Introduction
Purpose of this guidance
Public bodies[1] in Alberta are required to comply with the Protection of Privacy Act (POPA) and its associated regulations, the Protection of Privacy (Ministerial) Regulation (M-Regulation) and the Protection of Privacy Regulation (Regulation). POPA governs the collection, use, disclosure and management of personal information[2] in the custody or control of public bodies. Public bodies are also required to provide access to individuals who request their own personal information, in accordance with the Access to Information Act (ATIA).
This guidance is designed to help public bodies meet their obligations under POPA and ATIA when engaging a service provider to perform services on the public body’s behalf that involve the service provider collecting, using, disclosing or managing personal information. For example, a public body may want to use a new application to support one of its programs, and the program involves the collection, use or disclosure of personal information. This could involve contracting an information technology service provider to support the application, host it remotely and provide back-up services for the records. Another example would be a public body hiring a records management company to store paper records containing personal information at an off-site storage facility, with support services, until the end of the records retention period.
Any service provider that is, or may be, planning to provide services to public bodies will also benefit from this guidance as it will have a better understanding about public bodies’ duties under these laws.
This guidance is not intended for public bodies who are entering into contracts with other public bodies in the development of a common or integrated program or service.
What is a “service provider”?
A service provider is any organization or body that is external to the public body and that provides services to the public body under a contract.
Where, as part of providing services to the public body, the service provider will have access to or collect, use or disclose personal information on behalf of the public body under a contract, the service provider becomes an “employee” of the public body for the purposes of POPA and is bound as an employee to adhere to the public body’s requirements under POPA as they relate to these activities.
Similarly, ATIA also applies to public bodies. If a service provider under a contract for services is tasked with providing access to personal information on behalf of the public body, it will be an “employee” of that public body for that purpose and subject to the ATIA requirements regarding access to the personal information. For most service provider contracts, the service provider’s only task in regard to access or correction requests under ATIA will be to cooperate with the public body in responding to these requests.
Why is it important to read this guidance?
The role of service providers has grown substantially in the past few decades with the development of cloud services, software as a service and other, mainly technology-driven, developments. According to a recent survey, 80% of organizations suffered a data breach in 2022 caused by a third party. In recognition that most organizations use service providers as part of their operations, many modern privacy laws contain obligations that hold service providers directly accountable for compliance, including for breach reporting.
When public bodies enter into a contract with a service provider, they remain accountable for any collection, use or disclosure and management of information carried out on their behalf by the service provider. This guidance will assist public bodies to develop policies and procedures for contracting with service providers that align with their privacy obligations under POPA and, as applicable, under ATIA. This guidance should not be used in isolation but rather in conjunction with other policies and procedures (e.g., procurement, information classification, cybersecurity).
Explanatory note
Any reference to “POPA” that follows includes the right of access under the ATIA to one’s own personal information, unless the service provider is providing access and correction services on behalf of the public body, which will be explained.
Public bodies’ governance and accountability
To meet the requirements of POPA, a public body must have a governance framework in place to facilitate compliance. This includes having appropriate policies and procedures in place when contracting service providers.
Roles and Responsibilities
The head of the public body holds ultimate responsibility for decisions and compliance. The head may delegate authority to others (e.g. a Privacy Officer) to make decisions on the head’s behalf, including the authority to enter into contracts with service providers.
As indicated, a service provider under a contract relationship with a public body is defined as an employee under POPA s. 1(h):
“employee”, in relation to a public body, includes a person who performs a service for the public body as an appointee, volunteer or student or under a contract or agency relationship with the public body;
While a contracted service provider is not an employee in the labour relations sense, it is included in the POPA definition of employee. This ensures it is bound by the Act. Because the types of services will vary, the public body will need to look at each situation and clearly articulate which privacy requirements must be met. Public bodies must ensure that they, and by extension their service providers, are complying with POPA.
Public bodies are accountable for any information handled on their behalf by their service providers. Therefore, they must ensure any collection, use and disclosure is legally authorized under POPA. Having a contract in place with the appropriate terms and conditions provides the public body with assurance that it is able to maintain control of the information. Roles and responsibilities should be clear, including what activities are authorized and which ones are prohibited. Public bodies will need to ensure they are able to meet their obligations under POPA.
Privacy Management Program and Service Providers
Public bodies are required to have a Privacy Management Program (PMP) inclusive of policies and procedures for service provider procurement, contracting, and management including oversight and auditing. Public bodies must develop their procurement processes to meet POPA. The processes must ensure the public body is choosing a service provider who will be able to support the public body’s legal obligations under POPA. For more information on PMPs please see the OIPC’s Guidance for Public Bodies in Developing Privacy Management Programs.
