Procedures for Reviews and Privacy Complaints – Settlement Phase – FOIP, HIA, PIPA

This document provides parties with a summary of the procedures under which reviews and investigations into privacy complaints are conducted under the Freedom of Information and Protection of Privacy Act (FOIP Act), the Health Information Act (HIA) and the Personal Information Protection Act (PIPA) at the settlement phase.  FOIP Act applies to public bodies, such as government departments, municipalities and police services.  HIA applies to health custodians including hospitals, physicians and dentists.  PIPA applies to organizations operating in the private sector.

In June of 2025, the FOIP Act was repealed and replaced with the Access to Information Act (ATIA) and the Protection of Privacy Act (POPA).  Please see below under the heading “Transition from FOIP to ATIA and POPA” for more information about whether your review falls under ATIA, POPA or the FOIP Act.

For information about the procedures for reviews and privacy complaints under the new ATIA and POPA, see:  Procedures for Reviews and Privacy Complaints – Settlement Phase – ATIA and POPA.

What is a review?

The Commissioner has authority under the FOIP Act, HIA and PIPA to review certain matters.

Under the FOIP Act, the Commissioner has authority to review the following matters:

  • any decision, act or failure to act by the head of a public body related to requests for access to information,
  • a decision by the head of a public body to give access to information of a third party,
  • whether a public body has collected, use or disclosed an individual’s own personal information contrary to the Act, and
  • any decision, act or failure to act of the head related to a correction request.

Under the HIA, the Commissioner has authority to review the following matters:

  • any decision, act or failure to act of a custodian related to a request for access or correction concerning one’s own health information,
  • where an individual believes that their own health information has been collected, used or disclosed by a custodian contrary to HIA, and
  • the refusal of a health custodian to disclose health information pursuant to s.47(2).

Under PIPA the Commissioner has authority to review any decision, act or failure to act of an organization related to a request for access by an individual to their own personal information.

Reviews generally have two phases.  A settlement phase, which involves the Case Resolution Team attempting to settle the matter under review, and an inquiry phase, which is a formal adjudicative hearing conducted by the Adjudication Team from which an order is issued.  An inquiry may occur if settlement is not achieved.

Back to top of the page

What is an investigation?

Under PIPA, the Commissioner is authorized to investigate privacy complaints about the following:

  • personal information has been collected, used or disclosed by an organization in contravention of this Act or in circumstances that are not in compliance with this Act,
  • notification of an incident described in section 34.1 has not been provided in accordance with this Act, and
  • an organization is not in compliance with this Act.

Privacy complaints will also generally try to be settled by the Case Resolution Team.  If settlement cannot be achieved, the matter may move to inquiry, like in the case of reviews.

Back to top of the page

What is the settlement phase?

The settlement phase is the first phase of a review or complaint investigation.  It is a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  It may also be referred to as a mediation or investigation.  The majority of files are resolved at the settlement phase.

Please note that our office made some adjustments to our procedures in 2024 and 2025, in the interest of creating greater efficiencies in our work. This page has been updated to reflect those changes.

Forms referenced in this document are available on our office’s website at https://oipc.ab.ca/forms/.

Also, please note that some important definitions are provided at the bottom of this page.

Back to top of the page

Commissioner’s Mandate

The Commissioner is not a part of the Government of Alberta. The Commissioner is an independent Officer of the Legislature and reports directly to the Alberta Legislative Assembly.

Through the Office of the Information and Privacy Commissioner (OIPC), the Commissioner performs the legislative and regulatory responsibilities set out in the following laws:

  • Freedom of Information and Protection of Privacy Act (FOIP Act) [repealed June 11, 2025]
  • Access to Information Act (ATIA) [in force June 11, 2025]
  • Protection of Privacy Act (POPA) [in force June 11, 2025]
  • Health Information Act (HIA)
  • Personal Information Protection Act (PIPA)

 

Back to top of the page

Transition from FOIP to ATIA and POPA

Public bodies were subject to the FOIP Act until June 11, 2025.  When ATIA and POPA are brought into force, these Acts will repeal the FOIP Act.  The ATIA applies to access to information requests.  POPA applies to review responses to correction requests made after June 2025. It also applies to review complaints regarding the collection, use or disclosure of an individual’s own personal information by a public body where the individual first makes a complaint to the public body concerned after June 2025.

The FOIP Act continues to apply to review responses to access or correction requests made or third parties notification decisions prior to June 2025. It also applies to complaints about the collection, use or disclosure of personal information by a public body which occurred prior to the repeal of the FOIP Act.

