Introduced in 1995, Alberta’s Freedom of Information and Protection of Privacy Act (FOIP Act) has guided public sector privacy and access practices in the province for decades. It has seen few changes since, with the last major update nearly 20 years ago. On December 4, 2024, the Alberta Legislative Assembly passed Bill 33 and Bill 34, which on coming into force will replace the FOIP Act with the Protection of Privacy Act (PPA) and Access to Information Act (ATIA).

These Bills received royal assent on December 5, 2024. Further details on Alberta’s new public sector privacy and access to information regime are expected through regulations to be released in Spring 2025.

Around 1,200 public bodies previously governed by FOIP Act will shortly be subject to PPA and ATIA. This article highlights key changes to Alberta's public-sector privacy law, which transform how public-sector bodies will manage personal information and respond to access requests, and better align the province’s framework with other provinces like British Columbia, Ontario and Québec.

Bill 33: Protection of Privacy Act

PPA retains certain core principles and obligations of the FOIP Act while adding stronger privacy protections.

Mandatory breach reporting

Under the PPA, public bodies must promptly notify affected individuals, the Office of the Information and Privacy Commissioner of Alberta (OIPC) and the Minister of Technology and Innovation in the event of a privacy breach that is likely to cause “a real risk of significant harm.”

Specific breach reporting requirements and interpretations of the "real risk of significant harm" threshold have not yet been defined. However, we note the OIPC has generally interpreted the similarly drafted breach notification requirement in the province’s private sector Personal Information Protection Act as a low bar.

We expect these notification requirements to align with those in other jurisdictions, and best practice, requiring affected public bodies to outline the nature of the incident, the types of personal information involved, and the measures taken to reduce the risk of harm to affected individuals. Regulations to PPA are expected in Spring 2025.

Increased penalties

Fines for privacy breaches have increased to a maximum of $200,000 for individuals and $1 million for organizations, compared to the previous $10,000 cap under the FOIP Act. Alberta now ranks among the provinces with some of the highest public-sector privacy fines.

Privacy management programs and privacy impact assessments

To promote accountability and proactive governance, public bodies will be required to establish privacy management programs (PMPs) and conduct privacy impact assessments (PIAs) in circumstances that will later be prescribed, taking into account the sensitivity and volume of personal information in the public body’s custody or control.

Expanded privacy safeguards

PPA expands on existing obligations for public bodies to safeguard personal information during collection, use, and disclosure to reflect contemporary data governance challenges. These requirements include:

  • A prohibition on selling personal information: Public bodies are expressly prohibited from selling personal information under any circumstance or for any purpose, including for marketing or advertising purposes.
  • Automated decision-making: Public bodies are required to notify individuals when the public body intends to input personal information into an automated system to generate content or make decisions, recommendations or predictions.
  • Regulation of “non-personal data,” “data derived,” and “data matching”:
    • PPA regulates “non-personal,” anonymized data that does not identify any individual. Now, non-personal data may only be created for prescribed purposes, including research and analysis and planning, administering, delivering, monitoring or evaluating a program or service.
    • PPA introduces processes respecting “data derived from personal information” and “data matching,” which involves linking personal information between two or more databases or other electronic sources of information. It also establishes clear rules governing when and how public bodies can share information to deliver a common or integrated service. Public bodies participating in data matching will be subject to security arrangements that may be prescribed by the Minister in the regulations.
  • Individual complaints: An individual who believes their personal information was collected, used, or disclosed in breach of PPA may submit a complaint to the applicable public body (which was not previously required under FOIP Act) before requesting a formal review by the OIPC.

Bill 34: Access to Information Act

The ATIA will provide public bodies in Alberta with additional authority and discretion regarding access to information requests. Key changes under ATIA include:

  • Discretion to disregard access to information requests: Public bodies can disregard unreasonably broad, repetitive, abusive, threatening, frivolous, vexatious, or otherwise incomprehensible requests, provided that they notify the requester within 30 days. Following this, the requester may seek a review by the OIPC.
  • Narrowed duty to assist: Public bodies are no longer required to build new data sets solely to fulfill an access request. Under ATIA, a public body’s duty to assist requires the body to release data only if it can be generated using normal computer hardware, software, and technical expertise.
  • No requests for publicly available records: ATIA prohibits requests for records held by a public body that are already available to the public. A public body may specify categories of records in its custody or control that the public can obtain without submitting a formal request.
  • Workplace investigation records: ATIA exempts the disclosure of workplace investigation records if the disclosure could reasonably interfere with, prejudice or otherwise harm a workplace investigation, cause harm to a witness or a third party, or prevent witnesses from coming forward.
  • Extended timeline to respond to access requests: Public bodies have 30 business days to respond to access requests, with the option to extend the timeline in certain circumstances without OIPC approval.
  • Expanded exemptions to disclosure: ATIA broadens the scope of Cabinet and Treasury Board confidences, which are exempt from disclosure. Previously, the FOIP Act set out certain exemptions to disclosure for such Cabinet records, which would reveal information about the substance of deliberations of certain governmental bodies. The ATIA expands the Cabinet records disclosure exception to cover background or factual information, as well as any advice, analysis, recommendations, policy considerations, or draft legislation submitted to or prepared for Cabinet. These provisions, and new exclusions for political staff, exempt most communications between political staff and Cabinet or Treasury Board from public disclosure.

Additional powers of the OIPC

Under both PPA and ATIA, the OIPC gains greater discretion to refuse or discontinue an inquiry and has increased time to complete those inquiries. Offences under the new legislation carry elevated fines, reflecting a broader trend toward stricter enforcement.

What’s coming next: Additional guidance for the PPA and ATIA in spring 2025

Regulations for both PPA and ATIA are expected in spring 2025. The regulations are anticipated to provide additional guidance in respect of key definitions, breach notification requirements and privacy management programs.

Both PPA and ATIA are anticipated to have direct and indirect ramifications for private businesses and organizations, especially those that carry on business relationships with government and public bodies or otherwise rely on them in their operations. This interim period offers a valuable opportunity for businesses to review their existing practices, policies and procedures in anticipation of additional guidance in the coming months and ultimately, the coming into force of the PPA and ATIA.

In addition, Alberta’s private sector privacy legislation, the Personal Information Protection Act, is currently under legislative review by the Standing Committee on Resource Stewardship. The Committee’s final report is expected to be tabled in June 2025. For more on this review, see our article on the legislative reforms to Alberta’s private sector privacy law.

Gowling WLG’s Cyber Security & Data Protection Group continues to monitor the status of these legislative updates. For information on how these changes may affect your organization, please reach out to a member of our team.