPC's processing of privacy breach notifications under PIPA.

This bulletin provides an overview of the new procedural reforms and highlights the potential impacts and necessary adjustments for organizations.

Impetus for Change

In recent years, the OIPC has identified several areas for potential improvement in its processes. For example, in its 2022-23 Annual Report, the OIPC noted that although it closed 4,013 cases during the period covered by the report, nearly as many as it opened within such period (4,289), there was still a backlog of 3,534 cases that had to be carried forward from previous years.

In addition, a July 2022 report from the OIPC revealed that since 2012-2013, at least 80% of organizations had already notified affected individuals of a privacy breach under PIPA by the time the breach was reported to the OIPC. This demonstrated that the primary goal of the OIPC's breach notification process was often being met independently by organizations, suggesting an opportunity to streamline the OIPC's own processes.

The reforms announced by the OIPC last month seek to address both of these issues.

Revised Investigative Procedures

Prior Process

Previously, any individual dissatisfied with a response to any request to access or correct their own personal information under one of the Alberta Acts could directly ask for a review from the OIPC. Similarly, decisions by a public body to disclose personal or business information in response to a third-party access request under the FOIP Act were directly reviewable by the OIPC upon request. The OIPC refers to each of these as a "request for review". This open-door policy, while inclusive, contributed to the accumulating backlog of cases awaiting resolution.

New Process

As of April 1, 2024, where an individual's sole concern in a request for review is that the entity holds more responsive records than were processed in the request (an "adequate search concern"), an applicant who has not yet raised that concern directly with the relevant entity will generally be directed to do so, with supporting evidence. The entity will be allowed at least 30 working days to respond. If this internal review fails to resolve the issue, the OIPC will then consider whether further investigation is warranted.

Implications for Organizations

This change will generally give organizations an opportunity to resolve adequate search concerns without the potential time and expense of an OIPC investigation. However, organizations should update their processes for responding to adequate search concerns, and ensure that appropriate resources are dedicated to responding to such concerns in a timely manner, to reduce the risk that an unresolved complaint or delayed response could still result in regulatory intervention.

Privacy Complaint Adjustments

Prior Process

Any allegations of improper collection, use, or disclosure of personal or health information under one of the Alberta Acts could be directly submitted to the OIPC as a privacy complaint without prior engagement with the entity that was accused of mishandling the information.

New Process

A complainant will generally be required to provide the entity that is alleged to have contravened the relevant legislation with a "reasonable opportunity" to address the privacy complaint before the OIPC will accept the complaint. This requires the complainant to contact the entity directly, in writing, detailing their concerns. The entity will be allowed at least 30 working days to respond. If the matter remains unresolved after this direct engagement with the relevant entity, the complainant can re-submit their complaint to the OIPC.

Implications for Organizations

Again, overall, this is a positive development that may allow organizations to resolve individuals' privacy concerns without the need for OIPC involvement. To benefit from this change, organizations in Alberta should develop efficient and effective privacy complaint-handling procedures to manage and resolve issues so that they are less likely to be escalated to the OIPC.

Streamlined Processing of PIPA Breach Notifications

Prior Process

Under PIPA, a loss of or unauthorized access to or disclosure of personal information (a "breach") that gives rise to a real risk of significant harm (a "RROSH") to an individual must be reported to the OIPC, which can then order the organization to notify impacted individual(s) of the breach. Under the OIPC's old system, all decisions whereby an organization was required to notify impacted individuals of a breach were publicly posted on the OIPC's website, providing a transparent but exhaustive database of cases where the RROSH threshold was met.

New Process

The OIPC will no longer issue a formal Breach Notification Decision (a "BND") for every breach reported under PIPA that gives rise to a RROSH, nor publish every BND it does issue. Instead, the OIPC will issue a closing letter rather than a formal BND, except where affected individuals have not already been notified of the breach by the organization or where the organization's notification does not meet all of the requirements of the Personal Information Protection Act Regulation (the "Regulation").5 Furthermore, BNDs will be published at the discretion of the Commissioner, instead of as a matter of course.

Implications for Organizations

This is also a positive development for businesses, as most organizations prefer not to be named in a publicly available breach decision. As a result of this change, organizations that proactively notify individuals of a breach that gives rise to a RROSH and take appropriate steps to ensure that such notices comply with PIPA and the Regulation can focus more on internal compliance and less on the potential public repercussions of a published BND.

The OIPC's past practice of publishing its breach decisions has been helpful to organizations in some respects. In particular, if an organization experiences a breach and is not sure whether it meets the RROSH test, reviewing past cases can provide valuable insights into the OIPC's approach to applying that test. However, certain types of breaches are relatively common, and so in recent years many of the published decisions have been duplicative or repetitive such that it can be difficult to identify new guidance or novel circumstances.

The OIPC's past BNDs will remain accessible, and so they will continue to provide a resource for organizations that are unsure as to whether a breach is reportable. Furthermore, the OIPC has indicated that it will publish summaries and statistical information on its website, which will include information on novel or impactful incidents and trends.

Specialized Privacy Breach Notification Forms

Prior Process

A single form was used for notifying the OIPC of a privacy breach under any of the Alberta Acts.

New Process

Specific forms have been introduced for different statutes, with a new form designed exclusively for PIPA breach notifications that requires information in line with the Regulation.

Implications for Organizations

Organizations should familiarize themselves with the new forms and ensure that breach notifications are complete and compliant with the revised requirements. This change is intended to streamline the process and improve the quality of the information provided to the OIPC, reducing the likelihood of follow-up requests from the OIPC and speeding up the resolution process.

Navigating Forward

The introduction of these process changes by the OIPC signifies a move towards greater efficiency and effectiveness in handling privacy and access issues in Alberta. Although these changes are likely to be welcomed by many organizations in Alberta, to fully benefit from them, it may be necessary to enhance internal processes to ensure compliance with the applicable legislation.

For more insights into how these changes build on past experiences and challenges, refer to our bulletin on "Lessons Learned from Alberta's Office of the Information and Privacy Commissioner (OIPC) 11-Year Report". This resource provides a retrospective view and practical advice stemming from over a decade of data privacy oversight in Alberta.

McMillan's Privacy & Data Protection Group can help your organization to understand and comply with the Alberta Acts, and to navigate the OIPC's processes and procedures. Contact us today to learn how we can help you stay ahead of legal and regulatory changes!

Footnotes

1 OIPC implements two sets of process changes to improve efficiencies, reduce timelines and serve Albertans better – Office of the Information and Privacy Commissioner of Alberta
2 Health Information Act, RSA 2000, c H-5.
3 Personal Information Protection Act, SA 2003, c P-6.5.
4 Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25.
5 Personal Information Protection Act Regulation, Alta Reg 366/2003.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024