Legislation Overviews – Office of the Information and Privacy Commissioner of Alberta

Letter from OIPC to Ministers of PPHS and HSHS regarding Bill 11 – December 1 2025

Elaine Schiman — Mon, 01 Dec 2025 22:26:38 +0000

Privacy laws in Alberta

Chris Stinner — Wed, 11 Jun 2025 23:06:52 +0000

Privacy laws are meant to protect your autonomy and dignity as an individual by giving you control over the collection, use and disclosure of your personal or health information.

There are three privacy laws in Alberta. These laws apply to the public sector (such as government, police, municipalities), health sector (such as hospitals, doctors, pharmacies, dentists), and private sector organizations (such as retail stores, online stores and social media and other apps, and contractors).

Below is a description about how each law protects you and how you can exercise your rights under these laws. There is also information about the Office of the Information and Privacy Commissioner and the work we do.

Table of Contents

Public Sector
Health Sector
Private Sector
Exercising Your Privacy Rights
About the OIPC

Public Sector Privacy Law (applies to public bodies)

Protection of Privacy Act

The Protection of Privacy Act (POPA or Act) applies to public bodies in Alberta. Public bodies include government ministries or departments, government agencies, boards and commissions, school boards and charter schools, universities and colleges, municipalities, and police.

POPA went into force in June of 2025. It replaced the privacy part of Freedom of Information and Protection of Privacy Act (FOIP Act). The FOIP Act is no longer in force in Alberta and has been repealed.

POPA protects privacy by controlling the ways a public body may collect, use or disclose personal information. No personal information may be collected by or for a public body unless the collection is:

Authorized by another law or enactment
For purposes of law enforcement
Information that relates to and is necessary for an operating program or activity of the public body including a common or integrated program or activity

Your personal information must be collected directly from you subject to certain exceptions and when collected in this manner, you must be notified about the purpose of collection. Once collected, your personal information may be used or disclosed for the intended purpose of collection. Your personal information may be used or disclosed for other purposes in some situations, such as when you consent. A public body must also protect your personal information from loss or unauthorized access or disclosure and must notify you about a breach involving your personal information if there is a real risk of significant harm to you as a result of the breach.

You have rights under POPA as it relates to your personal information, including that information collected about you must be reasonably accurate, you have the right to access your personal information, and you can make a complaint if you believe that your personal information is being collected, used or disclosed contrary to the Act.

Under POPA, public bodies are permitted to data match personal information to create additional personal information. This is called “derived data” under POPA. Public bodies are also permitted to modify personal information so that it can no longer identify an individual. This is referred to in the Act as “non-personal data”. Derived data and non-personal data are subject to the Act, meaning that the Information and Privacy Commissioner has oversight of this data. If you believe that the process used to create derived data or non-personal data is not in accordance with the Act, you can make a complaint to the Commissioner.

It is an offence for a person to collect, use or disclose personal information contrary to the Act, to perform data matching contrary to the Act, and to reidentify or attempt to reidentify personal information from non-personal data.

See below for more information about exercising your privacy rights under POPA.

For more information on submitting a privacy complaint, click here.

Health Sector Privacy Law (applies to custodians)

Health Information Act

The Health Information Act (HIA or Act) applies to “custodians”, such as government departments responsible for health services in Alberta, provincial health agencies (Recovery Alberta, Assisted Living Alberta, Acute Care Alberta, Primary Care Alberta), hospital services (Alberta Health Services, Covenant Health, Lamont Health Care Centre), pharmacies and pharmacists, physicians, optometrists, registered nurses, dentists, and their health service providers or employees.

HIA protects privacy by controlling the ways a health custodian may collect, use or disclose health information, including diagnostic, treatment, care and registration information. Custodians are prohibited from collecting, using, or disclosing health information unless permitted by the Act.

Your health information may be used and disclosed by custodian for the purposes of providing you with health care including to other health care providers or other persons who may be involved in your health care. Your health information may also be used or disclosed for the purposes of managing the public health care system in Alberta and for making certain of your health information accessible electronically to those authorized to have this access. The electronic health care record in Alberta is called “Netcare”.

Custodians must consider your expressed wishes when deciding how much information to disclose to others and for making it accessible through Netcare. What this means is that if you inform your health care provider that you don’t want all of your health information, or certain kinds of information, such as highly sensitive health information, accessible by others, you can express this wish to a custodian and they must consider it before making the specified health information accessible.

