STAY CONNECTED: Have the stories that matter most delivered every night to your email inbox. Subscribe to our daily local news wrap.
(OIPC website)
reducing timelines

Alberta’s Information and Privacy Commissioner implements process changes for efficiency

Apr 18, 2024 | 1:22 PM

The Office of the Information and Privacy Commissioner (OIPC) of Alberta has implemented two sets of process changes that they claim will improve timelines and support the office’s work under its three legislative mandates.

The Government of Alberta said this week that the changes were made at the start of April. One set of changes relates to investigative procedures under Alberta’s three privacy laws. The other changes regard the OPIC’s procedures for processing breach notifications received in the private sector under the Personal Information Protection Act (PIPA).

“Both these sets of changes align with the first goal found in the last two business plans we issued, in both 2023 and 2022,” said Information and Privacy Commissioner Diane McLeod. “This goal is to enhance internal processes to support our legislative mandate and to improve response timelines.”

The OIPC website has been updated to reflect the process changes and officials say they are contacted affected stakeholders to inform them of the changes and how they will impact their interactions with the OIPC.

AMENDMENTS TO INVESTIGATIVE PROCEDURES

Changes have been made to OIPC investigation procedures for access request reviews and privacy complaints under Alberta’s three access and privacy laws: the Freedom of Information and Protection of Privacy Act (FOIP Act), the Health Information Act (HIA), and the Personal Information Protection Act (PIPA).

“In our 2022-23 Annual Report, we reported a significant backlog in privacy complaints and in reviews of access request decisions,” said McLeod. “In 2023, we examined our procedures with the goal of reducing the time it takes to process a file, while still maintaining quality and value. A number of changes have now been made to provide additional clarity and efficiency to our processes, which should help reduce our timelines for settling matters.”

Updated information on the revised procedures can be found on the OIPC website.

PROCESSING OF PRIVACY BREACH NOTIFICATIONS UNDER PIPA

A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of personal information.

Officials say a key purpose of the breach notification provisions in PIPA is to ensure that organizations notify, in a timely fashion, affected individuals for whom there exists a real risk of significant harm (RROSH) due to the breach.

In July 2022, the OIPC released a report that analyzed nearly 2,000 breaches reported in Alberta between 2010 and 2021.

“One of the report’s significant findings was that since 2012-2013, at least 80 per cent of organizations had already notified affected individuals of a privacy breach involving their personal information by the time my office received notice of the breach,” said McLeod. “So in most cases, we learned that the key purpose of the OIPC breach notification process had been fulfilled by organizations before our process began. After the 2022 report was issued, we examined our procedures and found a number of opportunities to improve efficiency and sustainability of our process for dealing with PIPA breach notification files.”

The changes being made to this process aim to enable timely resolution of PIPA privacy breach files, to help to reduce backlogs in processing these files, and to allow the OIPC to allocate resources to cases that require increased attention.

New and updated documents on the revised breach notification procedures under PIPA can be found on the OIPC website under the heading “For Use by Private Sector Organizations.”

The OIPC says they are looking forward to working with all parties to increase the timeliness and efficiency of its work in regard to both sets of revised processes.

In addition, officials say amended procedures for public bodies to request time extensions under section 14 of the FOIP Act will be implemented soon and communicated to stakeholders within the next few weeks.

Through the OIPC, the Information and Privacy Commissioner performs the responsibilities set out in the FOIP Act, HIA and PIPA. The Commissioner operates independent of government.