1 July 2025

What Alberta's Privacy Legislative Changes Mean For Municipalities

MLT Aikins LLP

Contributor

MLT Aikins LLP is a full-service law firm of more than 300 lawyers with a deep commitment to Western Canada and an understanding of this market’s unique legal and business landscapes.
On June 11, 2025, Alberta's Freedom of Information and Protection of Privacy Act (FOIP) was repealed and replaced with two new pieces of legislation: the Access to Information Act (ATIA) and the Protection of Privacy Act (POPA).

These legislative changes are sure to have a substantial impact on municipalities across Alberta, as they modernize and streamline Alberta's access to information and privacy laws, strengthen privacy protections and clarify access to electronic records.

What's Changed?

Access to Information Act

The ATIA allows individuals access to the records in the custody or under the control of a municipality and provides for independent review of decisions made by municipalities. Key changes and additions introduced in the ATIA include:

  • Recognition of electronic records
  • Extended response time for municipalities' requests during emergency situations
  • Timelines for responding are defined as "business days"
  • Municipalities have a duty to assist applicants by providing electronic records
  • Municipalities are empowered to proactively disclose information outside of the access to information process
  • Certain documents can be withheld from mandatory disclosure by the municipality
  • Clear timelines are set out for the Office of the Information and Privacy Commissioner of Alberta (OIPC) to complete reviews and respond to access requests
  • A municipality may be ordered to disclose information after OIPC completes its review of an access request

Protection of Privacy Act

The POPA exists to control the collection, use and disclosure of personal information by a municipality. Under POPA, individuals are able to request corrections to their personal information that is held by a municipality. Key changes and additions introduced in the POPA include:

  • Municipalities are required to establish a privacy management program to ensure compliance with requirements set out in the POPA
  • Mandatory privacy impact assessments when implementing a new, or making a substantial change to an existing, administrative practice, program, project or service if:
    • The administrative program, project or service involves the collection, use and disclosure of personal information where the loss of, unauthorized access to or unauthorized disclosure of the personal information that will be collected, used or disclosed could result in a real risk of significant harm
    • The practice, program, project or service:
      • Will collect, use or disclose personal information considered to be of high sensitivity
      • Will involve the personal information of a significant percentage of the population the municipality serves
      • Will involve data matching between two or more public bodies
      • Is part of a common or integrated program or service
      • Involves the development or use of innovative technology
  • Municipalities must give notification of privacy breaches where a real risk of significant harm occurs
  • Restrictions are placed on data derived from personal information
  • Non-personal data may only be disclosed for specific purposes and with safeguard conditions in place
  • The OIPC is not required to proceed with investigations under certain circumstances
  • Stronger penalties implemented for contravening the Act

Establishing and implementing a privacy management program

It is important that municipalities are aware of their responsibilities under the new privacy legislation. If not already in place, municipalities need to establish and implement a privacy management program to ensure compliance with their duties, as required by the POPA. A privacy management program requires having documented policies and procedures in place to promote the safe handling of personal information and non-personal data.

Section 6 of the Protection of Privacy (Ministerial) Regulation provides that privacy management programs must be compliant with section 25 of the POPA and include:

  • The designation or identification of a privacy officer within the municipality who is responsible for ensuring the municipality's compliance with the POPA
  • Internal policies and procedures set in place to address the municipality's duties under the POPA
  • The establishment of a security classification system for personal information, data derived from personal information and non-personal data in the custody or under the control of the municipality
  • Mandatory training for employees of municipalities to understand their obligations under POPA
  • Timelines for periodic review, assessment and updates of the privacy management program

Further requirements must also be in place for municipalities that manage a high volume of personal information or highly sensitive personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
