Photo 125228233 © Daniil Peshkov | Dreamstime.com

By rdnewsNOW Staff

11 Years Of Data

Decade of privacy breaches analyzed in Commissioner’s report

Jul 28, 2022 | 1:34 PM

The Alberta government says the Office of the Information and Privacy Commissioner (OIPC) released a report on July 27, 2022, that analyzes nearly 2,000 breaches reported in the province over 11 years.

In May 2010, officials note that requirements to report certain breaches to the OIPC and notify affected individuals came into force under Alberta’s Personal Information Protection Act (PIPA). The report analyzes PIPA breaches from 2010-11 to 2020-21.

Government officials say data show that organizations sent millions of notifications to people affected by breaches since the requirements came into force. The leading reason for notification to an affected individual has been unauthorized access to personal information, most often caused by a compromised electronic information system, such as the installation of malware or ransomware.

The report offers guidance to help organizations and law firms specializing in privacy law decide whether there is a real risk of significant harm (RROSH) to an affected individual as a result of a breach. RROSH is described as the legal threshold under PIPA for reporting breaches. In particular, the executive summary of the report lists criteria on when the Commissioner decided there was RROSH or No RROSH, and why there was a no jurisdiction finding in some cases.

Based on information submitted by organizations when reporting a breach, the report analyzes how long it takes organizations to discover breaches, notify individuals and report to the OIPC. It also looks at whether malicious intent or deliberate action was involved in a breach, types of harm, types of personal information, reporting industries, among other data.

Saturday and Sunday

AHS reports temporary closure to Sylvan Lake Advanced Ambulatory Care Service

Jan 05, 2025

LAST SEEN DECEMBER 30, 2024

Missing: Peyton Chilton, 15, of Red Deer

Jan 03, 2025

road safety

Red Deer Photo radar locations for January 2025

Jan 03, 2025

Hypothetical scenarios in the report comparing “typical” RROSH and No RROSH breaches between breaches analyzed in 2010-11 and 2020-21 show how breaches have changed over time.

Alberta became one of the first North American jurisdictions to require organizations to notify individuals affected by breaches, and to report those incidents to the OIPC. Provincial officials say the Commissioner was also given the power under PIPA to require organizations to notify an affected individual when the Commissioner determines there is a real risk of significant harm to the affected individual as a result of a breach.

“Organizations face constant challenges in preventing and responding to breaches, and this report shows how dynamic privacy and security management has become. The legal mechanisms have remained the same but the administrative and technical aspects require regular reviews and updates,” said Jill Clayton, Information and Privacy Commissioner.

“Digital realities underscore the need for regular privacy and security training for staff in all industries and for diligence in performing security updates to IT infrastructure. Beyond digital privacy and security management, it is also important for organizations to remind staff regularly, about not leaving work products in vehicles and to triple check addresses when sending mail or email containing personal information.

“As my term as Commissioner ends, I am proud of the work we did implementing processes to review and make decisions on breach reports submitted by organizations. We led the way in Canada, and helped to ensure that Albertans affected by privacy breaches could take the steps necessary to protect themselves from harm.”

Additional information

• PIPA Breach Report 2022
• Breach Notification Decisions