Privacy laws in Alberta

Privacy laws are meant to protect your autonomy and dignity as an individual by giving you control over the collection, use and disclosure of your personal or health information.

There are three privacy laws in Alberta. These laws apply to the public sector (such as government, police, municipalities), health sector (such as hospitals, doctors, pharmacies, dentists), and private sector organizations (such as retail stores, online stores and social media and other apps, and contractors).

Below is a description of how each law protects you and how you can exercise your rights under these laws. There is also information about the Office of the Information and Privacy Commissioner and the work we do.

Public Sector Privacy Law (applies to public bodies)

Protection of Privacy Act

The Protection of Privacy Act (POPA or Act) applies to public bodies in Alberta. Public bodies include government ministries or departments, government agencies, boards and commissions, school boards and charter schools, universities and colleges, municipalities, and police.

POPA went into force in June of 2025. It replaced the privacy part of the Freedom of Information and Protection of Privacy Act (FOIP Act). The FOIP Act is no longer in force in Alberta and has been repealed.

POPA protects privacy by controlling the ways a public body may collect, use or disclose personal information. No personal information may be collected by or for a public body unless the collection is:

  • Authorized by another law or enactment
  • For purposes of law enforcement
  • Information that relates to and is necessary for an operating program or activity of the public body including a common or integrated program or activity

Your personal information must be collected directly from you, subject to certain exceptions, and when collected in this manner, you must be notified about the purpose of collection. Once collected, your personal information may be used or disclosed for the intended purpose of collection. Your personal information may be used or disclosed for other purposes in some situations, such as when you consent. A public body must also protect your personal information from loss or unauthorized access or disclosure and must notify you about a breach involving your personal information if there is a real risk of significant harm to you as a result of the breach.

You have rights under POPA as it relates to your personal information, including that information collected about you must be reasonably accurate, you have the right to access your personal information, and you can make a complaint if you believe that your personal information is being collected, used or disclosed contrary to the Act.

Under POPA, public bodies are permitted to data match personal information to create additional personal information. This is called “derived data” under POPA. Public bodies are also permitted to modify personal information so that it can no longer identify an individual. This is referred to in the Act as “non-personal data”. Derived data and non-personal data are subject to the Act, meaning that the Information and Privacy Commissioner has oversight of this data. If you believe that the process used to create derived data or non-personal data is not in accordance with the Act, you can make a complaint to the Commissioner.

It is an offence for a person to collect, use or disclose personal information contrary to the Act, to perform data matching contrary to the Act, and to reidentify or attempt to reidentify personal information from non-personal data.

See below for more information about exercising your privacy rights under POPA.

For more information on submitting a privacy complaint, click here.


Health Sector Privacy Law (applies to custodians)

Health Information Act

The Health Information Act (HIA or Act) applies to “custodians”, such as government departments responsible for health services in Alberta, provincial health agencies (Recovery Alberta, Assisted Living Alberta, Acute Care Alberta, Primary Care Alberta), hospital services (Alberta Health Services, Covenant Health, Lamont Health Care Centre), pharmacies and pharmacists, physicians, optometrists, registered nurses, dentists, and their health service providers or employees.

HIA protects privacy by controlling the ways a health custodian may collect, use or disclose health information, including diagnostic, treatment, care and registration information. Custodians are prohibited from collecting, using, or disclosing health information unless permitted by the Act.

Your health information may be used and disclosed by a custodian for the purposes of providing you with health care including to other health care providers or other persons who may be involved in your health care. Your health information may also be used or disclosed for the purposes of managing the public health care system in Alberta and for making certain of your health information accessible electronically to those authorized to have this access. The electronic health care record in Alberta is called “Netcare”.

Custodians must consider your expressed wishes when deciding how much information to disclose to others and for making it accessible through Netcare. What this means is that if you inform your health care provider that you don’t want all of your health information, or certain kinds of information, such as highly sensitive health information, accessible by others, you can express this wish to a custodian and they must consider it before making the specified health information accessible.

If you were to express your wish to a custodian that you do not want your health information accessible through Netcare, the custodian could “mask” this information so that other care providers cannot access this information unless they “break the glass”, which means they may unmask it. Generally, this would only occur with your consent or in circumstances where you cannot give your consent due to your medical condition.