For more information, please see the Practice Note-Transitional- FOIP Act to ATIA and POPA.

Back to top of the page

What We Do…

  • Review the decisions of public bodies, health custodians, and private sector organizations in regards to requests for access to information or correction of personal or health information made under the Acts
  • Review or investigate complaints regarding the collection, use or disclosure of personal or health information
  • Under PIPA, investigate complaints about whether an organization is in compliance with the Act, such as enquiries into an organization’s general practices, and in relation the duty to notify the Commissioner about a privacy breach under section 34.1
  • Try and settle reviews and complaints
  • Where settlement cannot be achieved or as instructed by the Commissioner, conduct inquiries and issue binding orders

Back to top of the page

What We Do Not Do…

  • Act as an advocate on behalf of any party to a review or investigation
  • Release records that are the subject of a review
  • Store records on behalf of the Government of Alberta or any other party
  • Impose fines or award damages
  • Hear appeals of claims, benefits or decisions that do not fall under the Acts
  • Discipline, terminate or reinstate employees
  • Regulate the actions of individuals as private citizens
  • Regulate the constituency offices of members of the legislative assembly (but we do regulate access and privacy issues involving actions of cabinet members and ministries)

Back to top of the page

Making a Request for Review or Complaint to the Commissioner

Under the FOIP Act:

  • an applicant may ask the Commissioner to review any decision, act or failure to act by the public body that relates to an applicant’s access to information request or request for correction, and
  • a third party who has been notified by a public body that its information will be given to an applicant may ask the Commissioner to review that decision

Complete the ATIA Request for Review form to request any of these reviews under FOIP Act.

  • Under FOIP Act, a complainant may ask the Commissioner to review an individual’s belief that their own personal information has been collected, used or disclosed by a public body in contravention of this Act or any decision, act or failure to act in relation to a request to correct personal information.

Complete the POPA Request for Review Form to request any of these reviews under FOIP Act

Under HIA and PIPA:

    • an applicant may ask the Commissioner to review or investigate any act, decision or failure to act by a custodian or organization related to an access or correction request,
    • a complainant may ask the Commissioner to review or investigate their belief that their own personal or health information has been collected, used or disclosed contrary to this Act
  • Under PIPA, an individual may also ask the Commissioner to investigate whether an organization is in compliance with this Act, such as enquiries into an organization’s general practices.

Complete the PIPA Request for Review/Privacy Complaint and Correction Form for reviews or complaints under this Act

Complete the HIA Request for Review/Privacy Complaint and Correction Form for reviews or complaints under this Act

Back to top of the page

Time Limits to Request a Review

A review or investigation may be requested by completing the applicable form to the OIPC within the following timelines:

FOIP Act and HIA

Within 60 days after they are notified of the decision by the public body or custodian or become aware of an incident involving the collection, use and disclosure of personal or health information.

PIPA

Within 30 days from the day that they are notified of the decision by the organization. Incidents involving the collection, use and disclosure of personal information under PIPA must be delivered to the Commissioner within a reasonable time period.

The Commissioner may allow for reviews or complaints to be submitted outside of the time limits above, based on the circumstances and where the law permits.

Third Parties under FOIP

A third party must complete and submit the relevant form (see “Making a Request for Review or Complaint to the Commissioner” above) to the OIPC within 20 days after being notified by a public body of its decision to give an applicant access to third party information. The Commissioner has no power to allow a third party a longer period to submit a request for review.

Back to top of the page

Overview of Proceedings

Intake

To initiate a review or make privacy complaint, the applicable form must be completed (see “Making a Request for Review or Complaint to the Commissioner” above) AND submitted together with all supporting documents in one submission. Otherwise, the submission will be returned. We also enforce a 15-page limit for submissions.

Every submitted form is checked for:

  • Jurisdiction – is it something the OIPC can do under one of the Acts?
  • Whether it was received by the OIPC within the required time limits
  • Whether there is evidence that substantiates the request for review or complaint

Any person who submits a form for making a review or complaint will be contacted at the intake stage to discuss their submission and obtain clarification. They must be available to participate in our process and respond to requests in a timely manner, usually by phone and/or email. Otherwise, a file may not be opened. Any person who cannot meet this requirement, may name an agent to represent them.

The responding public body may also be contacted at this stage, as required.

Please note our refer-back process for privacy complaints and adequacy of search reviews.

