Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Public bodies in Alberta will be required to implement a privacy management program by 11 June 2026, when a one-year grace period in the province's Protection of Privacy Act expires.

In addition to privacy management programs, Alberta's POPA requires privacy impact assessments, introduces new rules permitting data matching and the "creation of non-personal data," and establishes privacy breach notification requirements in the public sector — applying the "real risk of significant harm" threshold.

In 2024, the Government of Alberta passed legislation separating the province's access to information and privacy law. The former Freedom of Information and Protection of Privacy Act became the Access to Information Act and the POPA, which follows Canada's dual laws model. The regulatory oversight for both laws remains under a single information and privacy commissioner in Alberta.

These amendments follow several provincial government policy and program changes that align with the Alberta Technology and Innovation Strategy, which seeks in part to establish "an Alberta Data Strategy to fully leverage the value of the data government creates and collects to allow for better access and analysis, and enhance the secure and open exchange of data while continuing to protect the privacy of citizens." 

A recent mandate letter to Alberta's minister of technology and innovation reinforces this goal.

Data matching and de-identification 

To improve information sharing among public bodies, for example, the POPA sets rules for data matching, defines "data derived from personal information" and "non-personal data," and sets parameters meant to limit re-identification. 

Once personal information is deemed to be "non-personal data," the legislation permits any use of the information for research and analysis or to conduct various aspects of program or service delivery — or for purposes prescribed in regulations.

While the FOIP Act left open the possibility of regulations to establish standards for data matching, sharing or linkage, POPA introduces explicit rules on data matching and the "creation of non-personal data," presenting new compliance challenges for Alberta's public bodies.

The POPA's Protection of Privacy (Ministerial) Regulation also requires the establishment of a "data quality assurance process" to create non-personal data. It also mandates an assessment of re-identification risks before using or disclosing non-personal data.

Privacy impact assessments

To encourage responsible data use among public bodies, the POPA introduces strong legislative controls, such as PIAs, privacy management programs and breach notification requirements.

With respect to the PIA requirement, POPA's Protection of Privacy (Ministerial) Regulation uses a "real risk of significant harm" threshold analysis to determine whether a PIA must be completed. 

The regulations outline additional triggers that require submitting a PIA to the Office of the Information and Privacy Commissioner of Alberta. For example, a PIA must be completed and submitted to the OIPC when certain conditions apply, such as the use of an "innovative technology," the involvement of the personal information from a "significant percentage" of the population served by the public body, or the use of highly sensitive personal information — defined as financial or biometric information or information relating to minors, seniors or other vulnerable individuals.

Notably, PIA requirements are not new in Alberta. Since 2001, the Health Information Act of Alberta has required the completion and submission of a PIA to the OIPC. As a result, health care professionals and organizations have a wealth of experience, having completed more than 10,000 PIAs.

The need to complete PIAs has increased, as OIPC data shows. In the early 2010s, the OIPC received around 400 PIAs per year compared to the nearly 2,000 per year received during the early part of this decade — most submitted as required under the HIA with a few voluntarily submitted by public bodies and private sector organizations.

Wording in the HIA explicitly gave authority for the OIPC to "review and comment" on submitted PIAs. On the other hand, the POPA simply says a PIA "must be submitted" to the OIPC when a trigger is met or if a PIA is requested by the OIPC. The OIPC has said it will provide a template for public bodies submitting PIAs, which differs under the HIA where the OIPC only provides high-level guidance.

Privacy management programs

Altogether, for larger public bodies, these various components — from data matching and the "creation of non-personal data" to breach notifications to the completion of PIAs — will form part of the suite of policies and procedures in privacy management programs that must be ready by 11 June 2026. Meanwhile, smaller public bodies can scale their privacy management programs to the personal information activities each conducts.

The privacy program management requirements set out in the POPA's Protection of Privacy (Ministerial) Regulation include designating a privacy officer, establishing internal policies and procedures, setting a security classification system for personal information, mandating training for employees, and setting timelines for periodic review. The policies and procedures that all public bodies must develop relate to access requests, correction requests and complaints; the creation, use and disclosure of non-personal data, if applicable; and how automated systems will use and safeguard personal information, if applicable. 

Further requirements are placed on public bodies that have a "high volume of personal information or highly sensitive personal information," such as establishing documented PIA processes; providing further clarity around the roles, responsibilities and accountabilities of employees; having documented oral, written and electronic consent mechanisms; and outlining administrative, technical and physical safeguards relating to personal information, data derived from personal information and non-personal data. 

All public bodies in Alberta must establish a process for making the privacy management program publicly available. They also should be mindful about withholding information that could compromise safeguards.

Alberta's changes within the broader national legislative context

These are substantial changes for the province's public bodies — from big government departments, police services, universities and urban municipalities to small towns, villages, Métis settlements and irrigation districts — and follow similar requirements placed on British Columbia's public sector in 2023. 

Additionally, when Quebec introduced modern privacy regulations for businesses in 2020, a less publicized aspect was the law's application to Quebec's public sector. Since then, reforms to Canada's Personal Information Protection and Electronic Documents Act ebbed, along with discussions to update private sector privacy laws in B.C. and Alberta.

Instead, Canada's provincial public sector privacy laws have taken the lead nationally — first with Quebec, followed by B.C., Ontario, and then Alberta. 

Ontario amended its privacy law for provincial government institutions but did not update its law that applies to municipal institutions, police services and school boards. The province also did not include a privacy management program requirement for provincial government institutions. 

While discussion of privacy management programs, PIAs and breach notifications is nothing new in global privacy regulation, they have only recently become mandatory in Canada. Given how private-sector privacy law modernization efforts outside of Quebec have languished, it is interesting that the provincial public sector is now setting the standard.

Scott Sibbald, CIPM, is founder of Range Road Communications.