If you were to express your wish to a custodian that you do not want your health information accessible through Netcare, the custodian could “mask” this information so that other care providers cannot access this information unless they “break the glass”, which means they may unmask it. Generally, this would only occur with your consent or in circumstances where you cannot give your consent due to your medical condition.

Your health information may also be disclosed with your consent. If disclosure of your health information is authorized without your consent, you have the right to ask about it. You also have the right to request a record – also known as an “audit log”. Requesting an audit log of Netcare accesses will show you who has accessed your health information in Netcare.

A custodian is required to protect your health information from loss, unauthorized access or disclosure and must notify you if your health information is involved in a breach and you are at risk of significant harm as a result of the breach.

In addition to the rights mentioned, you have the right under the HIA to request a correction of health information (not opinions), you have the right to access your health information and you can make a complaint if you believe that your health information has been collected, used, accessed or disclose contrary to the HIA.

It is an offence in the HIA to collect, use, access or disclose health information contrary to the HIA and to fail to protect health information as required by the Act.

See below for more information about exercising your privacy rights under HIA.

For more information on submitting a privacy complaint, click here.

Private Sector Privacy Law (applies to private organizations)

Personal Information Protection Act

The Personal Information Protection Act (PIPA or Act) applies to private organizations, such as businesses, employees, partnerships, trade unions and professional regulatory bodies.

PIPA protects privacy by controlling the ways a private organization may collect, use or disclose personal information and personal employee information.

Private sector organizations must have your consent to collect, use or disclose your personal information. Collection, use or disclosure without consent is authorized in some situations under PIPA. In addition to having consent, an organization must also have a reasonable purpose for this activity. The Act specifies that what is reasonable is what a reasonable person would consider appropriate in the circumstances.

If you are an employee, consent is not required for the collection, use or disclosure of personal employee information by the employer that is reasonably required for the work relationship.

A private sector organization is required to protect your personal information from loss, unauthorized access and use or disclosure and must notify you about a breach of your personal information if you face a real risk of significant harm from the breach.

You have rights under PIPA, including the right to request access to your own personal information. You may make a complaint to the Information and Privacy Commissioner if you believe that your personal information has been collected, used, disclosed, accessed inappropriately or breached. You may also make a complaint to the Commissioner if you believe that an organization’s practices are not in compliance with PIPA.

It is an offence under PIPA for an organization, to collect, use, disclose or attempt to gain access to your personal information contrary to the Act.

See below for more information about exercising your privacy rights under PIPA.

For more information on submitting a privacy complaint, click here.

Exercising your Privacy Rights

Complaints about the collection, use or disclosure of your own personal information

If you believe your personal or health information has been collected, used, or disclosed improperly under POPA, HIA, or PIPA, you may submit a complaint in writing to the Office of the Information and Privacy Commissioner (OIPC). Before submitting your privacy complaint to the OIPC, you must first make your complaint to the public body, custodian or private organizations (as applicable).

Your written complaint must provide enough detail to support your belief that your personal or health information has been collected, used or disclosed in contravention of the law.

The Commissioner may assign a staff member to try and informally resolve your complaint (referred to as the settlement phase). If the matter is not resolved during the settlement phase, the Commissioner will decide if the matter will go inquiry. An inquiry is a formal hearing that results in an order being issued. An order made by the OIPC is final.

General complaints about non-compliance with privacy laws (not your own personal information)

You may also submit a general complaint under POPA in the following two circumstances: POPA Privacy/Correction Request form

You believe a public body created personal information from matching (or linking) two or more sources of personal information (this is referred to in POPA as data derived from data matching) contrary to the requirements for this activity as specified in POPA.
You believe there has been an actual or attempted reidentification of data by a person after personal information has been rendered as non-identifiable by a public body as required by POPA or its regulations.

You may also submit a general complaint under PIPA if you believe that an organization’s practices for protecting privacy as required by this Act are not in compliance. PIPA Request for Review/Complaint form

About the OIPC

The Information and Privacy Commissioner is responsible to monitor compliance with Alberta’s privacy laws to ensure their purposes are achieved. The work of the Commissioner is performed through the Office of the Information and Privacy Commissioner.

The Commissioner has broad authority under these laws to investigate allegations of non-compliance and to issue binding orders to enforce compliance. The Commissioner also has a number of additional responsibilities under these laws including advocating for privacy rights of Albertans. The Commissioner is an officer of the Legislature and in this capacity operates independently from government ministers and departments.