Refer-back for privacy complaints

For complaints regarding the collection, use or disclosure of personal or health information, it is a requirement under OIPC processes to make the complaint first to the public body, custodian or organization, if the complainant has not already given the entity an opportunity to resolve the complaint.

Refer-back for adequacy of search reviews 

For reviews where the only concern is that an applicant believes the public body, organization or custodian holds more responsive records than what were processed in the request (an ‘adequate search concern’), the applicant must first submit the concern directly to the entity, along with supporting evidence as to why they believe additional records exist.

We require that the entity be given at least 30 business days to respond.  After attempting to resolve the matter directly with the entity, if the applicant still has reason to believe the response does not comply with the relevant law they can bring the concern back to our office. At that point, our office will consider whether further investigation by the OIPC is warranted.

Issue identification

Working with the applicant/complainant, the OIPC will identify the review or complaint issues at the intake phase. Only those issues that (a) have enough evidence; and, (b) are within our jurisdiction will move forward. Those issues will be communicated to the applicant/complainant to confirm their understanding and, if applicable, to advise on the limits of our jurisdiction.

If the OIPC proceeds with a review or investigation, a file is opened, and an acknowledgment letter (containing the confirmed issues) is issued to the applicant/complainant and the public body/custodian/organization. A copy of the request for review form and any attachments to the request are included with the letter. General privacy complaint forms or related materials will not generally be provided to an organization.

In the letter to the public body/custodian/organization, it will be asked to provide a contact person who will be responsible for working with the assigned investigator to settle the matter. The contact person must have the ability to settle the issues. This means that they must have timely access to the decision-maker or directly involve the decision-maker in the conversations.

New records requirements and timelines 

For access request reviews, the public body/custodian/organization will also be asked to provide a copy of the records to the OIPC with the inclusion of a records index, within 7 business days of a notification letter, in accordance with the Practice Note – Preparing Records at Issue and Index of Records.  It may also be asked to provide the OIPC with a copy of the access request and any correspondence concerning the request with the applicant.  The OIPC will provide a link to securely send records and any other sensitive documentation to the OIPC.

The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed.  The Practice Note – Providing Affidavits and other Evidence provides an explanation as to the expected content of the submission, even though it is not usually in affidavit form at the settlement stage.

 

Request for Review Forms and Attachments Are Disclosed

A copy of any request for review form and any attachments submitted along with the form must be disclosed to the public body, custodian or organization.  This is a requirement in these Acts.  As a result, any person submitting a request for review form under any of these Acts should specify to the OIPC if there is information in the form or accompanying attachments that they want the Commissioner to consider removing before sharing with the public body, custodian or organization.  In considering these requests, consideration will be given to whether the information should be disclosed for fairness purposes or if it is necessary to conduct the review.

Address for Service

Each party must provide an address for service to which all official communications will be sent for the purposes of the review/investigation.

As noted above, we must have an effective and timely means of communication with the parties. As such, each party is to provide us with an email address for this purpose. We also require a mailing address which may be used to deliver certain correspondence related to the file. We will use secure email or other forms of secure electronic transmission to send communications containing sensitive information.

Applicant/Complainant

The address for service is to be identified on the applicable form (see “Making a Request for Review or Complaint to the Commissioner” above).

Public Body/Custodian/Organization

The address for service of the public body/custodian/organization will be identified in the acknowledgement letter that the OIPC sends to each party as part of the initial notification process.

Changes or Updates

A party must use the Change of Contact and/or Address for Service Form on the OIPC website to update contact information or the address for service at any time during the review/investigation.

The address for service of each party will be circulated to all other parties.

Review and Investigation

An OIPC investigator, known as a Senior Information and Privacy Manager (SIPM) will be assigned to try to settle your request for review or privacy complaint.

The office receives a high volume of requests for reviews and complaints. As such, your file may be inactive until the SIPM has the capacity to begin to work on it. The parties will be notified when the SIPM starts actively working on the file. While the parties wait to hear from the SIPM, we encourage the parties to try to resolve the matter directly with one another.

Our new case resolution process involves us trying to settle matters under review or investigation in as short a time as is possible. That is why we try to settle matters verbally over the phone. As such, once a file is activated, we must be able to reach the parties, usually by phone, in a timely manner in order to participate in our case resolution process. If we cannot reach the applicant/complainant, we may discontinue the review or investigation. If this occurs, the parties will be notified.

