<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>OIPC Processes &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<atom:link href="https://oipc.ab.ca/resources/oipc-processes/feed/" rel="self" type="application/rss+xml" />
	<link>https://oipc.ab.ca</link>
	<description>Office of the Information and Privacy Commissioner of Alberta</description>
	<lastBuildDate>Thu, 16 Apr 2026 17:15:57 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://oipc.ab.ca/wp-content/uploads/2022/01/cropped-OIPC-Icon-32x32.png</url>
	<title>OIPC Processes &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<link>https://oipc.ab.ca</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Privacy Impact Assessment (PIA) Template and Completion Guide (POPA)</title>
		<link>https://oipc.ab.ca/resource/popa-pia-template-completion-guide/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Mon, 09 Mar 2026 12:55:24 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17354</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>Section 26 of the <em>Protection of Privacy Act</em> (POPA) requires a public body to prepare a privacy impact assessment (PIA) in prescribed circumstances and, if required by the regulations, submit the PIA to the Information and Privacy Commissioner in accordance with the regulations. In addition, as part of the Commissioner’s responsibility to monitor how POPA is administered to ensure that its purposes are achieved, the Commissioner may, as described in section 27(1)(j) of POPA, request a copy of a public body’s PIA.</p>
<p>Section 7(1) of the <em>Protection of Privacy Act</em> (Ministerial) <em>Regulation</em> (M-Regulation) lists the circumstances in which a public body must prepare and submit a PIA to the Commissioner.</p>
<p>This <strong>POPA PIA Template Completion Guide</strong> (“Completion Guide”) is a companion document to the <a href="https://oipc.ab.ca/popa/pia/template/" target="_blank" rel="noopener">POPA PIA Template</a>. The aim of this Completion Guide is to assist public bodies in completing the POPA PIA Template. This Completion Guide provides explanation or clarification, where necessary, for each question asked in the POPA PIA Template and describes what is expected of the public body in each question. We recommend that you complete the POPA PIA Template while consulting this PIA Completion Guide.<br />
The term “<strong>project</strong>” when used in this document means any administrative practice, program or service, or a change to any existing administrative practice, program or service that a public body plans to implement, which will involve the collection, use or disclosure of personal information and which includes one or more of the factors listed in section 7(5)(a) to (e) of the M-Regulation.</p>
<p>If a public body is unsure whether it is required to <span style="text-decoration: underline;">complete</span> a PIA or <span style="text-decoration: underline;">complete and submit</span> a PIA to the Information and Privacy Commissioner, the public body should consider using the <a href="https://oipc.ab.ca/popa/pia/tool/" target="_blank" rel="noopener">PIA Submission Assessment Tool</a> to make that determination.</p>
<p><span style="color: #ff0000;"><strong>Please note that sections in the POPA PIA Template with an asterisk (*) are mandatory and must be completed.</strong> <strong>Any PIA that does not complete the mandatory sections </strong><strong>will be deemed incomplete and will not be accepted for review by the OIPC.</strong></span></p>
<p>If you encounter issues while using the completion guide or have questions, please <a href="https://oipc.ab.ca/about-us/contact-us/" target="_blank" rel="noopener">contact us</a>.</p>
<p><span style="color: #ff0000;"><strong>Note: Public bodies <u>should not</u> submit this completion guide to the OIPC as part of their PIA submission.</strong></span></p>
<p>Given that section 26(1) of POPA requires a public body to prepare a PIA in prescribed circumstances and, if required by the regulations, submit it to the Commissioner in accordance with the regulations, the head of a public body is legally required to sign off on POPA PIAs. However, section 55(1) of POPA authorizes the head of a public body to delegate to any person any power, duty or function of the head under the Act, except the power to delegate under this section. Section 55(2) requires that a delegation under subsection (1) be in writing and may contain any conditions or restrictions the head of the public body considers appropriate. To this end, the Designate of a public body may sign off on the public body’s PIA if that Designate has been delegated such a power. A copy of the delegation of power should be included with the PIA.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#general-information-public-body-existing-pias-project">A. General Information About the Public Body or Bodies, Existing PIAs, and the Project*</a></li>
<li><a href="#project-details">B. Details About the Project*</a></li>
<li><a href="#privacy-management-program">C. Information About Your Privacy Management Program (PMP)*</a></li>
<li><a href="#personal-information-authority-collection-use-disclosure">D. Identify Personal Information Involved and Your Authority to Collect, Use or Disclose the Information*</a></li>
<li><a href="#access-correction-accuracy-retention-disposition">E. Access, Correction, Accuracy, Retention, Disposition*</a></li>
<li><a href="#protection-of-information">F. Protection of Information*</a></li>
<li><a href="#service-providers">G. Service Providers*</a></li>
<li><a href="#project-risk-assessment-mitigation">H. Project Risk Assessment and Mitigation*</a></li>
<li><a href="#appendix-a-data-matching">Appendix A. Data Matching</a></li>
<li><a href="#appendix-b-common-integrated-program-service">Appendix B. Common or Integrated Program or Service</a></li>
<li><a href="#appendix-c-automated-systems-innovative-technology">Appendix C. Use of Automated Systems or Other Forms of Innovative Technology</a></li>
<li><a href="#appendix-d-pia-cover-letter">Appendix D. PIA Cover Letter*</a></li>
<li><a href="#appendix-e-pia-submission-checklist">Appendix E. PIA Submission Checklist*</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="general-information-public-body-existing-pias-project"></a></p>
<h3>A. General Information About the Public Body or Bodies, Existing PIAs, and the Project*</h3>
<p><em>Questions in this section are asked as a legislative requirement and to assist the OIPC in processing the PIA file.</em></p>
<p><strong> Question 1</strong></p>
<p>Section 26 of POPA requires a public body to prepare a PIA in the circumstances listed in section 7 of the M-Regulation, when a project involves the collection, use or disclosure of personal information. If a public body is not collecting, using or disclosing personal information as part of its project, there is no requirement under POPA to submit a PIA to the Commissioner for the project.</p>
<p><strong> Question 2</strong></p>
<p>The legislation is clear on when a public body is required to prepare a PIA, and only in the prescribed circumstances as listed in the POPA PIA template is a public body required under POPA to submit a PIA to the OIPC. Please note that the list of highly sensitive information identified under section 1 of the M-Regulation is not an exhaustive list. Other personal information may be of high sensitivity.</p>
<p>In this question, if only the last checkbox (the loss of, unauthorized access to or unauthorized disclosure of the personal information could result in significant harm) is selected, the public body may not be required to submit a PIA to the Commissioner. Nonetheless, the OIPC recommends that public bodies use the POPA PIA template while preparing PIAs under section 7(1)(a) of the M-Regulation, as the Commissioner may request copies of those PIAs under section 27(1)(j) of POPA. Using the template will ensure that the public bodies complete their PIAs in alignment with the PIA requirements under POPA and the M-Regulation, on which the PIA template is based.</p>
<p><strong> Question 3</strong><br />
When a PIA is submitted to the OIPC as required under section 26 of POPA, the OIPC needs to know certain information about the public body, including who the head of the public body is at the time the PIA is submitted. This is because under POPA the head has specified duties, including for the protection of personal information (section 10(1)).</p>
<p><strong> Question 4</strong><br />
Section 7(4)(b) of the M-Regulation allows for two or more public bodies to submit a PIA for a common or integrated program or service, hence the need to know if the PIA is for such a project.</p>
<p><strong> Question 5</strong><br />
No additional explanation needed.</p>
<p><strong> Question 6 </strong><br />
No additional explanation needed.</p>
<p><strong> Question 7</strong><br />
Sometimes, a new PIA is related to a PIA which has already been submitted to the OIPC and is still under review. In such cases, it is important that the OIPC is aware of this PIA to ensure the recent PIA is not reviewed in isolation from the related PIA. There are also times where information in an existing PIA is referenced in a new PIA. It is also important to know if such a PIA exists or has been previously reviewed by the OIPC.</p>
<p><strong> Question 8</strong></p>
<p>A PIA amendment addresses privacy and security risks associated with changes to an existing project that impact the collection, use and/or disclosure of personal information. A PIA amendment focuses on areas that have changed in an existing project, and how the public body has identified and addressed privacy and security risks associated with the change. An amendment to a previously submitted PIA requires that the updated or new PIA is reviewed in consultation with the previously submitted PIA.</p>
<p><strong>Question 9</strong><br />
Some public bodies have their own filing convention for their internal use. Providing this number ensures the OIPC, in addition to the OIPC’s file number, references this number in its communication with the public body.</p>
<p><strong>Question 10</strong></p>
<p>This informs the OIPC whether the project under consideration has been implemented or not.</p>
<p><strong>Question 11</strong><br />
This question aims to inform the public body which sections of the appendices to the POPA PIA template are relevant to their project as well as relevant resource expertise needed to assist the public body in completing the technical aspect of the PIA. The question also informs the OIPC what to consider regarding legislative requirements during the PIA review process, as different projects may have unique privacy and security compliance issues to consider.</p>
<p>For projects that involve automated systems, section 7(3) of the M-Regulation states that a PIA must provide a level of detail commensurate with the complexity of the practice, program, project or service the PIA relates to. As such, the public body is required to also complete an Algorithm Impact Assessment (AIA). An AIA is a tool used for identifying and addressing the risks and impacts of automated decision-making systems. Typically comprising a set of questionnaires, the tool can be used to determine the impact level of an automated decision-making system including biases, human rights violations, ethical violations, marginalization and accessibility issues. The OIPC is in the process of developing an AIA tool. Once completed, it will be published on <a href="https://oipc.ab.ca/">https://oipc.ab.ca</a> and a link to it will be added to the POPA PIA Template and this document. In the interim, the OIPC recommends that where a project involves automated systems, public bodies consult industry standard algorithm impact assessment guidelines in preparing and submitting their AIAs with their PIAs.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="project-details"></a></p>
<h3>B. Details About the Project*</h3>
<p><strong>Question 12</strong><br />
This information assists the OIPC in understanding the project, its business rationale and the purpose or objective it intends to achieve for the public body. This question also informs the OIPC on why the collection, use and/or disclosure of personal information is required by the public body to meet the needs of the project. It is imperative that the public body provides sufficient detail on the project. In addition, in this question, the public body is required to provide technical information about the project under consideration. For instance, if the public body is a police agency implementing a body worn camera (BWC), the public body is expected to describe each body worn camera unit, its associated features and IT infrastructure that operates the BWC. Also, information on BWC storage media, how information is transferred from the camera to the IT network, where information is stored and who is responsible for managing the information, etc. must be provided. In other words, the entire lifecycle of the personal information involved must be addressed in all aspects of the project. The public body should also consider attaching technical details of the project as necessary.</p>
<p><strong>Question 13</strong></p>
<p>An electronic information system has specific technical requirements, such as logging and auditing and access controls, that need to be considered and assessed to ensure the access and privacy rights of Albertans are upheld, which is why we need this information.</p>
<p><strong>Question 14</strong></p>
<p>Other stakeholders’ involvement in a project may determine who is collecting, using or disclosing personal information in the project and as a result shed some light on how the public body ought to consider the legal authority for each stakeholder to collect, use and/or disclose personal information involved in the project.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="privacy-management-program"></a></p>
<h3>C. Information About Your Privacy Management Program (PMP)*</h3>
<p><strong>Question 15</strong></p>
<p>Section 25(1) of POPA requires a public body to establish and implement a PMP and make it public or provide a copy of the PMP upon request pursuant to section 25(5). These requirements will come into effect on June 11, 2026. The public body’s policies and procedures must comply with the requirements of POPA and its regulations. The OIPC has developed guidance to assist public bodies in meeting their PMP obligations under POPA.</p>
<p>Not having a PMP leaves a gap in the completion of the PIA. This could potentially lead to non-compliance. It is important to provide the OIPC PMP file number of the public body’s most current PMP where applicable, as doing so saves the public body time and effort by referencing the already submitted PMP and avoids duplication. Also, from a PIA review standpoint, it is relevant to review the PIA to assess the public body’s compliance with applicable legislation.</p>
<p><strong>For more information on PMPs please see the OIPC’s <a href="/popa/pmp/guide/" target="_blank" rel="noopener">Guidance for Public Bodies in Developing Privacy Management Programs</a>.</strong></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="personal-information-authority-collection-use-disclosure"></a></p>
