Procedures for Reviews and Privacy Complaints – Settlement Phase – ATIA and POPA

This document provides parties with a summary of the procedures under which reviews and privacy complaints are conducted under the new Access to Information Act (ATIA) and the Protection of Privacy Act (POPA) at the settlement phase.

In June of 2025, the Freedom Information and Protection of Privacy Act (FOIP Act) was repealed and replaced with the ATIA and POPA.  Please see below under the heading “Transition from FOIP to ATIA and POPA” for more information about whether your review falls under ATIA, POPA or the FOIP Act.

For information about the procedures for reviews and privacy complaints under the FOIP Act, HIA and PIPA see: Procedures for Reviews and Privacy Complaints – Settlement Phase – FOIP, PIPA, HIA.

What is a review?

Under ATIA, the Commissioner has authority to review any decision, act or failure to act by the head related to requests for access to information.  The Commissioner also has authority to review a decision by the head of a public body to give access to information of a third party.

Under POPA, the Commissioner has authority to review the collection, use or disclosure of an individual’s own personal information if the individual believes that the collection, use or disclosure was in contravention of POPA.  The Commissioner also has authority to review any decision, act or failure to act of the head related to a correction request.

Reviews generally have two phases.  A settlement phase, which involves the Case Resolution Team attempting to settle the matter under review, and an inquiry phase, which is a formal adjudicative hearing conducted by the Adjudication Team from which an order is issued.  An inquiry may occur if settlement is not achieved.

Reviews under ATIA and POPA are subject to specified time limits.

Back to top of the page

What is an investigation?

Under POPA, the Commissioner is authorized to investigate privacy complaints about the following:

  • That personal information about any person has been collected, used or disclosed by a public body contrary to POPA
  • That data derived from personal information or non-personal data has been created, used or disclosed by a public body contrary to POPA
  • Respecting the actual or attempted re-identification by any person of non-personal data created under section 21(1) of POPA

Privacy complaints will generally try to be settled by the Case Resolution Team.  However, the Commissioner may decide to have the complaint formally investigated by the Investigation Team.  At the conclusion of a formal investigation, an order may be issued.

Investigations into complaints are not subject to specified time limits in POPA.

Back to top of the page

What is the settlement phase?

The settlement phase is the first phase of a review or complaint investigation.  It is a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  It may also be referred to as a mediation or investigation.  The majority of files are resolved at the settlement phase.

Please note that our office made some adjustments to our settlement procedures in 2024 and 2025 in the interest of creating greater efficiencies in our work. This page has been updated to reflect those changes.

Forms referenced in this document are available on our office’s website at https://oipc.ab.ca/forms/.

Please note that some important definitions are provided at the bottom of this page.

Back to top of the page

Commissioner’s Mandate

The Commissioner is not a part of the Government of Alberta. The Commissioner is an independent Officer of the Legislature and reports directly to the Alberta Legislative Assembly.

The Commissioner, through the Office of the Information and Privacy Commissioner (OIPC), carries out the legislative and regulatory responsibilities related to Alberta public bodies set out in the following laws:

  • Access to Information Act (ATIA) [in force June 2025]
  • Protection of Privacy Act (POPA) [in force June 2025]
  • Freedom of Information and Protection of Privacy Act [repealed June 2025] (FOIP Act)

 

Transition from FOIP to ATIA and POPA

Public bodies were subject to the FOIP Act until mid-June of 2025.  When ATIA and POPA are brought into force, these Acts will repeal the FOIP Act.  The ATIA applies to access to information requests.  POPA applies to review responses to correction requests made after POPA comes into force. It also applies to review complaints regarding the collection, use or disclosure of an individual’s own personal information by a public body where the individual first makes a complaint to the public body concerned.

The FOIP Act continues to apply to review responses to access or correction requests made or third parties notification decisions prior to June 2025. It also applies to complaints about the collection, use or disclosure of personal information by a public body which occurred prior to the repeal of the FOIP Act.   For more information, please see the Practice Note-Transitional- FOIP Act to ATIA and POPA.

