Alberta Personal Information Protection Act (AB PIPA)

Overview

The Alberta Personal Information Protection Act (PIPA), effective since January 1, 2004, regulates the way private sector organizations in Alberta collect, use, and disclose personal information. The Act aims to protect individual privacy while recognizing the needs of organizations to collect, use, or disclose personal information for legitimate business purposes. PIPA is applicable to all private organizations, including those involved in commercial activities within the province.

 

Regulation Summary

Timeline
  • May 2003: PIPA received Royal Assent.
  • January 1, 2004: PIPA became effective.
What Businesses Are Affected
  • Private sector organizations operating in Alberta.
  • Non-profits engaging in commercial activities.
  • Organizations managing personal information within Alberta, regardless of their location.
Exemptions
  • Public Bodies: Governed by Alberta’s Freedom of Information and Protection of Privacy Act (FOIP).
  • Personal Use: Personal data collected for personal or domestic purposes.
  • Employee Information: Exemptions for employee data directly related to employment.
Responsibilities for Businesses
  • Accountability: Designate a privacy officer to ensure compliance.
  • Consent: Obtain informed consent before collecting, using, or disclosing personal data.
  • Purpose Limitation: Use data only for specified purposes.
  • Transparency: Provide clear privacy policies to individuals.
  • Data Security: Protect personal information against unauthorized access or misuse.
Specific Responsibilities for Website Owners
  • Cookie Use: Notify users about cookies and obtain consent where required.
  • Privacy Policies: Display comprehensive privacy policies.
  • Access Requests: Respond to access and correction requests within 30 days.
Additional Requirements
  • Retention and Disposal: Retain personal data only as long as necessary and dispose of it securely.
  • Cross-Border Transfers: Ensure adequate protection for data transferred outside Canada.
  • Breach Notification: Notify affected individuals and Alberta’s Office of the Information and Privacy Commissioner (OIPC) in case of significant breaches.
Data Subject Rights
  • Access: Request access to personal information.
  • Correction: Request correction of inaccuracies.
  • Withdrawal of Consent: Revoke consent for future data use.
  • Complaints: File complaints with the OIPC regarding data mishandling.
Enforcement
  • Overseen by the Office of the Information and Privacy Commissioner (OIPC).
  • Powers include investigations, audits, and enforcement orders.
  • Penalties: Fines of up to CAD $10,000 for individuals (approximately $7,400) and CAD $100,000 for organizations (approximately $74,000) for non-compliance.