Frequently Asked Questions
If you have any further questions, please contact the Access and Privacy Office.
General
With the repeal of FOIP, the Government of Alberta has separated access to information and privacy into two distinct frameworks: the (ATIA) and (POPA). These changes took effect on June 11, 2025. The new legislation, and applicable regulations, contain many of the same requirements as FOIP with some key changes and additions.
ATIA aims to improve transparency while addressing concerns resulting from the administrative burden that may arise from requests for access to public records. Key changes include:
- Clarifying that electronic records are included in the scope of records that may be subject to public access to information requests.
- Extending time limits for responding to access to information requests.
- Adding discretionary exemptions allowing public bodies to disregard requests that would unreasonably interfere with operations, that are overly broad or incomprehensible, that have already been made public, or that are abusive, threatening, frivolous or vexatious.
- Adding exemptions for the disclosure of certain records, including records relating to workplace investigations or labour disputes.
- Increasing penalties for offences to up to $50,000.
POPA builds upon existing privacy requirements with a view to strengthening the rules that govern the protection of personal information held by public bodies. Key changes include:
- Requiring each public body to develop and implement a comprehensive privacy management program, documenting their privacy policies, procedures and practices and promoting compliance with the legislation.
- Adding mandatory privacy breach reporting to affected individuals and to Alberta’s Office of the Information and Privacy Commissioner (OIPC).
- Adding mandatory privacy impact assessments (PIAs) when implementing any new, or a substantial change to an existing, administrative practice, program, project, or service that collects, uses or discloses personal information in certain prescribed circumstances.
- Expressly prohibiting the selling of personal information.
- Requiring public bodies to advise individuals at the time of collection if there is an intention to input their personal information into an automated system to generate content or make decisions, recommendations, or predictions, including an artificial intelligence, machine-learning, or deep-learning software or technology.
- Requiring the implementation of a data quality assurance process for the creation and management of “data derived from personal information” and “non-personal data,” including methods to track how personal information has been de-identified, tracked, managed, and secured.
- Increasing penalties for privacy violations, including up to $200,000 for individuals and $1 million for organizations.
The Access and Privacy Office, reporting into Legal Services, is responsible for overseeing ’s compliance with Alberta’s access to information and privacy requirements (now governed by ATIA and POPA).
The Access and Privacy Office can provide compliance advice and guidance to administrators and the broader campus community on all matters related to access to information and protection of privacy and is responsible for managing and responding to access to information requests.
Yes. The Access and Privacy Office is currently collaborating on a project to roll out updated privacy awareness training and annual refresher training for all employees this fall.
This training will help staff understand their responsibilities under ATIA and POPA, and how to apply privacy best practices in their day-to-day work.
Personal information includes any recorded information about an identifiable individual. This includes any information that may be used to identify an individual either alone or in combination with other available data.
Personal information may include, but is not limited to, an individual’s:
- Name and home or business contact information (unless provided in a business or professional capacity),
- Demographic information such as age, sex, gender, sexual orientation, weight, height, date of birth, race, colour, ethnicity, place of origin, citizenship and marital or family status,
- Unique identifiers such as driver’s license, passport, SIN, or student number,
- Income or financial information, including payroll or payment card information,
- Political or religious beliefs or associations,
- Educational, employment or criminal history,
- Physical or mental health status and health care history,
- Biometric information, such as fingerprints, blood type or genetic information, and
- Personal views and opinions, including survey response data.
may only collect personal information from individuals that is reasonably required for an operating program or activity of , or where specifically permitted under an enactment of Alberta or Canada.