Back to top of the page

What We Do…

  • Review the decisions of public bodies in regard to requests for access to information or correction of personal information made under the Acts
  • Review complaints regarding the collection, use or disclosure of personal information
  • Under POPA, investigate complaints about whether an organization is in compliance with the Act, such as enquiries into an organization’s general practices
  • Try and settle reviews and complaints
  • Where settlement cannot be achieved or as instructed by the Commissioner, conduct inquiries and issue binding orders

Back to top of the page

What We Do Not Do…

  • Act as an advocate on behalf of any party to a review or investigation
  • Release records that are the subject of a review
  • Store records on behalf of the Government of Alberta or any other party
  • Impose fines or award damages
  • Hear appeals of claims, benefits or decisions that do not fall under the Acts
  • Discipline, terminate or reinstate employees
  • Regulate the actions of individuals as private citizens
  • Regulate the constituency offices of members of the legislative assembly (but we do regulate certain access and privacy issues involving actions of cabinet members and ministries)

Back to top of the page

Making a Request for Review or Complaint to the Commissioner

Under the Acts:

  • Using the ATIA Request for Review form, an applicant may ask the Commissioner to review any decision, act or failure to act by the public body that relates to an applicant’s access to information request
  • Using the ATIA Third-Party Request for Review form, a third party who has been notified by a public body under ATIA that its information will be given to an applicant may ask the Commissioner to review that decision
  • Using the POPA Privacy/Correction Request form, an individual may ask the Commissioner to investigate if they believe that their own personal information has been collected, used or disclosed in contravention of POPA
  • Any person may ask the Commissioner to investigate whether an organization or public body is in compliance with POPA, such as enquiries into an organization’s general practices.

Back to top of the page

Time Limits to Request a Review

A review may be requested by completing and submitting the applicable request for review form (see “Making a Request for Review or Complaint to the Commissioner” above) to the OIPC within the following timelines:

Note: for the interpretation of “business day” please see Practice Note – Business Day – ATIA and POPA

ATIA

For reviews of access requests, within 60 business days after an applicant is notified of the decision, act or failure to act that is the subject to the request.

POPA

For correction requests, within 60 business days after the individual is notified of the decision, act or failure to act that is the subject to the request.

For reviews concerning the collection, use or disclosure of one’s own personal information that may be contrary to POPA, no sooner than the expiry of the 30 business days that the public body has to respond to the privacy complaint AND within 60 business days after receiving a response to the privacy complaint from the public body – or in the case of non response, within 60 business days after the 30 business days the public body had to respond.

 

ATIA and Third Parties

For third party reviews, within 20 business days after being notified by a public body of its decision to give an applicant access to third party information. The Commissioner has no power to allow a third party a longer period to submit a request for review.

Note this important process change for public bodies and third parties: 

As of February 1, 2024, the OIPC no longer conducts courtesy searches on behalf of public bodies to determine if a third party request for review has been received by this office.  ATIA now requires that a third party deliver a written request to the Commissioner and the head of the Public Body.   

Back to top of the page

Overview of Proceedings

Intake

To initiate a review or make privacy complaint, the applicable form must be completed (see “Making a Request for Review or Complaint to the Commissioner” above) AND submitted together with all supporting documents in one submission. Otherwise, the submission will be returned. We also enforce a 15-page limit for submissions.

Every submitted form is checked for:

  • Jurisdiction – is it something the OIPC can do under one of the Acts?
  • Whether it was received by the OIPC within the required time limits
  • Whether there is evidence that substantiates the request for review or complaint

Any person who submits a form for making a review or complaint will be contacted at the intake stage to discuss their submission and obtain clarification. They must be available to participate in our process and respond to requests in a timely manner, usually by phone and/or email. Otherwise, a file may not be opened. Any person who cannot meet this requirement, may name an agent to represent them.

The responding public body may also be contacted at this stage, as required.

Please note our refer-back process for privacy complaints and adequacy of search reviews.

Refer-back for privacy complaints

For complaints regarding the collection, use or disclosure of personal information under POPA about one’s own personal information, individuals must first make the complaint to the public body as required by POPA.

Refer-back for adequacy of search reviews 

For reviews under ATIA where the only concern is that an applicant believes the public body holds more responsive records than what were processed in the request (an ‘adequate search concern’), the applicant must first submit the concern directly to the public body, along with supporting evidence as to why they believe additional records exist.

We require that the public body be given at least 30 business days to respond.  After attempting to resolve the matter directly with the public body, if the applicant still has reason to believe the response does not comply with the relevant law they can bring the concern back to our office. At that point, our office will consider whether further investigation by the OIPC is warranted.

Issue identification

At the intake phase, the Intake Team will work with the person who submitted a form for making a request for review or privacy complaint to identify the issues for review or investigation.  Only those issues that (a) have enough evidence; and, (b) are within our jurisdiction will move forward. The identified issues will be communicated to the person to confirm their understanding and, if applicable, to advise on the limits of our jurisdiction.