<h3>D. Identify Personal Information Involved and Your Authority to Collect, Use or Disclose the Information*</h3>
<p><strong>Question 16</strong></p>
<p>This question ensures that the public body identifies the personal information that it intends to collect, use or disclose in the project. In doing so, the public body would have to start thinking about its legal authority to collect, use or disclose personal information and whether those authorities align with sections 4, 12 and 13 of POPA, respectively. In addition, the public body is required to consider the limitation principle under sections 12(4) and 13(4) of POPA. Under section 12(4) the public body needs to explain how the use of personal information in the project is <strong>only to the extent necessary</strong> to enable the public body to carry out its identified purposes in a <strong>reasonable manner</strong>. Similarly, under section 13(4) of POPA, the public body needs to explain how the public body’s disclosure of personal information is <strong>only to the extent necessary</strong> to enable the public body to carry out its identified purposes in <strong>a reasonable manner</strong>. Personal information means recorded information about an identifiable individual. Some examples of personal information include an individual’s name, home or business address, home or business email address, race, gender identity, fingerprints and financial history. For a complete listing of what is considered personal information, please see <strong>section 1(q) of POPA.</strong></p>
<p><strong>Question 17</strong><br />
Section 5 of POPA provides for the manner of collection of personal information. It is important that the collection of personal information for this project meets the requirements of section 5 of POPA. In this question, the public body needs to consider and explain how section 5(2) of POPA is complied with in this project if personal information is collected directly from the individuals who are the subjects of the information, including when and how a collection notice is provided to those individuals. In particular, the public body needs to explain whether section 5(2) of POPA applies to its project and how the public body complies with it.</p>
<p><strong>Question 18 </strong><br />
While there are legal authorities for public bodies in POPA to use or disclose personal information, there are situations where a public body may rely on individuals’ consent to use or disclose their personal information. Such consent must meet the prescribed requirements of section 2 of the Protection of Privacy Regulation (“the Regulation”). That is, the consent process for the project needs to clearly explain whether consent is obtained electronically or manually. Where consent is collected electronically, the public body should state how individuals give their consent. While a consent form is the implementation of the above consent requirements, public bodies need to have policies and procedures in place to collect and manage consent.</p>
<p><strong>Question 19 </strong><br />
There are circumstances where personal information can be collected indirectly, which means the collection comes from a source that is not the person whom the information is about. If that is the case in this project, this question gives the public body the opportunity to describe why, and how personal information is collected indirectly.</p>
<p><strong>Question 20</strong><br />
An information flow diagram is not the same as a business flow or a network diagram. An information flow diagram identifies the flow of specific pieces of information from one entity to another and when the entities involved are collecting, using or disclosing the information in question. It has arrows indicating the direction of flow of information between the entities. In some cases, information flow could be bi-directional between two entities. The information flows help in identifying the legal authority for collecting, using or disclosing personal information by each entity involved in the flow of the information. A network diagram depicts an IT network infrastructure or network segment and its associated components, which may include servers, routers, firewalls, databases, etc. A business flow diagram is a step-by-step process on how a specific business task is accomplished.</p>
<p><strong>Question 21 </strong><br />
No additional explanation needed.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="access-correction-accuracy-retention-disposition"></a></p>
<h3>E. Access, Correction, Accuracy, Retention, Disposition*</h3>
<p><strong>Question 22</strong></p>
<p>This question is asked to remind a public body to ensure it takes steps to make individuals aware of their rights to request access to their personal information that is in the custody or under the control of the public body. Usually, public bodies should be transparent by making their access to information request processes public, with specific contact information of a person or business unit that handles access to information requests. In certain circumstances, public bodies should make proactive disclosure to minimize the number of access requests they get.</p>
<p><strong>Question 23</strong><br />
While this may be addressed as part of the PMP, public bodies are required to have access request policies in place to ensure that Albertans can exercise their rights to access their information. Such a policy governs how a public body implements its access to personal information processes to ensure consistency in processing such requests.</p>
<p><strong>Question 24</strong></p>
<p>This question is asked to ensure a public body has established a process to make individuals aware of their right to request correction to their personal information involved in the project. Usually, public bodies should be transparent by making their correction to personal information request processes public with specific contact information of a person or business unit that handles correction requests.</p>
<p><strong>Question 25</strong></p>
<p>While this may be addressed as part of the PMP, public bodies are required to have correction request policies in place that govern how Albertans can exercise their rights to correct their personal information and to ensure consistency in processing such requests.</p>
<p><strong>Question 26</strong></p>
<p>Public bodies have an obligation to make every reasonable effort to ensure that information about individuals that the public body relies on to make decisions that affect those individuals is accurate and complete.</p>
<p><strong>Question 27</strong></p>
<p>It is important to understand how the public body complies with section 6(b) of POPA for this project by ensuring that there exists a retention and disposition policy for information used in this project to govern how long personal information must be retained.</p>
<p><strong>Question 28</strong></p>
<p>Implementing record retention and disposition policies into information systems ensures that information that has reached its retention period is automatically flagged by the system for disposition instead of it being a manual process that is prone to inconsistencies and human errors resulting in information being retained past its retention period. Information held longer than its retention period poses a risk of loss, unauthorized access, or unauthorized disclosure.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="protection-of-information"></a></p>
<h3>F. Protection of Information*</h3>
<p><strong>Question 29 </strong><br />
Information security classification means assigning security levels to information that are based on the sensitivity of the information in question. Classifying the information based on the public body’s information classification standard assists the public body to protect the information by implementing security controls that are proportionate to the classification levels of the information. Each public body is required to implement an information security classification system to assist the public body to classify information that it collects, uses or discloses as required under section 2(1) of the M-Regulation.<span style="color: #ff0000;"> Public bodies must meet this requirement before submitting their PIAs to the Commissioner for review.</span></p>
<p><strong>Question 30</strong><br />
The “reasonable security arrangements” standard set out in section 10(1) of POPA is determined by the security classification of the personal information involved in the project. If the security classification is high, then the security measures, i.e., the administrative, technical and physical safeguards, must be correspondingly high, whereas if the security classification is low, then fewer measures may suffice to meet the standard. <span style="color: #ff0000;">Section 6(2)(b) of the M-Regulation requires public bodies having custody or control of a high volume of personal information or highly sensitive personal information to have documented safeguards</span>. POPA does not stipulate a threshold for “high volume” or “significant percentage of the population”. The interpretation of this section of the M-Regulation is contextual in relation to the project. Although Section 1 of the M-Regulation deems certain personal information to be highly sensitive (biometric and financial information, and personal information of minors and seniors), this list is not an exhaustive or exclusive list. Other types of personal information may be deemed to be highly sensitive in specific contexts.</p>
<ol>
<li>Administrative safeguards govern the implementation of other protective measures and ensure that such measures are implemented consistently during the life cycle of the project. Consistent implementation of protective measures reduces vulnerabilities usually caused by lack of good security governance.</li>
<li>No additional explanation needed.</li>
<li>The technical safeguards should directly protect the information involved in the project, not just the general technical safeguards implemented by the public body. For instance, access controls should be specific for the project and describe how such controls ensure only authorized individuals have the right level of access to information involved in the project. In addition, any security assessment results, such as vulnerability assessments and penetration tests conducted specific to the project, should be included as part of the public body’s PIA submission, as such results provide additional information on risks that were identified and how they were resolved as part of the project implementation.</li>
</ol>
<p><strong>Question 31</strong><br />
Continuous assessment and monitoring of safeguards assists the public body in ensuring that the safeguards are working as expected. For instance, employees should be required to take refresher trainings on privacy and security. Also, monitoring controls such as intrusion detection and prevention systems should be implemented.</p>
<p><strong>Question 32 </strong><br />
Section 6(1)(b) of the M-Regulation requires public bodies to establish policies and procedures that ensure they comply with the public body’s obligations under POPA such as responding to incidents (unauthorized access to, unauthorized disclosure of or loss of personal information). Section 6(1)(d) of the M-Regulation also requires public bodies to train their employees about the employees’ obligations under POPA. As part of that training, public bodies should make their employees aware of their obligations under POPA, which includes notifying the public body of incidents under section 10(2) of POPA.</p>
<p><strong>Question 33 </strong><br />
Access control policies ensure that access to the Electronic Information System (EIS) is consistently managed, including requests to access the EIS, account provisioning and revocation of accounts when an employee no longer needs access to the EIS. Through enforceable access control policies, a public body will be able to ensure that an employee only gains access to the information they require to perform their job functions.</p>
<p><span style="color: #ff0000;">If the project involves a high volume of personal information or highly sensitive personal information, a documented access control policy must be attached to the PIA submission.</span> POPA does not stipulate a threshold for “high volume” or “significant percentage of the population”. The interpretation of this section of the M-Regulation is contextual in relation to the project. Although Section 1 of the M-Regulation deems certain personal information to be highly sensitive (biometric and financial information, and personal information of minors and seniors), this list is not an exhaustive or exclusive list. Other types of personal information may be deemed to be highly sensitive in specific contexts.</p>
<p><strong>Question 34</strong><br />
Having an access request process for the EIS ensures access requests are submitted by appropriate business heads for approval by the appropriate authority prior to processing and account provisioning. Each request should identify the permission level for employees requiring access and ensure the permission level gives the employee only the right access required for the specific job tasks.</p>
<p><strong>Question 35</strong><br />
All access requests to the EIS must be approved by the appropriate level of management, to ensure that employees who access the EIS are authorized to do so.</p>
<p><strong>Question 36 </strong><br />
It is important to ensure that access to the EIS is revoked in a timely manner when employees no longer need such access, to prevent potential unauthorized access to personal information. It is also to ensure dormant accounts are removed from the system, as such accounts pose security risks.</p>
<p><strong>Question 37</strong><br />
The access control table provides clarification on the access privileges of the users of the system including the kind of actions each user can take and what information the user can access, and how the permission limits users only to the information they need to perform their job tasks or functions. The public body’s information technology (IT) department plays a significant role in implementing access controls in systems and will be a good resource for assisting in completing this table.</p>
<p><strong>Question 38</strong><br />
Logging and auditing policies ensure that information systems are built and implemented to capture audit logs of activities that are occurring within the system, including unauthorized activities listed under section 10(2) of POPA. Such a policy also ensures proactive auditing of information systems to detect and manage incidents defined under section 10(2) of POPA.</p>
<p><span style="color: #ff0000;">If the project involves a high volume of personal information or highly sensitive personal information, a documented auditing and logging policy must be attached to the PIA submission.</span> POPA does not stipulate a threshold for “high volume” or “significant percentage of the population”. The interpretation of this section of the M-Regulation is contextual in relation to the project. Although Section 1 of the M-Regulation deems certain personal information to be highly sensitive (biometric and financial information, and personal information of minors and seniors), this list is not an exhaustive or exclusive list. Other types of personal information may be deemed to be highly sensitive in specific contexts.</p>
