Alberta’s Dual-Law Approach to Privacy and Access: Strategic Insights for Public and Private Sectors

June 2025 marked a significant change in Alberta’s public sector privacy governance. Two new privacy laws, the Protection of Privacy Act (POPA) and the Access to Information Act (ATIA), came into force and replaced the decades-old Freedom of Information and Protection of Privacy Act (FOIP). POPA and ATIA apply to public bodies in Alberta and to private vendors that provide services to those public bodies. This legislative overhaul reflects Alberta’s response to growing public concern over data security, digital surveillance, and the ethical use of personal information, pushing the province towards a more modernized and transparent approach to data.

POPA Overview

POPA applies to all public bodies in the province, including ministries, municipalities, school boards, health authorities, and police services. POPA’s main objective is to safeguard personal information and privacy. One of its cornerstone requirements is the establishment and implementation of Privacy Management Programs (PMPs). PMPs must incorporate designated privacy officers, documented policies, staff training, breach protocols, and regular reviews. The implementation of PMPs helps establish a strong and comprehensive privacy program that emphasizes accountability and a proactive approach to privacy.

POPA also mandates breach notification when a privacy incident poses a real risk of significant harm (RROSH), requiring disclosure to affected individuals, the Office of the Information and Privacy Commissioner (OIPC) of Alberta and the Minister of Technology and Innovation. With this shift, public institutions should develop a robust breach management policy and plan to ensure they can meet this enhanced obligation. Following suit with Ontario’s Bill 194, which proposed changes to the Freedom of Information and Protection of Privacy Act (FIPPA), POPA has implemented the RROSH threshold for breach notification in the public sector, a standard also seen in private-sector legislation, such as Alberta’s Personal Information Protection Act (PIPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Another major shift is the requirement for Privacy Impact Assessments (PIAs) for any new or modified program involving personal data, especially when data is shared between public bodies. The requirement to conduct PIAs has become a trend in Canada’s privacy overhaul, with British Columbia’s FIPPA, Ontario’s FIPPA, and Quebec’s Act Respecting Access to Documents Held by Public Bodies also requiring PIAs in various contexts. Alberta’s POPA stands out for its prescriptive approach, mandating PIAs not only for new initiatives but also for any significant changes to existing programs, particularly those involving automated decision-making or inter-agency data sharing. Inter-agency data sharing refers to the practice of public bodies exchanging or accessing personal information across departments, ministries, or other government entities to deliver services, coordinate programs, or conduct analysis. For example, a health authority may share patient data with a municipal social services department to support integrated care.

POPA introduces transparency obligations for automated decision-making (i.e., AI systems that may generate content or make decisions, recommendations or predictions), compelling public bodies to inform individuals who may be affected by such decisions when such systems are used and to explain their function and impact with proper notice. Public institutions must ensure transparency when deploying automated decision-making systems, particularly for citizen-facing services. For instance, if a municipal government uses AI to triage housing benefit applications, assessing eligibility, prioritizing cases, or flagging anomalies based on predefined criteria, it must clearly inform applicants that an automated system is in use. This includes explaining what the system does, the logic behind its decisions, and how it may affect the outcome of their application. There are also new rules around data matching, which refers to linking or comparing data from two or more datasets to identify individuals, patterns, or relationships. Under these rules, public bodies in Alberta may link personal data across systems only when necessary for a lawful purpose, supported by a Privacy Impact Assessment and appropriate transparency safeguards. Public entities are now also permitted to use properly de-identified data for secondary uses such as research, planning, and program evaluation, provided privacy risks are mitigated and documented.

POPA introduces stronger penalties for non-compliance, with fines reaching up to $1 million. These are just some of the changes introduced by POPA, which collectively aim to enhance accountability, safeguard personal data, and align Alberta’s public sector privacy practices with contemporary standards.

ATIA Overview

ATIA, the second piece of legislation in this overhaul, complements POPA by establishing a modernized framework for public access to records held by Alberta’s public bodies (the same as listed above). Compared to its FOIP predecessor, ATIA is more refined and deliberate, offering public bodies greater control and clearer boundaries, while also introducing new obligations that hold public bodies to a higher standard. ATIA introduces proactive disclosure obligations, requiring public bodies to publish categories of frequently requested information, such as contracts, policies, and performance metrics, thereby enhancing transparency to the public.

In terms of managing access requests, ATIA allows public bodies to disregard requests that are abusive, overly broad, previously fulfilled, or disruptive to operations. The response timeline has shifted from 30 calendar days to 30 business days, with provisions for further extensions under reasonable circumstances. This supports the need for a robust Data Subject Request Policy and Procedure to ensure that requests are filtered accordingly and responded to within the expected timeframes. ATIA also goes further by limiting the need to disclose certain government discussions, giving public bodies more room to withhold sensitive information.

ATIA empowers the OIPC with expanded oversight, including the ability to issue binding orders and conduct audits; before FOIP was replaced by ATIA, the Commissioner could only investigate complaints and make recommendations. Importantly, ATIA introduces a “duty to document,” obligating public bodies to maintain records of decisions, communications, and actions that impact public accountability. This provision not only promotes transparency in governance and prevents information loss but also reinforces the need for clear internal protocols for documenting incidents, complaints, and organizational risks.

Implications for Alberta’s Public Bodies

Together, POPA and ATIA signal a shift from reactive compliance to proactive governance. Public bodies must now invest in robust privacy and access infrastructures if they are to meet these new compliance standards, including:

  • Dedicated privacy and access personnel

  • Integrated training programs on updated policies and procedures

  • Technology upgrades or process updates to support record-keeping, breach management, data subject requests and automated decision disclosures

  • Procedures or tools to conduct Privacy Impact Assessments

  • Cross-departmental collaboration for PIAs and breach response

Ripple Effects on the Private Sector

Private-sector service providers working with Alberta’s public bodies will need to comply with these enhanced standards, particularly around data sharing, breach notification, and transparency. Contracts may now include clauses requiring vendors to:

  • Support PIAs and PMPs

  • Notify public bodies of breaches within tight timelines

  • Avoid practices like data monetization

  • Provide transparency around any automated systems used in service delivery

  • Prove strong privacy/security compliance standards and measures within their organizations

These changes may also influence procurement decisions, favouring vendors with strong privacy credentials and demonstrable compliance capabilities over those who may not put privacy at the top of their priorities list.

Strategic Takeaways for our Clientele

For Bamboo’s public and private sector clients, the message is clear: privacy is no longer a back-office function; it is a strategic imperative. Our experienced team can support clients by:

  • Conducting gap assessments against POPA and ATIA requirements

  • Designing and implementing PMPs that are tailored to organizational needs and focused on a privacy-by-design approach

  • Facilitating PIAs and breach response planning

  • Advising on vendor management

  • Supporting change management and staff training

Alberta’s reforms offer a chance to future-proof operations. Aligning with POPA and ATIA principles, such as transparency, accountability, and responsible data use, can enhance trust and competitiveness across jurisdictions, especially as Canada appears to be moving towards a much more regimented approach to privacy across its provinces.