Individuals must be advised at the time of collection of the purposes for which their personal information is being collected, the statutory authority for the collection, and how it may be used or disclosed by . This can be achieved through a clear collection notice under section 5(2) of POPA, which should include:
- The title of the operating program or activity the collection relates to,
- The target group of your collection (e.g., specific students, faculty, staff, etc.),
- The purpose of your collection, including how personal information may be used internally or disclosed externally,
- The type of personal information that will be collected,
- The specific legal authority (statute) for your collection of personal information,
- How you intend to safeguard confidentiality, including details regarding how personal information will be secured and managed,
- Whether you intend to input the information into an automated system to generate content or make decisions, recommendations, or predictions, such as an AI, machine-learning or deep-learning system or technology, and
- The name, title, business phone number and business address of a contact person who can answer questions about the collection.
Any personal information collected must be directly related to and necessary for achieving the identified purpose, and you should only collect the minimum amount of personal information reasonably required to achieve that purpose and not simply because it may be “nice to have”. For an example collection notice, please see the Guidelines for the Collection of Personal Information.
Yes. Your collection notice will need to be updated to reference POPA instead of FOIP and any reference to “section 33(c)” of FOIP should be replaced with “section 4(c)” of POPA. You should also review the language of your collection notice generally and make any required changes regarding how personal information will be collected, used, disclosed, or managed.
Note that POPA now requires that you specifically advise individuals at the time of collection of any intention to input their personal information into an automated system to generate content or make decisions, recommendations, or predictions, such as an AI, machine-learning or deep-learning system or technology. For an example collection notice, please see the Guidelines for the Collection of Personal Information.
Yes. Under POPA, personal information may only be used for the purpose for which it was originally collected or a use consistent with that purpose. Consistent use means that the use of the personal information is directly related to the original purpose and is a form of use that could have been reasonably expected by the individual at the time of collection.
If you or another faculty, department or business unit intend to use personal information for a secondary use that is not consistent with the original purpose of collection, then a new consent will be required unless the use is specifically permitted under POPA. The use should also be approved by the relevant data steward with institutional oversight over the information under the Information Asset Management Policy and should only be used in accordance with the privacy impact assessment (PIA), where applicable.
Yes. Under POPA, personal information may only be disclosed to a third party for the purpose for which it was originally collected or for a reason consistent with that purpose. This means that the disclosure of the personal information must be directly related to the original purpose of its collection and could have been reasonably expected by the individual at the time of collection.
may also disclose personal information where specifically permitted under section 13 of POPA, including where it is not considered an unreasonable invasion of the individual's privacy. For example, it is generally not considered an unreasonable invasion of an individual's privacy to release the following information:
- Certain student enrolment or registration information as outlined in the Privacy Policy,
- Information required to be disclosed under a law of Alberta or Canada,
- Information about an employee's job classification, salary range, discretionary benefits or employment responsibilities,
- Information that reveals business contact information or details regarding the supply of goods or services to ,
- Information about a scholarship, honour or award granted by to a third party, or
- Information about an individual who has been deceased for 25 years or more.
If you or another faculty, department or business unit intend to disclose personal information for a secondary purpose that is not consistent with the original purpose of collection, then a new consent will be required unless the disclosure is specifically permitted under POPA. The disclosure should also be approved by the relevant data steward with institutional oversight over the information under the Information Asset Management Policy and should only be disclosed in accordance with the privacy impact assessment (PIA), where applicable.
must conduct a privacy impact assessment (PIA) where required under section 26 of POPA. This includes where intends to implement any new, or make a substantial change to any existing, administrative practice, program, project or service that collects, uses or discloses personal information where the loss, unauthorized access to or unauthorized disclosure of that information could result in a real risk of significant harm to an individual. A PIA will also be required in all circumstances outlined in the POPA Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025.
A PIA must identify the risks associated with 's collection, use and disclosure of personal information and must:
- Include a summary of the purpose of the collection, use or disclosure of personal information for the proposed practice, program, project or service,
- Identify the types of personal information that will be collected, used or disclosed and reasonable security arrangements in place to protect the information,
- Identify the legal authority for the collection, use or disclosure of the information,
- Identify the privacy risks and mitigation strategies respecting the information,