New Access and Privacy Legislation for Alberta Public Bodies 2: What’s the Situation Now?

In our June blog, we offered highlights and some questions about the then unproclaimed Access to Information Act (ATIA) and the Protection of Privacy Act (POPA). As we expected, these acts were in fact declared in force on June 11. At that time, the government issued regulations that provide extensive explanation and detail about new requirements for public bodies, including the development of Privacy Management Programs (PMP) and completion of Privacy Impact Assessments (PIA).

Privacy Management Programs: The Details

The new POPA Regulations on PMPs are a combination of key definitions, required program elements, and decision-making criteria. 

First, a PMP must manage not only personal information (PI), but two other types of information that require special management: “data derived from personal information (DDPI)”, which is identifiable information created by data matching; and (confusingly) “non-personal data (NPD),” which is any data that has been de-identified, including synthetic data.

In addition, there are special requirements for managing “high-sensitivity information (HSI),” which includes PI that is:

  • Biometric,

  • Financial, or

  • About a minor, senior or vulnerable person.

In a nutshell, PMPs will need to manage and protect PI, DDPI, and NPD (confused yet?) in a comprehensive program that includes:

  • Policies on collection, use, and disclosure, requests for correction, privacy breaches, complaint response, and the use of automated systems that make decisions about individuals,

  • An implemented security classification system that identifies security measures for each class,

  • Mandatory and regularly updated training for staff, and

  • A regular system of program review and update.

That’s not all: if you have a “high volume” (not defined) of PI or HSI (which would be relevant to many, if not most, public bodies), you must develop and implement internal structures, policies, and measures regarding:

  • Program roles, responsibilities, and accountabilities,

  • PIA processes,

  • Proactive monitoring of information systems that contain PI,

  • Consent,

  • AI systems, DDPI, and NPD, and

  • Administrative, technical and physical safeguards.

All of this must be collated into a single comprehensive document describing every program component. The kicker: the PMP must be in place by June 2026. That’s not a lot of time.

Privacy Impact Assessments (PIA)

According to the regulations, a PIA needs to be completed for new practices, programs, systems, or services that involve collection, use and disclosure of PI if:

  • Unauthorized loss, use, or disclosure of PI could result in significant harm,

  • It involves HSI,

  • The PI represents a significant percentage of the public body’s constituency,

  • It requires data matching between two public bodies,

  • It is part of a common or integrated program between two public bodies,

  • It involves the use of innovative technology, or

  • It is requested by the Commissioner.

In practical terms, essentially every new practice, program, system, and service that involves any significant amount of PI will require a PIA.

What Now?

If your public body has never completed a PIA, the following list outlines what a compliant one must contain:

  • Summary of purpose for collecting, using, and disclosing PI

  • List of types of PI involved

  • The legal authority for PI information flows

  • Risk and mitigation assessment and strategies

  • Administrative, technical and physical measures in place

  • Accuracy, correction, and retention measures

  • Accountabilities and roles for common program or data matching between two public bodies

Where Do You Start?

Many public bodies are no doubt going through the stages of shock, denial, and anger in responding to these extensive new program requirements. Most public bodies have little to no experience with PIAs. Small organizations are likely feeling particularly overwhelmed.

Perhaps the best place to start is with policies; these will establish the decision-making criteria, program standards, roles, and processes that will govern the PMP. Training and information management operations will flow from there.

A word of warning

Your first instinct may be to search for “templates and checklists” for the required documentation and processes. There are many good examples publicly available that provide a starting point, but the new PMP and PIA requirements will require much more adaptation and customization to the functional reality of your public body and to the challenges of each case. That customization calls for detailed policy and decision-making resources.

We’re here to help

Cenera has the expertise and resources to set up PMPs, complete PIAs, and to establish all program elements that are required by the new legislation. We’re here to guide you. Contact us to start the conversation.

Stacey Wade, B.A., LLB

As a Senior Consultant with Cenera, Stacey works primarily in the Privacy and Information Management Practice. Stacey’s legal experience has provided her with strong skills in research, drafting, and interpretation and application of legislation, policy, and procedure.

In multiple organizations and jurisdictions, Stacey has completed Privacy Impact Assessments (PIAs), Privacy Gaps Assessments, and privacy and security assessments for organizations and delivers related training. Stacey also has experience in records management, completing records surveys, and analysis on several information governance projects. Putting her many talents and skills to good use, Stacey also supports Cenera’s Career Transition and Human Resources Consulting Practices.

Stacey holds a BA in Psychology from the University of Calgary, a law degree from the University of Alberta, and is a certified Professional of the Canadian Institute of Access and Privacy Professionals.

https://www.cenera.ca/stacey-wade