Insights Header image
Insights Header image
Insights Header image

Stop Snooping: Alberta Privacy Commissioner Finds Employee Snooping Results in Real Risk of Harm

September 20, 2022 Privacy Bulletin 2 minute read

In a recent breach notification decision, the Alberta Privacy Commissioner found that a real risk of significant harm arose after four employees were found to have accessed account information of other employees and credit union members without an authorized purpose. This decision highlights the importance of clear privacy policies and practices for employees and that the risk of privacy breaches is not just from external bad actors – it can arise inside of an organization.


The organization discovered this breach through their internal audit system shortly after the unauthorized accesses occurred. It involved sensitive personal information of employees and credit union members, including their social insurance number, banking information, and other sensitive employment information.

Under the Alberta Personal Information Protection Act,[1] organizations are required to notify individuals if unauthorized access of their personal information raised a real risk of significant harm. This test was met due to the sensitive nature of the information accessed and the deliberate and personal nature of the breach, together with the non-trivial consequences or effects of the incident. The decision also noted how, because the perpetrators and affected individuals know each other, there was an increased likelihood that this incident would damage personal and professional relationships.

Organization’s Response

As a result of this breach, the organization provided the necessary access notification[2], offered the affected individuals 24 months of credit monitoring, and took several steps to prevent future breaches including:

  • Disciplining the employees who conducted the accesses;
  • Developing a “spot check” program to monitor employee accesses; and
  • Reminding all employees of the audit tool, the importance of maintaining privacy, and the consequences of a failure to do so.

These steps were aided by the fact that the organization had these processes and policies in place before the breach.

Takeaways for Businesses

This decision serves as a reminder for all businesses to have clear policies and practices in place – such as an employee privacy policy, an internal audit process, and proper safeguards on employee personal information. These not only reduce the risk of a breach, but also allow for a quick and effective response if a breach occurs, in order to reduce the risk of harm to individuals.

For more information on Alberta’s regulation of privacy breaches, please see our recent bulletin, Lessons learned from Alberta’s Office of the Information and Privacy Commissioner (OIPC) 11-Year Report.

If you would like advice on drafting or revising such policies or procedures, or employee privacy considerations more generally, a member of our Employment & Labour Relations Group would be happy to assist you.

by Gordana Ivanovic, Kristen Shaw and Julia Loney

[1] Personal Information Protection Act, SA 2003, c P-6.5, s 37.1.
[2] Required under section 19.1 of the Personal Information Protection Act Regulation.

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022

Insights (5 Posts)View More

Featured Insight

Could it be True? Canada to Introduce Open Banking Legislation

On November 21, 2023, the Government of Canada released its 2023 Fall Economic Statement. The Economic Statement announced the federal government's intention.

Read More
Nov 29, 2023
Featured Insight

Net Zero Plans Deserve Closer Attention Than They Are Getting

This bulletin provides guidance for companies on practices around net zero plans

Read More
Nov 29, 2023
Featured Insight

Necessary Guidance: Ontario Capital Markets Tribunal Provides Key Insights on the ‘Necessary Course of Business’ Exception in Kraft (Re)

The first application of the "necessary course of business" defense to tipping, Kraft (Re) offers key insights when handling material non-public information.

Read More
Nov 29, 2023
Featured Insight

Corporate Counsel CPD Webinar | Inclusion By Design – Using Behavioral Insights to Build Inclusive Organizations

This engaging and informative session will introduce new behaviorally informed strategies, and explore the concept of “nudges”, gentle interventions that guide individuals toward a desired choice or action, and “sludge”, hidden frictions in systems that impede progress toward a desired goal. Participants will learn specific strategies for applying behavioral insights to increase DEIB across their organization.

Wednesday, December 6, 2023
Featured Insight

Attracting Venture Capital and Private Equity Investors: The Alberta Business Corporations Act Makes Alberta the Most Investor and Business Friendly Corporate Jurisdiction in Canada

Reforms to the corporate legal regime in Alberta make it the province of choice for businesses and investors alike.

Read More
Nov 24, 2023