Requirement for privacy management programs in effect next June.
The Office of the Information and Privacy Commissioner (OIPC) of Alberta has developed new resources to help public bodies comply with the requirement to establish and implement a privacy management program (PMP) under Alberta’s Protection of Privacy Act (POPA) and Protection of Privacy (Ministerial) Regulation.
The new resources outline the privacy management program requirements for public bodies under POPA and its regulation and build on earlier best-practice guidance from privacy commissioners in Alberta, British Columbia, and Canada.
“By following the approach described in these resources, public bodies will be better prepared to meet their legal responsibilities under POPA,” said Information and Privacy Commissioner Diane McLeod. “This includes protecting privacy, providing appropriate access to personal information, and supporting accountability, transparency, and fairness.”
POPA came into force in June 2025. However, the legislation provided a one-year grace period for public bodies to have a PMP in place.
The guidance will help public bodies understand how to develop a PMP and what the OIPC will be looking for when assessing the PMPs of public bodies. It uses a ‘building block’ approach to guide public bodies through the development of their PMPs and provides a useful checklist of PMP requirements for public bodies, including the enhanced requirements for public bodies that process sensitive or high volumes of personal information.
In addition, the OIPC has developed a companion document for public bodies when contracting service providers. This is because public bodies need to consider both the work of their employees and any contracted service providers when developing PMPs.
“The massive privacy breach in December 2024 that affected educational institutions using PowerSchool education technology is a compelling example of the need for public bodies to develop and maintain high standards for protecting sensitive personal information, including when using service providers,” added McLeod.
Both resources are available on the OIPC website at oipc.ab.ca. Click here to view the Guidance for Public Bodies in Developing Privacy Management Programs and here to view the Guidance for Public Bodies when Contracting Service Providers.
Through the OIPC, the Information and Privacy Commissioner performs the responsibilities set out in Alberta’s access to information and privacy laws, the Access to Information Act, the Protection of Privacy Act, the Freedom of Information and Protection of Privacy Act during the transition period, the Health Information Act, and the Personal Information Protection Act. The Commissioner operates independently of government.
For more information:
Elaine Schiman
Communications Manager
Office of the Information and Privacy Commissioner of Alberta
communications@oipc.ab.ca
Mobile: (587) 983-8766