<p><strong>Question 39</strong><br />
Being able to capture and maintain audit logs of personal information means that the public body can identify and investigate unauthorized access to, unauthorized disclosure of, or loss of personal information in order to meet its obligations under section 10(2) and (3) of POPA and sections 4(3), (4) and (5) of the M-Regulation.</p>
<p><strong>Question 40</strong><br />
Proactive auditing is a way of monitoring access to an EIS to detect and respond to potential unauthorized access to, unauthorized disclosure of, or loss of personal information.</p>
<p><strong>Question 41</strong><br />
No additional explanation needed.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="service-providers"></a></p>
<h3>G. Service Providers*</h3>
<p><strong>Question 42 </strong><br />
Given that service providers, which include corporations, are considered employees under section 1(h) of POPA, a public body is accountable for the service provider’s compliance with POPA. Therefore, it is important for the public body to consider privacy issues that may involve the service provider’s role in relation to any personal information it may collect, use, disclose or access as an “employee” of the public body.</p>
<p><strong>Question 43</strong><br />
If a service provider will have access to personal information as part of providing its services to the public body or if it will collect, use or disclose personal information on behalf of the public body, the public body must ensure it complies with POPA as it relates to these activities. Therefore, the contract with the public body must address all related compliance issues such that, through the implementation of the terms of the contract agreed to between the public body and the service provider, the public body has confidence that the service provider will comply with POPA in providing its services concerning any personal information involved in service delivery. A service provider must also protect the personal information it has in its custody, or that it is otherwise responsible for, according to the terms of the contract, which must ensure compliance with section 10(1) of POPA, i.e., the security of the personal information must at minimum align with the public body’s security safeguards for this type of information. The agreement must also set out how the service provider interacts with the public body’s privacy management program. Without an agreement that addresses all these compliance-related issues, there is a risk of non-compliance by the public body as a result of the activities of its service provider. Consequently, any agreement entered into with a service provider must be reviewed by our office as part of the PIA review process. This is because the service provider agreement plays a central role in determining whether the service provider-employee is positioned within the terms of the contract to comply with POPA.<span style="color: #ff0000;"> <strong>Submitting a copy of the agreement with your PIA is a mandatory requirement</strong>.</span></p>
<p>Section 7(6) of the M-Regulation provides that where a public body is required under POPA or the Regulation to enter into an agreement relating to the practice, program, project or service the PIA relates to, the portions of the agreement relating to the protection of privacy must be submitted to the Commissioner together with the PIA. Under section 1(1)(h) of POPA, an “employee” includes those providing a service to the public body “under contract.” The contract with the service provider would demonstrate the public body’s authority under POPA to share personal information with the service provider or otherwise permit it to collect, use or disclose personal information on its behalf. Therefore, it is an essential part of the PIA submission.</p>
<p><strong>Question 44</strong><br />
A public body may delegate responsibility for responding to access to information requests to its service provider. However, the public body must ensure that its contractual agreement with the service provider adequately addresses access to information request processing and describes how the service will be provided to the public body.</p>
<p><strong>Question 45<br />
</strong>To ensure the public body is able to meet its obligations under POPA, the public body must ensure it maintains control of the personal information involved in the project where this information is collected or accessible by the service provider. This is required to ensure the personal information remains subject to POPA and the <em>Access to Information Act</em> (ATIA) to preserve the rights of individuals concerning their personal information under these Acts. Failure to retain control of the personal information amounts to a disclosure, which is prohibited under POPA without authority for said disclosure. This means that there is a high likelihood of a breach if a public body fails to retain control of personal information in an agreement and provides personal information to the service provider for the services. For this question, if the public body’s answer is yes, the public body must identify the specific sections of its contract with the service provider that ensure the public body maintains control of the information for the project. <span style="color: #ff0000;"><strong>Public bodies must meet this requirement before submitting their PIAs to the Commissioner for review.</strong></span></p>
<p><strong>Question 46</strong><br />
For this question, refer to the information set out in the commentary above for Question 43.</p>
<p><strong>Question 47</strong><br />
Service providers are considered employees of the public body and should have appropriate training prior to accessing personal information and continue to have refresher training for the duration of their contract (section 6(1)(d) of the M-Regulation).</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="project-risk-assessment-mitigation"></a></p>
<h3>H. Project Risk Assessment and Mitigation*</h3>
<p>This section of the PIA template requires public bodies to identify the project’s privacy and security risks and associated administrative, technical and physical safeguards that address these risks. This completion guide provides some <strong>example descriptions</strong> of the types of risks identified in the POPA PIA Template risk table.</p>
<p><strong>Question 48</strong><br />
Conducting security vulnerability assessments (VA) during the implementation of an information system that processes identifying information ensures exploitable security vulnerabilities or weaknesses are identified, prioritized and addressed in a timely manner. A penetration test (pentest) is performed to test if security controls are working as expected. VA and pentest are part of an overall risk management strategy and should be conducted periodically. Other security assessments can also be conducted and included in the PIA. Providing copies of these assessments with your PIA demonstrates the public body’s commitment to protect personal information pursuant to section 10 of POPA.</p>
<p><strong>H1. General Risks (to be completed for all PIA submissions) *</strong></p>
<p><strong>Risk 1</strong><br />
E.g., personal information is collected by the public body and/or the information system is configured to accept personal information that does not relate directly to and is necessary for the project. Systems built for the global market have default configurations that allow for the collection of vast amounts of personal information. Such systems should be hardened by disabling data fields that are not required for specific project implementations to manage the risk of over collection.</p>
<p><strong>Risk 2</strong><br />
E.g., information that was collected for this project is used for a purpose not directly related to the project, contrary to section 12 of POPA.</p>
<p><strong>Risk 3</strong><br />
E.g., information that was collected for this project is disclosed contrary to section 13 of POPA. Personal information could be intercepted while in transit due to lack of appropriate security control, leading to unauthorized disclosure. There are also situations where the public body or its employees disclose personal information for secondary purposes without legal authority. Unauthorized disclosure could also be via insecure disposal of information processing media.</p>
<p><strong>Risk 4</strong><br />
E.g., information collected for this project is accessed by unauthorized users or malicious software due to lack of reasonable safeguards, contrary to section 10(1) of POPA.</p>
<p><strong>Risk 5</strong><br />
E.g., information collected for this project is lost as a result of human error or malicious software attacks, such as ransomware, which renders information inaccessible. This may lead to the inability of the public body to perform its business functions or respond to requests from individuals to access their information. Disgruntled employees can also deliberately destroy personal information. Also, changes to IT systems without a proper IT change management process, and the lack of a disaster recovery strategy, could lead to loss of information.</p>
<p><strong>Risk 6</strong><br />
E.g., a public body loses control of electronic and/or paper-based information as a result of insufficient or absent contractual agreements with a third-party service provider. Loss of custody may involve the theft of paper records or a server that contains personal information in the public body’s premises.</p>
<p><strong>Risk 7</strong><br />
E.g., information collected for this project is inadvertently or maliciously destroyed contrary to POPA and the policies of the public body, such that the public body is unable to respond to access to information requests or carry out its business functions. Lack of an enforceable record retention and disposition policy could also lead to unauthorized destruction.</p>
<p><strong>Risk 8</strong><br />
E.g., information collected for this project is rendered inaccurate, or incomplete, contrary to section 6(a) of POPA. This may occur if employees are not adequately trained on good data entry practices or if system changes do not follow industry standard change management processes or information is not reasonably protected from unauthorized modification.</p>
<p><strong>Risk 9</strong><br />
E.g., personal information collected for this project is retained contrary to section 6(b) of POPA or the project retention procedures as established by the public body (section 7(2)(f) of the M-Regulation). In some cases, this may be a consequence of the absence of a record retention policy or lack of enforcement of an existing record retention policy.</p>
<p><strong>Risk 10</strong><br />
E.g., individuals’ information is collected for this project without providing proper notice at the time of collection, contrary to section 5(2) of POPA. Notice fails to align with the manner of collection and the requirement of POPA such as collecting personal information directly from individuals by telephone but providing notice via the public body’s website.</p>
<p><strong>Risk 11</strong><br />
E.g., the public body fails to make individuals aware of their rights to request access to or correction of their personal information, and how to make such requests.</p>
<p><strong>Risk 12</strong><br />
E.g., lack of or inadequate privacy breach management means that privacy breaches will not be consistently detected and managed. In addition, individuals affected by privacy breaches/incidents, the Commissioner and the Minister will not be notified in a timely manner as required under section 10(2) of POPA.</p>
<p><strong>Risk 13</strong><br />
E.g. without assessing third parties’ controls, the public body is unable to attest whether the third party reasonably protects personal information in respect of the services provided to the public body in compliance with POPA and its regulations. As a result, the public body could fail to meet its obligations to protect personal information under section 10 of POPA.</p>
<p><strong>Risk 14</strong><br />
E.g. personal information collected for this project for purposes under section 12 of POPA is being used for secondary purposes (e.g. to train artificial intelligence (AI) or by the third party for quality improvement purposes) without authority.</p>
<p><strong>Risk 15 </strong><br />
E.g., inadequate or absent logging capabilities of systems limit the ability of the public body to identify and manage privacy breaches of personal information. In addition, this limits the Commissioner’s ability to investigate access to personal information violations including investigating potential offences under section 60 of POPA.</p>
<p><strong>Risk 16</strong><br />
E.g., failure to have human oversight and validation measures for information systems could potentially lead to data accuracy and reliability issues.</p>
<p><strong>Risk 17</strong><br />
Failing to conduct a security vulnerability assessment means that the public body may not be aware of exploitable security vulnerabilities that exist in its environment and, as a result, would not take steps to address those security vulnerabilities in a timely manner, thereby exposing personal information to potential compromise.</p>
<p><strong>H2. Risks Associated with Cloud Computing</strong></p>
<p><strong>Risk 1</strong><br />
E.g., in a multitenant cloud environment, compromise of one environment could lead to the compromise of other environments due to inappropriate segregation and isolation of cloud resources. In addition, there could potentially be information leakage between environments leading to unauthorized disclosure of personal information.</p>
<p><strong>Risk 2 </strong><br />
E.g., lack of formalized contractual arrangements that specifically consider POPA requirements could lead to loss of custody and/or control of personal information stored in the cloud environment as well as gaps in security management and non-compliance with POPA.</p>
<p><strong>Risk 3</strong><br />
E.g. the absence of clear and good governance on privacy and security of personal information could result in gaps in privacy and security management leading to non-compliance with POPA.</p>
<p><strong>Risk 4</strong><br />
E.g., POPA requirements, including privacy breach management, are not addressed in the contractual agreement between the public body and the cloud provider, which could lead to non-compliance with section 10(2) of POPA.</p>
<p><strong>Risk 5</strong><br />
E.g. a cloud provider goes out of business or declares bankruptcy, making it impossible for the public body to access personal information in the provider’s environment.</p>
<p><strong>Risk 6</strong><br />
E.g., a cloud provider uses proprietary technologies, making it difficult for the public body to migrate services to another provider and locking in the public body. A public body may want to change providers if the existing provider suffers multiple security incidents that have caused privacy breaches.</p>
<p><strong>Risk 7</strong><br />
