Major privacy changes, new requirements for Alberta's public sector

Public bodies in Alberta will be required to implement a privacy management program by 11 June 2026, when a one-year grace period in the province's Protection of Privacy Act expires.

In addition to privacy management programs, Alberta's POPA requires privacy impact assessments, introduces new rules permitting data matching and the "creation of non-personal data," and establishes privacy breach notification requirements in the public sector — applying the "real risk of significant harm" threshold.

In 2024, the Government of Alberta passed legislation separating the province's access to information and privacy law. The former Freedom of Information and Protection of Privacy Act became the Access to Information Act and the POPA, which follows Canada's dual laws model. The regulatory oversight for both laws remains under a single information and privacy commissioner in Alberta.

These amendments follow several provincial government policy and program changes that align with the Alberta Technology and Innovation Strategy, which seeks in part to establish "an Alberta Data Strategy to fully leverage the value of the data government creates and collects to allow for better access and analysis, and enhance the secure and open exchange of data while continuing to protect the privacy of citizens." 

A recent mandate letter to Alberta's minister of technology and innovation reinforces this goal.

Data matching and de-identification 

To improve information sharing among public bodies, for example, the POPA sets rules for data matching, defines "data derived from personal information" and "non-personal data," and sets parameters meant to limit re-identification.