Alberta PIPA: Ultimate Guide For Compliance
The Alberta Personal Information Protection Act (Alberta PIPA) is Alberta’s regional data privacy legislation. It has been around for some time and has seen many amendments.
If your business falls under the jurisdiction of PIPA, we highly recommend thoroughly researching its requirements to avoid consequences or fines that could affect your business.
To help you do that, this article will detail everything you need to know about the Alberta PIPA, including a comprehensive checklist for your business to follow to ensure compliance.
- The Alberta Personal Information Protection Act exclusively regulates Alberta organizations that process Alberta residents' personal information.
- The data subject rights granted under Alberta PIPA include the right to know why data is collected, to expect reasonable collection, use, and disclosure, to reasonable security, to accurate data, to request and correct data, and to complain.
- Fines for Alberta PIPA violations can reach 100,000 CAD for businesses. In addition, your business could face legal action and reputational damage.
What is Alberta PIPA?
The Alberta Personal Information Protection Act is the compliance framework that regulates how businesses collect and use consumer data in the private sector of Alberta, Canada.
Alberta PIPA was introduced in May 2003 but was officially enacted on January 1, 2004. Substantial amendments in January 2010 shaped it into the broader, stricter regulation it is today.
The Office of the Information and Privacy Commissioner of Alberta (Alberta OIPC) enforces Alberta PIPA. The Act's purpose is to protect data subjects and consumer information by enforcing its core data privacy principles.
The major provisions of Alberta PIPA that embody these principles are consent, data subject rights, and transparency. The regulation holds businesses to its standard for providing these rights and covers most businesses processing Alberta residents' data, with a few exceptions.
Scope of the Alberta PIPA
The scope of Alberta PIPA covers almost all of the businesses in Alberta's private sector. Alberta PIPA uses the term “organization” to describe the businesses its regulations affect.
Alberta PIPA defines an “organization” as a corporation, trade union, partnership, an individual “acting in a commercial capacity,” or a non-incorporated association such as a school council.
Given the broad reach Alberta PIPA claims over Alberta's private sector, it is all the more pressing for your business to be well-informed of its requirements and to proactively ensure compliance. Staying on top of Alberta PIPA will save your business from potential fines that can add up to devastating amounts.
However, a few categories of organizations and information are exempt from Alberta PIPA. These exceptions include the following:
- Public bodies, which are covered by the Freedom of Information and Protection of Privacy Act of Alberta.
- Federally regulated organizations, which are covered by the federal Personal Information Protection and Electronic Documents Act.
- Societies and organizations registered under Part 9 of the Companies Act unless collecting, using, or disclosing information as part of a commercial activity.
- Anybody collecting, using, or disclosing personal information for journalistic, artistic, or literary purposes.
- Anybody collecting, using, or disclosing personal information for personal purposes, for example, family or home activities.
- Collecting or disclosing somebody’s business contact information when it relates to their business responsibilities.
- Personal health information, which is protected under the Health Information Act.
- Any personal information found in court files.
Rights Provided Under Alberta PIPA
Like many other data protection regulations, such as PIPEDA, Alberta PIPA establishes several rights that businesses must provide to consumers, with few exceptions. These rights are meant to allow consumers to view and correct any of the information a business has collected about them. Below, we cover each in detail.
Right to Know Why
The first right is the individual's right to know why any business under Alberta PIPA collects, uses, or discloses their personal information. This right promotes the transparency of data collection by businesses under Alberta PIPA.
Right to Expect Reasonable Handling/Disclosure
Next is the right to expect that if a business collects, uses, or discloses an individual's information, it does so reasonably and appropriately. Overall, this right sets a standard for businesses to handle consumers' data properly once they have collected and processed it.
Right to Security
Consumers are also granted the right to expect that a business has adequate security measures protecting their personal information. Adequate security is vital, especially in the case of a breach, because unprotected information can result in harm to individuals and businesses alike.
Right to Know Who
In addition to ensuring reasonable handling of their data and sufficient security measures, consumers are granted the right to know precisely who within a business is responsible for protecting their information.
Again, this highlights Alberta PIPA’s emphasis on full transparency between individuals and businesses that have their personal information.
Right to Accuracy
Next is the right for consumers to expect the information a business holds about them to be accurate and complete. Alberta PIPA requires businesses to maintain accurate information.
Right to Request/Correct
Consumers are also granted the right to access any personal information about them that a business holds. Furthermore, after viewing this information, if an individual finds anything incorrect, they are granted the right to ask for corrections to ensure accuracy.
Right to Complain
Finally, if a consumer feels that any of the above rights are being violated or that a business is not handling their information correctly, they have the right to complain. Complaints can be directed to the business or to the Privacy Commissioner.