E.g., the USA PATRIOT Act and Cloud Act allow the US government to access personal information held by US-based companies in the US (USA PATRIOT Act) and anywhere in the world (Cloud Act).</p>
<p><strong>Risk 8</strong><br />
E.g., a cloud provider uses personal information for their own purposes, such as de-identifying personal information and/or using the personal information for training their AI models.</p>
<p><strong>Risk 9</strong><br />
E.g., the cloud provider sells personal information or fails to securely sanitize information processing media prior to re-use or disposition leading to unauthorized disclosure of the personal information.</p>
<p><strong>Risk 10</strong><br />
E.g., lack of reasonable authentication and authorization controls, such as failure to implement and enforce multifactor authentication, could potentially lead to unauthorized access to personal information.</p>
<p><strong>Risk 11</strong><br />
E.g., weak or absent encryption could lead to unauthorized access to and disclosure of personal information in transit and at rest.</p>
<p><strong>H3. Risks Associated with Research</strong></p>
<p><strong>Risk 1</strong><br />
E.g., the public body fails to assess whether non-identifying data can be used to accomplish the research purpose prior to disclosing individually identifying personal information or has not obtained the Commissioner’s approval for such disclosure as required under section 15(a) of POPA.</p>
<p><strong>Risk 2 </strong><br />
E.g., the public body fails to perform a public interest analysis prior to disclosing personal information for research or statistical purposes where the information is involved in data matching.</p>
<p><strong>Risk 3</strong><br />
E.g. the public body fails to conduct an assessment of risk of harm prior to disclosing personal information for research or statistical purposes where the information is involved in data matching.</p>
<p><strong>Risk 4</strong><br />
E.g., the public body has not approved conditions relating to security and confidentiality, the removal or destruction of individual identifiers and prohibition of subsequent use or disclosure of the information without express authorization of the public body.</p>
<p><strong>Risk 5 </strong><br />
E.g., a research agreement has not been signed prior to the public body disclosing personal information or the research agreement in place does not meet the requirements of section 15(d) of POPA and section 4 of the Regulation.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-a-data-matching"></a></p>
<h3>Appendix A. Data Matching</h3>
<p><em>Only complete this section if the project involves data matching as defined under section 1(f) of POPA.</em></p>
<p><strong>Question 1</strong><br />
No additional explanation needed.</p>
<p><strong>Question 2</strong><br />
There are specific circumstances in which a public body may carry out data matching as listed in section 17(1) of POPA. Any prescribed purposes will be found in the regulation; otherwise, such a purpose does not exist.</p>
<p><strong>Question 3</strong><br />
No additional explanation needed.</p>
<p><strong>Question 4</strong><br />
Prior to collecting personal information from another public body for the purpose of data matching, a public body must first create a governance structure that clearly identifies the responsibilities and accountability of each public body involved in carrying out the data matching to ensure access and privacy rights of Albertans are protected. The governance structure must clearly identify the responsibilities and accountability of each public body as it relates to:</p>
<ol>
<li>the custody and control of personal information,</li>
<li>the correction of errors or omissions in an individual’s personal information,</li>
<li>breach notifications, and</li>
<li>other duties imposed by the Act.</li>
</ol>
<p><span style="color: #ff0000;">Public bodies must meet this requirement before submitting their PIAs to the Commissioner for review.</span></p>
<p><strong>Question 5</strong><br />
The data matching agreement is required to ensure clarity regarding the roles and responsibilities of each public body involved in the data matching project as well as legislative compliance. The minimum requirements of the agreement are as follows:</p>
<p>The agreement must:</p>
<ol>
<li>identify<br />
(i) the authority under which the public body will carry out data matching, and<br />
(ii) the purpose for which the public body will carry out data matching,</li>
<li>identify each public body’s role and how each public body’s role relates to the purpose of the data matching to which the addendum relates,</li>
<li>describe how the personal information will be securely transmitted, matched or linked by the public bodies,</li>
<li>identify whether the data derived from the personal information used for data matching will be disclosed to the public body from whom the personal information was collected,</li>
<li>identify each public body’s responsibilities respecting reasonable security arrangements, including respecting administrative safeguards, physical safeguards and technical safeguards, for the protection of personal information against such risks as unauthorized access, collection, use, disclosure or destruction, and</li>
<li>establish a clear governance structure respecting the responsibilities and accountability of each public body.</li>
</ol>
<p><strong>Question 6</strong></p>
<p>This question requires that a public body participating in data matching identifies collections, uses or disclosures of personal information that only apply to that public body. In doing so, the public body is required, by law, to have an addendum for the unique collections, uses or disclosures to accompany the joint PIA submitted for the project.</p>
<p><strong>Question 7 </strong><br />
No additional explanation needed.</p>
<p><strong>Question 8</strong></p>
<p><strong>Risk Assessment and Mitigation &#8211; Risks Associated with Data Matching. </strong></p>
<p><em>This Completion Guide will provide some examples of the description of the types of risks identified in the Risk Assessment and Mitigation table for risks related to data matching. </em></p>
<p><strong>Risk 1</strong></p>
<p>E.g. section 7(2)(g) of the M-Regulation requires the establishment of a <span style="color: #ff0000;">clear governance structure respecting the responsibilities and accountability</span> of two public bodies involved in data matching if one public body is collecting personal information from another public body for the purpose of data matching.</p>
<p><strong>Risk 2</strong></p>
<p>E.g., this risk assessment is to ensure that section 17 of POPA is complied with, given that this section prohibits public bodies, except for the Office of Statistics and Information, from collecting personal information directly from an individual for the purpose of data matching.</p>
<p><strong>Risk 3</strong><br />
E.g., section 6 of POPA requires a public body to make every reasonable effort to ensure that an individual’s personal information is accurate and complete before using such information to make a decision that directly affects that individual.</p>
<p><strong>Risk 4</strong><br />
E.g., as required by section 6 of POPA, the quality of the source data will play a significant part in the quality of the resulting data from data matching, so it is important for public bodies to ensure that the quality of the source is validated prior to conducting the data matching.</p>
<p><strong>Risk 5</strong><br />
E.g., data matching activities normally take place in a test environment. The resulting data is then migrated to the production environment. Therefore, the test environment security controls should be proportionate to the security classification of the data involved in data matching. Failure to implement reasonable and proportionate security arrangements to protect personal information within the public body’s data matching environment exposes it to potential incidents under section 10(2) of POPA, especially given that a single test environment may be used for multiple projects and thus accessed by various users.</p>
<p><strong>Risk 6</strong><br />
E.g., this is about validating the final product. The public body should ensure that the final product is the desired outcome, and that no data errors are in the resulting data set, or if errors are identified, that they are addressed (section 6 of POPA).</p>
<p><strong>Risk 7</strong><br />
E.g., this is about securely cleaning the test environment that was used for data matching by securely deleting personal information from that environment before it is used for other purposes or used by other users to prevent potential unauthorized access to personal information.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-b-common-integrated-program-service"></a></p>
<h3>Appendix B. Common or Integrated Program or Service</h3>
<p><strong>Question 1</strong><br />
A common or integrated program or service must comply with specific requirements under POPA and the M-Regulation. It is therefore important for the public body to carefully consider those requirements prior to implementing a new common or integrated program or service or making changes to an existing common or integrated program or service.</p>
<p><strong>Question 2</strong></p>
<p>Since a common or integrated program or service requires each public body to identify its responsibilities and accountabilities, identifying each public body assists in determining the areas of responsibility and accountability for each public body.</p>
<p>For question 2c, if the PIA is for a change in an existing common or integrated program or service, providing an existing PIA file number assists the OIPC in making reference to relevant information in that file during the review of the current PIA as the public body focuses on addressing privacy and security risks associated with the change. The public body may also choose to use the existing Microsoft Word copy of the existing PIA to identify areas that have changed by striking the outdated information and entering updated or new information in a different-colour text.</p>
<p><strong>Question 3</strong></p>
<p>This question is about making sure that there is a governance structure in place for the common or integrated program or service. This governance structure <em>(a documented set of rules and processes that identify the roles, responsibilities and accountability for each public body participating in the integrated program or service)</em>, which clearly identifies responsibilities and accountabilities, <span style="color: #ff0000;">must be in place prior to the PIA being submitted to the Commissioner for review.</span></p>
<p>The governance structure must clearly identify the responsibilities and accountability of each public body as it relates to:</p>
<ol>
<li>the custody and control of personal information,</li>
<li>the correction of errors or omissions in an individual’s personal information,</li>
<li>breach notifications, and</li>
<li>other duties imposed by the Act.</li>
</ol>
<p><strong>Question 4</strong></p>
<p>This agreement is required to ensure each public body involved in a common or integrated program or service independently complies with POPA. The minimum requirements for such an agreement include:</p>
<ol>
<li>identify the purpose of the common or integrated program or service,</li>
<li>identify each public body’s roles and responsibilities respecting the common or integrated program or service and how the roles and responsibilities of each public body relate to the purpose of the common or integrated program or service,</li>
<li>identify each public body’s responsibilities under the Act,</li>
<li>establish rules respecting reasonable security arrangements, including respecting administrative safeguards, physical safeguards and technical safeguards, for the protection of personal information against such risks as unauthorized access, collection, use, disclosure or destruction, and</li>
<li>establish a clear governance structure respecting the responsibilities and accountability of each public body.</li>
</ol>
<p><strong>Question 5</strong></p>
<p>This question requires that a public body participating in a common or integrated program or service identifies collections, uses or disclosures of personal information that only apply to that public body. In doing so, the public body is required, by law, to have an addendum PIA for the unique collections, uses or disclosures to accompany the joint PIA submitted for the project.</p>
<p><strong>Question 6</strong></p>
<p><strong>Risk Assessment and Mitigation &#8211; Common or Integrated Program or Service Risks</strong></p>
<p><em>This completion guide will provide some examples of the description of the types of risks identified in the Risk Assessment and Mitigation table for common or integrated program or service risks</em></p>
<p><strong>Risk 1</strong><br />
E.g., a governance structure, including policies, is not in place or is inadequate, leading to inconsistencies in the management of the program that create exploitable privacy and security vulnerabilities.</p>
<p><strong>Risk 2</strong><br />
E.g., policies are not in place or are not clear on accountability for different aspects of the program including accountability for privacy.</p>
<p><strong>Risk 3</strong></p>
<p>E.g., the responsibilities of each public body involved in the common or integrated program including for privacy management are not clearly defined.</p>
<p><strong>Risk 4</strong></p>
<p>E.g., the information security classification for one or more public bodies does not align with the sensitivity of information, leading to gaps in the protection of personal information.</p>
<p><strong>Risk 5</strong><br />
E.g., the public bodies involved fail to make individuals aware of how they can exercise their access and privacy rights under POPA and ATIA, as applicable.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-c-automated-systems-innovative-technology"></a></p>
<h3>Appendix C. Use of Automated Systems or Other Forms of Innovative Technology</h3>
<p><strong>Question 1</strong></p>
<p>An Algorithm Impact Assessment (AIA) is a risk assessment or evaluation process that determines the impact of an automated system on individuals whose personal information is collected, used or disclosed in the use of automated systems such as artificial intelligence or other forms of innovative technology. Section 7(3) of the M-Regulation requires that a PIA contains a level of detail commensurate with the complexity of the practice, program, project or service the PIA relates to. As such, the public body is required to also complete an AIA. The OIPC is in the process of developing an AIA tool, which will be published on the OIPC website and a link included in the POPA PIA template and this document. In the interim, the OIPC recommends that where a project involves automated systems, public bodies consult industry standard algorithm impact assessment guidelines in preparing and submitting their AIAs with their PIAs.</p>
<p><strong>Question 2</strong></p>
<p><strong>Risks Associated with the use of Automated Systems or other forms of innovative technology.</strong></p>
<p><strong>Risk 1</strong><br />