Disclaimer

This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.

Access to information laws in Alberta

Chris Stinner — Wed, 11 Jun 2025 23:05:13 +0000

Access to information laws serve an important function in a modern society. The ability to access information directly from public institutions fosters openness and accountability. It also results in a more informed and engaged citizenry. It is one of the cornerstones of democracy.

The ability to access one’s own personal or health information is connected to protecting or advancing individual rights. Individuals are able to access their own personal and health information that public bodies, private sector organizations and custodians hold about them subject to limited and specific exemptions.

There are three laws in Alberta that facilitate access to information. These laws apply to the public sector (such as government, police, municipalities), health sector (such as hospitals, doctors, pharmacies, dentists), and private sector organizations (such as retail stores, online stores and social media and other apps, and contractors).

Below is a description about how these laws function and how you can exercise your rights under these laws. There is also information about the Office of the Information and Privacy Commissioner and the work we do.

Table of Contents

Public Sector
Health Sector
Private Sector
About the OIPC

Public Sector Access Law (applies to public bodies)

Access to Information Act

The Access to Information Act (ATIA or Act) applies to public bodies in Alberta. Public bodies include government ministries or departments, government agencies, boards and commissions, school boards and charter schools, universities and colleges, municipalities, and police.

ATIA went into force in June of 2025. It replaced the access to information part of the Freedom of Information and Protection of Privacy Act (FOIP Act). The FOIP Act is no longer in force in Alberta and has been repealed.

Under the ATIA, you have the right to:

Request access to any information contained in a record that is in the custody or control of a public body, including your personal information, subject to limited and specific exceptions set out in the law
Ask the OIPC to review a public body’s decision to withhold information from you in response to your access to information request
Ask the OIPC to review when a public body has not responded to your access request within timelines or if you dispute a time extension the public body has taken to respond to your request
Ask the OIPC to review a decision to release your personal or business information in response to another access request
Ask the OIPC to review fees the public body has charged, estimated, or refused to waive in connection with your access request
Ask the OIPC to review when a public body has disregarded or declared your request abandoned

To make an access request, submit it in writing to the public body that you think has the information. Provide enough detail to help find the information. You can ask to look at or receive a copy of the records.

An initial fee of $25 may be required when requesting access to general information. Additional fees may be charged depending on the extent of the request. You must be provided with an estimate of fees and you must accept the fees before your request is processed.

A fee does not apply to requesting your personal information except for the cost of producing a copy of the record. The fees that can be charged are set out in a Schedule to the ATIA Regulation. Fees can be waived in some situations, and you may ask the OIPC to review a decision to charge a fee.

There is no fee associated with asking the OIPC to review a decision made by a public body.

Health Sector Access Law (applies to custodians)

Health Information Act

The Health Information Act (HIA or Act) applies to “custodians”, such as the four government departments responsible for health services in Alberta, provincial health agencies (Recovery Alberta, Assisted Living Alberta, Acute Care Alberta, Primary Care Alberta), hospital services (Covenant Health, Lamont Health Care Centre), pharmacies and pharmacists, physicians, optometrists, registered nurses, dentists, and their health service providers or employees.

Under HIA, you have the right to:

Request access to your own health information from a health custodian
Ask the OIPC to review a health custodian’s decision to withhold information from you in response to your request for health information
Ask for a correction of your health information
Ask the OIPC to review a health custodian’s response to your request to correct your health information

To make an access request, submit it in writing to the health custodian that you think has the information. Provide enough detail to help find the information. You can ask to look at or receive a copy of the records.

An initial fee of $25 may be required when requesting access to a record containing health information. Processing of a request will not start until the $25 fee is paid, if applicable. Additional fees may be charged depending on the extent of the request. You must be provided with an estimate of fees and you must accept the fees before your request is processed.

A fee does not apply to requesting your health information except for the cost of producing a copy of the record. The fees that can be charged are set out in a Schedule to the HIA Regulation. Fees can be waived or reduced in some situations. You may ask the OIPC to review a decision to charge a fee.

There is no fee associated with asking the OIPC to review a decision made by a public body.

Private Sector Access Law (applies to private organization)

Personal Information Protection Act

The Personal Information Protection Act (PIPA) applies to private sector “organizations”, such as businesses, employees, partnerships, trade unions and professional regulatory bodies.

