On December 4, 2024, the Legislative Assembly of Alberta passed two bills that will repeal and replace the province’s Freedom of Information and Protection of Privacy Act (FOIP Act). The new legislation separates the substance of the FOIP Act into two distinct pieces of legislation: a Protection of Privacy Act (PPA) and an Access to Information Act (ATIA), which will together govern the Alberta public sector’s use of information, including personal information.
This is the province’s first major update to its privacy and access to information legislation in 30 years. The update brings Alberta’s public sector privacy law closer in line with its counterparts in British Columbia, Ontario and Quebec, and uniquely reforms the province’s access to information regime to reduce the burden of requests on government institutions. We anticipate the Alberta government will publish regulations to support the PPA and ATIA in Spring 2025, with proclamation of the new laws to follow shortly thereafter.
This bulletin focuses on the changes most likely to impact businesses that interface with public bodies in Alberta. To learn more about recent changes to public sector privacy and access laws in other provinces, check out our Blakes Bulletins on recent amendments to B.C.’s FIPPA, Ontario’s FIPPA and Quebec’s Public Sector Privacy Act.
Updated Privacy Obligations for the Alberta Public Sector
Protection of Privacy
The FOIP Act's core requirements for public bodies to protect personal information when it is collected, used and disclosed will remain, but will now be in the PPA. However, unlike the FOIP Act, the PPA expressly prohibits public bodies from selling personal information in any circumstance, including for marketing or advertising. Public bodies must also take a “privacy by design” approach (i.e., embedding data protection measures directly into information technology) to program and service design.
Further, a public body must notify Albertans if it intends to use personal information in an automated system to generate content or make decisions, recommendations or predictions. While the PPA does not name or define “artificial intelligence,” this requirement is intended to ensure public bodies transparently address how algorithmic decision-making is implemented.
Mandatory Breach Reporting
Like other provinces with reformed public sector privacy laws, the PPA will introduce mandatory breach reporting obligations for public bodies in Alberta.
If an incident occurs involving the loss of, unauthorized access to or unauthorized disclosure of personal information in the custody or control of a public body where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result, the public body must notify, without unreasonable delay, the following: (1) the affected individual; (2) the Information and Privacy Commissioner of Alberta (OIPC); and (3) the Minister responsible for the PPA.
The notice must comply with prescribed requirements set out in regulations (which are to be finalized before the PPA comes into force). We anticipate that these requirements will be similar to obligations in other jurisdictions and will require affected public bodies to describe the incident, the personal information impacted and the steps taken to mitigate the risk of harm to affected individuals.
Unlike other jurisdictions, the PPA does not define the “real risk of significant harm” threshold for mandatory breach reporting. However, the Minister responsible for the PPA will have power to prescribe a definition of “real risk of significant harm” in regulations.
Privacy Management Programs and Impact Assessments
Public bodies will be required to establish and implement a privacy management program that consists of documented policies and procedures to promote compliance with the PPA. A public body’s program must be proportional to the volume and sensitivity of the personal information it has under its control and comply with requirements prescribed by the regulations.
Additionally, public bodies will be required to prepare privacy impact assessments (PIAs) in certain circumstances and, if required by regulations, submit those assessments to the OIPC. PIAs must identify, review and develop mitigation strategies for risks associated with the collection, use and disclosure of personal information.
New Penalties
The PPA introduces several new penalties, including penalties targeting public employee misuse of personal information. Further, the amounts of fines have increased to C$200,000 for an individual and to C$1-million in the case of any other person.
Exceptions to Access to Information
The new ATIA expands the FOIP Act’s exceptions to disclosure of information in a public body’s custody or control and provides public bodies with significant new powers to manage access requests.
Disregarding Requests
The new ATIA will permit public bodies to disregard access to information requests which:
- Would unreasonably interfere with their operations
- Are repeated or systematically submitted
- Are abusive, threatening, frivolous or vexatious
- Relate to information previously provided or previously made public
- Are not sufficiently clear (despite receiving further information from an applicant)
- Are otherwise broad or incomprehensible
A public body must notify an applicant within 30 days of receiving the request that the request has been disregarded and that the applicant may request a review of the decision. This is a significant change from Alberta’s current FOIP Act, which contains a narrow ability for the OIPC to authorize a public body to disregard an access to information request.
Reduced Duty to Assist
The ATIA also limits the scope of information available to requesters by requiring public bodies to only provide access if it can be done using the public body’s normal computer hardware, software and technical expertise. Contrary to other jurisdictions, Alberta public bodies will no longer be obligated to create documents containing information responsive to an access to information request.
Extending Timelines
In a subtle change, the statutory timelines for responding to requests have been extended as compared to the FOIP Act. Public bodies will now need to respond to requests within 30 business days. Factoring in weekends and public holidays, this provides both public bodies and third parties consulted on access to information requests with more time to respond to requests.
Public bodies will also be able to extend the time to respond for “additional reasonable periods” in certain circumstances (e.g., if the applicant agrees, a large number of records are requested, or more time is needed to consult with a third party or public body to determine whether to grant access to the requested records). Further, the ATIA will expressly allow for automatic time extensions during emergencies or unforeseen events (which are to be declared to the OIPC and requester by the public body).
Expanded Exception for Cabinet and Treasury Board Records
The disclosure exception for Cabinet records is expanded under the ATIA to include background or factual information and any advice, analysis, recommendations, policy considerations or draft legislation submitted or prepared for submission to Cabinet. Further, Treasury Board information will now receive the same protection from disclosure as Cabinet confidences, meaning that nearly all communication between political staff and Cabinet or Treasury Board will be excepted from public disclosure.
For further information please contact the authors or any other member of our Privacy & Data Protection or Freedom of Information groups.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
© 2024 Blake, Cassels & Graydon LLP