Until amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) come into effect, Alberta remains the only Canadian jurisdiction that requires private sector organizations to report privacy breaches to the Commissioner and to affected individuals. Despite this, many organizations that experience breaches choose to report to Commissioners outside of Alberta on a voluntary basis. Both the federal and B.C. Commissioners have encouraged voluntary reporting for some time.
Particularly if a breach is expected to result in significant media coverage, there may seem to be little downside to self-reporting, as it is generally preferable that a Commissioner learn about a breach directly from the affected organization rather than from complainants or the media. However, many privacy professionals are likely unaware that voluntary breach reports made to the Office of the Privacy Commissioner of Canada (OPC) are accessible to the public under the Access to Information Act (ATIA).
This issue of PrivacyScan looks at dozens of voluntary breach reports disclosed under the ATIA, offering insight into whether and how to report to the OPC following a breach.