E.g. failure to maintain custody or control of personal information ingested by an automated system due to lack of controls to securely and automatically delete information from the automated system.</p>
<p><strong>Risk 2 </strong><br />
E.g. lack of or insufficient automated systems governance policies and procedures leads to inconsistent implementation and use of automated systems, resulting in automated systems-related vulnerabilities and privacy compliance issues.</p>
<p><strong>Risk 3</strong><br />
E.g., automated systems, such as artificial intelligence, are known to hallucinate by fabricating results or outputs. Lack of monitoring, including lack of oversight of AI systems, leads to failures to detect and address hallucination issues.</p>
<p><strong>Risk 4</strong><br />
E.g., using poor quality and unreliable training data leads to issues with automated systems results including hallucination. In addition, using training data that is not an accurate representation of the population where the automated systems will be deployed could potentially lead to inaccurate results and bias.</p>
<p><strong>Risk 5</strong><br />
E.g. if inputs in automated systems are not validated and protected, such inputs can be manipulated prior to processing by the automated system. This makes input vulnerable to tampering and the automated system vulnerable to faulty results.</p>
<p><strong>Risk 6</strong><br />
E.g., without understanding whether the automated system model is static or dynamic, it may be difficult to implement the right monitoring mechanism for the model. For instance, while dynamic models continuously learn from new data sets in process, a static model is only as good as its last update.</p>
<p><strong>Risk 7</strong><br />
E.g., underfitting an automated system model with its training data means that the automated system model is trained to be too broad in its generalization, making the model prone to false positives when processing new data.</p>
<p><strong>Risk 8</strong><br />
E.g., overfitting an automated system model with its training data means that the automated system model is trained to align too closely with its training data, leading to lack of generalization by the model and making the model prone to false negatives when it processes new data.</p>
<p><strong>Risk 9</strong><br />
E.g., misconfiguration of an automated system is a security vulnerability that could be exploitable, potentially leading to unauthorized access to or disclosure of personal information.</p>
<p><strong>Risk 10</strong><br />
E.g., lack of processes for individuals to be made aware of and appeal decisions made by automated systems could infringe on individuals’ access and privacy rights.</p>
<p><strong>Risk 11</strong><br />
E.g., insufficient logging and auditing means that the activities of the automated system cannot be reasonably monitored to ensure it is working as expected or to detect potential compromise of the system.</p>
<p><strong>Risk 12 </strong><br />
E.g., lack of monitoring of the automated system based on established policies and processes means that issues with the functioning of the automated system cannot be detected and addressed in a timely manner.</p>
<p><strong>Risk 13</strong><br />
E.g., failure to conduct a vulnerability assessment means that exploitable vulnerabilities associated with an automated system cannot be identified and addressed. A copy of the results of the assessment should form part of the PIA to demonstrate the public body’s commitment to protect personal information pursuant to section 10 of POPA.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-d-pia-cover-letter"></a></p>
<h3>Appendix D. PIA Cover Letter *</h3>
<p>While the head of a public body may assign privacy responsibilities to other individuals within the public body, the head of the public body is ultimately accountable for meeting the public body’s obligations under POPA. To this end, the PIA must include a cover letter signed by the head of the public body.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>

<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-e-pia-submission-checklist"></a></p>
<h3>Appendix E. PIA Submission Checklist *</h3>
<p>This checklist helps the public body review its PIA and ensure that all sections of the PIA have been considered, relevant sections completed, and all supporting documents included in the PIA submission.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
March 2026</p>

		</div>
	</div>
<br />

<table id="tablepress-2" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2 from cache --></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Returning/Destroying Records</title>
		<link>https://oipc.ab.ca/resource/practice-note-returning-destroying-records/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Fri, 23 Jan 2026 16:43:27 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17278</guid>

					<description><![CDATA[January 2026]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<h2><strong>Overview</strong></h2>
<p>Since taking office in August 2022, Commissioner Diane McLeod has been reviewing the practices of the Office of the Information and Privacy Commissioner (OIPC) when it comes to returning/destroying records that parties provide to the Commissioner when she is performing her legislative functions. From this review, it has become apparent that there are varying interpretations of the circumstances in which records must be returned/destroyed, and therefore various practices under which some records have not been returned from files dating as far back as 15+ years.</p>
<p>Under section 56 of the <em>Freedom of Information and Protection of Privacy Act </em>(the FOIP Act), section 50 of the <em>Access to Information Act </em>(ATIA), section 29 of the <em>Protection of Privacy Act </em>(POPA), section 88 of the <em>Health Information Act </em>(HIA) and section 38 of the <em>Personal Information Protection Act </em>(PIPA), the Commissioner may require that any record be produced to the Commissioner in conducting a Commissioner-led investigation or an inquiry and, except for PIPA, in giving advice and recommendations. Records pertaining to investigations, inquiries and giving advice and recommendations are case file records of the OIPC.</p>
<p>Section 56(5) of the FOIP Act, section 88(5) of the HIA and section 38(5) of PIPA require that the Commissioner return any record or any copy of any record produced. Section 50(5) of ATIA and section 29(5) of POPA require that the Commissioner return any original paper record produced and destroy any copy of any record, including any electronic record, produced.</p>
<p>This Practice Note sets out how the Commissioner now intends to deal with the statutory requirement to return/destroy records that are required to be produced to the Commissioner.</p>
<p>&nbsp;</p>
<h2><strong>Records that the Commissioner will return</strong></h2>
<p>The Commissioner has determined that the following requirements must be met for returning records:</p>
<ul>
<li>There must have been a Commissioner-led investigation or inquiry or a request to give advice and recommendations.</li>
<li>The Commissioner must have required the records to be produced.</li>
<li>The Public Body, Custodian or Organization that produced the records must still be in existence.</li>
</ul>
<p>If the foregoing requirements are met, the Commissioner will return the following records:</p>
<ul>
<li>original paper records produced by a Public Body under ATIA and POPA</li>
<li>records that were produced to the Commissioner in an electronic medium such as a CD or USB key</li>
</ul>
<p>&nbsp;</p>
<h2><strong>Records that the Commissioner will not return</strong></h2>
<p>The Commissioner has determined that records provided in settlement will not be returned, as there is no authority to require records to be produced.</p>
<p>The Commissioner has also determined that records that the Commissioner required to be produced in a Commissioner-led investigation or an inquiry or in giving advice and recommendations will also not be returned if any of the following circumstances are met:</p>
<ul>
<li>The records that were produced are paper records that are not original paper records.</li>
<li>The Public Body, Custodian or Organization that produced the records no longer exists.</li>
<li>The records are a copy that the Commissioner made for the investigation or inquiry.</li>
<li>The records are a copy that the Commissioner made and provided to the Court.</li>
<li>The records were produced in an electronic form and provided to the Commissioner by email or by electronic document drop box.</li>
</ul>
<p>Any records set out above that are not returned will be destroyed according to the <em>Records Retention and Disposition Schedule </em>(the <em>Schedule</em>) of the OIPC. The current <em>Schedule </em>of the OIPC requires that case file records be retained for 20 years and then destroyed.</p>

		</div>
	</div>

<p>January 2026</p>

]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>OIPC Secure File Transfer System</title>
		<link>https://oipc.ab.ca/resource/oipc-secure-file-transfer-system/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Fri, 08 Aug 2025 14:42:30 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16985</guid>

					<description><![CDATA[The Office of the Information and Privacy Commissioner (OIPC) has implemented a new system to facilitate the safe exchange of&#8230;]]></description>
										<content:encoded><![CDATA[<p>The Office of the Information and Privacy Commissioner (OIPC) has implemented a new system to facilitate the safe exchange of electronic records between the OIPC and stakeholders across Alberta. The LiquidFiles system allows files to be sent and received through a web-based portal without requiring special software, and avoids the lack of protections associated with email and file-sharing tools. It is designed with encryption, malware scanning, automated patching, and other technical safeguards to protect sensitive, business confidential, or high-volume records. The OIPC’s implementation of LiquidFiles is hosted locally on our servers rather than the cloud. Files sent using LiquidFiles are stored within the OIPC’s internal network.</p>
<p>Stakeholders such as public bodies, health custodians, private sector organizations and members of the public may be invited to use LiquidFiles when sharing records with the OIPC. The recipient will receive an email from the OIPC with a link and instructions. Stakeholders wishing to send files must first contact the OIPC to obtain a unique link to upload their files.</p>
<p>&nbsp;</p>
<h3>Frequently-Asked Questions</h3>
<p><strong>Is this system secure?</strong></p>
<p><strong>Answer</strong>: The OIPC is committed to ensuring that information is handled in accordance with Alberta’s access and privacy laws. The use of LiquidFiles supports this goal by helping protect the confidentiality, integrity, and availability of records shared with the office. A security assessment was completed as part of the LiquidFiles implementation.</p>
<p>For more information about how LiquidFiles works and the security measures it uses, please consult the information available on the <a href="https://docs.liquidfiles.com/security/overview.html" target="_blank" rel="noopener">LiquidFiles Security Overview</a> page.</p>
<p>&nbsp;</p>
<p><strong>What if the records I need to send are too large for the system?</strong></p>
<p><strong>Answer</strong>: In this case, please contact the manager assigned to your file directly and they will assist you.</p>
<p>&nbsp;</p>
<p><strong>What is the retention period of records sent or received through that system?</strong></p>
<p><strong>Answer</strong>: Messages and files sent through the LiquidFiles system generally remain in this system for 30 days. Upon receiving information or records from submitters through the LiquidFiles system, OIPC employees will transfer them to our case management system.</p>
<p>&nbsp;</p>
<p>If you have any other questions not listed above about using LiquidFiles to share records with the OIPC, please <a href="https://oipc.ab.ca/about-us/contact-us/" target="_blank" rel="noopener">contact us</a>.</p>
<p>August 2025</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Procedures for Reviews and Privacy Complaints &#8211; Settlement Phase &#8211; ATIA and POPA</title>
		<link>https://oipc.ab.ca/resource/procedures-reviews-privacy-complaints-settlement-atia-popa/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 11 Jun 2025 22:54:03 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16877</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a></p>
<p>This document provides parties with a summary of the procedures under which reviews and privacy complaints are conducted under the new <em>Access to Information Act </em>(ATIA) and the <em>Protection of Privacy Act </em>(POPA) at the settlement phase.</p>
<p>In June of 2025, the <em>Freedom of Information and Protection of Privacy Act </em>(FOIP Act) was repealed and replaced with the ATIA and POPA. Please see below under the heading “Transition from FOIP to ATIA and POPA” for more information about whether your review falls under ATIA, POPA or the FOIP Act.</p>
<p>For information about the procedures for reviews and privacy complaints under the FOIP Act, HIA and PIPA see: <a href="/resource/procedures-reviews-privacy-complaints-settlement-foip-hia-pipa/" target="_blank" rel="noopener">Procedures for Reviews and Privacy Complaints &#8211; Settlement Phase &#8211; FOIP, PIPA, HIA</a>.</p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#what-is-review">What is a review?</a></li>
<li><a href="#what-is-investigation">What is an investigation?</a></li>
<li><a href="#settlement-phase">What is the settlement phase?</a></li>
<li><a href="#commissioner-mandate">Commissioner’s Mandate</a></li>
<li><a href="#transition">Transition from FOIP to ATIA and POPA</a></li>
<li><a href="#what-we-do">What We Do…</a></li>
<li><a href="#what-we-do-not-do">What We Do Not Do…</a></li>
<li><a href="#making-request">Making a Request for Review or Complaint to the Commissioner</a></li>
<li><a href="#time-limits">Time Limits to Request a Review</a></li>
<li><a href="#overview-proceedings">Overview of Proceedings</a></li>
<li><a href="#review-investigation">Review and Investigation</a></li>
<li><a href="#inquiries">Inquiries</a></li>
<li><a href="#timelines-completion">Timelines to complete a review</a></li>
<li><a href="#definitions">Definitions</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-is-review"></a></p>
<h2>What is a review?</h2>
<p>Under ATIA, the Commissioner has authority to review any decision, act or failure to act by the head related to requests for access to information.  The Commissioner also has authority to review a decision by the head of a public body to give access to information of a third party.</p>
<p>Under POPA, the Commissioner has authority to review the collection, use or disclosure of an individual’s own personal information if the individual believes that the collection, use or disclosure was in contravention of POPA.  The Commissioner also has authority to review any decision, act or failure to act of the head related to a correction request.</p>
