Key Changes to Alberta’s Privacy and Access Laws

Incoming Changes to Alberta’s Public Sector Privacy and Access to Information Legislation and an Overview of the Personal Information Protection Act
Recent Changes to Alberta’s Public Sector Privacy and Access to Information Legislation
In late 2024, the Alberta legislature passed two bills which will replace Alberta’s current public sector privacy legislation (the Freedom of Information and Protection of Privacy Act, or FOIPPA) with two new acts: the Protection of Privacy Act[1] and the Access to Information Act.[2] Once enacted, these new Acts will introduce important changes relating to how public bodies can collect, manage, and make use of personal information, and to the rules and processes governing access to information requests.
The government identifies public bodies as including:
- government departments, branches, and offices;
- agencies, boards, and commissions;
- educational bodies (including school boards and postsecondary institutions); and
- local government bodies, such as municipal governments, police services, and libraries.[3]
The Protection of Privacy Act aims to strengthen privacy protections and bring privacy regulation in line with modern technologies and privacy issues. It also imposes stricter penalties for breaches of the legislation.[4]
The Access to Information Act provides an updated framework relating to access to information requests for records in the custody or under the control of a public body. Changes introduced by the Access to Information Act include recognizing and defining “electronic records”, changes to time limits for public bodies to respond to requests including extensions during times of emergency, further empowering public bodies to make proactive disclosures, and clarifying what kinds of documents can be withheld by public bodies from mandatory disclosure.[5]
Regulations are expected in Spring 2025 to provide further details on Alberta’s new public sector privacy and access to information regime.
Alberta’s Existing Private Sector Privacy Legislation and Access to Information Requests
Alberta’s Personal Information Protection Act (PIPA) is an existing private sector privacy law that applies to provincially regulated private sector organizations, businesses, and some non-profit organizations.
The government has not yet proposed changes to PIPA; however, the new public sector legislation also provides an occasion for recognizing the existing obligations applying to private sector organizations under PIPA.
PIPA provides a framework governing how organizations (including corporations, associations, trade unions, and individuals acting in a commercial capacity) can collect, use, and disclose personal information.[6]
PIPA defines “personal information” as “information about an identifiable individual”.[7] It can include a range of different kinds of information, including personal details, addresses, email addresses, financial information, and other sensitive information. However, that information must relate to an identifiable individual.
Subject to certain exceptions,[8] PIPA provides that organizations can only collect, use, and disclose individuals’ personal information for purposes that are reasonable.[9] Similarly, PIPA provides that organizations cannot collect, use, or disclose personal information about an individual without their consent.[10] These consent requirements are also subject to a number of exceptions.[11] PIPA further provides specific rules relating to the collection, use, and disclosure of employee information.[12]
Awareness of PIPA’s provisions relating to the collection, use, and disclosure of personal information is important for all private sector organizations because it is an offence to contravene these sections.[13] The Act also provides several other offences, and offences can result in fines of up to $10,000 for individuals and up to $100,000 for organizations.[14]
Under PIPA, individuals may request that an organization provide them with access to records containing personal information about the individual or provide the individual with information about the use or disclosure of personal information about the individual.[15] Individuals can also request that an organization correct an error or omission in their personal information.[16]
Where an individual makes a request for access to personal information, PIPA requires that the organization respond within 45 days from the day the organization receives the individual’s written request – though the Act allows for extending the time limit in certain circumstances.[17]
PIPA provides that an organization responding to an access to personal information request may refuse access to certain records for an identified list of reasons, including that the information is protected by legal privilege, that disclosure could reveal confidential commercial information and it is not unreasonable to withhold that information, or that the information was collected for an investigation or legal proceeding.[18] Further, PIPA states there are certain circumstances where an organization cannot provide access to personal information, such as where disclosure could reasonably be expected to threaten the life or security of another person or the information would reveal personal information about another individual.[19]
For an organization, responding to a PIPA request can be a monumental task. It requires the organization to collect, review, and identify any documents within its possession that contain personal information about the individual. This can mean collection and review of thousands of documents. The organization also needs to identify and note the reason for refusing to provide any documents in accordance with the exceptions in the Act.
Additionally, given the Act’s prohibition on providing personal information about individuals other than the individual making the request, responding to a request can also involve a lengthy process of redacting the personal information of others.
It remains to be seen whether and in what ways the PIPA regime might be amended; however, Alberta’s new public sector privacy and access to information legislation suggests that future changes may be focused on strengthening privacy protections and responding to evolving technologies. For assistance with PIPA requests and other privacy issues, including those relating to Alberta’s new public sector privacy legislation and the Health Information Act, contact our Boards, Tribunals & Administrative Law Team.
[1] Bill 33, Protection of Privacy Act, 1st Sess, 31st Leg, Alberta, 2024 (assented to 5 December 2024), SA 2024, c P-28.5, <docs.assembly.ab.ca/LADDAR_files/docs/bills/bill/legislature_31/session_1/20230530_bill-033.pdf> [Protection of Privacy Act].
[2] Bill 34, Access to Information Act, 1st Sess, 31st Leg, Alberta, 2024 (assented to 5 December 2024), SA 2024, c A-1.4, <docs.assembly.ab.ca/LADDAR_files/docs/bills/bill/legislature_31/session_1/20230530_bill-034.pdf> [Access to Information Act].
[3] Government of Alberta, “Bill 33 Protection of Privacy Act: Getting to know Alberta’s proposed public sector privacy law” (6 November 2024), online: <www.alberta.ca/system/files/bill-33-getting-to-know-protection-of-privacy-act.pdf>.
[4] Government of Alberta, “Bill 33 Protection of Privacy Act: Getting to know Alberta’s proposed public sector privacy law” (6 November 2024), online: <www.alberta.ca/system/files/bill-33-getting-to-know-protection-of-privacy-act.pdf>. The offences and penalties are set out in section 60 of the Protection of Privacy Act.
[5] Government of Alberta, “Modernizing access to information for Alberta’s digital age” (last visited 9 January 2025), online: <www.alberta.ca/modernizing-access-to-information-for-albertas-digital-age>; Access to Information Act, ss 1(f), 13, 16.
[6] Personal Information Protection Act, SA 2003, c P-6.5, s 1(1)(i).
[7] Personal Information Protection Act, SA 2003, c P-6.5, s 1(1)(k).
[8] Discussing the exceptions is outside the scope of this article.
[9] Personal Information Protection Act, SA 2003, c P-6.5, ss 11, 16, 19.
[10] Personal Information Protection Act, SA 2003, c P-6.5, s 7.
[11] Personal Information Protection Act, SA 2003, c P-6.5, ss 14, 17, 20.
[12] Personal Information Protection Act, SA 2003, c P-6.5, ss 15, 18, 21.
[13] Personal Information Protection Act, SA 2003, c P-6.5, s 59(1)(a).
[14] Personal Information Protection Act, SA 2003, c P-6.5, ss 59(1)–(2).
[15] Personal Information Protection Act, SA 2003, c P-6.5, s 24.
[16] Personal Information Protection Act, SA 2003, c P-6.5, s 25.
[17] Personal Information Protection Act, SA 2003, c P-6.5, ss 28, 31.
[18] Personal Information Protection Act, SA 2003, c P-6.5, s 24(2).
[19] Personal Information Protection Act, SA 2003, c P-6.5, s 24(3).
This post is meant to provide information only and is not intended to provide legal advice. Although every effort has been made to provide current and accurate information, changes to the law may cause the information in this post to be outdated.