The SIPM begins the review or investigation by examining the confirmed issues, the submission of the applicant/complainant and, in the case of a review of an access request, the records provided by the public body/custodian/organization. The SIPM also reviews the relevant law and any past cases that have interpreted the law against the issues to be determined.

The SIPM will contact the public body/custodian/organization (Respondent) to gather any relevant evidence necessary to form an opinion about whether the law was complied with by the respondent.

The SIPM may also need to contact the applicant/complainant for additional information. Please note that we will not accept documented evidence from an applicant/complainant unless it is requested by the SIPM. Any unsolicited evidence will be returned or deleted.

The SIPM will form an opinion about whether the Respondent has complied with the law as it relates to the issues under review or investigation. The SIPM will discuss the opinion with the parties in an effort to settle the issues. The Respondent may agree to take certain actions in order to remedy any non-compliance.

Any resolution reached will be documented in writing and sent to the parties. As applicable, the SIPM will ensure that any agreed-upon terms are followed by the Respondent.

Inquiries

If any or all of the issues are not settled and the applicant/complainant wants to proceed further in our process, the SIPM will work with the parties to determine any agreed-upon facts. The file will then be brought to the Commissioner to determine whether an inquiry will proceed, only on those unsettled issues.

Once the file is transferred to the Commissioner, the SIPM will close the file at the settlement stage.

Inquiries are formal adjudicative proceedings. The inquiry process is not an examination of the process or an evaluation of the findings and recommendations made during the review and investigation process. The inquiry gives the parties an opportunity to present their evidence “de novo” (from the beginning) and to rebut or support evidence presented by the other party.

The Commissioner may refuse to conduct an inquiry in certain circumstances:

  • The subject matter has been dealt with, in an order or investigation report of the Commissioner
  • The circumstances warrant refusing to conduct an inquiry (for instance, if there is no meaningful remedy)

A decision to refuse to conduct an inquiry will be issued to the parties in writing.

If any unsettled issues proceed to inquiry, a Confirmation of Inquiry letter will be issued to the parties, which will confirm the issues for the inquiry. A Notice of Inquiry will be issued at a later date which includes a copy of the Request for Review/Complaint Form and attachments and sets out a schedule of dates for the written submissions of the parties.

Affected Parties and Intervenors

Some inquiries may include “affected parties”. An affected party is any other party who, in the opinion of the Commissioner, is affected by the request for review or complaint. A copy of the relevant form (see “Making a Request for Review or Complaint to the Commissioner” above) and attachments may be provided to the affected party.

An affected party may make representation to the Commissioner at inquiry, but is not required to participate.

In certain cases, the Commissioner may give intervenor status to parties, if the Commissioner determines it is appropriate. An intervenor can be useful in bringing a broader perspective to issues than the parties involved.

Order

On completing an inquiry, the Commissioner or delegated adjudicator must issue an Order disposing of the matter.

An Order made by the Commissioner or delegated adjudicator is final. However, a party may apply to the Court of King’s Bench of Alberta for judicial review of an Order.

Timelines to complete a review

Under FOIP and HIA, the Commissioner is to complete a review within 90 days after the OIPC received the request for review or complaint unless that period is extended by the Commissioner.  PIPA allows the Commissioner to complete a review or investigation within one year from the day that the request for review/complaint was received by the OIPC. PIPA also allows the Commissioner to extend that period.

Parties will be notified as to the anticipated date for completion and any extensions to the anticipated date for completion.

For estimated timelines for the settlement phase of a review, see “How long will a review take” on the OIPC website at: https://oipc.ab.ca/information-access-review and https://oipc.ab.ca/privacy-correction-complaint

Back to top of the page

Definitions

  • Applicant – a person who makes an access to information request or a request for correction of their personal or health information under the FOIP Act, HIA or PIPA
  • Complainant – a person who believes their personal or health information has been collected, used or disclosed in contravention of one of the Acts
  • Custodians – health care providers and other identified entities subject to HIA
  • Organizations – private sector entities subject to PIPA
  • Public Bodies – public sector entities subject to FOIP Act
  • Senior Information and Privacy Manager (SIPM) – the person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the settlement phase. May also be referred to as an investigator
  • Settlement – a process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation
  • Third Party – a person, a group of persons, or an organization other than an applicant or a Respondent (public body/custodian/organization)

If you have any questions with respect to the OIPC review/investigation process, please contact the OIPC.

Back to top of the page


June 2025


Disclaimer

This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.