Alberta β municipal breach notification
FOIP applies to Alberta municipalities. Breach reporting to OIPC is required for significant incidents.
Without unreasonable delay if real risk of significant harm.
- OIPC publishes Investigation Reports β municipal incidents appear with names.
What this means for a Alberta municipality
Canadian municipalities sit under a provincial public-sector privacy framework β for Alberta, that means the Office of the Information and Privacy Commissioner of Alberta is your primary regulator. The trigger for notification is generally a real risk of significant harm to affected residents, evaluated on probability of misuse, sensitivity of the data, and the population reached.
Most small and mid-sized Alberta municipalities also have to weigh federal coordination through the Canadian Centre for Cyber Security, vendor obligations under PIPEDA, and β for any cross-border data β US state breach statutes that apply by residency of the affected individual, not by the location of the municipality. The HackFirstAid triage walks through those layers in plain language and produces a printable summary you can hand to your CAO and council.
If you're reading this during a live incident, open the free triage first; if you're reading it on a quiet Tuesday, run it as a tabletop with your clerk, IT lead, and one council member. Most Alberta municipalities run it once before they need it, then once for real, six months later.
Tax, permits, utility billing, and court scheduling encrypted on the same morning.
Fraudulent wire instructions on a vendor payment or payroll change.
Vital records, property assessments, or business licenses exposed or altered.