Alberta is set to significantly change the privacy landscape for the public sector for the first time in 20 years.
Overview
The Government of Alberta recently introduced the Protection of Privacy Act (PPA) (Bill 33) and the Access to Information Act (AIA) (Bill 34), set to replace the current Freedom of Information and Protection of Privacy Act (FOIP). Proposed supporting regulations, setting out prescribed details referenced in the bills, are expected to be published in spring 2025.
Following the release of Bills 33 and 34, Alberta’s Information and Privacy Commissioner (the Commissioner) published comments, strongly recommending numerous changes. These recommendations were not incorporated in the readings of the proposed bills.
The bills received royal assent on December 5 and will come into force upon proclamation.
The proposed introduction of the PPA and AIA through Bills 33 and 34 represents a significant shift in the privacy landscape in Alberta for both public bodies and organizations that interact with those public bodies. While the PPA seeks to introduce more stringent privacy and cybersecurity requirements, as outlined below, this is counter-balanced by the proposed changes to access requests under the AIA, which contemplate a longer access request process that gives public bodies increased opportunity to withhold records.
Summary of noteworthy proposed changes
The PPA and the AIA propose material changes from FOIP, including:
- Privacy Impact Assessments: The PPA would obligate public bodies to prepare privacy impact assessments in yet-to-be prescribed circumstances, to be submitted to the Commissioner. The PPA generally outlines that public bodies must identify and review risks associated with the public body’s collection, use and disclosure of personal information and must develop mitigation strategies and safeguards respecting those risks.
- Privacy Management Program: The PPA obliges public bodies to establish and implement a privacy management program consisting of documented policies and procedures to promote compliance with its duties under the legislation. While requirements of the program are to be detailed in the regulations, the PPA outlines that the program should be proportional to the volume and sensitivity of the personal information in the custody and control of the public body.
- Mandatory Breach Notification: The PPA provides for mandatory notification to impacted individuals, the Commissioner, and the appropriate minister where an incident occurs involving the loss of, unauthorized access to or unauthorized disclosure of personal information where there exists a real risk of significant harm. The form of notification is not yet outlined.
- Standards for “non-personal data”: The PPA regulates “non-personal data” (that is, data that has been generated, modified or anonymized so that it does not identify any individual). “Non-personal data” must be created in accordance with generally accepted best practices, legislative requirements and the (yet to be) prescribed requirements.
- Artificial Intelligence (AI) Use Requirements: The PPA provides that where an individual’s personal information will be used by a public body to make a decision using an automated system, the public body must make every reasonable effort to ensure the information is accurate and complete, and must retain the information for at least one year.
- Standards for “data derived from personal information” and “data matching”: Data matching is a practical method of aggregating and analyzing data sets. The PPA introduces processes respecting “data derived from personal information” (data created by data matching) and “data matching” (linking of personal information between two or more electronic sources of information). The PPA contemplates prescribed security arrangements for public bodies who participate in “data matching.”
- Prohibition on Selling Personal Information: The PPA will prohibit the selling of personal information in any circumstance or for any purpose.
- Individual Complaints to Public Body: The PPA requires individuals who believe their personal information has been collected, used or disclosed in contravention of the legislation to first complain to the public body prior to submitting a request for review from the Commissioner.
- Political Exclusions: The PPA and the AIA would not apply to internal records created on behalf of a member of the Executive Council or a member of the Legislative Assembly, as well as records of communication solely between political staff.
- Changes to Access to Information Processes: The AIA contemplates a number of changes to the access to information process. These changes include:
  - Requiring individuals who are making an access to information request to respond to any clarification sought by the public body within 30 business days.
  - Providing for additional exceptions to disclosure, including for workplace investigations and labour relations, and expanded powers of the public body to disregard access requests.
  - Allowing the public body to extend the time to respond to an access request without the permission of the Commissioner.
  - Prohibiting access requests for records held by a public body that are available to the public. Under the AIA, a public body may specify categories of records in its custody or control that are available to the public without a request for access.
- Additional Powers of the Commissioner: The PPA provides additional powers for the Commissioner to refuse to conduct, or to discontinue, an inquiry, allows increased time for completing inquiries, and provides for increased fines for offences under the legislation.