Your health information may also be disclosed with your consent. If disclosure of your health information is authorized without your consent, you have the right to ask about it. You also have the right to request a record – also known as an “audit log”. Requesting an audit log of Netcare accesses will show you who has accessed your health information in Netcare.

A custodian is required to protect your health information from loss, unauthorized access or disclosure and must notify you if your health information is involved in a breach and you are at risk of significant harm as a result of the breach.

In addition to the rights mentioned, you have the right under the HIA to request a correction of health information (not opinions), you have the right to access your health information and you can make a complaint if you believe that your health information has been collected, used, accessed or disclosed contrary to the HIA.

It is an offence in the HIA to collect, use, access or disclose health information contrary to the HIA and to fail to protect health information as required by the Act.

See below for more information about exercising your privacy rights under HIA.

For more information on submitting a privacy complaint, click here.


Private Sector Privacy Law (applies to private organizations)

Personal Information Protection Act

The Personal Information Protection Act (PIPA or Act) applies to private organizations, such as businesses, employees, partnerships, trade unions and professional regulatory bodies.

PIPA protects privacy by controlling the ways a private organization may collect, use or disclose personal information and personal employee information.

Private sector organizations must have your consent to collect, use or disclose your personal information. Collection, use or disclosure without consent is authorized in some situations under PIPA. In addition to having consent, an organization must also have a reasonable purpose for this activity. The Act specifies that what is reasonable is what a reasonable person would consider appropriate in the circumstances.

If you are an employee, consent is not required for the collection, use or disclosure of personal employee information by the employer that is reasonably required for the work relationship.

A private sector organization is required to protect your personal information from loss, unauthorized access and use or disclosure and must notify you about a breach of your personal information if you face a real risk of significant harm from the breach.

You have rights under PIPA, including the right to request access to your own personal information. You may make a complaint to the Information and Privacy Commissioner if you believe that your personal information has been collected, used, disclosed, accessed inappropriately or breached. You may also make a complaint to the Commissioner if you believe that an organization’s practices are not in compliance with PIPA.

It is an offence under PIPA for an organization to collect, use, disclose or attempt to gain access to your personal information contrary to the Act.

See below for more information about exercising your privacy rights under PIPA.

For more information on submitting a privacy complaint, click here.


Exercising your Privacy Rights

Complaints about the collection, use or disclosure of your own personal information

If you believe your personal or health information has been collected, used, or disclosed improperly under POPA, HIA, or PIPA, you may submit a complaint in writing to the Office of the Information and Privacy Commissioner (OIPC). Before submitting your privacy complaint to the OIPC, you must first make your complaint to the public body, custodian or private organization (as applicable).

Your written complaint must provide enough detail to support your belief that your personal or health information has been collected, used or disclosed in contravention of the law.

The Commissioner may assign a staff member to try and informally resolve your complaint (referred to as the settlement phase). If the matter is not resolved during the settlement phase, the Commissioner will decide if the matter will go to inquiry. An inquiry is a formal hearing that results in an order being issued. An order made by the OIPC is final.

General complaints about non-compliance with privacy laws (not your own personal information)

You may also submit a general complaint under POPA in the following two circumstances (form: POPA Privacy/Correction Request form):

  1. You believe a public body created personal information from matching (or linking) two or more sources of personal information (this is referred to in POPA as data derived from data matching) contrary to the requirements for this activity as specified in POPA.
  2. You believe there has been an actual or attempted reidentification of data by a person after personal information has been rendered as non-identifiable by a public body as required by POPA or its regulations.

You may also submit a general complaint under PIPA if you believe that an organization’s practices for protecting privacy as required by this Act are not in compliance (form: PIPA Request for Review/Complaint form).


About the OIPC

The Information and Privacy Commissioner is responsible for monitoring compliance with Alberta’s privacy laws to ensure their purposes are achieved. The work of the Commissioner is performed through the Office of the Information and Privacy Commissioner.

The Commissioner has broad authority under these laws to investigate allegations of non-compliance and to issue binding orders to enforce compliance. The Commissioner also has a number of additional responsibilities under these laws including advocating for privacy rights of Albertans. The Commissioner is an officer of the Legislature and in this capacity operates independently from government ministers and departments.

Disclaimer

This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.