If the OIPC proceeds with a review or investigation, a file is opened, and an acknowledgment letter (containing the confirmed issues) is sent to the person and the public body. A copy of any request for review form submitted is included with the letter. Forms submitted containing general privacy complaints made under POPA are not provided to the public body.

In the letter to the public body, it will be asked to provide a contact person who will be responsible for working with the assigned investigator to settle the matter. The contact person must have the ability to settle the issues. This means that they must have timely access to the decision-maker or directly involve the decision-maker in the conversations.

New records requirements and timelines 

For access request reviews, the public body will also be asked to provide a copy of the records to the OIPC with the inclusion of a records index within 7 business days of a notification letter, in accordance with the Practice Note – Preparing Records at Issue and Index of Records.  It may also be asked to provide the OIPC with a copy of the access request and any correspondence concerning the request with the applicant.  The OIPC will provide a link to securely send records and any other sensitive documentation to the OIPC.

The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed, or information withheld under sections 4(1)(a), (s), (t), (w), 27, 32(1)(a) or 32(2) of the ATIA. Public bodies (Respondents) will be required to provide a submission that contains the page numbers and an explanation that supports the application of the sections to the records.  The Practice Note – Providing Affidavits and other Evidence provides an explanation as to the expected content of the submission, even though it is not usually in affidavit form at the settlement stage.

 

Request for Review Forms and Attachments Are Disclosed

A copy of any request for review form and any attachments submitted along with the form must be disclosed to the public body under section 60(1)(a) of ATIA and section 39(1)(a) of POPA As a result, any person submitting one of these forms should specify to the OIPC if there is information in the form or accompanying attachments that they want the Commissioner to consider removing before sharing with the public body.  In considering these requests, consideration will be given to whether the information should be disclosed for fairness purposes or if it is necessary to conduct the review.

Address for Service

Each party to a review or investigation must provide an address for service to which all official communications will be sent for the purposes of the review or investigation.

As noted above, we must have an effective and timely means of communication with the parties.  As such, each party is to provide us with an email address for this purpose.  We also require a mailing address which may be used to deliver certain correspondence related to the file.  We will use secure email or other forms of secure electronic transmission to send communications containing sensitive information.

Person making the request for review or complaint

The address for service is to be identified on the applicable form.

Public Body

The address for service of the public body will be identified in the acknowledgement letter that the OIPC sends to each party as part of the initial notification process.

Changes or Updates

A party must use the Change of Contact and/or Address for Service Form on the OIPC website to update contact information or the address for service at any time during the review/investigation.

The address for service of each party will be circulated to all other parties.

Back to top of the page

Review and Investigation

An OIPC investigator, known as a Senior Information and Privacy Manager (SIPM) will be assigned to try to settle your request for review or privacy complaint.

The office receives a high volume of requests for reviews and complaints. As such, your file may be inactive until the SIPM has the capacity to begin to work on it.  The parties will be notified when the SIPM starts actively working on the file.  While the parties wait to hear from the SIPM, we encourage the parties to try to resolve the matter directly with one another.

Our new case resolution process involves us trying to settle matters under review or investigation in as short a time as is possible.  That is why we try to settle matters verbally over the phone.  As such, once a file is activated, we must be able to reach the parties, usually by phone, in a timely manner in order to participate in our settlement process.  If we cannot reach the party who requested the review or made the complaint, we may discontinue the review or investigation.  If this occurs, the parties will be notified.

The OIPC has shorter timelines to complete reviews under ATIA and POPA.  Therefore, it is imperative that all parties to a review provide requested information and be available for discussions about the matter in a timely fashion.  Requests to extend deadlines for providing information or discussing settlement must be reasonable with consideration for the shortened timelines.

The SIPM begins the review or investigation by examining the confirmed issues, the submissions received, and in the case of a review of an access request the records provided by the public body.  The SIPM also reviews the relevant law and any past cases that have interpreted the law against the issues to be determined.

The SIPM will contact the Respondent to gather any relevant evidence necessary to form an opinion about whether the law was complied with by the Respondent.

The SIPM may also need to contact the person who made the request or complaint for additional information.  Please note that we will not accept documented evidence from any party unless it is requested by the SIPM.  Any unsolicited evidence will be returned or deleted.

The SIPM will form an opinion about whether the Respondent has complied with the law as it relates to the issues under review or investigation.  The SIPM will discuss the opinion with the parties in an effort to settle the issues.  The Respondent may agree to take certain actions in order to remedy any non-compliance.