<p>Reviews generally have two phases.  A settlement phase, which involves the Case Resolution Team attempting to settle the matter under review, and an inquiry phase, which is a formal adjudicative hearing conducted by the Adjudication Team from which an order is issued.  An inquiry may occur if settlement is not achieved.</p>
<p>Reviews under ATIA and POPA are subject to specified time limits.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-is-investigation"></a></p>
<h2>What is an investigation?</h2>
<p>Under POPA, the Commissioner is authorized to investigate privacy complaints about the following:</p>
<ul>
<li>That personal information about any person has been collected, used or disclosed by a public body contrary to POPA</li>
<li>That data derived from personal information or non-personal data has been created, used or disclosed by a public body contrary to POPA</li>
<li>Respecting the actual or attempted re-identification by any person of non-personal data created under section 21(1) of POPA</li>
</ul>
<p>The Case Resolution Team will generally try to settle privacy complaints. However, the Commissioner may decide to have the complaint formally investigated by the Investigation Team. At the conclusion of a formal investigation, an order may be issued.</p>
<p>Investigations into complaints are not subject to specified time limits in POPA.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="settlement-phase"></a></p>
<h2>What is the settlement phase?</h2>
<p>The settlement phase is the first phase of a review or complaint investigation.  It is a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  It may also be referred to as a mediation or investigation.  The majority of files are resolved at the settlement phase.</p>
<p>Please note that our office made some adjustments to our settlement procedures in 2024 and 2025 in the interest of creating greater efficiencies in our work. This page has been updated to reflect those changes.</p>
<p>Forms referenced in this document are available on our office’s website at <a href="https://oipc.ab.ca/forms/" target="_blank" rel="noopener">https://oipc.ab.ca/forms/</a>.</p>
<p>Please note that some important definitions are provided at the bottom of this page.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="commissioner-mandate"></a></p>
<h2>Commissioner’s Mandate</h2>
<p>The Commissioner is not a part of the Government of Alberta. The Commissioner is an independent Officer of the Legislature and reports directly to the Alberta Legislative Assembly.</p>
<p>The Commissioner, through the Office of the Information and Privacy Commissioner (OIPC), carries out the legislative and regulatory responsibilities related to Alberta public bodies set out in the following laws:</p>
<ul>
<li><em>Access to Information Act </em>(ATIA) [in force June 2025]</li>
<li><em>Protection of Privacy Act</em> (POPA) [in force June 2025]</li>
<li><em>Freedom of Information and Protection of Privacy Act</em> [repealed June 2025] (FOIP Act)</li>
</ul>
<h3>Transition from FOIP to ATIA and POPA</h3>
<p>Public bodies were subject to the FOIP Act until mid-June of 2025.  When ATIA and POPA are brought into force, these Acts will repeal the FOIP Act.  The ATIA applies to access to information requests.  POPA applies to review responses to correction requests made after POPA comes into force. It also applies to review complaints regarding the collection, use or disclosure of an individual’s own personal information by a public body where the individual first makes a complaint to the public body concerned.</p>
<p>The FOIP Act continues to apply to review responses to access or correction requests made, or third-party notification decisions made, prior to June 2025. It also applies to complaints about the collection, use or disclosure of personal information by a public body which occurred prior to the repeal of the FOIP Act. For more information, please see the <a href="https://oipc.ab.ca/resource/practice-note-transitional-foip-to-atia-popa/" target="_blank" rel="noopener">Practice Note-Transitional- FOIP Act to ATIA and POPA</a>.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-we-do"></a></p>
<h2>What We Do…</h2>
<ul>
<li>Review the decisions of public bodies in regard to requests for access to information or correction of personal information made under the Acts</li>
<li>Review complaints regarding the collection, use or disclosure of personal information</li>
<li>Under POPA, investigate complaints about whether an organization is in compliance with the Act, such as enquiries into an organization’s general practices</li>
<li>Try and settle reviews and complaints</li>
<li>Where settlement cannot be achieved or as instructed by the Commissioner, conduct inquiries and issue binding orders</li>
</ul>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-we-do-not-do"></a></p>
<h2>What We Do Not Do…</h2>
<ul>
<li>Act as an advocate on behalf of any party to a review or investigation</li>
<li>Release records that are the subject of a review</li>
<li>Store records on behalf of the Government of Alberta or any other party</li>
<li>Impose fines or award damages</li>
<li>Hear appeals of claims, benefits or decisions that do not fall under the Acts</li>
<li>Discipline, terminate or reinstate employees</li>
<li>Regulate the actions of individuals as private citizens</li>
<li>Regulate the constituency offices of members of the legislative assembly (but we do regulate certain access and privacy issues involving actions of cabinet members and ministries)</li>
</ul>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="making-request"></a></p>
<h2>Making a Request for Review or Complaint to the Commissioner</h2>
<p>Under the Acts:</p>
<ul>
<li>Using the <a href="/wp-content/uploads/2025/06/Form_ATIA-Request_for_Review_202506.pdf" target="_blank" rel="noopener">ATIA Request for Review form</a>, an applicant may ask the Commissioner to review any decision, act or failure to act by the public body that relates to an applicant’s access to information request</li>
<li>Using the <a href="/wp-content/uploads/2025/06/Form_ATIA-Third-Party_Request_for_Review_202506.pdf" target="_blank" rel="noopener">ATIA Third-Party Request for Review form</a>, a third party who has been notified by a public body under ATIA that its information will be given to an applicant may ask the Commissioner to review that decision</li>
<li>Using the <a href="/wp-content/uploads/2025/06/Form_POPA-Privacy_Correction_Request_for_Review_202506.pdf" target="_blank" rel="noopener">POPA Privacy/Correction Request form</a>, an individual may ask the Commissioner to investigate if they believe that their own personal information has been collected, used or disclosed in contravention of POPA</li>
<li>Any person may ask the Commissioner to investigate whether an organization or public body is in compliance with POPA, such as enquiries into an organization’s general practices.</li>
</ul>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="time-limits"></a></p>
<h2>Time Limits to Request a Review</h2>
<p>A review may be requested by completing and submitting the applicable request for review form (see “Making a Request for Review or Complaint to the Commissioner” above) to the OIPC within the following timelines:</p>
<p><strong>Note</strong>: for the interpretation of “business day” please see <a href="/resource/practice-note-business-day-atia-popa/" target="_blank" rel="noopener">Practice Note &#8211; Business Day &#8211; ATIA and POPA</a></p>
<h3>ATIA</h3>
<p>For reviews of access requests, within 60 business days after an applicant is notified of the decision, act or failure to act that is the subject of the request.</p>
<h3>POPA</h3>
<p>For correction requests, within 60 business days after the individual is notified of the decision, act or failure to act that is the subject of the request.</p>
<p>For reviews concerning the collection, use or disclosure of one’s own personal information that may be contrary to POPA, no sooner than the expiry of the 30 business days that the public body has to respond to the privacy complaint AND within 60 business days after receiving a response to the privacy complaint from the public body &#8211; or in the case of non-response, within 60 business days after the 30 business days the public body had to respond.</p>
<h3>ATIA and Third Parties</h3>
<p>For third party reviews, within 20 business days after being notified by a public body of its decision to give an applicant access to third party information. The Commissioner has no power to allow a third party a longer period to submit a request for review.</p>
<p><em>Note this important process change for public bodies and third parties: </em></p>
<p><em>As of <strong>February 1, 2024</strong>, the OIPC no longer conducts courtesy searches on behalf of public bodies to determine if a third party request for review has been received by this office.  ATIA now requires that a third party deliver a written request to the Commissioner <u>and </u>the head of the Public Body.   </em></p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="overview-proceedings"></a></p>
<h2>Overview of Proceedings</h2>
<h3>Intake</h3>
<p>To initiate a review or make a privacy complaint, the applicable form must be completed (see “Making a Request for Review or Complaint to the Commissioner” above) AND submitted together with all supporting documents <u>in one submission</u>. Otherwise, the submission will be returned. We also enforce a 15-page limit for submissions.</p>
<p>Every submitted form is checked for:</p>
<ul>
<li>Jurisdiction &#8211; is it something the OIPC can do under one of the Acts?</li>
<li>Whether it was received by the OIPC within the required time limits</li>
<li>Whether there is evidence that substantiates the request for review or complaint</li>
</ul>
<p>Any person who submits a form for making a review or complaint will be contacted at the intake stage to discuss their submission and obtain clarification. They must be available to participate in our process and respond to requests in a timely manner, usually by phone and/or email. Otherwise, a file may not be opened. Any person who cannot meet this requirement may name an agent to represent them.</p>
<p>The responding public body may also be contacted at this stage, as required.</p>
<p>Please note our refer-back process for privacy complaints and adequacy of search reviews.</p>
<p><strong>Refer-back for privacy complaints</strong></p>
<p>For complaints regarding the collection, use or disclosure of personal information under POPA about one’s own personal information, individuals must first make the complaint to the public body as required by POPA.</p>
<p><strong>Refer-back for adequacy of search reviews</strong></p>
<p>For reviews under ATIA where the only concern is that an applicant believes the public body holds more responsive records than what were processed in the request (an ‘adequate search concern’), the applicant must first submit the concern directly to the public body, along with supporting evidence as to why they believe additional records exist.</p>
<p>We require that the public body be given at least 30 business days to respond.  After attempting to resolve the matter directly with the public body, if the applicant still has reason to believe the response does not comply with the relevant law they can bring the concern back to our office. At that point, our office will consider whether further investigation by the OIPC is warranted.</p>
<p><strong>Issue identification</strong></p>
<p>At the intake phase, the Intake Team will work with the person who submitted a form for making a request for review or privacy complaint to identify the issues for review or investigation.  Only those issues that (a) have enough evidence; and, (b) are within our jurisdiction will move forward. The identified issues will be communicated to the person to confirm their understanding and, if applicable, to advise on the limits of our jurisdiction.</p>
<p>If the OIPC proceeds with a review or investigation, a file is opened, and an acknowledgment letter (containing the confirmed issues) is sent to the person and the public body. A copy of any request for review form submitted is included with the letter. Forms submitted containing general privacy complaints made under POPA are not provided to the public body.</p>
<p>The letter to the public body will ask it to provide a contact person who will be responsible for working with the assigned investigator to settle the matter. The contact person must have the ability to settle the issues. This means that they must have timely access to the decision-maker or directly involve the decision-maker in the conversations.</p>
<p><strong>New records requirements and timelines</strong></p>
<p>For access request reviews, the public body will also be asked to provide a copy of the records to the OIPC with the inclusion of a records index within 7 business days of a notification letter, in accordance with the <a href="/resource/practice-note-preparing-records-at-issue-and-index-of-records/" target="_blank" rel="noopener">Practice Note &#8211; Preparing Records at Issue and Index of Records</a>.  It may also be asked to provide the OIPC with a copy of the access request and any correspondence concerning the request with the applicant.  The OIPC will provide a link to securely send records and any other sensitive documentation to the OIPC.</p>
<p>The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed, or information withheld under sections 4(1)(a), (s), (t), (w), 27, 32(1)(a) or 32(2) of the ATIA. Public bodies (Respondents) will be required to provide a submission that contains the page numbers and an explanation that supports the application of the sections to the records.  The <a href="/resource/practice-note-providing-affidavits-and-other-evidence/" target="_blank" rel="noopener">Practice Note &#8211; Providing Affidavits and other Evidence</a> provides an explanation as to the expected content of the submission, even though it is not usually in affidavit form at the settlement stage.</p>
<p><strong>Request for Review Forms and Attachments Are Disclosed</strong></p>
<p>A copy of any request for review form and any attachments submitted along with the form must be disclosed to the public body under section 60(1)(a) of ATIA and section 39(1)(a) of POPA.  As a result, any person submitting one of these forms should specify to the OIPC if there is information in the form or accompanying attachments that they want the Commissioner to consider removing before sharing with the public body.  In considering these requests, consideration will be given to whether the information should be disclosed for fairness purposes or if it is necessary to conduct the review.</p>
<p><strong>Address for Service</strong></p>
<p>Each party to a review or investigation must provide an address for service to which all official communications will be sent for the purposes of the review or investigation.</p>
<p>As noted above, we must have an effective and timely means of communication with the parties.  As such, each party is to provide us with an email address for this purpose.  We also require a mailing address which may be used to deliver certain correspondence related to the file.  We will use secure email or other forms of secure electronic transmission to send communications containing sensitive information.</p>
<p><strong>Person making the request for review or complaint</strong></p>
