PIPA Primer: 3 Reminders for Private-Sector Employers
While much of the discourse in Alberta’s privacy law in 2025 surrounded changes to public sector privacy legislation (including the creation of the Protection of Privacy Act (“POPA”) and the Access to Information Act (“ATIA”), which replaced the Freedom of Information and Protection of Privacy Act (“FOIP”) in Alberta), private sector organizations continue to be governed by the Personal Information Protection Act (“PIPA”), SA 2003, c P-6.5.
In an age of rapidly advancing technology and innovation, including a surge in artificial intelligence technologies, it is more important than ever for private sector organizations to be aware of their obligations pursuant to PIPA to ensure that information is appropriately safeguarded. The following tips and reminders highlight three key considerations for employers to uphold their obligations pursuant to PIPA.
1. Organizations are responsible for the personal information in their custody and control.[1]
If an organization has custody or control of personal information, it is responsible for that personal information. Organizations are required to designate at least one person to be responsible for ensuring that the organization is in compliance with PIPA.
Organizations are required to act reasonably when meeting the obligations set out under PIPA. To meet that standard of reasonableness, organizations are required to develop and abide by policies that assist the organization in following PIPA.
2. There are limitations on the collection, use, and disclosure of personal information.[2]
Following the requirement that organizations must act reasonably in abiding by PIPA, an organization may only collect, use, and disclose personal information for reasonable purposes, and may only rely on personal information collected to the extent that it is reasonable to meet those purposes.
Prior to collecting personal information, an organization must notify the individual of the purpose of collection and of the name of the person who can answer any questions the individual may have about the collection.
Generally speaking, consent is required to collect, use, and disclose personal information. However, there are some exceptions in PIPA which allow for collection and use without consent.
These exceptions include, but are not limited to:
- information that a reasonable person would consider to be clearly in the interests of the individual and consent of that individual cannot be obtained in a timely manner, and that individual would be expected to consent;
- where collection, use, or disclosure of the information is authorized or required by law, among others.
3. Private sector organizations have obligations to respond to access requests in a timely manner.
Under PIPA, individuals can request access to their personal information held by an organization, or information about the organization’s disclosure of their personal information. In response to such a request, the organization has an obligation to respond in a timely manner, or the organization can face penalties.
[1] PIPA, s. 5(1).
[2] PIPA, Part 2, Divisions 3, 4, 5.