Pre-contract/Planning Phase
Public bodies should plan out their procurement strategy including spending some time thinking about what services are needed and how they will align with business needs, including compliance with POPA. This up-front planning will most likely save public bodies money in the long run and may even prevent the public body from experiencing a privacy or security breach.
Determining Scope of Services Involving Personal Information
Public bodies should identify:
- the business purpose for the activity and what service the public body is looking for.
- how the service fits into public body’s operations.
- the personal information that the service provider will collect, use or disclose on behalf of the public body to perform the service.
- its legal authority for this collection, use or disclosure of the personal information.
Determining Service Level Expectations
Determine the classification of personal information that the service provider will collect, use or disclose on behalf of the public body. This is necessary to establish the measures the service provider will need to implement to carry out the service for the public body in compliance with POPA.
Assessing the Privacy Posture of a Potential Service Provider
Before engaging a service provider, a public body may wish to examine the privacy posture of a potential service provider to assess whether it has in place privacy practices that will support the public body’s duties under POPA if the public body were to contract with the service provider for the services. The following are some areas a public body may wish to examine prior to considering whether to retain the services of a particular service provider (where this is permitted). Note that these considerations are not exhaustive but rather some key considerations.
- Does the service provider have a privacy policy? Often service providers will have a privacy policy on their website or in their marketing material. Public bodies can review these to see whether, at first glance, the service provider appears to have operationalized privacy practices in a reasonable manner as part of its business, and whether the policy references a privacy law to which the service provider is subject. Service providers with transparent privacy policies that are easy to understand may enhance trust in their ability to protect the personal information they will have access to in performing the services.
- Does the service provider have a privacy officer listed? Public bodies can contact the privacy officer with privacy questions they might have regarding the services and their privacy practices.
- Does the website:
- describe what personal information is collected, used or disclosed for the service and does this appear reasonable based on the service provided;
- describe any secondary uses of personal information, such as for improving products or services or marketing, or training artificial intelligence, which may not be permitted in some circumstances;
- mention selling personal information, which is prohibited under POPA but may be permitted under other privacy laws;
- mention the use of other third parties that help them provide the service (e.g. cloud providers, apps that link to the main service), which can create risks when subcontractors are part of the service.
- Does the service provider express a commitment concerning protecting the confidentiality, availability, and integrity of personal information in its custody or control? Does it provide any details as to how it does this?
- Does the service provider describe having security certifications?
- Does the service provider indicate where the personal information used in its services is processed and stored? Data stored in other jurisdictions may be subject to the laws of those jurisdictions, and in some jurisdictions those laws may allow government or law enforcement to access the information, including personal information.
- Has the service provider suffered a breach or been involved in court cases concerning its personal information processing or handling practices?
Conducting a Privacy Impact Assessment (PIA)
Before contracting with a service provider, public bodies should assess whether in contracting with a particular service provider, they will be in compliance with POPA. Completing a PIA is a useful tool to assist in assessing compliance.
POPA requires public bodies to complete PIAs in certain circumstances. The OIPC has developed a tool to help public bodies determine if they are required to prepare a PIA and if the PIA must be submitted to the OIPC for review (see POPA Privacy Impact Assessment Submission Assessment Tool). Whenever a public body submits a PIA to the OIPC, it must do so using the OIPC PIA template. Even if a PIA is not required, when contracting with a service provider a PIA will help a public body determine whether, in contracting the service, it will be in compliance with POPA.
Completing a PIA will give public bodies confidence that when entering into a service provider relationship, they will be positioned to meet their obligations under POPA by identifying and mitigating any risks to privacy determined through the PIA process.
The public body may already have a PIA on a similar service. If so, consider reviewing that PIA to see what safeguards were put in place for the initiative. This may help with the writing of the new PIA. Be aware that PIAs are a point-in-time document and as technology evolves, the risks change too. Therefore, what was appropriate a few years ago may not be adequate today due to changes to legislation, products or services offered by service providers, technological risks, or other factors.
Complying with the Tendering Process
Depending on the size and complexity of a project, as well as the contract value, public bodies may be required to solicit proposals for services (open competition, selective tendering, limited tendering). Public bodies should include requirements that will support POPA compliance in the Request for Proposal (RFP) and in the evaluation criteria used to choose the preferred service provider. It will be important to identify any mandatory requirements that must be met and to mitigate any risks to an acceptable level. Ensure the evaluation committee includes individuals with sufficient knowledge of access to information, privacy and security.
Contract
Once the public body has gathered information on the service and the service provider, the applicable privacy assessment has been completed, and the tendering process is complete if applicable, the public body will need to draft the contract for the service provider that will incorporate the requirements of POPA that the service provider will need to comply with for delivery of the service. The key areas that need to be addressed in any contract with a service provider wherein the service provider will collect, use, disclose, manage or have access to personal information are as follows.
