New Procedures Introduced at the Office of the Information and Privacy Commissioner of Alberta

The Office of the Information and Privacy Commissioner of Alberta has revised procedures for handling access to information reviews and privacy complaints under FOIPPA, PIPA, and HIA. These changes aim to expedite processing times by clarifying issues early, simplifying the mediation process, and encouraging direct resolution between parties.

Streamlined Processes

The Office of the Information and Privacy Commissioner (OIPC) of Alberta has introduced modified procedures for access to information reviews and privacy complaints. These modified procedures apply to the Freedom of Information and Protection of Privacy Act (FOIPPA), the Personal Information Protection Act (PIPA) and the Health Information Act (HIA).

These changes are made with the goal of reducing OIPC file processing times. Anticipated changes include the following:

  • Clarification of issues by the OIPC at the outset of a review or complaint.
  • A more streamlined mediation process with less formality and increased direct communications between the OIPC and the parties.
  • A “refer-back” process to encourage resolution of issues between a complainant and the public body/organization/custodian (the “entity”) in certain circumstances, including where there is an issue with the entity’s adequacy of search [in response to an access request].

What does this mean for public bodies, organizations, and custodians?

The less formal approach to mediation may allow for quicker resolution of issues and encourage compromise where possible. More challenging and complex issues may still need to be directed towards a formal inquiry, but these procedures may help clear a backlog of files and shorten case resolution time. It will become important for public bodies or organizations to determine who will act as their “point person” for mediation. This individual should have the ability to make timely decisions on behalf of the entity to keep discussions on track during mediation.

PIPA Breach Notification Procedures

Effective April 1, 2024, changes have been made to the PIPA breach notification procedures. As required under s. 34.1 of PIPA, organizations must without unreasonable delay provide notice to the Privacy Commissioner of a privacy breach where there exists a real risk of significant harm to individuals affected by the breach (“affected individuals”). While organizations are not required under PIPA to notify the affected individuals at the same time, many organizations do so as part of their breach response.

Changes to the OIPC’s handling of PIPA breach notifications include the following:

  • Breach notification decisions from the Privacy Commissioner will not be issued for all breaches where a real risk of significant harm is present. Breach notification decisions will only be issued when an organization has not already notified affected individuals, or where their notification is deficient. Otherwise, organizations that have satisfied s. 34.1 will only receive a closing letter.
  • The OIPC will place priority on reported breaches that meet the criteria of s. 34.1 but where an organization has not already notified affected individuals, or where their notification is deficient.
  • The OIPC will no longer publish all breach notification decisions where a real risk of significant harm is present. Abridged decisions may be published at the discretion of the Privacy Commissioner.
  • New guidance documents and forms are available for organizations reporting a breach under PIPA.

What does this mean for organizations?

Self-reported breaches to the Privacy Commissioner have held steady over the last few years, and have in fact slightly decreased (313 in 2021-2022, 333 in 2020-2021 and 377 in 2019-2020). Organizations may have become more adept in assessing whether a breach meets the “real risk of significant harm” threshold.

When the threshold is met, organizations should continue to consider notifying affected individuals at the same time as the Privacy Commissioner to mitigate risk. It is unlikely that an organization would receive additional direction from the Privacy Commissioner if proper notification is completed. However, the Privacy Commissioner retains the right to investigate further if she chooses to do so.

If you need assistance navigating the new procedures for access to information reviews, privacy complaints, or breach notifications, contact Marc Yu in Edmonton, Kelly Nicholson in Calgary, or any member of Field Law's Privacy + Data Management Group.