<p>The address for service is to be identified on the applicable form.</p>
<p><strong>Public Body</strong></p>
<p>The address for service of the public body will be identified in the acknowledgement letter that the OIPC sends to each party as part of the initial notification process.</p>
<p><strong>Changes or Updates</strong></p>
<p>A party must use the Change of Contact and/or Address for Service Form on the OIPC website to update contact information or the address for service at any time during the review/investigation.</p>
<p>The address for service of each party will be circulated to all other parties.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="review-investigation"></a></p>
<h2>Review and Investigation</h2>
<p>An OIPC investigator, known as a Senior Information and Privacy Manager (SIPM), will be assigned to try to settle your request for review or privacy complaint.</p>
<p>The office receives a high volume of requests for reviews and complaints. As such, your file may be inactive until the SIPM has the capacity to begin to work on it.  The parties will be notified when the SIPM starts actively working on the file.  While the parties wait to hear from the SIPM, we encourage the parties to try to resolve the matter directly with one another.</p>
<p>Our new case resolution process involves us trying to settle matters under review or investigation in as short a time as is possible.  That is why we try to settle matters verbally over the phone.  As such, once a file is activated, we must be able to reach the parties, usually by phone, in a timely manner in order to participate in our settlement process.  If we cannot reach the party who requested the review or made the complaint, we may discontinue the review or investigation.  If this occurs, the parties will be notified.</p>
<p>The OIPC has shorter timelines to complete reviews under ATIA and POPA.  Therefore, it is imperative that all parties to a review provide requested information and be available for discussions about the matter in a timely fashion.  Requests to extend deadlines for providing information or discussing settlement must be reasonable with consideration for the shortened timelines.</p>
<p>The SIPM begins the review or investigation by examining the confirmed issues, the submissions received, and, in the case of a review of an access request, the records provided by the public body.  The SIPM also reviews the relevant law and any past cases that have interpreted the law against the issues to be determined.</p>
<p>The SIPM will contact the Respondent to gather any relevant evidence necessary to form an opinion about whether the law was complied with by the Respondent.</p>
<p>The SIPM may also need to contact the person who made the request or complaint for additional information.  Please note that we will not accept documented evidence from any party unless it is requested by the SIPM.  Any unsolicited evidence will be returned or deleted.</p>
<p>The SIPM will form an opinion about whether the Respondent has complied with the law as it relates to the issues under review or investigation.  The SIPM will discuss the opinion with the parties in an effort to settle the issues.  The Respondent may agree to take certain actions in order to remedy any non-compliance.</p>
<p>Any resolution reached will be documented in writing and sent to the parties.  As applicable, the SIPM will ensure that any agreed-upon terms are followed by the Respondent.</p>
<p><strong>New rules respecting late raising of discretionary exceptions to access reviews</strong></p>
<p>The OIPC will not consider any late raising of discretionary exceptions under ATIA at the settlement phase after the acknowledgement letter is issued.  This is because, at that time, we have confirmed the issues with the applicant.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="inquiries"></a></p>
<h2>Inquiries</h2>
<p>If any or all of the issues are not settled during the settlement phase of a review, and the person who made the request for review wants to proceed further in the review process to inquiry, the SIPM will work with the parties to determine any agreed-upon facts.  The file will then be brought to the Commissioner to determine whether an inquiry will proceed, <em>only </em>on those unsettled issues.</p>
<p>Once the file is transferred to the Commissioner, the SIPM will close the file at the settlement stage.</p>
<p>Inquiries are formal adjudicative proceedings.  The inquiry process is not an examination of the process or an evaluation of the findings and recommendations made during the settlement phase. The inquiry gives the parties an opportunity to present their evidence “de novo” (from the beginning) and to rebut or support evidence presented by the other party.</p>
<p>The Commissioner may refuse to conduct an inquiry in certain circumstances:</p>
<ul>
<li>The subject matter has been dealt with in an order or investigation report of the Commissioner</li>
<li>The circumstances warrant refusing to conduct an inquiry (for instance, if there is no meaningful remedy)</li>
<li>Under ATIA, the applicant has not attempted to resolve the matter directly with the public body concerned.  The Commissioner currently considers this factor in relation to single-issue adequacy of search concerns.</li>
<li>Under POPA, a person who believes that their own personal information has been collected, used or disclosed in contravention of the Act did not make a complaint to the public body concerned before delivering a request for review to the Commissioner</li>
</ul>
<p>A decision by the Commissioner to refuse to conduct an inquiry will be issued to the parties in writing.</p>
<p>If any unsettled issues proceed to inquiry, a Confirmation of Inquiry letter will be issued to the parties, which will confirm the issues for the inquiry.  A Notice of Inquiry will be issued at a later date which includes a copy of the applicable request for review form and attachments and sets out a schedule of dates for the written submissions of the parties.</p>
<p><strong>Note: Under POPA, only reviews of an allegation of collecting, using or disclosing one’s own personal information and reviews related to correction requests may proceed to inquiry; general privacy complaints cannot.</strong></p>
<p><strong>Affected Parties and Intervenors</strong></p>
<p>Some inquiries may include “affected parties”.  An affected party is any other party who, in the opinion of the Commissioner, is affected by the request for review.  A copy of the request for review form and attachments may be provided to the affected party.</p>
<p>An affected party may make representations to the Commissioner at inquiry, but is not required to participate.</p>
<p>In certain cases, the Commissioner may give intervenor status to parties, if the Commissioner determines it is appropriate.  An intervenor can be useful in bringing a broader perspective to issues than the parties involved.</p>
<h3>Order</h3>
<p>On completing an inquiry, the Commissioner or delegated adjudicator must issue an Order disposing of the matter.</p>
<p>An Order made by the Commissioner or delegated adjudicator is final.  However, a party may apply to the Court of King’s Bench of Alberta for judicial review of an Order.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="timelines-completion"></a></p>
<h2>Timelines to complete a review</h2>
<p>ATIA and POPA set out 180 business days to complete a review and may extend up to another 180 business days if needed to complete an inquiry.  These timelines apply to the time taken when the Commissioner authorizes a staff member to try and settle the matter under review.  A maximum of 180 business days will be allotted to the settlement phase prior to inquiry.</p>
<p>How will the OIPC count the 180 business days timeline for completion under ATIA/POPA?</p>
<p>The OIPC considers a review to be “received” under section 60(1) of ATIA and section 39(1) of POPA and the 180 business days timeline starts once we have determined that:</p>
<ul>
<li>we have jurisdiction to conduct the review, and</li>
<li>the OIPC has confirmed the issues for review in writing with the person who asked for the review.</li>
</ul>
<p>Parties will be notified as to the anticipated date for completion and any extensions to the anticipated date for completion.</p>

		</div>
	</div>

<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="definitions"></a></p>
<h2>Definitions</h2>
<ul>
<li>Applicant &#8211; a person who makes an access to information request under ATIA or a request for correction under POPA concerning their own personal information</li>
<li>Complainant &#8211; a person who makes a general complaint about the privacy practices of a public body under POPA</li>
<li>Public Bodies &#8211; public sector entities subject to ATIA and POPA</li>
<li>Senior Information and Privacy Manager (SIPM) &#8211; the person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the settlement phase.  May also be referred to as an investigator</li>
<li>Settlement &#8211; a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  May also be referred to as a mediation or investigation</li>
<li>Third Party &#8211; a person, a group of persons, or an organization other than an applicant or other person who requests a review under POPA and the public body that is involved in the review</li>
</ul>
<p>If you have any questions with respect to the OIPC review or investigation process, please <a href="/about-us/contact-us/" target="_blank" rel="noopener">contact the OIPC</a>.</p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
June 2025</p>

		</div>
	</div>
<br />

<table id="tablepress-2-no-3" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-3 from cache --></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Procedures for Reviews and Privacy Complaints &#8211; Settlement Phase &#8211; FOIP, HIA, PIPA</title>
		<link>https://oipc.ab.ca/resource/procedures-reviews-privacy-complaints-settlement-foip-hia-pipa/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 11 Jun 2025 21:55:49 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16873</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a></p>
<p>This document provides parties with a summary of the procedures under which reviews and investigations into privacy complaints are conducted under the <em>Freedom of Information and Protection of Privacy Act </em>(FOIP Act), the <em>Health Information Act </em>(HIA) and the <em>Personal Information Protection Act </em>(PIPA) at the settlement phase.  FOIP Act applies to public bodies, such as government departments, municipalities and police services.  HIA applies to health custodians including hospitals, physicians and dentists.  PIPA applies to organizations operating in the private sector.</p>
<p>In June of 2025, the FOIP Act was repealed and replaced with the <em>Access to Information Act </em>(ATIA) and the <em>Protection of Privacy Act</em> (POPA).  Please see below under the heading “Transition from FOIP to ATIA and POPA” for more information about whether your review falls under ATIA, POPA or the FOIP Act.</p>
<p>For information about the procedures for reviews and privacy complaints under the new <strong>ATIA and POPA</strong>, see:  <a href="https://oipc.ab.ca/resource/procedures-reviews-privacy-complaints-settlement-atia-popa/" target="_blank" rel="noopener">Procedures for Reviews and Privacy Complaints &#8211; Settlement Phase &#8211; ATIA and POPA</a>.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#what-is-review">What is a review?</a></li>
<li><a href="#what-is-investigation">What is an investigation?</a></li>
<li><a href="#settlement-phase">What is the settlement phase?</a></li>
<li><a href="#commissioner-mandate">Commissioner’s Mandate</a></li>
<li><a href="#transition-foip-atia-popa">Transition from FOIP to ATIA and POPA</a></li>
<li><a href="#what-we-do">What We Do…</a></li>
<li><a href="#what-we-do-not-do">What We Do Not Do…</a></li>
<li><a href="#making-request">Making a Request for Review or Complaint to the Commissioner</a></li>
<li><a href="#time-limits">Time Limits to Request a Review</a></li>
<li><a href="#overview-proceedings">Overview of Proceedings</a></li>
<li><a href="#definitions">Definitions</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-is-review"></a></p>
<h2>What is a review?</h2>
<p>The Commissioner has authority under the FOIP Act, HIA and PIPA to review certain matters.</p>
<p>Under the FOIP Act, the Commissioner has authority to review the following matters:</p>
<ul>
<li>any decision, act or failure to act by the head of a public body related to requests for access to information,</li>
<li>a decision by the head of a public body to give access to information of a third party,</li>
<li>whether a public body has collected, used or disclosed an individual’s own personal information contrary to the Act, and</li>
<li>any decision, act or failure to act of the head related to a correction request.</li>
</ul>
<p>Under the HIA, the Commissioner has authority to review the following matters:</p>
<ul>
<li>any decision, act or failure to act of a custodian related to a request for access or correction concerning one’s own health information,</li>
<li>where an individual believes that their own health information has been collected, used or disclosed by a custodian contrary to HIA, and</li>
<li>the refusal of a health custodian to disclose health information pursuant to s.47(2).</li>
</ul>
<p>Under PIPA the Commissioner has authority to review any decision, act or failure to act of an organization related to a request for access by an individual to their own personal information.</p>
<p>Reviews generally have two phases.  A settlement phase, which involves the Case Resolution Team attempting to settle the matter under review, and an inquiry phase, which is a formal adjudicative hearing conducted by the Adjudication Team from which an order is issued.  An inquiry may occur if settlement is not achieved.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-is-investigation"></a></p>
<h2>What is an investigation?</h2>
<p>Under PIPA, the Commissioner is authorized to investigate privacy complaints about the following:</p>
<ul>
<li>personal information has been collected, used or disclosed by an organization in contravention of this Act or in circumstances that are not in compliance with this Act,</li>
<li>notification of an incident described in section 34.1 has not been provided in accordance with this Act, and</li>
<li>an organization is not in compliance with this Act.</li>
</ul>
<p>The Case Resolution Team will also generally try to settle privacy complaints.  If settlement cannot be achieved, the matter may move to inquiry, as in the case of reviews.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="settlement-phase"></a></p>
<h2>What is the settlement phase?</h2>
<p>The settlement phase is the first phase of a review or complaint investigation.  It is a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  It may also be referred to as a mediation or investigation.  The majority of files are resolved at the settlement phase.</p>
<p>Please note that our office made some adjustments to our procedures in 2024 and 2025, in the interest of creating greater efficiencies in our work. This page has been updated to reflect those changes.</p>
