Guidance for Public Bodies in Developing Privacy Management Programs

Introduction

In a world that increasingly depends on technology and personal information, organizational accountability is essential for maintaining public trust. This guidance explains what it means for a public body to be accountable today and how to establish a Privacy Management Program (PMP) to support that responsibility. It outlines the requirements for public bodies under Alberta’s Protection of Privacy Act (POPA) and Protection of Privacy (Ministerial) Regulation (M-Reg) and builds on earlier best-practice guidance from privacy commissioners in Alberta, British Columbia, and Canada in Getting Accountability Right with a Privacy Management Program. By following the approach described in this document, public bodies will be better prepared to meet their legal responsibilities under POPA, including protecting privacy, providing appropriate access to personal information, and supporting accountability, transparency, and fairness.

This guidance also includes a checklist to help public bodies set up a successful Privacy Management Program (see Appendix A).

Purpose and structure of this guidance

Purpose

The purpose of this guidance is to help public bodies comply with the POPA requirement to establish and implement a PMP. It addresses four topic areas that are needed for a public body to build its PMP:

  1. preparing to set up and maintain a PMP,
  2. legislative alignment, i.e. ensuring a public body’s PMP meets the requirements of POPA,
  3. operationalizing accountability, i.e. translating legal requirements into actions a public body must take, and
  4. program expectations, i.e., a comprehensive breakdown of the policies, practices, and roles required for effective internal oversight.

Structure

This guidance uses a ‘building block’ approach to help public bodies develop their PMP. Part 1 introduces the core building blocks of the PMP: organizational commitment and a layered approach to program controls. Part 2 focuses on assessing and improving the PMP. Part 3 discusses how the PMP is used to demonstrate compliance.

1. Developing a Comprehensive Privacy Management Program

Organizational Commitment

Senior management commitment and support

Leadership is the cornerstone of building an organizational culture that respects privacy rights. For a PMP to be effective, senior management must take a leading role in promoting it.

  • Resource allocation: the head of the public body must ensure that the designated privacy officer has the necessary financial, human, and technical resources to establish, implement, and periodically review, assess and update the PMP.
  • Mandatory compliance: while public bodies face competing priorities, compliance with POPA is a legal obligation. This means that sufficient support must be given to meet the requirements under this Act.
  • Public trust: the ability to collect personal information from Albertans effectively rests on public confidence. Proper funding and executive support for the public body’s PMP prevents the erosion of that trust.
  • Reducing compliance overhead: a well-championed and adequately funded PMP helps minimize the costly and time-intensive remediation that follows complaints, investigations, and court cases.

head of the public body
“head”, in relation to a public body, means,

(i)    if the public body is a department, branch or office of the Government of Alberta, the member of the Executive Council who presides over it,

 (ii)    if the public body is an agency, board, commission, corporation, office or other body designated as a public body in the regulations, the person designated by the member of the Executive Council responsible for that body to act as the head of that body or, if a head is not so designated, the person who acts as the chief officer and is charged with the administration and operation of that body,

Designation and role of the Privacy Officer

The head of a public body must designate/identify one or more individuals as the Privacy Officer for the public body. The Privacy Officer is responsible for ensuring the public body’s compliance with POPA and its regulations[1].

Core responsibilities of the Privacy Officer:

  • Liaison: Serving as the primary point of contact for privacy inquiries and concerns.
  • Policy development: Supporting the creation, implementation, and maintenance of privacy policies and procedures.
  • Compliance oversight: ensuring the public body adheres to POPA and overseeing the management of the PMP.

Regardless of the public body’s size, the Privacy Officer is accountable for the public body’s privacy practices. The Privacy Officer is the PMP’s architect and leader. The specific duties and activities include:

  • Establishing and regularly revising program controls (policies, procedures, etc.).
  • Developing and delivering employee training and education.
  • Documenting, monitoring, and auditing the implementation of the PMP.
  • Representing the public body during investigations by the Office of the Information and Privacy Commissioner (OIPC).
  • Championing, together with senior management, a workplace culture that prioritizes privacy.

Ensuring a Privacy Officer can do their work well

Privacy Officer within the public body’s governance structure

In many jurisdictions, a privacy officer, or equivalent official, is somewhat shielded from reprisal by executives who may have interests that conflict with those of the privacy officer’s role. Care must be taken to mitigate this potential conflict by having the Privacy Officer report directly to the head of the public body who is accountable for the overall performance and compliance of the public body.

Adequate resourcing

The need for resourcing is determined by the size and complexity of the public body.

  • Small public bodies: The Privacy Officer may be able to manage privacy duties alongside other professional responsibilities.
  • Large public bodies: In organizations that handle high volumes of personal information or sensitive personal information, the Privacy Officer should typically be a full-time role supported by dedicated staff (e.g. within a Privacy Office).

Budgetary Integration

A budget for the PMP and for the public body’s privacy functions (e.g. a Privacy Office) is required to ensure the long-term sustainability of the PMP. This funding should be established as a non-discretionary line item in the public body’s annual budget.

Auditing, reporting and escalation

A successful PMP must include reporting mechanisms. These tools ensure that the Privacy Officer and management remain informed about the program’s effectiveness, identify gaps, and implement solutions for improvement.

Internal audit and assurance

To maintain accountability, public bodies must incorporate the PMP into their internal audit program such that it is objectively evaluated for how well the PMP supports and achieves POPA compliance.

  • Methodology: Audits should collect and document metrics that can be used to evaluate the PMP’s performance (percentage of employees who have been trained or retrained, how many complaints have been filed, how many privacy incidents have occurred, etc.).
  • Independent review: In case of a significant privacy incident or systemic problems, public bodies should consider using external[2] auditors to provide an unbiased assessment of (parts of) their privacy compliance framework.

Incident escalation and management

Prompt reporting of a breach of personal information or of privacy complaints is essential. The PMP must clearly define the responsibilities, timelines and expectations of the escalation process.

  • Duties of the head: Under POPA, the head is obligated to protect personal information in the custody or under the control of the public body and to make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction. If an incident involving the loss of, unauthorized access to or unauthorized disclosure of this personal information (a Privacy Incident) occurs, the public body is required to notify the affected individuals without unreasonable delay where there is a real risk of significant harm to one or more of them, as required by the Act and regulations[3]. As well, public bodies must have a process to receive and manage complaints about any alleged unauthorized collection, use or disclosure of personal information[4].
  • The Privacy Officer’s role: All Privacy Incidents must be escalated to the Privacy Officer. The Privacy Officer acts as the central manager of the Privacy Incident, coordinating with the necessary experts (e.g. IT professionals, legal counsel, and communications advisors) to resolve the matter. The Privacy Officer also reports Privacy Incidents to the head. For complaints, the Privacy Officer is responsible for investigating whether the complaint is substantiated and for taking any action needed to address it and mitigate the risk of recurrence, including recommending discipline of employees for snooping or other serious violations.
  • Progress tracking: For privacy complaints, staff should track progress and report to the Privacy Officer to ensure the organization is following its documented protocols effectively and in a timely manner. Such reporting, when properly implemented, enables early detection of systemic problems with meeting the public body’s statutory obligations.

Testing and validation

Public bodies should periodically evaluate their Privacy Incident protocols. These exercises should evaluate:

  • Identification: How quickly the Incident is spotted (and if it is spotted at all by staff).
  • Escalation: How efficiently the right people are notified.
  • Containment: How effectively the Incident is contained, e.g. any unauthorized access or disclosure is stopped.
  • Compliance: how well the public body is able to fulfill its requirements regarding Privacy Incident Management under POPA[5].


POPA 25(1) A public body must establish and implement a privacy management program consisting of documented policies and procedures that promote the public body’s compliance with its duties under this Act.

25 (2) A privacy management program must (a) be proportional to the volume and sensitivity of the personal information in the custody or under the control of the public body, and (b) comply with the prescribed requirements.

Privacy management program requirements based on volume and sensitivity (determination)

POPA requires a tiered approach to public bodies’ PMPs. All public bodies must meet the requirements under section 6(1) of the M-Reg. Public bodies that have custody or control of high volumes of personal information or highly sensitive personal information must also meet the additional requirements under section 6(2) of the M-Reg. The following criteria determine whether your public body must meet these additional requirements:

Sensitivity of personal information

A public body must determine whether it has custody or control of highly sensitive personal information. Section 1 of the M-Reg defines highly sensitive personal information as:

(a) biometric information about an individual;

(b) financial information about an individual;

(c) personal information respecting a minor, senior or vulnerable individual

Biometric information is further defined in section 1(a) of the Act as:

information derived from an individual’s unique measurable characteristics;

Volume of personal information

A public body must determine if it has custody or control of a high volume of Albertans’ personal information. High volume is not defined, as it is to be interpreted as a contextual, qualitative threshold based on risk.

Determination

In accordance with the determinations made, the public body must proceed with efforts to meet the requirements applicable to all public bodies, and if applicable, those imposed on public bodies that handle highly sensitive personal information, high volumes of personal information, or both. Implementing all the requirements found under section 6 of the regulation is also a matter of best practice, regardless of the handling of highly sensitive personal information or high volumes of personal information by a public body.


Program controls for all public bodies

Personal information inventory

A comprehensive personal information inventory is an essential prerequisite for privacy compliance under POPA. If a public body does not know the nature and volume of the personal information it collects, uses, and retains, it cannot realistically meet its statutory obligations. An inventory is also indispensable for meeting transparency requirements regarding personal information holdings (e.g. see section 57 of POPA regarding personal information banks). The personal information inventory directly supports section 6(1)(c) of the M-Reg, which mandates the establishment of a security classification system for personal information and data derived from personal information; without a comprehensive inventory, a public body cannot accurately classify its personal information holdings. It would also be unable to apply, and be transparent about, the safeguards required for automated systems that process personal information under section 6(1)(b)(iii) of the M-Reg. The creation of a personal information inventory can be part of a broader effort to create a data inventory[6] for the public body.

What is a personal information inventory?

A personal information inventory should capture all recorded personal information in the custody or under the control of a public body, including information held by vendors. This includes unique identifiers, biometrics, data, or metadata that could, when combined with other data, reasonably identify an individual. Identifying the sensitivity and categories of this information is a prerequisite for the mandatory employee training required by section 6(1)(d) of the M-Reg, as staff must understand the specific nature of the personal information they handle, and how it is used in the public body’s business processes, to fulfill their obligations. Furthermore, documenting this inventory allows the Privacy Officer to maintain effective oversight and ensure that the public body’s internal policies, including those for correcting information or managing Privacy Incidents, are grounded in an accurate map of the organization’s data landscape.

M-Reg 143/2025

6(1) A privacy management program established by a public body under section 25 of the Act must include

(a) the designation or identification of a privacy officer within the public body who is responsible for ensuring the public body’s compliance with the Act,
(b) internal policies and procedures to address the public body’s duties under the Act, including policies and procedures for (i) responding to
(A) requests for the correction of an individual’s personal information under section 7 of the Act,
(B) incidents described in section 10(2) of the Act, and
(C) complaints made under section 38(2) of the Act,
(ii) the creation, use and disclosure of non personal data, if the public body will create, use or disclose non personal data, and
(iii) how automated systems will use personal information, including any security or technical safeguards that will be implemented to protect personal information, if the public body will use personal information in an automated system to generate content or make decisions, recommendations or predictions,
(c) the establishment of a security classification system for personal information, data derived from personal information and non personal data in the custody or under the control of the public body,
(d) mandatory training for employees of the public body about the obligations of those employees under the Act, with specified expiry periods after which retraining is required, and
(e) timelines for the periodic review, assessment and update of the privacy management program.

The personal information inventory role in PMPs

As highlighted, an accurate inventory is the baseline for designing and implementing an effective PMP. It provides the data needed to manage information-sharing agreements and personal information banks, and is fundamental to documenting the authority for collection and the parties to whom personal information is disclosed. The inventory must be updated frequently; in doing so it supports the section 6(1)(e) M-Reg requirement for periodic review and assessment of the PMP by providing a clear benchmark of what information is currently held and how it is protected. By recording the following, the public body creates the essential foundation for privacy compliance:

  • the location (physical and logical) where personal information is stored;
  • the categories of personal information it holds;
  • the categories of individuals, such as minors, adults, or seniors, whose personal information it holds;
  • the specific purposes for which personal information is collected, used and disclosed; and
  • the sensitivity and security classification of this personal information.

The personal information inventory will assist when the public body has to respond to complaints and access requests. It will assist in making determinations about when a privacy impact assessment (PIA) is required and makes completing the PIA easier. Lastly, it will help the Privacy Officer effectively establish and manage the PMP so the public body will be compliant with POPA and its regulations.
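The fields listed above, together with the sensitivity and volume determination described earlier (section 1 and section 6(2) of the M-Reg), can be held in one structured inventory and evaluated mechanically. The following is an added example, not code from the guidance or from the OIPC: the `Holding` record, the classification labels, the sample entries and the "high volume" threshold are all constructed assumptions (the M-Reg does not define high volume or prescribe classification labels). It classifies each holding, flags entries too incomplete to support a PIA or access request, and reports whether section 6(2) applies.

```python
"""Added example (not from the guidance): a minimal personal information
inventory with the M-Reg section 1 sensitivity test and the section 6(2)
trigger run over it. Field names, labels, sample holdings and the volume
threshold are constructed assumptions, not values set by the regulation."""
from dataclasses import dataclass, field

# Section 1 of the M-Reg (as quoted in the guidance): biometric information,
# financial information, or information about a minor, senior or vulnerable
# individual is highly sensitive personal information.
HIGH_SENSITIVITY_CATEGORIES = {"biometric", "financial"}
HIGH_SENSITIVITY_SUBJECTS = {"minor", "senior", "vulnerable individual"}

# Assumption: "high volume" is undefined in the M-Reg and must be set by the
# public body as a risk-based threshold; this figure is a placeholder only.
HIGH_VOLUME_THRESHOLD = 100_000

# Classification labels are an assumption; the M-Reg requires a system but
# does not prescribe the labels.
HIGH, STANDARD = "HIGH", "STANDARD"


@dataclass
class Holding:
    """One entry in the personal information inventory."""
    name: str
    location: str                 # physical or logical storage location
    categories: set[str]          # categories of personal information held
    subjects: set[str]            # categories of individuals (minor, adult, ...)
    purposes: list[str] = field(default_factory=list)  # collection/use/disclosure purposes
    record_count: int = 0
    held_by_vendor: bool = False  # vendor-held information is still in scope


def is_highly_sensitive(h: Holding) -> bool:
    return bool(h.categories & HIGH_SENSITIVITY_CATEGORIES) or bool(h.subjects & HIGH_SENSITIVITY_SUBJECTS)


def classify(h: Holding) -> str:
    return HIGH if is_highly_sensitive(h) else STANDARD


def missing_fields(h: Holding) -> list[str]:
    """Inventory entries that cannot support a PIA, access request or
    complaint response: no location, no documented purpose, or no subject category."""
    gaps = []
    if not h.location:
        gaps.append("location")
    if not h.purposes:
        gaps.append("purposes")
    if not h.subjects:
        gaps.append("subjects")
    return gaps


def section_6_2_determination(inventory: list[Holding],
                              volume_threshold: int = HIGH_VOLUME_THRESHOLD) -> dict:
    """Apply the tiered test: section 6(2) applies if the body holds highly
    sensitive personal information or a high volume of personal information."""
    total = sum(h.record_count for h in inventory)
    sensitive = [h.name for h in inventory if is_highly_sensitive(h)]
    high_volume = total >= volume_threshold
    return {
        "total_records": total,
        "high_volume": high_volume,
        "highly_sensitive_holdings": sensitive,
        "section_6_2_applies": high_volume or bool(sensitive),
        "incomplete_entries": {h.name: missing_fields(h) for h in inventory if missing_fields(h)},
    }


# Constructed sample inventory for a small municipal public body.
SAMPLE_INVENTORY = [
    Holding("Recreation program registrations", "recreation-db (on-prem)",
            {"contact", "emergency contact"}, {"adult", "minor"},
            ["program registration", "emergency contact"], 12_000),
    Holding("Payroll export held by vendor", "vendor SaaS, Canadian region",
            {"financial", "contact"}, {"adult"}, ["payroll"], 350, held_by_vendor=True),
    Holding("Facility access card log", "access-control server",
            {"contact", "access events"}, {"adult"}, [], 40_000),  # purpose not documented
]

if __name__ == "__main__":
    for h in SAMPLE_INVENTORY:
        print(f"{h.name}: {classify(h)} gaps={missing_fields(h)}")
    print(section_6_2_determination(SAMPLE_INVENTORY))
```

In the sample, the registrations holding is highly sensitive because it covers minors and the payroll export because it is financial, so section 6(2) applies even though the total volume is below the assumed threshold; the access-card log is flagged because no purpose has been documented, which is the kind of gap a periodic review of the inventory should surface.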

Policies, procedures and safeguards

Public bodies are required to establish their internal operations through specific policies and procedures. Section 6(1)(b) of the M-Reg details these requirements and also refers back to the related sections of POPA.

Statutory policies and procedures

Public bodies must establish policies and procedures to handle:

Requests for Correction of personal information (section 6(1)(b)(i)(A) M-Reg, section 7 POPA)

  • Accuracy: Policies and procedures must outline how the public body will receive and process requests to correct errors in personal information (e.g., birth dates, contact info).
  • Opinions vs. facts: Since professional opinions cannot be ‘corrected’, the policy or procedures must provide a mechanism for individuals to append a statement of disagreement to the record.
  • Notification: If a correction is made, the policies or procedures must include a process to notify any third party to whom the information was disclosed.

Privacy incidents (section 6(1)(b)(i)(B) M-Reg, section 10(2) POPA)

  • Privacy Incident containment: Policies and procedures must detail immediate steps to contain a Privacy Incident.
  • Investigation: Policies and procedures must guide the Privacy Officer on the duty to conduct an investigation to determine the cause of the Privacy Incident and the steps to take to prevent recurrence.
  • Risk assessment: Policies and procedures must guide the Privacy Officer on evaluating whether a breach creates a “real risk of significant harm” (RROSH) to individuals ensuring adherence to the requirements in section 4 of the M-Reg.
  • Reporting timelines: Policies and procedures must guide the Privacy Officer on how the duty to notify the Minister, the OIPC and affected individuals “without unreasonable delay” about the Privacy Incident will be carried out, as prescribed by section 10(2) of POPA and section 4 of the M-Reg.

Complaints (section 6(1)(b)(i)(C), POPA section 38(2))

  • Internal review first: Policies and procedures must establish a process for receiving and responding to privacy complaints, including any follow up by the OIPC. Under POPA, individuals are required to seek a response from the public body to their complaint before bringing the matter to the OIPC.
  • Documentation: Procedures must be in place to systematically record complaints, the steps taken following a complaint, and the final response provided to the complainant.

For more information see our guidance about breach notification to the OIPC.

Non-personal data management

If a public body creates or uses “non-personal data” (anonymized, synthetic, or de-identified data derived from personal information), Division 2 of Part 3 of POPA, especially section 21, requires specific oversight by the public body:

POPA 1(n): “non‑personal data” means data, including data derived from personal information, that has been generated, modified or anonymized so that it does not identify any individual, and includes synthetic data and any other type of non‑personal data identified in the regulations;

  • Quality assurance: Non-personal data must be created in accordance with POPA requirements and as documented in the prescribed policy (section 6(1)(b)(ii) M-Reg). Policies should therefore require documentation of 1) the personal information used to create the data, 2) the purpose for creating the data, 3) the method used to create the data, and 4) a data quality assurance process that verifies the de-identification methods are effective and cannot easily be reversed (re-identification).
  • Auditability: Methods used to create non-personal data must be documented, and replicable for auditing purposes.
  • Bias mitigation: Procedures should identify and account for potential biases in the non-personal data sets to ensure they remain accurate for research or planning.

Automated systems and AI

When personal information is used in automated systems[1], including those generating content (Generative AI) or making predictions/decisions, section 6(1)(b)(iii) M-Reg mandates rigorous safeguards. Policies and procedures should set out the following details:

  • Transparency: Policies and procedures must ensure that individuals are notified when their information is processed by an automated system to make a decision about them, and explain how that notification is given[2].
  • Automated system specific information security controls: Technical controls (e.g., encryption of communications and of data at rest, access control measures such as multi-factor authentication) and administrative controls (e.g., human-in-the-loop oversight) must be documented and implemented[3].
  • Risk mitigation: Procedures should address how these systems will be monitored for algorithmic bias, procedural and outcome fairness, and emerging AI privacy threats[4] such as unauthorized data scraping from or by AI models.

Periodic review, security classification and mandatory training

  • Keeping the PMP up to date: The public body must establish timelines for the periodic review, assessment and update of the PMP, as required by section 6(1)(e) of the M-Reg. Chapter 5 has more information on the steps required to do this effectively.
  • Security classification: Based on the information obtained by making the personal information inventory, the public body can proceed to create and maintain a security classification system for personal information, data derived from personal information and non personal data (as required under section 6(1)(c) of the M-Reg). This classification can be used on an ongoing basis to ensure the right controls are in place to protect personal information, e.g., based on the sensitivity or volume of the information that needs to be protected.
  • Mandatory training: Section 6(1)(d) of the M-Reg requires all employees of the public body (including service providers and other contractors) to undergo training about their obligations under POPA relevant to their work duties, and to take mandatory retraining on a regular basis. Awareness of and training on the PMP is a core part of this training. An easy way to ensure that mandatory retraining happens is to link it to employees’ annual performance evaluations.

For more information on establishing AI governance in the Public Sector, various useful publications touching on the subject have been published[11].


Program controls for public bodies with sensitive or high volumes of personal information

Public bodies that have custody or control of high volumes of personal information or highly sensitive personal information must meet the requirements of section 6(2) of the M-Reg in addition to those of section 6(1). Section 6(2) lists additional privacy and accountability requirements that mitigate the elevated risks of large-scale processing and of handling sensitive personal information, including information deemed highly sensitive under section 1 of the M-Reg.

Ensuring delegation and accountability

Public bodies must document the specific roles and responsibilities of all employee roles (section 6(2)(a)(i) M-Reg), not just the Privacy Officer. This is commonly done by including privacy related tasks and obligations in policies, procedures, delegation documents (e.g. delegation matrix), job descriptions, etc. This effectively creates a chain of accountability from all staff working with personal information to senior management, and ultimately to the head of the public body. This requirement dovetails with the section 6(1)(d) M-Reg requirements for training (staff should be trained on their responsibilities as delegated).

Risk management

PIAs: Under section 6(2)(a)(ii) of the M-Reg, the process for completing and submitting PIAs must be formalized. This also means that public bodies must know when PIAs are required and make this determination part of the assessment of new or revised programs, activities and services. Furthermore, the personal information inventory and the security classification established under section 6(1)(c) of the M-Reg can help identify when a PIA is required under section 7(1)(a) of the M-Reg. Lastly, the public body should know when PIAs must be submitted to the Commissioner in accordance with section 7(5) of the M-Reg, and include dedicated activities in program and project management for assessing whether submission to the Commissioner is mandatory.

M-Reg 143/2025

6(2)  If a public body has custody or control of a high volume of personal information or highly sensitive personal information, the public body’s privacy management program must also include the following:

 (a)    documentation of the public body’s internal privacy management structure and internal policies and procedures to address the public body’s duties under the Act, which must address

(i)    the roles, responsibilities and accountabilities of employees of the public body in relation to the public body’s obligations under the Act,

 (ii)    the public body’s process for completing and submitting privacy impact assessments,

 (iii)    the public body’s policies and procedures for proactive monitoring of information systems that hold personal information, data derived from personal information or non-personal data, to assess security measures and mitigate risks,

 (iv)    the public body’s policies and procedures related to oral, electronic and written consent, and

 (v)    the public body’s policies related to the use of personal information in artificial intelligence systems, the creation of data derived from personal information and the creation of non personal data, if the public body is using personal information in artificial intelligence systems, the creation of non personal data or data matching activities;

(b)    written administrative, technical and physical safeguards for managing personal information, data derived from personal information and non personal data.

See our PIA resources to assist public bodies know when to submit a PIA to the OIPC and how to complete a PIA.

Proactive monitoring of information systems: Under section 6(2)(a)(iii) of the M-Reg, the public body is required to proactively monitor information systems that hold personal information and related data, and to document this monitoring in policies and procedures. This obligation is important given the central role information systems play in keeping personal information safe, and the significant Privacy Incidents that can occur if such monitoring fails or is never implemented. Monitoring may not stop every Privacy Incident from occurring, but it often limits the extent of one.
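One concrete form that proactive monitoring can take is a periodic review of access logs from systems holding personal information, checking each access against the documented roles and responsibilities and looking for the bulk or out-of-scope access that characterizes snooping. The following is an added example, not code from the guidance or from the OIPC: the log line format, the entitlement table, the sample log lines and the bulk-access threshold are all constructed assumptions, and a real deployment would draw entitlements from the delegation documents described under section 6(2)(a)(i).

```python
"""Added example (not from the guidance or the OIPC): an access-log review
that could form part of a public body's proactive monitoring of systems
holding personal information. The log format, entitlement table, sample
lines and threshold are constructed assumptions."""
import re
from collections import defaultdict

# Assumed audit-log line format produced by the monitored systems.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"record=(?P<record>\S+) class=(?P<cls>\S+) action=(?P<action>\S+)$"
)

# Assumed entitlement table: systems each account is authorized to use,
# drawn from the documented roles and responsibilities (section 6(2)(a)(i)).
ENTITLEMENTS = {
    "jdoe": {"benefits"},
    "asmith": {"benefits", "licensing"},
    "svc-backup": {"benefits", "licensing", "hr"},
}

# Assumed threshold: more distinct HIGH-classified records than this per
# user and system within one review window is treated as possible bulk
# access or snooping and escalated to the Privacy Officer.
BULK_THRESHOLD = 3


def parse(lines):
    """Parse well-formed lines; malformed lines are returned separately so
    that a broken log pipeline is itself visible to the reviewer."""
    events, malformed = [], []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
        else:
            malformed.append(line)
    return events, malformed


def review(lines, entitlements=ENTITLEMENTS, bulk_threshold=BULK_THRESHOLD):
    """Return findings as (type, user, system, detail) tuples."""
    events, malformed = parse(lines)
    findings = []
    high_records = defaultdict(set)  # (user, system) -> distinct HIGH records touched
    for e in events:
        # Access to a system the account is not entitled to use.
        if e["system"] not in entitlements.get(e["user"], set()):
            findings.append(("OUT_OF_SCOPE", e["user"], e["system"], e["record"]))
        # Count distinct highly sensitive records read or exported per user/system;
        # repeated views of the same record are counted once.
        if e["cls"] == "HIGH" and e["action"] in {"view", "export"}:
            high_records[(e["user"], e["system"])].add(e["record"])
    for (user, system), recs in sorted(high_records.items()):
        if len(recs) > bulk_threshold:
            findings.append(("BULK_HIGH_ACCESS", user, system, f"{len(recs)} distinct records"))
    if malformed:
        findings.append(("UNPARSEABLE_LOG", "-", "-", f"{len(malformed)} line(s)"))
    return findings


# Constructed sample log for one review window.
SAMPLE_LOG = """
2025-03-04T09:12:05Z user=jdoe system=benefits record=R-1001 class=HIGH action=view
2025-03-04T09:12:40Z user=jdoe system=benefits record=R-1001 class=HIGH action=view
2025-03-04T09:13:02Z user=jdoe system=benefits record=R-1002 class=HIGH action=view
2025-03-04T09:13:30Z user=jdoe system=benefits record=R-1003 class=HIGH action=view
2025-03-04T09:14:11Z user=jdoe system=benefits record=R-1004 class=HIGH action=view
2025-03-04T10:02:17Z user=asmith system=benefits record=R-2001 class=HIGH action=view
2025-03-04T10:05:49Z user=asmith system=hr record=R-5002 class=HIGH action=view
2025-03-04T23:00:00Z user=svc-backup system=benefits record=R-1001 class=HIGH action=export
2025-03-04T23:00:01Z user=svc-backup system=benefits record=R-1002 class=HIGH action=export
garbage line from a misconfigured forwarder
""".strip().splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the sample window the review produces three findings: asmith reaching into the hr system without an entitlement, jdoe touching four distinct highly sensitive benefits records (the repeat view of R-1001 is counted once), and one unparseable line, which matters because a silently broken log feed would otherwise hide both of the other findings. The thresholds and the treatment of service accounts should be set and documented in the public body's own monitoring procedure.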

 

Best practices: As a matter of best practice, the public body may, as part of the PMP, consider other risk management tools at its disposal that are relevant to mitigating privacy risks. Security Threat and Risk Assessments (STRAs) and Algorithmic Impact Assessments (AIAs) become more important where the use of innovative technology may put the privacy of Albertans at risk, or where other risks can flow from the use of automated decision-making systems, such as unfairness and bias. Use an STRA where the concern is information security risk; use an AIA where the accuracy, completeness and correct interpretation of personal information may affect algorithmically (or AI) derived processes or outcomes for individuals. STRAs can also be one way of working towards compliance with section 6(2)(a)(iii).

Consent and communication protocols

While all public bodies must manage personal information, those with sensitive data must have well-defined section 6(2)(a)(iv) M-Reg policies for obtaining consent, as well as consider the requirements under section 2 of the Protection of Privacy Regulation.

  • Consent: Documentation must address how consent is captured and recorded across oral, electronic, and written interactions.
  • Sensitivity context: For all consent, but especially for highly sensitive information[12] the policy or procedure must ensure that consent given is ‘informed and meaningful,’ providing clear evidence that the individual understands the implications of the data use.

AI governance and data matching

Building on the automated systems requirements in section 6(1)(b)(iii) of the M-Reg, section 6(2)(a)(v) of the M-Reg introduces specific requirements for Artificial Intelligence (AI) and data matching.

  • AI policy: If the body uses AI, it must have specific policies governing its use, particularly how the AI creates derived data (data points inferred about an individual by a machine).
  • Data matching policy and restrictions: Policies must strictly govern data matching activities, ensure compliance with Part 3 of POPA, and ensure required PIAs are completed and submitted to the OIPC as required by the regulations.
  • Non-personal data and data derived from personal information: Section 6(2)(a)(v) of the M-Reg has some overlap with 6(1)(b)(ii), and requires a detailed policy or procedure on the creation of non-personal data and data derived from personal information.

Administrative, technical and physical safeguards

In addition to requirements regarding safeguards that apply to all public bodies under section 10 of POPA, under section 6(2)(b) of the M-Reg, public bodies managing high volumes or highly sensitive personal information must implement and document appropriate administrative, technical, and physical safeguards for the entire personal information/data lifecycle, covering not only the original personal information but also data derived from it and non-personal data sets[13].

Reg 132/2025, section 1(2):

(a) “administrative safeguard” means a policy, procedure or practice to manage a public body’s conduct that protects the privacy of personal information, data derived from personal information and non-personal data;
(b) “physical safeguard” means a measure to protect a public body’s physical assets, including electronic information systems, from natural and environmental hazards and unauthorized intrusion;
(c) “technical safeguard” means a measure to protect a public body’s electronic information and control access to it.

2. Ongoing assessment and revision

Develop an oversight and review plan

Building on the foundational requirements of section 6(1) of the M-Reg and the enhanced expectations in section 6(2), a PMP is not static and requires periodic review under section 6(1)(e). Public bodies must therefore establish timelines for the periodic review, assessment, and update of their PMP. Vital information for this process is provided through reporting and monitoring.

Why periodic review is important

    • Public body initiated change: Public bodies regularly launch new (increasingly digital) services or change administrative practices. Periodic changes in organization structure may occur that merge or divest program areas from one public body to another. A review ensures that the section 6(1)(b) policies and procedures (for corrections, breaches, and complaints) stay relevant, and attuned to new or changed programs and activities, as well as when technology used in those programs and activities evolves.

M-Reg 143/2025

6(1) A privacy management program established by a public body under section 25 of the Act must include (…)
(e) timelines for the periodic review, assessment and update of the privacy management program.

  • Closing compliance gaps resulting from changes in the public body’s environment: A PMP needs monitoring and frequent updating due to changed or new regulations, OIPC orders regarding POPA, or emerging privacy and information security threats[14]. Regular assessment allows the public body to find and fix non-compliance, introduce new best practices, and address weaknesses in its safeguards.
  • Testing safeguards: For public bodies that process a high volume of, or highly sensitive, personal information, periodic review is the only way to verify that the written administrative, technical, and physical safeguards (section 6(2)(b)) are actually being followed in practice. Given the dynamic nature of technology, periodic reassessment and testing are standard[15].

Reporting and monitoring

The designation of a Privacy Officer under section 6(1)(a) of the M-Reg is important in establishing oversight. In high-volume or sensitive environments, the Privacy Officer’s role expands under section 6(2)(a)(iii) of the M-Reg to include responsibility for proactively monitoring information systems that contain personal information to regularly assess and mitigate security risks.

The need for reporting

Reporting is a mechanism that supports accountability. The Privacy Officer acts as the bridge between technical operations and senior leadership:

  • Senior management awareness: The Privacy Officer must report PMP performance and deficiencies to senior management. For example, if the mandatory training (section 6(1)(d) M-Reg) has limited effective uptake, or is not monitored and registered, leadership must be informed to authorize resources for retraining and measures such as instructing that the training form part of performance management.
  • Showing due care: In some cases, the results of these internal reports and audits may be relied upon to prove that the public body is meeting its duty of care or other legal requirements. If used properly and executed diligently, reporting and monitoring create assurance of, and proof of, due care for personal information.

The need for monitoring

Monitoring is a more direct and continuous observance of the PMP’s effectiveness (compared to the periodic and structured nature of reporting).

  • Proactive monitoring: Under section 6(2)(a)(iii) of the M-Reg, the Privacy Officer can delegate and supervise the monitoring of information systems to mitigate risks before they become incidents. These activities typically involve auditing logs of access to (systems containing) personal information and confirming that the security classification system (section 6(1)(c) M-Reg) and related access controls are effective. The Privacy Officer need not be involved in depth in the day-to-day aspects of monitoring but is accountable for the privacy-related components, such as the incident thresholds used for monitoring and reporting.
  • Algorithm and AI oversight: For public bodies using automated systems and AI, the Privacy Officer or any delegates must monitor automated systems to ensure they operate according to fairness principles, maintain the safeguards established in the PMP, and that their use does not result in the public body contravening POPA.
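The access-log review described above, as an added example that is not part of the OIPC guidance: it checks constructed access-log lines against a constructed security classification tier and role-based access rule, and escalates once a constructed bulk-read threshold is crossed. System names, roles, users, log lines and threshold values are all assumptions made for illustration.

```python
# Added example (not from the OIPC guidance): review constructed access-log
# lines against a security classification tier, role-based access rules and
# a bulk-read incident threshold, producing findings for the Privacy Officer.
# All systems, roles, users, log lines and thresholds are constructed.
from collections import Counter, namedtuple

# Constructed security classification of systems (the 6(1)(c) tiers).
SYSTEM_CLASSIFICATION = {"case-mgmt": "HIGH", "hr-portal": "MEDIUM",
                         "public-web": "LOW"}
# Constructed access-control rule: roles permitted to read each tier.
PERMITTED_ROLES = {
    "HIGH": {"caseworker", "privacy-officer"},
    "MEDIUM": {"caseworker", "hr-admin", "privacy-officer"},
    "LOW": {"caseworker", "hr-admin", "privacy-officer", "web-editor"},
}
# Constructed incident threshold: records one user may read from one system
# before the activity is escalated as a possible bulk extraction.
BULK_READ_THRESHOLD = {"HIGH": 100, "MEDIUM": 500}

Finding = namedtuple("Finding", "category user system detail")  # INVENTORY, ACCESS, BULK

def parse_line(line):
    """Parse one constructed line: 'timestamp user role system action count'."""
    ts, user, role, system, action, count = line.split()
    return {"ts": ts, "user": user, "role": role, "system": system,
            "action": action, "count": int(count)}

def review_access_log(lines):
    """Return the findings a Privacy Officer would escalate to senior management."""
    findings, read_totals = [], Counter()
    for rec in map(parse_line, lines):
        tier = SYSTEM_CLASSIFICATION.get(rec["system"])
        if tier is None:
            # A system logging reads but absent from the classification is an
            # inventory gap: its personal information may be under-protected.
            findings.append(Finding("INVENTORY", rec["user"], rec["system"],
                                    "system absent from classification"))
            continue
        if rec["role"] not in PERMITTED_ROLES[tier]:
            findings.append(Finding("ACCESS", rec["user"], rec["system"],
                                    f"role {rec['role']} not permitted for {tier}"))
        if rec["action"] == "read":
            read_totals[(rec["user"], rec["system"])] += rec["count"]
    for (user, system), total in read_totals.items():
        limit = BULK_READ_THRESHOLD.get(SYSTEM_CLASSIFICATION[system])
        if limit is not None and total > limit:
            findings.append(Finding("BULK", user, system,
                                    f"{total} records read, threshold {limit}"))
    return findings

def summarize(findings):
    """Counts per category: the figures reported upward under the PMP."""
    return dict(Counter(f.category for f in findings))

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2026-04-01T09:00 jdoe caseworker case-mgmt read 20
2026-04-01T09:05 jdoe caseworker case-mgmt read 95
2026-04-01T09:10 asmith web-editor hr-portal read 3
2026-04-01T09:12 bwong hr-admin hr-portal read 40
2026-04-01T09:20 cli caseworker legacy-db read 10
""".splitlines()
```

Running review_access_log(SAMPLE_LOG) yields one finding of each category: a bulk read on the HIGH system, a role not permitted for the MEDIUM tier, and an unclassified system.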


Assess and revise program controls

To maintain compliance with section 6(1)(e) of the M-Reg, reporting, monitoring and otherwise evaluating must be used to improve the PMP. This improvement cycle ensures that as the public body and its programs, activities and technology use evolve, its privacy controls adapt to meet emerging threats and operational changes.

M-Reg 143/2025

6(1) A privacy management program established by a public body under section 25 of the Act must include[…]

(e) timelines for the periodic review, assessment and update of the privacy management program.

The PMP improvement cycle

Assessing and revising program controls involves review and adjustment across these key areas:

a) update personal information inventories

The inventory is the foundation of the public body’s PMP. Periodic reviews must account for new data collection points and databases, and address personal information held as part of common or integrated programs or activities. If your inventory is outdated, your security classification system (6(1)(c) M-Reg) is likely inaccurate, risking leaving sensitive data under-protected. In addition, the timeliness or quality of responses to access requests may be affected.

b) revise policies and procedures

Policies and procedures should be revised based on lessons learned from the Privacy Officer’s monitoring (6(2)(a)(iii) M-Reg). If a specific procedure is consistently bypassed because it is too cumbersome, it must be redesigned to ensure it remains both functional and compliant with requirements in the Act and regulations.

c) update risk assessments

PIAs and related types of assessments (e.g. STRAs) are not one-and-done exercises. Under section 6(2)(a)(ii) of the M-Reg, the process for completing PIAs must be periodically revisited whenever a practice, program, project or service is substantially changed, not just when it is first put in place.

e) improve incident response protocols as they are used

Every Privacy Incident is an opportunity to refine the policies, procedures or controls required under sections 6(1)(b)(i) and 6(2)(b) of the M-Reg. Post-Privacy Incident debriefs should result in updates to response procedures, communication trees and containment strategies, and should inform enhancements to controls. Undertaking this work will minimize the risk of recurrence of harm stemming from unauthorized access to, disclosure of, or loss of personal information.

f) ensure service provider management

Public bodies remain responsible for data in the custody of service providers (e.g. third-party vendors). The improvement cycle must include regular audits of service provider contracts and security practices to ensure they align with the public body’s administrative, physical or technical safeguards (6(2)(b)) and help the public body otherwise meet its obligations under POPA. Insufficient or weak service provider management can lead to privacy breaches[16].

For more information on this topic please see the OIPC’s Guidance for Public Bodies when Contracting Service Providers.

g) improve external communication for transparency and accountability

Transparency and accountability are core pillars of POPA, and of good governance in general. Public bodies should periodically review and, if needed, update their public-facing privacy notices and complaint-handling procedures. Public bodies may also want to regularly review and update published information regarding the number of Privacy Incidents, access request statistics, personal information banks, and their use of AI (e.g. an AI registry[17]). Communications should be simplified and updated to ensure the public clearly understands the public body’s practices in these regards, and how to exercise their rights to correction and to make complaints. Such practices of good governance, showcasing transparency and accountability, will increase public trust in the public body.


3. Demonstrating compliance

Access to the PMP by the public

Public bodies have an obligation under POPA, section 25(3), to provide the PMP to any person who requests a copy of the PMP. The regulation specifies that this may also be done by publishing the PMP, so it is readily accessible to the public. From a transparency and accessibility perspective, it is recommended that public bodies publish the PMP on their website.

Furthermore, the regulation cautions public bodies about, and gives them the ability to redact or omit, certain sensitive information relating to the security of personal information in the custody or under the control of the public body. Commonly, such information includes detailed descriptions of security controls, (parts of) assessments such as STRAs or penetration tests, and similar documentation that could be used for adversarial purposes.

POPA 25(3) Any person may request a copy of a public body’s privacy management program and the public body must provide the person with a copy, or with directions to where the person may access a copy, within 30 business days of the request.

M-Reg – sections 6(3) and (4)

(3) Each public body must establish a process for making the public body’s privacy management program available to the public on request or must make the public body’s privacy management program publicly available on the public body’s website.

(4) When making a public body’s privacy management program available to the public, a public body may withhold technical information, security related information and other information that could compromise the security of personal information in the custody or under the control of the public body.

Using the PMP to reduce administrative burden

A public body can leverage the PMP for external messaging, and to reduce re-documenting parts of the PMP for purposes that lean on its policies and other controls. By referencing the PMP as a source, or quoting from it, where programs, activities and operations include privacy aspects, administrative burden can be reduced, and only a single source needs to be corrected should external feedback prompt the public body to do so. An example is citing the security standards contained in the PMP, within a PIA, or using its content as reference in external communications and engagement projects.


Appendix A – Checklist of PMP requirements for public bodies

The following checklist can help public bodies assess whether they have met the requirements for PMPs as set out in this Guidance.

Download a standalone copy of the checklist here [PDF]

Requirements for all public bodies (see M-Reg section 6(1) and POPA sections 25 and 10)

☐  Designated Privacy Officer: Identify or designate an individual responsible for ensuring the public body’s compliance with the Act and regulations. Ensure that where necessary, authority is delegated from the head of the public body, to the Privacy Officer.

☐  Documented internal policies & procedures: Establish written rules addressing the public body’s duties, including:

☐  Access and correction: Processes for responding to requests for personal information or requests for correction.

☐  Privacy complaints: A defined process for receiving and responding to privacy-related complaints.

☐  Privacy Incident response: A policy and process for responding to breaches and notifying affected individuals in accordance with the Act and regulations.

☐  Non-personal data: Policies for the creation, use, and disclosure of non-personal data (anonymized or synthetic data).

☐  Automated systems: Procedures for the use and safeguarding of personal information within automated systems (e.g., AI or algorithms).

☐  Personal information inventory: Create a personal information inventory which can be used to meet the requirements of the Act and regulations.

☐  Security classification system: Implement a system to classify personal information, derived data, and non-personal data based on sensitivity.

☐  Safeguards: Establish administrative, technical and physical safeguards for safeguarding and managing personal information.

☐  Mandatory employee training: Ensure all employees and contractors undergo regular training to understand their obligations under the Act.

☐  Periodic review cycle: Establish specific timelines for the regular review and assessment of the PMP to ensure it remains effective.

☐  Public transparency: Establish a process to make the PMP documentation available to the public upon request or by default (e.g. published on website).

Enhanced requirements if public bodies process highly sensitive personal information or high volumes of personal information (see M-Reg section 6(2))

The additional requirements to include policies and procedures for certain activities, and the public body’s duties regarding these activities, apply if the public body manages a high volume of personal information or highly sensitive information:

☐  Define accountability: Document the public body’s internal privacy management structure. Clearly document the roles, responsibilities, and accountabilities of all employees in relation to the public body’s obligations under the Act.

☐  Privacy Impact Assessment (PIA) process: Document policies and procedures for creation and ongoing management (updating as needed) of PIAs for new programs and activities or substantial changes to existing ones including for submitting the PIAs to the OIPC.

☐  Policies and procedures for proactive monitoring of information: Document policies and procedures setting out how the public body actively monitors systems holding personal information, data derived from personal information or non-personal data, to assess security measures and mitigate risks.

☐  Consent documentation: Document policies and procedures to ensure consent, written, oral or electronic, is obtained in accordance with POPA and its regulations.

☐  Employee and third-party oversight: Define the roles, responsibilities and accountabilities of employees (which in POPA include third-party contractors and service providers) of the public body in relation to the public body’s obligations under the Act.

☐  Policies for high-risk uses: Establish policies and procedures related to the use of personal information in artificial intelligence systems, the creation of data derived from personal information and the creation of non-personal data.

☐  Safeguards: Establish written administrative, technical and physical safeguards for managing personal information, data derived from personal information and non-personal data.


Appendix B – Infographics

Developing a Comprehensive Privacy Management Program


Maintaining and Using the Privacy Management Program

Appendix C – Glossary

Privacy management program (PMP): A structured framework of policies, practices, responsibilities and roles designed to ensure a public body complies with, and is accountable for, its privacy obligations under POPA.
Automated decision-making (ADM): The use of technology, including Artificial Intelligence (AI), to make decisions about Albertans or otherwise profile or rank them.
Privacy Officer: A mandatory role designated by the head of a public body. This individual is the architect of the PMP and is responsible for overseeing compliance and serving as a liaison for privacy concerns.
Personal information inventory: A comprehensive list of all recorded personal information held by a public body. It includes data storage locations, categories of personal information, and the purposes for collection.
Security classification system: A method of categorizing personal information based on its sensitivity to ensure appropriate levels of protection and access control.
Accountability: In the context of the PMP, the requirement for an organization to prove it is following privacy principles and to take responsibility for its personal information handling practices.
Data matching: The practice of linking personal information between two or more information systems.
Human-in-the-loop: An administrative control for automated systems whereby a human reviews or oversees the decisions made by AI or other ADM to ensure fairness and accuracy.
Privacy impact assessment (PIA): An assessment to identify and address the authority to collect, use and disclose personal information for a program, activity, or service, and to assess and address the privacy risks of the same.
Privacy incident: Any loss of, unauthorized access to, or unauthorized disclosure of personal information. Also commonly referred to as a “privacy breach”.
RROSH (Real Risk of Significant Harm): The legal threshold used to determine whether a public body must notify individuals, the Commissioner and the Minister following a privacy incident.
STRA (Security Threat and Risk Assessment): A technical review focused on identifying security vulnerabilities within an information system.
AIA (Algorithmic Impact Assessment): A tool used to evaluate the risks, such as bias or unfairness, associated with using automated decision-making systems or AI.

Footnotes

[1] See POPA section 55 and M-Reg section 6(1)(a).

[2] The auditor should be at least ‘arms length’ from the process or program area audited. Consideration should be given to use an auditor who is external to the public body.

[3] Section 10 of POPA, section 1(1)(c) of the Protection of Privacy Regulation, and section 4 of the M-Reg.

[4] Section 38(2) of POPA and Section 6(1)(b)(i)(C) of the M-Reg.

[5] See https://oipc.ab.ca/wp-content/uploads/2022/02/Breach-Response-2018.pdf for generic breach guidance, and https://oipc.ab.ca/popa/breach/tool/ for the POPA breach notice assessment tool.

[6] For an explanation regarding data inventory and how to create one, see https://www.dasca.org/world-of-data-science/article/what-is-data-inventory-and-how-to-create-it-effectively.

[7] Automated systems may include ‘traditional’ algorithms, as well as applications of AI.

[8] Also see sections 5 and 6 of POPA.

[9] For an introduction on the types of controls applicable to AI and many forms of automated systems that rely on it, see https://verifywise.ai/lexicon/ai-security-controls.

[10] See https://owaspai.org/docs/6_privacy/ for a primer on this subject.

[11] See https://yukonaccountability.ca/sites/default/files/resources/OMB-GettingAheadoftheCurve-v6.pdf and https://oipc.ab.ca/wp-content/uploads/2025/08/AI-Comments-from-the-OIPC-Regarding-Responsible-AI-Governance-in-Alberta-July-15-2025.pdf.

[12] See chapter 4(b) for details on sensitive personal information.

[13] For a more comprehensive overview of the types of controls and their uses see https://purplesec.us/learn/security-controls/.

[14] See e.g. https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026 and https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-trends/.

[15] See e.g. https://www.nist.gov/privacy-framework/nist-sp-800-115 for details on activities such as vulnerability scanning and penetration testing.

[16] See https://www.verizon.com/business/resources/reports/dbir/; this 2025 report states ‘30% of breaches were linked to third-party involvement, twice as much as last year, and driven in part by vulnerability exploitation and business interruptions’.

[17] See https://www.canada.ca/en/treasury-board-secretariat/news/2025/11/canada-launches-first-register-of-ai-uses-in-federal-government.html for information regarding AI registry use by the Canadian federal government.

April 2026

Disclaimer

This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.