If your Alberta business collects, stores, or processes personal information about customers, employees, or business partners, you have compliance obligations. Not optional recommendations — legal obligations. Ignore them, and you risk fines, loss of customer trust, legal liability, and reputational damage.
But compliance isn't as complicated as many businesses think. It starts with understanding which laws apply to you (PIPEDA, PIPA, or both), what IT controls are required (encryption, access controls, backup, breach notification), and how to prepare for audits. This guide covers the practical IT requirements, not the legal theory.
PIPEDA vs PIPA: Which Law Applies to Your Business?
PIPEDA: The Federal Law
PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law. It applies to federally regulated businesses wherever they operate (banks, airlines, telecoms, interprovincial transport) and to personal information that crosses provincial or national borders in the course of commercial activity. Alberta's PIPA has been declared "substantially similar" to PIPEDA, so for commercial activity that stays inside Alberta, PIPA applies instead of PIPEDA. PIPEDA covers employee information only for federally regulated employers; for everyone else in Alberta, employee information is PIPA's domain.
PIPEDA defines personal information broadly: names, email addresses, phone numbers, addresses, financial information, health information, biometric data, online identifiers, and anything else that identifies an individual or relates to them.
PIPEDA's ten principles:
- Accountability: Your business is responsible for protecting personal information
- Identifying purposes: Be clear about why you're collecting information
- Consent: Get permission before collecting or using information
- Limiting collection: Only collect information you actually need
- Limiting use: Use information only for the stated purposes
- Accuracy: Keep information accurate and up-to-date
- Safeguarding: Protect information with appropriate security measures
- Openness: Be transparent about your data practices
- Individual access: People can request to see their personal information
- Challenging compliance: People can dispute whether you're following the rules
PIPA: The Alberta Provincial Law
PIPA (Personal Information Protection Act) is Alberta's private-sector privacy law. It applies to organizations in Alberta: corporations, partnerships, sole proprietors acting in a commercial capacity, trade unions, and non-profits when they carry on commercial activity. Public bodies (the provincial government, municipalities, school boards, universities) fall under FOIP instead, and health custodians fall under the Health Information Act for health information.
PIPA is not simply a stricter copy of PIPEDA; the two differ in scope. PIPA covers employee personal information for provincially regulated employers (PIPEDA does not), has its own breach notification rules, and because of the substantial-similarity ruling it displaces PIPEDA inside the province. Alberta businesses that are federally regulated, or that move personal information across provincial or national borders, have to meet PIPEDA as well.
PIPA's key requirements:
- Designate someone responsible for privacy compliance and keep written policies and practices that you can produce on request
- Consent (express, implied, or opt-out, depending on the sensitivity of the information and what a reasonable person would expect) before collecting, using, or disclosing personal information
- Data minimization: collect, use, and disclose only what is reasonably required for the stated purpose
- Retain personal information only as long as reasonably required for legal or business purposes, then destroy it or render it non-identifying
- Reasonable safeguards proportionate to the sensitivity of the information
- Tell individuals when personal information is handled by a service provider outside Canada
- Breach notification to the Commissioner without unreasonable delay when a loss or unauthorized access or disclosure creates a real risk of significant harm
Bottom line: If your business is provincially regulated and operates within Alberta, PIPA is the law you will be audited against; if you are federally regulated or move personal information across borders, PIPEDA applies as well. The substantive obligations (consent, limited collection, safeguards, individual access, breach notification) overlap heavily, so one well-documented control set covers both. Check each law's notification rules separately, because they are not identical.
Core IT Controls Required by Compliance
Both PIPEDA and PIPA require "appropriate security measures" to protect personal information. This is vague on purpose — the law doesn't prescribe specific controls, but you need to demonstrate that your IT practices are reasonable. Here are the standard controls regulators expect:
Encryption at Rest and In Transit
What this means: Personal information stored on computers, servers, or in the cloud must be encrypted so that if someone accesses the storage device, they can't read the data. Data being transmitted over networks (email, file transfers, API calls) must also be encrypted.
IT requirements:
- Full-disk encryption on all laptops and computers (Windows BitLocker, macOS FileVault)
- Encryption of external drives and USB devices
- HTTPS (TLS 1.2 or newer; SSL and TLS 1.0/1.1 are obsolete) for all websites and APIs handling personal information
- Email encryption for sensitive communications
- Database encryption for sensitive data fields
- VPN or encrypted connections for remote access
Checklist:
- Windows: BitLocker enabled, recovery key stored securely
- Mac: FileVault enabled
- Verify centrally: pull encryption status from your device management tool (or the OS's own BitLocker/FileVault status command), not by asking users whether "the padlock" is on
- All pages serve HTTPS, plain HTTP redirects to HTTPS, and HSTS is enabled
- Certificate is from a trusted authority, matches the hostname, and renewal is automated so it does not silently expire
- Test: Visit the site in a browser and check for the padlock, then confirm with an external TLS scan that obsolete protocol versions and weak ciphers are disabled
Access Controls and Authentication
What this means: Only authorized people should be able to access personal information. This requires strong authentication (passwords or better), role-based access (accountant sees financial data, HR sees employee records, but not vice versa), and logging of who accessed what data and when.
IT requirements:
- Multi-factor authentication (MFA) for all cloud accounts and sensitive systems
- Strong password policies (length over complexity: 12+ characters, screened against known-breached password lists, rotated when compromise is suspected rather than on a fixed calendar; scheduled forced changes tend to produce predictable variations)
- Role-based access controls (RBAC) so users only see data they need
- Audit logs tracking who accessed personal information and when
- Removal of access when employees leave the company
- Principle of least privilege: users get minimum permissions needed for their job
Checklist:
- Every employee uses MFA for email, cloud storage, VPN
- Test: Sign in from a new device with the password only; access should be blocked until the second factor is presented
- When someone is fired or leaves, their access to email, cloud storage, and databases is revoked within 24 hours
- Documentation: List of accounts per employee, removal dates
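Two of the checks above (access revoked within 24 hours of departure, and audit logs reviewed for access outside a person's role) can be scripted against account exports and logs. The script below is an added example for this guide, not a tool from the page's author; the HR termination feed, account exports, role matrix, log format and user names are all constructed for the demonstration, and in practice you would replace them with exports from your identity provider and your systems' audit logs.

```python
"""Offboarding and access-log review over constructed sample data.

Example written for this guide. The termination feed, account exports,
role matrix, log lines and user names are all made up; the point is the
two checks: revocation within the 24-hour SLA, and access outside role.
"""
from datetime import datetime, timedelta

# Constructed HR feed: user -> termination timestamp.
TERMINATIONS = {"jdoe": datetime(2024, 3, 1, 17, 0)}

# Constructed account exports from three systems. "active" means the
# account can still sign in; "disabled_at" is when it was disabled.
ACCOUNTS = [
    {"system": "email", "user": "jdoe", "active": False, "disabled_at": datetime(2024, 3, 1, 18, 30)},
    {"system": "cloud_storage", "user": "jdoe", "active": True, "disabled_at": None},
    {"system": "database", "user": "jdoe", "active": False, "disabled_at": datetime(2024, 3, 4, 9, 0)},
    {"system": "email", "user": "asmith", "active": True, "disabled_at": None},
]

# Constructed role matrix: which data classes each role may access.
ROLE_ACCESS = {
    "hr": {"employee_records"},
    "accounting": {"financial_data"},
    "support": {"customer_contacts"},
}
USER_ROLES = {"asmith": "accounting", "bchen": "support", "jdoe": "hr"}

# Constructed audit log: timestamp, user, data class, record id.
AUDIT_LOG = """\
2024-03-02T09:15:00 asmith financial_data inv-1042
2024-03-02T09:20:00 bchen employee_records emp-007
2024-03-03T11:05:00 jdoe employee_records emp-019
2024-03-03T14:00:00 asmith financial_data inv-1050
"""

REVOCATION_SLA = timedelta(hours=24)
REVIEW_TIME = datetime(2024, 3, 5, 8, 0)  # when the review is run


def revocation_findings(terminations, accounts, now):
    """Return (system, user, reason) for accounts not revoked within the SLA."""
    findings = []
    for acct in accounts:
        term_at = terminations.get(acct["user"])
        if term_at is None:
            continue  # still employed, nothing to revoke
        deadline = term_at + REVOCATION_SLA
        if acct["active"]:
            if now > deadline:
                findings.append((acct["system"], acct["user"], "still active past 24h deadline"))
        elif acct["disabled_at"] is None or acct["disabled_at"] > deadline:
            findings.append((acct["system"], acct["user"], "disabled after the 24h deadline"))
    return findings


def audit_log_findings(log_text, terminations, user_roles, role_access):
    """Flag log entries by terminated users or outside the user's role."""
    findings = []
    for line in log_text.splitlines():
        ts_s, user, data_class, record = line.split()
        ts = datetime.fromisoformat(ts_s)
        term_at = terminations.get(user)
        if term_at is not None and ts > term_at:
            findings.append((ts_s, user, record, "access after termination"))
            continue
        allowed = role_access.get(user_roles.get(user), set())
        if data_class not in allowed:
            findings.append((ts_s, user, record, f"{data_class} outside role"))
    return findings


if __name__ == "__main__":
    for f in revocation_findings(TERMINATIONS, ACCOUNTS, REVIEW_TIME):
        print("REVOCATION", *f)
    for f in audit_log_findings(AUDIT_LOG, TERMINATIONS, USER_ROLES, ROLE_ACCESS):
        print("AUDIT", *f)
```

Run on the sample data, the review reports the cloud storage account that was never disabled, the database account that was disabled three days late, a support user reading an employee record, and the departed employee reading records two days after termination. Keep the output with the date it was run; that is the "documentation" line in the checklist.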
Backup and Disaster Recovery
What this means: If your computers, servers, or cloud systems fail, crash, or are infected with ransomware, you need backups to restore the data. Regulators expect documented backup procedures, regular testing, and encrypted backups.
IT requirements:
- Daily or continuous backups of all systems with personal information
- Backup encryption (backups are encrypted at rest and in transit)
- Multiple backup locations (don't keep all backups in one place)
- Regular restoration testing (actually restore from backup quarterly to verify it works)
- Documented backup procedures and recovery time objectives (RTO)
- Offline or air-gapped backup copy (for ransomware protection)
Checklist:
- Schedule: Every 3 months, actually restore a file from backup
- Document: Date, time, files tested, whether restoration succeeded
- Keep records: Auditors will ask to see backup test logs
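A restore test is only evidence if it proves the restored data is intact, not merely that a file appeared. The script below is an added example for this guide (not a vendor tool or the page's own procedure): it stands in for a backup and restore with plain file copies so it runs offline, compares the restored file against a hash recorded at backup time, and produces the log record an auditor would ask for. The sample customer file and the simulated corruption are constructed for the demonstration.

```python
"""Quarterly restore test with integrity verification and a log record.

Example written for this guide. backup() and restore() are stand-ins
(plain file copies in a temporary directory) for your real backup
software; the verification and logging are the parts worth keeping.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, backup_dir: Path) -> Path:
    """Stand-in for the backup job: copy the file and record its hash."""
    dest = backup_dir / src.name
    shutil.copy2(src, dest)
    (backup_dir / (src.name + ".sha256")).write_text(sha256_of(src))
    return dest


def restore(backup_dir: Path, name: str, restore_dir: Path) -> Path:
    """Stand-in for the restore job: copy the backup copy out again."""
    dest = restore_dir / name
    shutil.copy2(backup_dir / name, dest)
    return dest


def restore_test(backup_dir: Path, name: str, restore_dir: Path, tester: str) -> dict:
    """Restore one file, compare it with the hash taken at backup time,
    and return the record to keep in the backup test log."""
    expected = (backup_dir / (name + ".sha256")).read_text().strip()
    restored = restore(backup_dir, name, restore_dir)
    actual = sha256_of(restored)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tester": tester,
        "file": name,
        "expected_sha256": expected,
        "actual_sha256": actual,
        "success": expected == actual,
    }


def run_demo() -> tuple:
    """Constructed scenario: one clean restore, then one from a backup
    copy that was silently corrupted (bit rot, partial write, tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src_dir, bk_dir, rs_dir = root / "live", root / "backup", root / "restore"
        for d in (src_dir, bk_dir, rs_dir):
            d.mkdir()
        src = src_dir / "customers.csv"  # constructed sample personal data
        src.write_text("id,name,email\n1,Example Person,person@example.com\n")
        backup(src, bk_dir)
        good = restore_test(bk_dir, "customers.csv", rs_dir, "it-admin")
        (bk_dir / "customers.csv").write_bytes(b"\x00" * 10)  # corrupt the copy
        bad = restore_test(bk_dir, "customers.csv", rs_dir, "it-admin")
        return good, bad


if __name__ == "__main__":
    for record in run_demo():
        print(json.dumps(record))
```

The second record comes back with success false even though a file of the right name was restored; without the hash comparison that failure would have been logged as a pass. Store the hash manifest with the backup (most backup products keep one for you) so the test does not depend on the live copy still being available.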
Patch Management and Vulnerability Fixes
What this means: Software has bugs. Vendors release patches to fix those bugs. If you don't apply patches, attackers exploit the bugs to access your systems. Regulators expect you to apply security patches promptly (typically within 30 days of release for critical vulnerabilities).
IT requirements:
- Windows security updates applied within 30 days (critical/high priority within 14 days)
- Third-party software updates (Java, Adobe Reader, browsers) applied regularly
- Firmware updates for network equipment, servers, and other devices
- Regular vulnerability scanning to identify missing patches
- Documented patch policy and testing procedures
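The patch deadlines above (14 days for critical and high, 30 days otherwise) are only auditable if you can show, per host, which open findings are past them. The script below is an added example for this guide, not a scanner's own report: the export format, host names and finding identifiers are constructed, and it assumes the scanner gives you the patch release date and whether the finding is still open.

```python
"""Patch-SLA check over a constructed vulnerability-scan export.

Example written for this guide. The export format, hosts and finding ids
are made up (deliberately not real CVE numbers). The logic compares the
patch release date with the review date and flags open findings older
than the policy allows: 14 days for critical/high, 30 days otherwise.
"""
from datetime import date

SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 30}
DEFAULT_SLA = 30  # anything the scanner rates outside the four levels

# Constructed export: host, finding id, severity, patch release date, state.
SCAN = """\
fs01,EXAMPLE-2024-0001,critical,2024-02-20,open
fs01,EXAMPLE-2024-0002,medium,2024-02-01,open
ws-reception,EXAMPLE-2024-0001,critical,2024-02-20,fixed
ws-hr,EXAMPLE-2024-0003,high,2024-03-01,open
ws-hr,EXAMPLE-2024-0004,low,2024-03-02,open
"""

REVIEW_DATE = date(2024, 3, 10)


def parse_scan(text):
    """Turn the CSV-style export into dicts with a real date field."""
    rows = []
    for line in text.splitlines():
        host, finding, sev, released, state = line.split(",")
        rows.append({"host": host, "finding": finding, "severity": sev,
                     "released": date.fromisoformat(released), "state": state})
    return rows


def overdue(rows, today):
    """Open findings past their SLA: (host, finding, severity, days over)."""
    out = []
    for r in rows:
        if r["state"] != "open":
            continue  # already patched; nothing to report
        age = (today - r["released"]).days
        limit = SLA_DAYS.get(r["severity"], DEFAULT_SLA)
        if age > limit:
            out.append((r["host"], r["finding"], r["severity"], age - limit))
    return out


def summary(rows, today):
    """Per-host count of open findings past SLA, for the audit binder."""
    counts = {}
    for host, *_ in overdue(rows, today):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_scan(SCAN)
    for host, finding, sev, over in overdue(rows, REVIEW_DATE):
        print(f"{host}: {finding} ({sev}) is {over} days past SLA")
    print(summary(rows, REVIEW_DATE))
```

On the sample export only the file server is out of policy: its critical finding is 5 days past the 14-day window and its medium finding 8 days past the 30-day window; the workstation findings are inside their windows or already fixed. Measuring from the patch release date rather than from when you first scanned is the conservative choice, since the scan date is under your control and the release date is not.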
Endpoint Detection and Response (EDR)
What this means: Regulators expect you to detect and respond to malware, ransomware, and unauthorized access attempts. This typically means deploying endpoint detection and response (EDR) software on all computers that can detect suspicious behavior and alert your team.
IT requirements:
- Antivirus or EDR software on all workstations and servers
- Real-time threat detection enabled
- Alerts configured for suspicious activities
- Incident response procedures documented
- Regular malware scans and log reviews
Breach Notification: Legal Requirements
If personal information is lost, or accessed or disclosed without authorization, you have legal obligations under both PIPEDA and PIPA. The trigger in both is the same idea: a real risk of significant harm to the individual (identity theft, financial loss, humiliation, damage to reputation or relationships), judged by the sensitivity of the information and the probability it will be misused.
PIPEDA Breach Notification
- Report to the Office of the Privacy Commissioner of Canada any breach of security safeguards that creates a real risk of significant harm
- Notify affected individuals as soon as feasible when the same threshold is met, and notify any other organization or government institution that could reduce the harm
- The report and the notices must describe what happened, when (or over what period), what personal information was involved, how many people are affected, what you have done to reduce the harm, and who to contact
- Keep a record of every breach of security safeguards, including ones below the reporting threshold, for 24 months; knowingly failing to report or to keep records is an offence
- There is no fixed number of days, but "as soon as feasible" is measured from when you discover the breach, so delays spent deciding who owns the problem count against you
PIPA Breach Notification
- Notify the Office of the Information and Privacy Commissioner of Alberta (OIPC) without unreasonable delay of any incident involving loss of, or unauthorized access to or disclosure of, personal information where a reasonable person would consider there is a real risk of significant harm
- The Commissioner may then require you to notify affected individuals; you can, and usually should, notify them directly without waiting to be told
- The report must describe the circumstances and date of the incident, the personal information involved, your assessment of the risk of harm, the estimated number of people affected, the steps taken to reduce harm, the steps taken to notify individuals, and a contact person
- PIPA sets no fixed day count and has no media-notification rule; "without unreasonable delay" is the standard, and regulators read it as days, not weeks
Critical: Neither law gives you a calendar deadline, which means you cannot plan to start preparing after the breach. You need incident response procedures, contact lists for the regulator and for legal counsel, notification templates, and log data showing when you discovered the breach and what was accessed. That preparation has to exist before the breach occurs.
Industry-Specific Compliance
Healthcare Organizations
Health custodians in Alberta (physicians, pharmacists, clinics, Alberta Health Services) are governed by the Health Information Act (HIA) for health information rather than PIPA, and by their regulatory college's standards of practice. HIA has its own mandatory breach notification: a custodian must notify the Commissioner, the Minister of Health, and the affected individuals when a loss or unauthorized access or disclosure of health information creates a risk of harm. Non-health personal information a clinic holds (staff records, supplier contacts) is still under PIPA. IT requirements include:
- Encryption of all patient data
- Access controls limiting staff to their patients' records
- Audit trails for all access to patient information
- Secure destruction of records at end of retention period
- Breach notification to patients and regulatory body
Legal Firms
Law Society of Alberta requires protection of client information, solicitor-client privilege, and compliance with privacy laws. IT requirements include:
- File-level encryption for client documents
- Secure client communication channels (encrypted email, secure portal)
- Access restricted to relevant staff only
- Documented retention and secure destruction procedures
- Cybersecurity insurance
Financial Services
Banks are federally regulated, so PIPEDA applies together with OSFI's technology and cyber risk guidance (Guideline B-13 and OSFI's cyber incident reporting expectations). Alberta credit unions are provincially regulated and fall under PIPA. Any business that accepts card payments also has contractual obligations to its acquirer. IT requirements include:
- Encryption of all account and transaction data
- PCI DSS (Payment Card Industry Data Security Standard) compliance if you store, process, or transmit cardholder data; using a hosted payment page keeps most card data out of your environment and shrinks the scope
- Multi-factor authentication for all staff access
- Incident response and breach notification procedures
- Regular penetration testing and vulnerability assessments
Preparing for a Compliance Audit
Whether conducting an internal audit or preparing for a regulatory inspection, have these documents ready:
Documentation You'll Need
Privacy policy:
- Written in plain language
- Explains what personal information you collect, how you use it, who you share it with
- Explains individuals' rights (access, correction, deletion)
- Your contact information for privacy questions
Data inventory:
- What personal information you collect
- Where it's stored (database, cloud, on-premise server)
- Who has access to it
- How long you retain it
Security controls:
- List of encryption controls in place
- Access control matrix showing who can access what
- Backup policy and backup test logs
- Patch management procedures and recent patch logs
- Antivirus/EDR deployment and log samples
Incident response plan:
- Procedures for detecting breaches
- Who to notify (IT team, management, legal, regulators)
- Timeline for notification
- Template breach notification letter
- Forensic investigation procedures
Training records:
- Documentation that all staff completed privacy/security training
- Training content and date completed
- Annual refresher training schedule
Vendor agreements:
- Contracts with cloud providers, email hosts, backup vendors showing they comply with privacy requirements
- Data Processing Agreements (DPA) defining how vendors protect your data
Data Retention: How Long to Keep Personal Information
PIPEDA and PIPA don't set specific retention periods (other laws, such as tax and employment legislation, do for some records), but they require you to keep personal information only as long as needed for the purpose it was collected for or as the law requires, and then to destroy it or render it non-identifying. Document the period you chose for each data category and the reason for it. Regulators treat indefinite retention with no stated reason as a finding in itself.
Example retention policies:
- Customer contact information: Keep during customer relationship + 2 years after relationship ends
- Employee records: Keep for 7 years after employment ends (for legal/tax purposes)
- Transaction logs: Keep for 1 year (for audit trail purposes)
- Backup copies: Expire backup sets on a schedule so no copy outlives the retention period by more than the backup rotation window (for example, 30 days), and document that window so the effective deletion date is defensible
Third-Party Risk Management
If you use cloud services (Microsoft 365, cloud storage, Salesforce, payroll systems), you're sharing personal information with third parties. PIPEDA and PIPA hold you responsible for their actions. You need:
- Data Processing Agreements (DPA): Written contracts specifying how the vendor protects your data
- Vendor security assessments: Obtain and actually read the provider's SOC 2 Type II report or ISO 27001 certificate (and its scope), rather than relying on a logo on their website
- Subprocessor management: Know if your vendor shares data with other companies
- Data location: Specify where data is stored and processed; under PIPA you must tell individuals when a service provider outside Canada handles their personal information, so you need to know this before signing
- Incident notification: Vendors must notify you if there's a breach of your data
Practical Compliance Checklist for Alberta Businesses
- Audit current IT environment (encryption, access controls, backups)
- Document all personal information you collect and where it's stored
- Identify compliance gaps
- Create or update privacy policy
- Enable encryption on all devices
- Implement MFA on cloud accounts
- Set up encryption for email and sensitive communications
- Verify website uses HTTPS
- Document access controls and data inventory
- Deploy or verify EDR/antivirus on all devices
- Test backup restoration procedures
- Create incident response plan
- Review and upgrade third-party vendor agreements (add DPAs)
- Train all staff on privacy and security
- Monthly: Review access controls and remove terminated employees' access
- Quarterly: Verify backups via restoration testing
- Quarterly: Review logs for unauthorized access attempts
- Annually: Refresh staff training, review and update policies
Get a compliance assessment tailored to your Alberta business. Free consultation.
We review your current IT practices against PIPEDA and PIPA requirements, identify gaps, and provide a prioritized roadmap to achieve compliance. Includes recommendations on controls, documentation, and third-party vendor management.