Alberta PIPA: Ultimate Guide For Compliance

The Alberta Personal Information Protection Act (Alberta PIPA) is Alberta’s regional data privacy legislation. It has been around for some time and has seen many amendments.

If your business falls under the jurisdiction of PIPA, we highly recommend thoroughly researching its requirements to avoid consequences or fines that could affect your business.

To help you do that, this article will detail everything you need to know about the Alberta PIPA, including a comprehensive checklist for your business to follow to ensure compliance.

Key Takeaways

  • The Alberta Personal Information Protection Act regulates Alberta organizations that process Alberta resident data exclusively.
  • The data subject rights granted under Alberta PIPA include the right to know why, expect reasonable collection/use/disclosure, reasonable security, accurate data, request/correct data, and to complain.
  • Your business can ensure its compliance with the PIPA by limiting the collection, use and disclosure of consumer information, obtaining valid consent from consumers before collection, creating a transparent privacy policy, responding to DSARs, and following proper data breach notification and data disposal protocols.
  • The potential fines for Alberta PIPA violations can be up to 100,000 CAD for businesses. In addition, your business could face legal action and reputational damage.

What is Alberta PIPA?

The Alberta Personal Information Protection Act is the compliance framework that regulates how businesses collect and use consumer data in the private sector of Alberta, Canada.

Alberta PIPA was introduced in May 2003 but was officially enacted on January 1, 2004. After being heavily amended in January 2010, Alberta PIPA was shaped into the more significant, stricter regulation it is today.

The Office of the Information and Privacy Commissioner of Alberta (Alberta OIPC) enforces Alberta PIPA. Its purpose is to protect data subjects and consumer information by enforcing its primary data privacy principles.

The major provisions of Alberta PIPA that embody these principles concern consent, data subject rights, and transparency. The Act holds businesses to its standards in providing these rights and covers most businesses processing Alberta resident data, with a few exceptions.

Scope of the Alberta PIPA

The scope of Alberta PIPA covers almost all of the businesses in Alberta’s private sector. Alberta PIPA uses the term “organization” to describe the businesses its regulations affect.

Alberta PIPA defines an “organization” as a corporation, trade union, partnership, an individual “acting in a commercial capacity,” or a non-incorporated association such as a school council.

Given how broad Alberta PIPA’s reach over Alberta’s private sector is, it is all the more pressing for your business to be well informed of its requirements and to ensure compliance proactively. Staying on top of Alberta PIPA will save your business from potential fines that can add up to devastating amounts.

However, a few categories of organizations and activities are exempt from Alberta PIPA. These exceptions include the following:

  • Public bodies, which are covered by Alberta’s Freedom of Information and Protection of Privacy Act.
  • Federally regulated organizations, which are covered by the federal Personal Information Protection and Electronic Documents Act.
  • Societies and organizations registered under Part 9 of the Companies Act, unless they collect, use, or disclose information as part of a commercial activity.
  • Anybody collecting, using, or disclosing personal information for journalistic, artistic, or literary purposes.
  • Anybody collecting, using, or disclosing personal information for personal purposes, for example, family or home activities.
  • Collecting or disclosing somebody’s business contact information when it relates to their business responsibilities.
  • Personal health information, which is protected under the Health Information Act.
  • Any personal information found in court files.

Rights Provided Under Alberta PIPA

Like many other data protection regulations, such as PIPEDA, Alberta PIPA establishes several rights that businesses must provide to consumers, with few exceptions. These rights are meant to allow consumers to view and correct any of the information a business has collected. Below, we cover each in detail.

Right to Know Why

The first right is to know why any business under Alberta PIPA collects, uses, or discloses any of your personal information. This right promotes the transparency of data collection done by businesses under Alberta PIPA.

Right to Expect Reasonable Handling/Disclosure

Next is the right to expect that if a business collects, uses, or discloses your information, they do so reasonably and appropriately. Overall, this right sets a standard for businesses to properly handle consumers’ data once they have collected and processed it.

Right to Security

Consumers are also granted the right to expect that a business has proper security measures ensuring proper data protection for their personal information. Adequate security is vital, especially in the case of a breach. Unprotected information can result in harm to both individuals and businesses alike.

