June 2025 marked a major turning point for public sector privacy laws in Alberta. The province’s long-standing Freedom of Information and Protection of Privacy Act (“FOIP Act”) has officially been repealed and replaced by two new standalone laws: the Access to Information Act (“ATIA”) and the Protection of Privacy Act (“POPA”). With both statutes now in force as of June 11, 2025, public bodies in Alberta face a new – and significantly more detailed – regulatory landscape.
This article outlines key legislative changes and offers practical takeaways for Alberta public bodies adapting to the new regime.
Two new laws, one sweeping reform
The split of Alberta’s FOIP Act into ATIA and POPA introduces greater clarity by distinguishing access to information rights from privacy obligations. Both statutes are supported by detailed regulations, with new definitions, expanded powers, and prescriptive compliance obligations.
Transitional provisions in both statutes ensure continuity for requests and reviews submitted before June 11, 2025. New enforcement mechanisms apply only to events and requests occurring after this date.
Key changes under ATIA
- New Power to Disregard Requests: Public bodies now have greater discretion and control to refuse access requests without prior Commissioner approval if the request is duplicative, overly broad, or incomprehensible. However, reasons must be provided to the applicant, who retains a right of review, and applicants are to be informed of this right.
- Expanded Duty to Assist: Public bodies must actively support applicants in narrowing or clarifying requests. Critically, this duty is now backed by regulation – placing clear expectations on how public bodies interact with applicants and factors to be considered in assessing whether “every reasonable effort to assist” has been made. Accurate records documenting the public body’s decisions and actions respecting each access request, including communications with applicants, must be maintained.
- Workplace Investigations: A new exemption to disclosure protects the integrity of workplace investigations and the privacy of witnesses and third parties.
- Commissioner Review Process Overhaul: The Commissioner can now decline to proceed with an inquiry under certain conditions, with set timelines for providing record indexes and supporting materials. Third party requests for review will proceed directly to inquiry, and requests for review of a public body’s decision to extend its time to respond, disregard a request, or abandon a request may proceed to an expedited inquiry. Further information is available on the OIPC website.
- Increased Penalties: The offence threshold has shifted from “wilfully” to “knowingly”, with maximum fines increased from $10,000 to $50,000.
Key changes under POPA
The changes introduced under POPA represent a much more robust and future-oriented privacy framework. Some of the most significant developments include:
- Manner of Collection Clarified: Public bodies are now expressly permitted to collect personal information indirectly when necessary for “common or integrated programs or services.” For personal information collected directly, there is a new requirement to notify individuals if their information may be used in automated systems for decisions, recommendations, or predictions (e.g., artificial intelligence).
- Privacy Management Programs (“PMP”): Every public body must implement a PMP by June 11, 2026. These programs must include designated privacy officers, internal procedures, training, and documentation of privacy risks – akin to what we have seen under BC’s public sector law. Detailed requirements are set out under the Protection of Privacy (Ministerial) Regulation, including additional requirements for public bodies with custody or control over a high volume of, or highly sensitive, personal information.
- Mandatory Privacy Impact Assessments (“PIAs”): PIAs are now a requirement in prescribed circumstances and as detailed under the Protection of Privacy (Ministerial) Regulation.
- Security Breach Notification: POPA introduces a formal breach notification requirement when there is a real risk of significant harm, similar to Alberta’s private sector law (PIPA), with corresponding requirements under the Protection of Privacy (Ministerial) Regulation.
- Data Matching Rules Introduced: Public bodies may now engage in data matching for specified operational and research purposes, provided they follow security arrangements under the Regulations. Direct collection from individuals for the purpose of data matching to generate data derived from personal information is prohibited.
- New Rules for Derived and Non-Personal Data: POPA introduces entirely new frameworks regulating the creation, use, disclosure, and protection of:
  - Data derived from personal information – defined as data “created by data matching, and that identifies any individual whose personal information was used in the data matching.”
  - Non-personal data – defined as “data derived from personal information, that has been generated, modified or anonymized so that it does not identify any individual, and includes synthetic data and any other type of non‑personal data identified in the regulations.”
  This includes safeguards to prevent re-identification and ensures that even de-identified data is not beyond regulatory oversight.
- Ban on the Sale of Personal Information: POPA codifies a strict prohibition on the sale of personal information.
- High Penalties for Non-Compliance: As with ATIA, the threshold for offences has been lowered from “wilfully” to “knowingly.” Additional penalties corresponding to new laws on data derived from personal information and non-personal data have been added. Fines of up to $1 million may be imposed for certain offences, including unauthorized data matching or re-identification of non-personal data.
Key takeaways for public bodies
The implications of Alberta’s new legislation are wide-reaching and can demand a substantial amount of time and resources. With the deadline of June 11, 2026, the clock is ticking, and Alberta’s public bodies should promptly consider the following priorities:
- Start building your privacy management program
  With a 12-month grace period in place, now is the time to begin reviewing policies, assigning privacy roles, and building the infrastructure required for an effective PMP.
- Update internal procedures and contracts
  Ensure policies, data practices, and third-party service agreements reflect the new obligations – particularly around breach notification, data handling, and automated decision-making.
- Train your teams
  Staff across departments should understand how the new rules affect access requests, information security, and personal data usage. Privacy and security awareness must extend beyond the IT department.
- Prepare for new oversight processes
  The OIPC has already released new procedural guidance on reviews and inquiries. Public bodies must be ready to meet tight deadlines and submit detailed records and indexes when required.
- Document everything
  From access request communications to privacy breach assessments, the new statutes reinforce the importance of well-kept records to demonstrate compliance.
Final word
Alberta’s dual legislation model reflects broader trends in privacy law modernization, including greater accountability, risk-based assessment, and data governance. While the transition will require significant effort, the changes ultimately aim to promote clarity, transparency, and trust in how public bodies collect and manage personal information.
For more background, see our previous analysis on Bills 33 and 34: Bills 33 & 34: Modernizing Alberta’s public sector privacy protection & access to information laws (Dec 3, 2024).
For questions about how your public body can prepare for and comply with ATIA and POPA, please contact a member of Miller Thomson’s Technology, IP and Privacy Group.