First introduced in October 1995, the Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25 (the “FOIP Act”) has since set the standard for privacy practices among public bodies in Alberta. Originally framed to provide the public with the right to access records and protect individual privacy within public institutions, the FOIP Act has seen minimal amendments over the years, with the last significant update approximately 20 years ago.
In November 2024, the Alberta government announced that it would repeal the FOIP Act and introduced two separate acts in its place, titled the Protection of Privacy Act (“POPA”) and the Access to Information Act (“ATIA”). These acts are currently awaiting Royal Assent before coming into force.
POPA and ATIA will continue to apply to an array of public entities, including government departments, boards, agencies, municipalities, school boards, police services, as well as universities and colleges, and will introduce changes to meet the privacy and information access demands of our digital era. The main highlights of the POPA and ATIA are set out below.
Bill 33: Protection of Privacy Act
Bill 33 is designed to address privacy protection with the intent to offer stronger privacy safeguards, maintain and bolster public trust, and augment the government’s ability to deliver services and programs.
- Privacy By Design: Public entities are now mandated to integrate privacy considerations intrinsically into their operational frameworks, adopting the principle of "privacy by design." The privacy by design approach requires public bodies to consider the privacy implications of personal information management during business dealings and when creating or changing programs, systems and services.
- Privacy Management Programs: As part of the privacy by design principle, it will be mandatory for public bodies to adopt a privacy management program, which must document policies and procedures that promote the public body’s compliance under POPA.[1]
- Privacy Impact Assessments: Privacy impact assessments will also be required for public bodies in prescribed circumstances under the forthcoming regulations.[2]
- Increased Notification Requirements: Public bodies are now required to notify individuals if their information is being used in any automated system to generate content, or to make decisions, recommendations, or predictions.[3] Additionally, if there is a privacy breach posing a real risk of significant harm, individuals affected must be notified of the breach.[4]
- Enhanced Protections for Personal Information: The new act explicitly prohibits the sale of personal data by public bodies for any purpose.[5] Part 3 of POPA also introduces new rules concerning data matching, data derived from personal information and non-personal data, where uses of these data types can only be for prescribed purposes.[6]
- Streamlined Processes: POPA empowers public bodies to link personal information directly between sources under the control of different public bodies through data matching and to disclose derived data and non-personal data to other public bodies.[7] Under POPA, public bodies have clear rules for when and how to share information with each other to provide a common or integrated service, which streamlines the collection of personal information.
- Reduction of Administrative Burdens of the OIPC: In an effort to reduce the regulatory burdens of the OIPC, an individual must address the privacy complaint with the offending public body before they can submit a complaint to the OIPC.[8] The OIPC can also require a public body to provide a copy of their privacy impact assessments or privacy management programs.[9]
- Strict Penalties: Under POPA, an individual can face a fine of up to $125,000 and an organization can face a fine of up to $750,000.[10] In addition, for penalties concerning derived data and non-personal information, an individual can face a fine of up to $200,000 and an organization up to $1,000,000.
Bill 34: Access to Information Act
Bill 34 was introduced with the intent of modernizing access to information. Bill 34 recognizes electronic records, allows public bodies to extend timelines during times of emergencies, clarifies definitions and processes and further empowers public bodies to proactively disclose information.
- Empowers Public Bodies to Proactively Disclose Information: ATIA empowers public bodies to proactively disclose information outside the access to information process. Under the ATIA, a public body is not required to make a request to another public body to obtain access to a record in the custody or control of another public body.[11]
- Public Body Can Disregard Requests: A public body has the power to disregard requests for access to a record under the prescribed conditions.[12]
- Extension in Emergency: The ATIA also specifically outlines the situations allowing a public body to extend the response time to a request for access.[13] Most noteworthy of the new extensions is the automatic extension in times of emergency, disaster or other unforeseen event that results in an unplanned operational closure or interruption, which allows public bodies to focus on the immediate crisis at hand.[14]
- Clearer Timelines: ATIA now sets out clearer timelines for the OIPC to complete reviews and respond to access requests.[15]
- Clarify Documents Withheld From Mandatory Disclosures: Under the ATIA, a record of communication between political staff or a member of the Executive Council and political staff that does not involve another public body employee is excluded as a record to which ATIA applies.[16]
- Increased Penalty: The penalties under ATIA have also increased to a maximum penalty of $50,000 for contraventions under the ATIA.[17]
Key Developments to Watch
With the introduction of Bills 33 and 34, there are several other changes to the privacy legislation to watch out for.
- In-Depth Regulations: The Alberta government is set to release comprehensive regulations in the spring of 2025, which will provide further clarity on the specifics of privacy management programs and privacy impact assessments under POPA.
- A Closer Examination of PIPA: The Personal Information Protection Act, SA 2003, c P-6.5 (“PIPA”) is currently under a rigorous review by the Standing Committee on Resource Stewardship. Initiated in January 2024, this deep dive into the Act has an 18-month timeline for completion. The final report of the Committee is expected in June of 2025 and is anticipated to further shape privacy legislation.
Stay informed on these pivotal updates, as the landscape of privacy and data protection modernizes with new legislation.