Any resolution reached will be documented in writing and sent to the parties.  As applicable, the SIPM will ensure that any agreed-upon terms are followed by the Respondent.

New rules respecting late raising of discretionary exceptions to access reviews

The OIPC will not consider any late raising of discretionary exceptions under ATIA at the settlement phase after the acknowledgement letter is issued.  This is because, at that time, we have confirmed the issues with the applicant.

Back to top of the page

Inquiries

If any or all of the issues are not settled during the settlement phase of a review, and the person who made the request for review wants to proceed further in the review process to inquiry, the SIPM will work with the parties to determine any agreed-upon facts.  The file will then be brought to the Commissioner to determine whether an inquiry will proceed, only on those unsettled issues.

Once the file is transferred to the Commissioner, the SIPM will close the file at the settlement stage.

Inquiries are formal adjudicative proceedings.  The inquiry process is not an examination of the process or an evaluation of the findings and recommendations made during the settlement phase. The inquiry gives the parties an opportunity to present their evidence “de novo” (from the beginning) and to rebut or support evidence presented by the other party.

The Commissioner may refuse to conduct an inquiry in certain circumstances:

  • The subject matter has been dealt with in an order or investigation report of the Commissioner
  • The circumstances warrant refusing to conduct an inquiry (for instance, if there is no meaningful remedy)
  • Under ATIA, the applicant has not attempted to resolve the matter directly with the public body concerned.  The Commissioner currently considers this factor in relation to single-issue adequacy of search concerns.
  • Under POPA, a person who believes that their own personal information has been collected used or disclosed in contravention of the Act did not make a complaint to the public body concerned before delivering a request for review to the Commissioner

A decision by the Commissioner to refuse to conduct an inquiry will be issued to the parties in writing.

If any unsettled issues proceed to inquiry, a Confirmation of Inquiry letter will be issued to the parties, which will confirm the issues for the inquiry.  A Notice of Inquiry will be issued at a later date which includes a copy of the applicable request for review form and attachments and sets out a schedule of dates for the written submissions of the parties.

Note: Under POPA, only reviews of an allegation of collecting, using or disclosing one’s own personal information and related to correction requests may proceed to inquiry; general privacy complaints cannot.

Affected Parties and Intervenors

Some inquiries may include “affected parties”.  An affected party is any other party who, in the opinion of the Commissioner, is affected by the request for review.  A copy of the request for review form and attachments may be provided to the affected party.

An affected party may make representations to the Commissioner at inquiry, but is not required to participate.

In certain cases, the Commissioner may give intervenor status to parties, if the Commissioner determines it is appropriate.  An intervenor can be useful in bringing a broader perspective to issues than the parties involved.

Order

On completing an inquiry, the Commissioner or delegated adjudicator must issue an Order disposing of the matter.

An Order made by the Commissioner or delegated adjudicator is final.  However, a party may apply to the Court of King’s Bench of Alberta for judicial review of an Order.

Back to top of the page

Timelines to complete a review

ATIA and POPA set out 180 business days to complete a review and may extend up to another 180 business days if needed to complete an inquiry.  These timelines apply to the time taken when the Commissioner authorizes a staff member to try and settle the matter under review.  A maximum of 180 business days will be allotted to the settlement phase prior to inquiry.

How will the OIPC count the 180 business days timeline for completion under ATIA/POPA?

The OIPC considers a review to be “received” under section 60(1) of ATIA and section 39(1) of POPA and the 180 business days timeline starts once we have determined that:

  • we have jurisdiction to conduct the review, and
  • the OIPC has confirmed the issues for review in writing with the person who asked for the review.

Parties will be notified as to the anticipated date for completion and any extensions to the anticipated date for completion.

Back to top of the page

Definitions

  • Applicant – a person who makes an access to information request under ATIA or a request for correction under POPA concerning their own personal information
  • Complainant – a person who makes a general complaint about the privacy practices of a public body under POPA
  • Public Bodies – public sector entities subject to ATIA and POPA
  • Senior Information and Privacy Manager (SIPM) – the person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the settlement phase.  May also be referred to as an investigator
  • Settlement – a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  May also be referred to as a mediation or investigation
  • Third Party – a person, a group of persons, or an organization other than an applicant or other person who requests a review under POPA and the public body that is involved in the review

If you have any questions with respect to the OIPC review or investigation process, please contact the OIPC.

Back to top of the page


June 2025


Disclaimer

This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.