Alberta PIPA Checklist for Compliance
We have developed a comprehensive checklist to help you ensure your business is compliant with Alberta PIPA. You can be confident knowing you comply with all of Alberta PIPA’s regulations by meeting the requirements on this list.
Ensure Limited Use of Personal Information
Alberta PIPA states that your business may collect, use, or disclose personal information only:
- For reasonable purposes
- To the extent that is reasonable to fulfill your purpose for collecting, using, or disclosing it
Ideally, your organization will only collect, use, or disclose the necessary information and nothing else. The purpose for which you do so must also fall into Alberta PIPA’s definition of reasonable.
The Personal Information Protection Act defines reasonable as “what a reasonable person would consider appropriate in the circumstances.” While vague, the definition covers widely varying scales of collection, use, and disclosure.
Your business must be able to justify your actions to meet an acceptable level of reasonability.
Ensure Valid Consent
Your business must obtain explicit, express consent from any individual before collecting, using, or disclosing their personal information. To obtain valid consent, your business must be transparent and provide all the necessary details about your processing when requesting it.
These details include what data you collect, why, and how it is used or disclosed. Consumers may also view their data and request corrections.
Only a limited number of exceptions allow a business to collect personal information without consent, including when:
- The information is collected from a public source
- The law requires the information to be collected
- The information is necessary for a criminal investigation or legal proceeding
- The information is collected for debt collection purposes
Respond to DSARs
Data subject access requests (DSARs) are essential to transparency and building a trusting relationship with consumers. At any time, consumers are given the right to request full access to all of the information related to them that your business has.
Your business’s ability to respond to these requests wholly and promptly is crucial to maintaining consumers’ trust. Consumers' right to access is also required under Alberta PIPA, and your business should never risk a possible violation with improper DSAR management.
Notify Loss or Unauthorized Access
Your business is required by the Personal Information Protection Act to notify the Information and Privacy Commissioner of any loss or unauthorized access to a consumer’s personal information.
You must also notify the affected consumers of the breach if it may cause significant harm to the individual(s).
Dispose of Unnecessary Data
Lastly, your business must destroy, erase, or anonymize any consumers' personal information that you no longer need for your initial purpose, any legal purpose, or other business-related purposes.
Penalties for Non-Compliance
The potential penalties your business could face for non-compliance with Alberta PIPA fall into three major categories: financial, legal, and reputational. All three can harm your business and should be avoided at all costs.
Firstly, your business can be fined up to 100,000 CAD for every PIPA violation you commit. Not all violations elicit a fine, but the Privacy Commissioner has set a precedent for being particularly strict with businesses that violate PIPA.
The next potential penalty is a legal case against your business. The Privacy Commissioner works with the Attorney General to conduct audits and investigations into businesses they suspect do not follow PIPA’s regulations.
In addition to cases resulting from these audits, consumers could take legal action against your business directly if they feel their data privacy rights were violated.
The last penalty you could face for a PIPA violation is a blow to your business’s reputation. A breach, a bad situation with one or many consumers, or a fine reported to the public can leave a bad mark on your business.
With a damaged reputation, finding consumers willing to trust your business with their information can be difficult. You can prove your dedication to data privacy and security and ensure you comply with all PIPA’s requirements by enlisting our compliance services at Captain Compliance.
The Alberta PIPA is the data protection regulation governing almost all businesses in Alberta's private sector. If your business operates within Alberta, it is crucial to understand Alberta PIPA to avoid penalties that could damage your business's finances or reputation.
At Captain Compliance, our compliance experts bring decades of professional experience to offer your business a full suite of compliance services. We will ensure your business complies with all of Alberta PIPA’s requirements and fulfill your compliance needs.
Let us take care of everything compliance-related so you can focus your attention and energy on other parts of your business. Get in touch with us here to learn more about what we can do for your business.
What is the difference between the PIPA and the FOIP in Alberta?
The Freedom of Information and Protection of Privacy Act (FOIP) covers public bodies that operate within Alberta, while PIPA focuses only on businesses in the private sector.
What qualifies as personal information under Alberta PIPA?
Under Alberta PIPA, personal information is any information that could identify an individual, including name, address, telephone number, e-mail address, age, date of birth, weight, height, gender, race, ethnic origin, medical history, biometric identifiers, employment or criminal history, income, financial history, unique identification numbers, or account numbers.
What is the maximum fine for an individual who violates PIPA?
While businesses can be charged up to 100,000 CAD for a PIPA violation, individuals can be charged only up to 10,000 CAD.
How soon should my business notify the Privacy Commissioner of a breach?
Under Alberta PIPA, your business must notify the Privacy Commissioner of a breach without “unreasonable delay.”