Alberta’s Privacy Laws, Rewritten: What You Need to Know About the Access to Information Act and the Protection of Privacy Act

• Justine
  Fay

  Justine
  Fay

  view bio

The Government of Alberta has undertaken efforts to modernize Alberta’s access to information and protection of privacy regime. These efforts took effect on June 11, 2025, when the Freedom of Information and Protection of Privacy Act (“FOIPPA”) was repealed and not one, but two, new pieces of legislation took its place: theAccess to Information Act (“AIA”) and the Protection of Privacy Act (“POPA”).

FOIPPA broadly governed access to records held by public bodies and protected personal information from unauthorized collection, use, and disclosure.

The new legislative framework splits these functions into two distinct statutes. As you can tell by their names, the Access to Information Act governs – you guessed it – access to information held by public bodies. The Protection of Privacy Act contains rules for the collection, use, and disclosure of personal information by public bodies.

An update was necessary. As pointed out during legislative debates, FOIPPA had been in place since 2000, predating smart phones, social media, and widespread use of the Internet.[1]

But what exactly has changed?

A comprehensive review of the legislation is well beyond the scope of this article, but there are a few key differences to keep in mind while adjusting to the new legislation.

AIA

• Updates to definitions. The AIA includes new definitions, such as “business day”, “electronic record”, and “information.” There have been revisions to the definitions of “personal information” and “record.”
• Power to disregard requests. In FOIPPA, the public body had to request authorization from the Commissioner to disregard an access to information request. In the AIA, the public body is permitted to disregard requests without seeking permission from the Commissioner.
• Duty to assist: There is greater clarity regarding the public body’s duty to assist applicants in accessing information, set out in the Regulation.
• New exception to disclosure: Public bodies may now refuse to disclose information that would prejudice a workplace investigation or cause harm to a witness or third party in that investigation.

POPA

• Updated definitions: In keeping with the attempt to modernize the legislation, the POPA contains new definitions, including: “common or integrated program or service,” “data derived from personal information,” “data matching,” “non-personal data,” and “synthetic data.” There are corresponding provisions throughout the legislation regarding public bodies use and collection of these specific types of data.
• Sale of personal information: Under FOIPPA, there was no express prohibition on the sale of personal information. Section 11 of POPA now prohibits it.
• Privacy Management Programs: The POPA now requires public bodies to maintain “privacy management programs,” as detailed in the Ministerial Regulation. Public bodies have 1 year from June 11, 2025, to implement such a program.
• Privacy Impact Assessments: The POPA imposes a new obligation on public bodies to conduct “privacy impact assessments” when there is a “a new, or a substantial change” to existing practices, programs, projects, or services that involve personal information. Further details regarding the requirement to conduct a privacy impact assessment is set out in the Ministerial Regulation.

The new legislation is not without criticism. While the bills were still being debated, the Commissioner wrote to the Government of Alberta setting out her comments and criticisms of the legislation: AIA and POPA.

While the changes to FOIPPA reflect a more contemporary understanding of data and its uses, they also introduce new responsibilities for public bodies. As with any legislative overhaul, the practical impact of AIA and POPA will depend on how these new laws are implemented and interpreted in the months and years ahead.

Please reach out to our office if you have any questions regarding the new legislation or other privacy and security matters.

[1] Hansard, November 20, 2024, p. 2060.

_{This post is meant to provide information only and is not intended to provide legal advice. Although every effort has been made to provide current and accurate information, changes to the law may cause the information in this post to be outdated.}