Right to Know Who

In addition to ensuring reasonable handling of their data and sufficient security measures, consumers are granted the right to know precisely who within a business is responsible for protecting their information.

Again, this highlights Alberta PIPA’s emphasis on full transparency between individuals and businesses that have their personal information.

Right to Accuracy

Next is the right for consumers to expect the information a business has about them to be accurate and complete. It is a requirement that businesses maintain accurate information under Alberta PIPA.

Right to Request/Correct

Consumers are also granted the right to access any personal information about them that a business holds. Furthermore, after viewing this information, if an individual finds anything incorrect, they are granted the right to ask for corrections to ensure accuracy.

Right to Complain

Finally, if a consumer feels that any of their above rights are being violated or that a business is not handling their information correctly, they have the right to complain. Complaints can be directed to the business or the Privacy Commissioner.

Alberta PIPA Checklist for Compliance

We have developed a comprehensive checklist to help you ensure your business is compliant with Alberta PIPA. You can be confident knowing you comply with all of Alberta PIPA’s regulations by meeting the requirements on this list.

Ensure Limited Use of Personal Information

Alberta PIPA states that your business can collect, use, or disclose personal information only:

  • For reasonable purposes
  • To the extent that is reasonable to fulfill your purpose for collecting, using, or disclosing it

Ideally, your organization will only collect, use, or disclose the necessary information and nothing else. The purpose for which you do so must also fall into Alberta PIPA’s definition of reasonable.

The Personal Information Protection Act defines reasonable as “what a reasonable person would consider appropriate in the circumstances.” While vague, the definition covers a lot of varying scales of collection, use, and disclosure.

Your business must be able to justify your actions to meet an acceptable level of reasonability.

Obtain Valid Consent

Your business must obtain explicit, express consent from any individual before collecting, using, or disclosing their personal information. To obtain valid consent, your business must be transparent and provide all the necessary details about your processes when requesting it.

These details include what data you collect, why you collect it, and how it is used or disclosed. Consumers must also be able to view their data and request corrections.

There are only a limited number of exceptions when a business does not require consent to collect personal information, including:

  • The information is collected from a public source
  • Collecting the information is required by law
  • The information is necessary for a criminal investigation or legal proceeding
  • The information is collected for debt collection purposes

Ensure a Transparent Privacy Policy

A crucial part of transparency is your privacy policy. When you collect a consumer’s personal information, you must be very clear in your policy about what information you collect, how you use it, to whom you disclose it, and why.

Your business is required under Alberta PIPA to provide all this information to a consumer to remain compliant while collecting data. A transparent privacy policy ensures that you can do so in a concise way that is easy for consumers to understand and is readily available.

Respond to DSARs

Data subject access requests (DSARs) are essential to transparency and building a trusting relationship with consumers. At any time, consumers are given the right to request full access to all of the information related to them that your business has.

Your business’s ability to respond to these requests wholly and promptly is crucial to maintaining consumers’ trust. Consumers’ right to access is also required under Alberta PIPA, and your business should never risk a possible violation with improper DSAR management.

Notify Loss or Unauthorized Access

Your business is required by the Personal Information Protection Act to notify the Information and Privacy Commissioner of any loss or unauthorized access to a consumer’s personal information.

You must also notify the affected consumers of the breach if it may cause significant harm to the individual(s).

Dispose of Unnecessary Data

Lastly, your business must destroy, erase, or anonymize any consumer personal information that you no longer need for your initial purpose, any legal purpose, or other business-related purposes.

Penalties for Non-Compliance

The potential penalties your business could face for non-compliance with Alberta PIPA fall into three major categories: financial, legal, and reputational. All three can harm your business and should be avoided at all costs.

Firstly, your business can be fined up to 100,000 CAD for every PIPA violation you commit. Not every violation results in a fine, but the Privacy Commissioner has set a precedent of being particularly strict with businesses that violate PIPA.

The next potential penalty is a legal case against your business. The Privacy Commissioner works with the Attorney General to conduct audits and investigations into businesses they suspect do not follow PIPA’s regulations.

