Summary
Alberta businesses handling personal information must comply with either PIPEDA (federal) or PIPA (provincial), depending on scope. Both laws require you to collect only what you need, protect it with reasonable safeguards, and report breaches promptly. On the IT side, this means encryption, access controls, audit logs, tested backups, and a documented incident response plan. You don't need to be a privacy lawyer, but your IT infrastructure needs to support compliance.
Who Needs to Comply (and Who's Already Covered)
If your business collects, uses, or stores personal information about clients, employees, or contacts, privacy law applies to you. Personal information means anything that identifies an individual: names, email addresses, phone numbers, payment details, health records, or even IP addresses tied to a person.
This applies to most Alberta businesses — from accounting firms handling client financials to construction companies storing employee records. The question isn't whether you need to comply, but which law applies.
Important: Lumen IT helps with the IT infrastructure side of compliance: encryption, access controls, backups, and monitoring. For the legal and policy side (drafting privacy policies, responding to access requests, handling complaints), you should work with a privacy lawyer.
PIPEDA vs PIPA: Which One Applies
Alberta is one of three Canadian provinces (along with British Columbia and Quebec) with its own private-sector privacy law that the federal government recognizes as "substantially similar" to PIPEDA. Here's how to figure out which law governs your business:
| Scenario | Law |
|---|---|
| Alberta business, clients only in Alberta | PIPA (Alberta) |
| Alberta business, clients in other provinces | PIPEDA (federal) |
| Alberta business, data crosses national borders | PIPEDA (federal) |
| Federally regulated (banking, telecom, airlines) | PIPEDA (federal), always |
| Health information in Alberta | HIA (Health Information Act), separate law |
In practice, many Alberta businesses fall under PIPA for most activities. But if you serve clients outside Alberta or store data with a provider outside the province, PIPEDA likely applies to at least some of your operations. When in doubt, following PIPEDA's requirements covers you for both. The two laws are closely aligned.
The 10 PIPEDA Principles (Plain Language)
PIPEDA is built on 10 fair information principles (Office of the Privacy Commissioner). Here's what each one actually means for your business:
Accountability
Designate someone responsible for privacy compliance. This doesn't need to be a full-time role. It can be an owner, manager, or office administrator.
Identifying Purposes
Tell people why you're collecting their information before or at the time you collect it.
Consent
Get meaningful consent. For most business services, this means clear language in your intake forms and privacy policy, not buried legalese.
Limiting Collection
Only collect what you actually need. If you don't need a date of birth for your service, don't ask for it.
Limiting Use, Disclosure, and Retention
Use information only for the purpose you stated. Don't keep it longer than necessary. Have a data retention schedule.
Accuracy
Keep personal information accurate and up to date. Let people correct their records.
Safeguards
Protect information with security measures appropriate to its sensitivity. This is where your IT matters most.
Openness
Make your privacy practices publicly available. A clear privacy policy on your website covers this.
Individual Access
People can ask to see what information you hold about them. You must respond within 30 days.
Challenging Compliance
People can challenge your practices and file complaints. Have a process for handling these.
What PIPEDA Requires from Your IT
Principle 7 (Safeguards) is where IT meets compliance. The law doesn't prescribe specific technologies. It requires "security safeguards appropriate to the sensitivity of the information." In practice, the Privacy Commissioner's guidance and breach investigation findings point to these expectations:
Encryption
Encrypt data at rest (stored files, databases, backups) and in transit (email, web traffic, remote access). Use TLS 1.2 or later for connections and AES-256 or equivalent for storage.
Access Controls
Only people who need access to personal information should have it. Role-based access, unique user accounts (no shared logins), and regular access reviews.
Multi-Factor Authentication
On any system that holds personal information and is accessible remotely: email, CRM, cloud storage, VPN.
Audit Logging
Track who accessed personal information, when, and what they did. Logs should be retained for at least 12 months and protected from tampering.
Tested Backups
Regular backups with documented recovery testing. If you can't recover data after an incident, you've failed the safeguard requirement.
Incident Response Plan
A documented plan for detecting, containing, and reporting breaches. The plan should include who to contact (including the Privacy Commissioner) and how to notify affected individuals.
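The audit logging expectation above (who, when, what, retained for 12 months, protected from tampering) can be met with a hash-chained log. The following is an added example written for this article, not Lumen IT's tooling; the entry format, the sample users and record IDs are constructed:

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed example: each entry records who, when, which record and what action,
# and carries a SHA-256 over the previous entry's hash plus its own fields, so
# editing or deleting an earlier entry breaks every later hash.
GENESIS = "0" * 64
RETENTION = timedelta(days=365)  # the 12-month minimum described above

def _entry_hash(prev_hash: str, fields: dict) -> str:
    payload = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_entry(log: list, user: str, record: str, action: str, ts: datetime) -> dict:
    """Append one access event, chained to the previous entry."""
    fields = {"ts": ts.isoformat(), "user": user, "record": record, "action": action}
    prev = log[-1]["hash"] if log else GENESIS
    entry = {**fields, "prev": prev, "hash": _entry_hash(prev, fields)}
    log.append(entry)
    return entry

def verify_chain(log: list) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(log):
        fields = {k: e[k] for k in ("ts", "user", "record", "action")}
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, fields):
            return i
        prev = e["hash"]
    return -1

def past_retention(log: list, now: datetime) -> list:
    """Entries older than RETENTION: candidates for archiving once the minimum has passed."""
    return [e for e in log if datetime.fromisoformat(e["ts"]) < now - RETENTION]

def demo() -> dict:
    """Build a constructed log, answer 'who accessed this record', then simulate tampering."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    log = []
    append_entry(log, "alice", "client-1042", "view", now - timedelta(days=400))
    append_entry(log, "bob", "client-1042", "export", now - timedelta(days=10))
    append_entry(log, "alice", "employee-7", "update", now - timedelta(days=1))
    accessors = [e["user"] for e in log if e["record"] == "client-1042"]
    intact = verify_chain(log)
    old = len(past_retention(log, now))
    log[1]["user"] = "mallory"  # rewrite history: blame someone else for the export
    return {"accessors": accessors, "intact": intact, "old": old, "tampered_at": verify_chain(log)}
```

In production the chain head (or a periodic digest) should be stored somewhere the people who can edit the log cannot reach, otherwise an insider can simply rebuild the hashes.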
Our cybersecurity services and managed IT cover these technical requirements. We handle the IT infrastructure. You work with your lawyer on the policy and consent framework.
Not sure if your IT meets these requirements? Our free assessment checks your security posture in 5 minutes.
Breach Notification: What to Do and When
Since November 2018, PIPEDA's breach notification rules are mandatory, not optional. If your business experiences a breach of personal information that creates a "real risk of significant harm," you must:
- Report to the Privacy Commissioner: as soon as feasible after determining the breach meets the threshold
- Notify affected individuals: directly, with enough information for them to protect themselves
- Notify other organizations: if they can reduce the risk of harm (e.g., a bank if payment card data was exposed)
- Keep records: of every breach (whether reported or not) for at least two years
Under PIPA, the process is similar: report to the OIPC Alberta, and the Commissioner may order you to notify affected individuals.
"Significant harm" includes financial loss, identity theft, damage to reputation, and loss of employment or business opportunities. When in doubt, report it — under-reporting carries higher penalties than over-reporting.
Penalties: Under PIPEDA, failing to report a breach, notify individuals, or maintain breach records can result in fines of up to $100,000 per violation (PIPEDA Section 28).
Common Compliance Gaps We See
After working with Calgary businesses across multiple industries, these are the IT-related compliance gaps that come up most often:
Shared login accounts
Multiple employees using the same login to a system that holds personal data. This makes audit logging meaningless. You can't tell who accessed what.
No MFA on email
Email often contains the most personal information in an organization. A compromised email account is a reportable breach.
Unencrypted laptops
A lost or stolen laptop without disk encryption is a reportable breach if it contained personal information. BitLocker (Windows) and FileVault (Mac) solve this at zero cost.
No backup testing
Having backups isn't enough. You need documented proof that you've tested recovery. Many businesses discover their backups don't work when they need them most.
No data retention schedule
Keeping personal information indefinitely violates Principle 5. Set clear timelines for how long you keep client records, employee files, and application data.
No incident response plan
When a breach happens, you need to know who does what. Without a plan, the 72-hour window for notification passes while you're still figuring out what happened.
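Finding the shared login accounts described above is the first step to eliminating them. The following added example (not Lumen IT's tooling) scans constructed authentication log lines for one username logging in from different source addresses within a short window; the line format, usernames and addresses are all assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed example: flag accounts that look shared by finding the same username
# logged in from different source addresses within WINDOW of each other.
# The log format below is an assumption, not any product's real format.
LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+)$")
WINDOW = timedelta(minutes=30)

SAMPLE_LOG = """\
2025-06-02T08:01:10 LOGIN user=frontdesk src=10.0.0.21
2025-06-02T08:03:42 LOGIN user=frontdesk src=10.0.0.35
2025-06-02T08:05:00 LOGIN user=j.smith src=10.0.0.40
2025-06-02T12:30:00 LOGIN user=frontdesk src=10.0.0.21
2025-06-02T13:10:05 LOGIN user=j.smith src=10.0.0.40
2025-06-02T17:45:00 LOGIN user=m.lee src=10.0.0.12
2025-06-02T18:30:00 LOGIN user=m.lee src=203.0.113.9
"""

def parse(text: str) -> list:
    """Return (timestamp, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def suspected_shared_accounts(events: list, window: timedelta = WINDOW) -> dict:
    """Map username -> set of source addresses seen within `window` of each other."""
    by_user = {}
    for ts, user, src in sorted(events):
        by_user.setdefault(user, []).append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        for i, (ts, src) in enumerate(logins):
            for later_ts, later_src in logins[i + 1:]:
                if later_ts - ts > window:
                    break  # logins are sorted, so nothing further is inside the window
                if later_src != src:
                    flagged.setdefault(user, set()).update({src, later_src})
    return flagged
```

A hit is a lead for review, not proof: a user switching between a desk and a laptop will also trip this, so confirm with the team before disabling anything.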
How to Get Started
You don't need to do everything at once. Here's a practical order of operations:
Step 1: Know what you have
Map out where personal information lives in your business: email, CRM, file shares, cloud apps, paper files. You can't protect what you don't know about.
Step 2: Fix the quick wins
Enable MFA everywhere, turn on disk encryption, and eliminate shared login accounts. These cost nothing and close the most common gaps.
Step 3: Get your IT assessed
Have your IT infrastructure reviewed against the safeguard requirements. Our free security assessment is a good starting point.
Step 4: Write it down
Document your privacy policy, data retention schedule, and incident response plan. Work with a privacy lawyer for the legal documents.
Step 5: Train your team
Make sure employees know how to handle personal information, recognize phishing attempts, and report security incidents.
Start with our free IT security assessment to see where your business stands today, or contact us to discuss your specific compliance needs.