Control and Accountability
Maintaining control means stipulating in the contract that the public body at all times retains “control” over the information that will be in the custody of the service provider for the services. This is essential to ensuring that the personal information remains subject to POPA and that the public body is able to exercise its control over how this information is used and managed by the service provider.
The contract must set out the roles and responsibilities of the parties as it relates to the personal information while in the custody of the service provider. The public body must ensure these roles and responsibilities support its ability to meet POPA requirements. There are risks to storing data outside of Canada, or with service providers from certain countries, due to other countries having laws that may permit access for government activities, such as national defence, or for law enforcement. The contract should clarify how the service provider would notify the public body of any requests it receives to produce personal information it has in its custody.
Last, the contract should specify how the public body will maintain oversight of the service provider’s duties to ensure it complies with both contractual requirements and POPA and include the right of the public body to audit for compliance.
Legal Authorities for Collection, Use or Disclosure
The contract must define what the service provider can and cannot do with the personal information. Any collection, use or disclosure the service provider carries out on behalf of the public body must be legally authorized under POPA[3]. The contract provisions must clarify what activity is authorized as it relates to the personal information and what activity is prohibited and specify measures that must be taken by the service provider to ensure downstream compliance by its employees or subcontractors. Public bodies may also decide to contractually restrict service providers’ ability to subcontract altogether. Public bodies must also ensure that the contract allows them to meet all of POPA’s requirements, including for accuracy and security (more on this below) and completion of PIAs as may be required by the public body.
Requests for Access or Correction
The contract must also address requests for access to (as set out in ATIA) or correction of personal information (as set out in POPA). If the contractor is involved in this activity (i.e., by providing access or correction services on behalf of the public body), the contract should specify this and ensure the access or correction process that the contractor must follow is laid out in the contract. Who will interact with the OIPC regarding any reviews of these requests must also be clarified in the contract. While it might seem preferable that a contractor undertake these activities, there are risks of non-compliance due to the rigor in the access and correction processes laid out in the Acts with oversight by the Commissioner. Given this, a public body should generally maintain responsibility for processing access and correction requests for personal information in the custody of a contractor. In most cases, the role of a service provider as it relates to this activity will be cooperation with the public body to facilitate the public body’s response to these requests, which should be set out in the contract as a duty of cooperation by the service provider.
Safeguards and Retention
The contract must set out the specific security requirements that the contractor must meet, which must, at minimum, align with those of the public body and the requirements in POPA and its regulations. In addition, the contract should include wording that requires the service provider to cooperate with the public body in the preparation of PIAs or security threat and risk assessments (STRAs), and if the public body is under investigation by a regulatory authority.
The contract must also specify what the public body expects the service provider to do whenever it experiences a breach of personal information it holds on behalf of the public body, including timelines. This helps to ensure the public body can meet its requirements concerning breaches including for notification as required by POPA and its regulations.
The contract must also establish retention periods for the information stored by the service provider and establish a process for the service provider to certify to the public body when personal information has been destroyed at the end of its retention.
Complaint Handling
The contract must also address how any complaints alleging unauthorized access, collection, use or disclosure by the contractor (or their employees or subcontractors) will be handled. For the same reason as indicated for access and correction requests, it is recommended that public bodies maintain responsibility for complaints management. Additionally, managing complaints provides insight into the personal information handling practices of the service provider and provides the public body with the opportunity to address any issues that arise through this process.
Termination
In addition to the foregoing, the contract must outline clear outcomes in the event the service provider ceases to operate or the contract terminates. Public bodies must be able to terminate the contract and retrieve the records from the service provider with assurance that no records are retained by the service provider. Additionally, the contract should address compatibility between the service provider’s system for storing personal information and that of the public body. This is important, since the public body must be able to import the personal information into a new information system, or to archive it as dictated by applicable retention periods. The contract must include clear expectations around data format, applicable timelines and security arrangements. This will ensure the data can be moved across different information systems with minimal integration issues and will be readable by the public body.
For more specific details to consider in a contract, please see the Appendix – Service Provider Contract Privacy Checklist.
Oversight
The public body should develop processes that ensure its service providers are meeting their contractual obligations. The frequency of these reviews may be informed by policies of the public body, which may be part of the public body’s Privacy Management Program. When auditing a service provider to verify adherence to contract terms, the public body should have defined processes to ensure the details of the audit are clearly documented and retained, and distinct steps for escalating issues of non-compliance. There may be similar processes for audits conducted on a reactive basis, such as when an incident occurs.