In addition to cases resulting from these audits, consumers could take legal action against your business directly if they feel their data privacy rights were violated.

The last penalty you could face for a PIPA violation is a blow to your business’s reputation. A breach, a bad situation with one or many consumers, or a fine reported to the public can leave a bad mark on your business.

The Personal Information Protection Act (PIPA) regulates the collection, use, and disclosure of personal information by private sector organizations. While PIPA does not mandate administrative fines like the GDPR, organizations found in violation can face legal consequences and reputational damage. Here are some notable incidents and headlines related to PIPA violations:

  1. Accenture Settlement with the Alberta Privacy Commissioner (2018):
    • Incident: Accenture faced an investigation after an employee lost a USB drive containing personal information of about 30,000 Albertans who were involved in a provincial government’s employment program.
    • Outcome: The Alberta Privacy Commissioner found that Accenture did not implement adequate safeguards to protect the data. Accenture agreed to enhance its data security measures and conduct regular audits to prevent future breaches.
  2. Calgary Police Service (CPS) (2016):
    • Incident: The CPS faced scrutiny when a whistleblower revealed that a database containing sensitive personal information of more than 100,000 Calgarians was accessible without proper security measures.
    • Outcome: The Alberta Privacy Commissioner found that CPS had inadequate data protection practices and recommended significant improvements in their security protocols and data handling procedures.
  3. Medica Pharmacy (2013):
    • Incident: Medica Pharmacy improperly disposed of patient records containing sensitive personal health information by placing them in an easily accessible dumpster.
    • Outcome: The Alberta Privacy Commissioner investigated and determined that Medica Pharmacy violated PIPA by failing to adequately protect personal health information. The pharmacy was required to implement better disposal practices and ensure compliance with privacy laws.
  4. Rogers Communications (2012):
    • Incident: Rogers Communications faced an investigation after an employee accessed a customer’s personal information without authorization.
    • Outcome: The Alberta Privacy Commissioner concluded that Rogers failed to protect the customer’s information adequately. Rogers was required to review and improve its internal access controls and employee training programs.

These examples highlight the importance of strong data protection practices and compliance with PIPA to avoid potential violations and protect individuals’ privacy rights. Organizations must implement appropriate safeguards, regularly review their data handling procedures, and ensure employees are trained on privacy and security policies.

With a damaged reputation, finding consumers willing to trust your business with their information can be difficult. You can prove your dedication to data privacy and security and ensure you comply with all PIPA’s requirements by enlisting our compliance services at Captain Compliance.

Closing

The Alberta PIPA is the data protection regulation that enforces proper data protection by almost all businesses in Alberta’s private sector. If your business operates within Alberta, it is crucial to understand Alberta PIPA to avoid harmful penalties damaging your business’s finances or reputation.

At Captain Compliance, our compliance experts bring decades of professional experience to offer your business a full suite of compliance services. We will ensure your business complies with all of Alberta PIPA’s requirements and fulfill your compliance needs.

Let us take care of everything compliance-related so you can focus your attention and energy on other parts of your business. Get in touch with us here to learn more about what we can do for your business.

FAQs

What is the difference between the PIPA and the FOIP in Alberta?

The Freedom of Information and Protection of Privacy Act (FOIP) covers public bodies that operate within Alberta, while PIPA focuses only on businesses in the private sector.

Learn more about Canada’s data protection laws here!

What qualifies as personal information under Alberta PIPA?

Under Alberta PIPA, personal information is any information that could identify an individual, including name, address, telephone number, e-mail address, age, date of birth, weight, height, gender, race, ethnic origin, medical history, biometric identifiers, employment or criminal history, income, financial history, unique identification numbers, or account numbers.

See all of the different kinds of personal information here!

What is the maximum fine for an individual who violates PIPA?

While businesses can be charged up to 100,000 CAD for a PIPA violation, individuals can be charged only up to 10,000 CAD.

Learn about the details of PIPEDA fines here!

How soon should my business notify the Privacy Commissioner of a breach?

Under Alberta PIPA, your business must notify the Privacy Commissioner of a breach without “unreasonable delay.”

See our full coverage of PIPEDA breach notifications here!

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.