Certified Information Privacy Professional – Canada (CIPP/C) — Question 6
According to the Alberta Personal Information Protection Act, which of the following data breach reporting notifications to the commissioner is NOT automatically triggered when a real risk of significant harm (RROSH) has been determined?
Answer options
- A. Providing a description of the steps the organization will take to notify the affected individual(s).
- B. Providing a description of the steps the organization has taken to reduce or mitigate that harm.
- C. Providing an estimate of the number of individuals affected by the breach.
- D. Providing a description of the personal information involved in the breach.
Correct answer: C
Explanation
The correct answer is C because the requirement does not automatically include an estimate of the number of individuals affected by the breach under the RROSH criteria. Options A, B, and D are all part of the mandatory notifications that must be provided to the commissioner when RROSH is determined.