Under PIPA, you have the right to:

Request access to your own personal information from an organization. The organization may refuse access to your personal information in certain circumstances prescribed by PIPA. Instead of requesting access, you can choose instead to request information about the use or disclosure of your personal information by the organization.
Ask for a correction of your personal information
Ask the OIPC to review a private sector organization’s response to your request for access or correction

To make an access request, submit it in writing to the private sector organization that you think has the information. Provide enough detail to help find the information.

You are not able to ask for general information about an organization, for example financial statements of a condominium corporation. You can only ask for information that is about you. You can also ask to look at or receive a copy of the records.

You may be charged a fee for processing your request. No fees can be charged if requesting your information as an employee. You must be provided with an estimate of fees and you must accept the fees before your request is processed.

You may ask the OIPC to review a decision to charge a fee or how an estimate was created.

There is no fee associated with asking the OIPC to review a decision made by a private sector organization.

About the OIPC

The Information and Privacy Commissioner enforces how Alberta’s access to information laws are applied to ensure the purposes are achieved. The Commissioner reports to all members of the Legislative Assembly of Alberta and is independent from government ministers and departments

You may ask the OIPC to:

Review a public, health or private sector organization’s decision that relates to your request to access information, including a failure to respond, a time extension, or in the case of ATIA, if the public body has disregarded or abandoned your request.
Review a response to your request for correction
Review a public body’s decision to release information about you in response to another access request (ATIA Act only)

To ask for a review of your request for access information or a correction request under HIA and PIPA, you must:

Send your request to the OIPC in writing within the timelines set out in the laws
Provide the OIPC with a copy of your request for access or correction and a copy of the response to your request.

For more information on submitting a request to review a response to an access to information request under ATIA, HIA or PIPA, click here.

For more information on submitting a request to review a correction request, click here.

June 2025

Letters from OIPC to Government of Alberta regarding Bills 33 and 34 – November 20, 2024

Elaine Schiman — Wed, 20 Nov 2024 19:05:09 +0000

On November 20, 2024, the Office of the Information and Privacy Commissioner provided comments to the Government of Alberta regarding Bills 33 and 34, which were tabled in the Legislative Assembly of Alberta on November 6, 2024. The bills are designed to create two new pieces of legislation to replace the existing public sector access and privacy law, the Freedom of Information and Protection of Privacy Act (FOIP Act).

Please click here to read the OIPC’s letter and comments to the Minister of Technology and Innovation, Nate Glubish, on Bill 33.

Please click here to read the OIPC’s letter and comments to the Minister of Service Alberta and Red Tape Reduction, Dale Nally, on Bill 34.

PIPA: 10 Steps to Implement PIPA

ssibbald — Tue, 01 Mar 2022 20:50:59 +0000

Alberta’s Personal Information Protection Act (PIPA) sets out the rules for handling the personal information of an organization’s customers and employees. The Act came into effect in Alberta on January 1, 2004.

In the Act, organizations include corporations, unincorporated associations, trade unions, partnerships, and individuals running their own businesses. There are special rules that apply to non-profit organizations and self-governing professional organizations. PIPA does not regulate the collecting, using, or disclosing of personal information for domestic, artistic, literary, or journalistic purposes.

To implement the Act on private sector privacy, follow these steps.

1. Put Someone in Charge

Put someone in charge with enough authority and resources to do the job. This employee would be the contact for the public and employees when privacy issues arise.

You may want to assign other staff to help prepare the organization for the Act. A team is likely more effective since areas such as information technology, records management, legal services, human resources and operations will be affected.

2. Become Familiar with the Act

The staff working on privacy matters will need to be familiar with the Act.

3. Review How Your Organization Handles Personal Information

Look at how you handle personal information in the organization, from when it is collected to when it is destroyed. Ask these questions:

What personal information do we collect? Is any of it particularly sensitive information?
Why do we collect it?
Are individuals likely to be aware that we collect this information? Do they know why it is collected?
How do we collect it? Does it come from the individual at the cash register, a form, a survey, loyalty program, or online transaction? Is any personal information collected by a contractor located outside Canada, on our behalf?
What do we use it for? Where do we use it?
Who is it disclosed to? Does the organization contract out any functions or activities involving personal information? Does it go to any business partners?
Where do we keep it? Is it stored in one place or in several places? Is personal information transferred to another country for processing or storage?
How is it secured?
Who has access to or uses it? Who needs to have access?
When is it disposed of? How is it disposed of?
Do we have a process in place to deal with security breaches?