The OIPC may request information from a public body due to a complaint or a request for review under ATIA or POPA. The Commissioner may also conduct investigations. The public body and by extension, the service provider, may be required to provide information to the Commissioner to conduct the review or investigation. Where a service provider is involved, they will be part of the review or investigation and must cooperate. That said, as an employee of the public body, any non-compliance by a service provider with POPA is non-compliance by the public body. Investigations may result in Orders or in the event of an offence, charges and fines.
Conclusion
Public bodies collect, use and disclose personal information in order to provide public services to Albertans. When entering into a contract with a service provider, public bodies remain accountable for this information and must have appropriate policies and procedures to ensure, in the use of service providers, they will meet their obligations under POPA.
Public bodies must ensure that contracts entered into with service providers contain clauses that will ensure the service provider, and its employees or subcontractors, comply with the public body’s duties under POPA. Having an accountability framework such as a PMP, with appropriate policies and procedures regarding contracting with service providers, will help guide those involved in retaining a service provider, including for procurement, contracting and managing contracts, to ensure legal obligations are met.
This guidance is meant to support public bodies in developing policies and procedures for acquiring, contracting and overseeing service providers in a way that facilitates compliance with POPA.
We welcome any feedback concerning this guidance. Please send it to generalinfo@oipc.ab.ca.
Appendix – Service Provider Contract Privacy Checklist
Public bodies can use this checklist whenever they seek to enter into a contract with a service provider who performs a service on behalf of the public body and in doing so has access to personal information subject to the Protection of Privacy Act:
Download the checklist here [DOCX] [PDF]
Footnotes
[1] (t) “public body” means
(i) a department, branch or office of the Government of Alberta,
(ii) an agency, board, commission, corporation, office or other body designated as a public body in the regulations,
(iii) the Executive Council Office,
(iv) the office of a member of the Executive Council,
(v) the Legislative Assembly Office,
(vi) the office of the Auditor General, the Ombudsman, the Chief Electoral Officer, the Ethics Commissioner, the Information and Privacy Commissioner, the Child and Youth Advocate or the Public Interest Commissioner, or
(vii) a local public body,
but does not include
(viii) the office of the Speaker of the Legislative Assembly and the office of a Member of the Legislative Assembly, or
(ix) the Court of Appeal, the Court of King’s Bench or the Court of Justice;
The full definition of a public body can be found in the ATIA at Alberta King’s Printer.
[2] This and other defined terms are listed in the Glossary below.
[3] Often, service providers that provide services nationally or internationally reference legislation that does not apply to Alberta’s public sector, such as PIPEDA, the GDPR or the public sector privacy laws of other jurisdictions. These laws differ from POPA and compliance with these laws does not ensure compliance with POPA.
Glossary
| Term | POPA Ref | Definition |
|---|---|---|
| Common or Integrated Program or Service | 1(d) | (d) “common or integrated program or service”, in relation to a public body, means a program or service planned, administered, delivered, managed, monitored or evaluated by (i) the public body working collaboratively with one or more other public bodies, or (ii) another public body working on behalf of (A) the public body, or (B) the public body and one or more other public bodies; |
| Data derived from Personal Information | 1(e) | “data derived from personal information” means data created by data matching, and that identifies any individual whose personal information was used in the data matching; |
| Employee | 1(h) | “employee”, in relation to a public body, includes a person who performs a service for the public body as an appointee, volunteer or student or under a contract or agency relationship with the public body; |
| Head of the Public Body | 1(i) | “head”, in relation to a public body, means a head as defined in the Access to Information Act |
| Information | (not defined in POPA) | For the purpose of this document, “information” is used to refer to any records in the control of the public body, including personal information, data derived from personal information, non-personal information, and other business records. |
| Non-Personal Data | 1(n) | “non personal data” means data, including data derived from personal information, that has been generated, modified or anonymized so that it does not identify any individual, and includes synthetic data and any other type of non personal data identified in the regulations; |
| Personal Information | 1(q) | recorded information about an identifiable individual, including the individual’s name, home or business address, home or business telephone number, home or business email address, or other contact information, except where the individual has provided the information on behalf of the individual’s employer or principal in the individual’s capacity as an employee or agent, the individual’s race, national or ethnic origin, colour or religious or political beliefs or associations, the individual’s age, gender identity, sex, sexual orientation, marital status or family status, an identifying number, symbol or other particular assigned to the individual, the individual’s fingerprints, other biometric information, blood type, genetic information or inheritable characteristics, information about the individual’s health and health care history, including information about the individual’s physical or mental health, information about the individual’s educational, financial, employment or criminal history, including criminal records where a pardon has been given, anyone else’s opinions about the individual, and the individual’s personal views or opinions, except if they are about someone else; |
| Privacy Management Program | 1(t) | “privacy management program” means a privacy management program established and implemented under section 25 |
| Record | 1(v) | “record” means a record as defined in the Access to Information Act; |
April 2026