New Access and Privacy Legislation for Alberta Public Bodies: What’s the Situation?
Alberta has introduced two new laws to replace the long-standing Freedom of Information and Protection of Privacy Act (FOIP), which governed public bodies for 35 years. The legislation now splits FOIP into two distinct acts: the Access to Information Act (ATIA) and the Protection of Privacy Act (PPA). While both acts have been enacted, they are not yet proclaimed, meaning they are not currently in force.
A New Framework – But What Do We Call It?
Access and privacy rules have always been closely linked, so public bodies will likely continue managing both under a single program. Government communications refer to the new laws using ATIA/POPA. A more streamlined alternative, “ATIP” (Access to Information and Protection of Privacy), may be a helpful shorthand going forward.
When Will the Acts Come into Force?
The acts will only apply once proclaimed, which has practical implications. For instance, access requests filed after proclamation will be governed by ATIA, and public bodies must develop Privacy Impact Assessments (PIAs) and Privacy Management Programs (PMPs) under PPA. The Alberta Legislature removed the final legislative barriers in May 2025, so the only thing left is an Order in Council, but that will likely wait until Regulations are introduced, as these are essential for interpretation and implementation.
Best guess: proclamation could happen by the end of June 2025, or in the fall of 2025, assuming Regulations are ready.
Where Are the Regulations?
While we have the acts, the Regulations, which detail key processes, have not yet been published. Here’s what we can expect or need to consider:
Fees
Currently set under FOIP, fees are expected to change. With digital requests now the norm, regulations may update provisions for electronic searching and delivery.
A major concern is whether public bodies will be allowed to charge fees for reviewing and severing records. Currently, this time-intensive task is not chargeable. If allowed, it could dramatically increase costs for requesters, potentially limiting access for individuals and smaller organizations.
Privacy Impact Assessments (PIAs)
Under PPA s. 26, public bodies must prepare PIAs in “prescribed circumstances” and may need to submit them to the Commissioner. Key questions include:
Which systems require a PIA?
Do PIAs apply only to new systems after proclamation?
Must PIAs be submitted or approved by the Commissioner?
What is the required form and content?
Alberta has been a leader in PIA use, particularly under the Health Information Act (HIA) since 2001. While the Commissioner’s office likely won’t dictate the PIA process under PPA, their existing PIA Guidelines will likely serve as a reference. Regulations may expand on what must be included, but a formal template is unlikely.
Privacy Management Programs (PMPs)
PPA s. 29(1) requires public bodies to implement PMPs tailored to the volume and sensitivity of personal information they handle. Details will be defined in Regulations, possibly similar to HIA regulations that list key security program characteristics. However, a one-size-fits-all policy template is unlikely due to the wide variability among public bodies and evolving technology.
New Requirements and Interpretive Uncertainty
While much of ATIA and PPA mirrors FOIP, there are new sections with significant interpretive uncertainties. Public bodies will need to develop implementation strategies as clarity emerges. Among the most notable areas of concern:
Duty to assist applicants
Power to disregard requests
Handling cabinet confidences and internal deliberations
Data matching practices
Appeals processes to the Commissioner
These new elements introduce both opportunities and challenges. A deeper exploration of these sections will be covered in a future blog post.
Still have questions? Our Privacy experts are here to help your organization navigate these upcoming changes. Visit cenera.ca/contact-us to connect with us.