4. Put Your Practices to the Test

Consider whether your organization’s information handling processes measure up against the Act. Develop a plan to overcome any deficiencies, starting with the most problematic areas. These include your handling of the most sensitive personal information collected or of the most vulnerable to improper use or disclosure.

5. Develop Privacy Policies and Practices

Consult the staff that handles personal information when developing privacy policies and practices to comply with the Act. Written information on these policies must be available to the public on request.

Consider policies and practices in the following areas:

Protecting employee and customer personal information, and ensuring its accuracy, storage, and disposal.
Ways to obtain and record consents, and handling withdrawals of consent.
Ways to record uses and disclosures of personal information.
Ways to keep information as accurate as is needed for decision-making.
Adequate security measures to protect personal information, including information on- site, with staff traveling for business, or in the custody of contractors.
If service providers outside Canada are used to collect, use, disclose or store personal information, the countries in which those service providers are located, and the purposes for which the service providers are authorized to collect, use or disclose personal information.
Developing keep-and-destroy procedures so you can destroy personal information no longer required in a secure manner.

6. Train Staff

Ensure you adequately train staff for their responsibilities. Training may cover such areas as:

The principles of privacy protection.
The organization’s policies and practices.
How the Act affects their specific job and the personal information they handle or are responsible for.
How to handle or redirect questions received under the Act.
What to do in the event of a security breach.

7. Develop an Access and Complaint Handling Process

Employees or the public may send PIPA-related questions and complaints to you or to the Office of the Information and Privacy Commissioner. Set up sound, specific practices to handle these inquiries, as well as requests for access to, or for correcting, personal information.

8. Review and Revise Forms, and Create Notice Statements

In most situations, when an organization collects personal information, the organization needs to give notice of the purposes for the collection. If an organization uses a service provider outside of Canada to collect or process personal information, the organization must also notify the individual of how to access the organization’s policies on its use of service providers, as well as the position name of a person who is able to answer questions about the use of the service providers. Add these notices to forms and websites as necessary. Make sure the paper and online versions of the forms and notices are kept current and say the same thing.

9. Review and Revise Contracts

Your responsibility to protect personal information continues when the organization provides personal information to a contractor for processing. Contracts should contain clauses to clarify that the organization is legally responsible for that personal information. They should set out expectations regarding the collecting, using, and disclosing of personal information on the organization’s behalf.

Your organization can develop standard wording for agreements with contractors when personal information is disclosed for processing.

10. Consider Employees’ Personal Information

Personal employee information is also covered by the Act. “Personal employee information” is, in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purposes of establishing, managing or terminating an employment or volunteer work relationship, or managing the post- employment or post-volunteer work relationship. While consent is not required to collect, use or disclose personal employee information, activities unrelated to managing employees may require consent. An organization will need to decide when it requires an employee’s consent to collect, use, or disclose personal information. Build these processes into your normal business practices.

May 2010

PIPA on a Page

ssibbald — Mon, 28 Feb 2022 22:34:24 +0000

Obtain consent for collecting, using and disclosing personal information, except when inappropriate (for example, in an emergency or when consent would compromise the availability or accuracy of the information). Obtain the consent in a form appropriate to the kind of information concerned. If an individual modifies or withdraws his or her consent, respect the changes.
Collect personal information only for reasonable purposes and only as much as is reasonable for those purposes. Except when inappropriate, collect personal information directly from the individual concerned and inform the individual of how you will use and disclose the information.
Use and disclose personal information only for the purposes for which it was collected, unless the individual consents or the Act permits the use or disclosure without consent.
On request, provide an individual with information about the existence, use and disclosure of the individual’s personal information and provide access to that information, if reasonable. On request, correct information that is inaccurate.
Ensure that any personal information is as accurate as necessary for the collection purposes; ensure that personal information is secure; and keep the information only as long as reasonable for business and legal reasons.
Destroy or anonymize the personal information once it is no longer needed.
Notify the Information and Privacy Commissioner of an incident that involves the loss of or unauthorized access to or disclosure of personal information that may pose a real risk of significant harm to individuals.
Designate an individual to make sure you comply with the Act and make information about the organization’s management of personal information available on request.

May 2010

PIPA Guide

ssibbald — Mon, 28 Feb 2022 18:16:47 +0000