<p>Forms referenced in this document are available on our office’s website at <a href="https://oipc.ab.ca/forms/" target="_blank" rel="noopener">https://oipc.ab.ca/forms/</a>.</p>
<p>Also, please note that some important definitions are provided at the bottom of this page.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="commissioner-mandate"></a></p>
<h2>Commissioner’s Mandate</h2>
<p>The Commissioner is not a part of the Government of Alberta. The Commissioner is an independent Officer of the Legislature and reports directly to the Alberta Legislative Assembly.</p>
<p>Through the Office of the Information and Privacy Commissioner (OIPC), the Commissioner performs the legislative and regulatory responsibilities set out in the following laws:</p>
<ul>
<li><em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act) [repealed June 11, 2025]</li>
<li><em>Access to Information Act </em>(ATIA) [in force June 11, 2025]</li>
<li><em>Protection of Privacy Act</em> (POPA) [in force June 11, 2025]</li>
<li><em>Health Information Act </em>(HIA)</li>
<li><em>Personal Information Protection Act</em> (PIPA)</li>
</ul>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="transition-foip-atia-popa"></a></p>
<h3>Transition from FOIP to ATIA and POPA</h3>
<p>Public bodies were subject to the FOIP Act until June 11, 2025.  When ATIA and POPA are brought into force, these Acts will repeal the FOIP Act.  The ATIA applies to access to information requests.  POPA applies to review responses to correction requests made after June 2025. It also applies to review complaints regarding the collection, use or disclosure of an individual’s own personal information by a public body where the individual first makes a complaint to the public body concerned after June 2025.</p>
<p>The FOIP Act continues to apply to review responses to access or correction requests made, or third party notification decisions made, prior to June 2025. It also applies to complaints about the collection, use or disclosure of personal information by a public body which occurred prior to the repeal of the FOIP Act.</p>
<p>For more information, please see the <a href="https://oipc.ab.ca/resource/practice-note-transitional-foip-to-atia-popa/" target="_blank" rel="noopener">Practice Note-Transitional- FOIP Act to ATIA and POPA</a>.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-we-do"></a></p>
<h2>What We Do…</h2>
<ul>
<li>Review the decisions of public bodies, health custodians, and private sector organizations in regards to requests for access to information or correction of personal or health information made under the Acts</li>
<li>Review or investigate complaints regarding the collection, use or disclosure of personal or health information</li>
<li>Under PIPA, investigate complaints about whether an organization is in compliance with the Act, such as enquiries into an organization’s general practices, and in relation to the duty to notify the Commissioner about a privacy breach under section 34.1</li>
<li>Try and settle reviews and complaints</li>
<li>Where settlement cannot be achieved or as instructed by the Commissioner, conduct inquiries and issue binding orders</li>
</ul>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-we-do-not-do"></a></p>
<h2>What We Do Not Do…</h2>
<ul>
<li>Act as an advocate on behalf of any party to a review or investigation</li>
<li>Release records that are the subject of a review</li>
<li>Store records on behalf of the Government of Alberta or any other party</li>
<li>Impose fines or award damages</li>
<li>Hear appeals of claims, benefits or decisions that do not fall under the Acts</li>
<li>Discipline, terminate or reinstate employees</li>
<li>Regulate the actions of individuals as private citizens</li>
<li>Regulate the constituency offices of members of the legislative assembly (but we do regulate access and privacy issues involving actions of cabinet members and ministries)</li>
</ul>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="making-request"></a></p>
<h2>Making a Request for Review or Complaint to the Commissioner</h2>
<p><strong>Under the FOIP Act:</strong></p>
<ul>
<li>an applicant may ask the Commissioner to review any decision, act or failure to act by the public body that relates to an applicant’s access to information request or request for correction, and</li>
<li>a third party who has been notified by a public body that its information will be given to an applicant may ask the Commissioner to review that decision</li>
</ul>
<p>Complete the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form_ATIA-Request_for_Review_202506.pdf" target="_blank" rel="noopener">ATIA Request for Review form</a> to request any of these reviews under FOIP Act.</p>
<ul>
<li>Under FOIP Act, a complainant may ask the Commissioner to review an individual’s belief that their own personal information has been collected, used or disclosed by a public body in contravention of this Act or any decision, act or failure to act in relation to a request to correct personal information.</li>
</ul>
<p>Complete the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form_POPA-Privacy_Correction_Request_for_Review_202506.pdf" target="_blank" rel="noopener">POPA Request for Review Form</a> to request any of these reviews under FOIP Act.</p>
<p><strong>Under HIA and PIPA:</strong></p>
<ul>
<li style="list-style-type: none;">
<ul>
<li>an applicant may ask the Commissioner to review or investigate any act, decision or failure to act by a custodian or organization related to an access or correction request,</li>
<li>a complainant may ask the Commissioner to review or investigate their belief that their own personal or health information has been collected, used or disclosed contrary to this Act</li>
</ul>
</li>
</ul>
<ul>
<li>Under PIPA, an individual may also ask the Commissioner to investigate whether an organization is in compliance with this Act, such as enquiries into an organization’s general practices.</li>
</ul>
<p>Complete the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form_PIPA-Request_for_Review_Complaint_202506.pdf" target="_blank" rel="noopener">PIPA Request for Review/Privacy Complaint and Correction Form</a> for reviews or complaints under this Act.</p>
<p>Complete the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form_HIA_Request_for_Review_Complaint_202506.pdf" target="_blank" rel="noopener">HIA Request for Review/Privacy Complaint and Correction Form</a> for reviews or complaints under this Act.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="time-limits"></a></p>
<h2>Time Limits to Request a Review</h2>
<p>A review or investigation may be requested by completing the applicable form and submitting it to the OIPC within the following timelines:</p>
<h3>FOIP Act and HIA</h3>
<p>Within 60 days after they are notified of the decision by the public body or custodian or become aware of an incident involving the collection, use and disclosure of personal or health information.</p>
<h3>PIPA</h3>
<p><strong>Within 30 days</strong> from the day that they are notified of the decision by the organization. Incidents involving the collection, use and disclosure of personal information under PIPA must be delivered to the Commissioner within a reasonable time period.</p>
<p>The Commissioner may allow for reviews or complaints to be submitted outside of the time limits above, based on the circumstances and where the law permits.</p>
<h3>Third Parties under FOIP</h3>
<p>A third party must complete and submit the relevant form (see “Making a Request for Review or Complaint to the Commissioner” above) to the OIPC within 20 days after being notified by a public body of its decision to give an applicant access to third party information. The Commissioner has no power to allow a third party a longer period to submit a request for review.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="overview-proceedings"></a></p>
<h2>Overview of Proceedings</h2>
<h3>Intake</h3>
<p>To initiate a review or make a privacy complaint, the applicable form must be completed (see “Making a Request for Review or Complaint to the Commissioner” above) AND submitted together with all supporting documents <strong><u>in one submission</u></strong>. Otherwise, the submission will be returned. We also enforce a 15-page limit for submissions.</p>
<p>Every submitted form is checked for:</p>
<ul>
<li>Jurisdiction &#8211; is it something the OIPC can do under one of the Acts?</li>
<li>Whether it was received by the OIPC within the required time limits</li>
<li>Whether there is evidence that substantiates the request for review or complaint</li>
</ul>
<p>Any person who submits a form for making a review or complaint will be contacted at the intake stage to discuss their submission and obtain clarification. They must be available to participate in our process and respond to requests in a timely manner, usually by phone and/or email. Otherwise, a file may not be opened. Any person who cannot meet this requirement may name an agent to represent them.</p>
<p>The responding public body may also be contacted at this stage, as required.</p>
<p>Please note our refer-back process for privacy complaints and adequacy of search reviews.</p>
<p><strong>Refer-back for privacy complaints</strong></p>
<p>For complaints regarding the collection, use or disclosure of personal or health information, it is a requirement under OIPC processes to make the complaint first to the public body, custodian or organization, if the complainant has not already given the entity an opportunity to resolve the complaint.</p>
<p><strong>Refer-back for adequacy of search reviews</strong></p>
<p>For reviews where the only concern is that an applicant believes the public body, organization or custodian holds more responsive records than what were processed in the request (an ‘adequate search concern’), the applicant must first submit the concern directly to the entity, along with supporting evidence as to why they believe additional records exist.</p>
<p>We require that the entity be given at least 30 business days to respond.  After attempting to resolve the matter directly with the entity, if the applicant still has reason to believe the response does not comply with the relevant law they can bring the concern back to our office. At that point, our office will consider whether further investigation by the OIPC is warranted.</p>
<p><strong>Issue identification</strong></p>
<p>Working with the applicant/complainant, the OIPC will identify the review or complaint issues at the intake phase. Only those issues that (a) have enough evidence; and, (b) are within our jurisdiction will move forward. Those issues will be communicated to the applicant/complainant to confirm their understanding and, if applicable, to advise on the limits of our jurisdiction.</p>
<p>If the OIPC proceeds with a review or investigation, a file is opened, and an acknowledgment letter (containing the confirmed issues) is issued to the applicant/complainant and the public body/custodian/organization. A copy of the request for review form and any attachments to the request are included with the letter. General privacy complaint forms or related materials will not generally be provided to an organization.</p>
<p>In its letter, the public body/custodian/organization will be asked to provide a contact person who will be responsible for working with the assigned investigator to settle the matter. The contact person must have the ability to settle the issues. This means that they must have timely access to the decision-maker or directly involve the decision-maker in the conversations.</p>
<p><strong>New records requirements and timelines</strong></p>
<p>For access request reviews, the public body/custodian/organization will also be asked to provide a copy of the records to the OIPC with the inclusion of a records index, within 7 business days of a notification letter, in accordance with the <a href="https://oipc.ab.ca/resource/practice-note-preparing-records-at-issue-and-index-of-records/" target="_blank" rel="noopener">Practice Note &#8211; Preparing Records at Issue and Index of Records</a>.  It may also be asked to provide the OIPC with a copy of the access request and any correspondence concerning the request with the applicant.  The OIPC will provide a link to securely send records and any other sensitive documentation to the OIPC.</p>
<p>The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed.  The <a href="https://oipc.ab.ca/resource/practice-note-providing-affidavits-and-other-evidence/" target="_blank" rel="noopener">Practice Note &#8211; Providing Affidavits and other Evidence</a> provides an explanation as to the expected content of the submission, even though it is not usually in affidavit form at the settlement stage.</p>
<p><strong>Request for Review Forms and Attachments Are Disclosed</strong></p>
<p>A copy of any request for review form and any attachments submitted along with the form must be disclosed to the public body, custodian or organization.  This is a requirement in these Acts.  As a result, any person submitting a request for review form under any of these Acts should specify to the OIPC if there is information in the form or accompanying attachments that they want the Commissioner to consider removing before sharing with the public body, custodian or organization.  In considering these requests, consideration will be given to whether the information should be disclosed for fairness purposes or if it is necessary to conduct the review.</p>
<p><strong>Address for Service</strong></p>
<p>Each party must provide an address for service to which all official communications will be sent for the purposes of the review/investigation.</p>
<p>As noted above, we must have an effective and timely means of communication with the parties. As such, each party is to provide us with an email address for this purpose. We also require a mailing address which may be used to deliver certain correspondence related to the file. We will use secure email or other forms of secure electronic transmission to send communications containing sensitive information.</p>
<p><strong>Applicant/Complainant</strong></p>
<p>The address for service is to be identified on the applicable form (see “Making a Request for Review or Complaint to the Commissioner” above).</p>
<p><strong>Public Body/Custodian/Organization</strong></p>
<p>The address for service of the public body/custodian/organization will be identified in the acknowledgement letter that the OIPC sends to each party as part of the initial notification process.</p>
<p><strong>Changes or Updates</strong></p>
<p>A party must use the Change of Contact and/or Address for Service Form on the OIPC website to update contact information or the address for service at any time during the review/investigation.</p>
<p>The address for service of each party will be circulated to all other parties.</p>
<h3>Review and Investigation</h3>
<p>An OIPC investigator, known as a Senior Information and Privacy Manager (SIPM), will be assigned to try to settle your request for review or privacy complaint.</p>
<p>The office receives a high volume of requests for reviews and complaints. As such, your file may be inactive until the SIPM has the capacity to begin to work on it. The parties will be notified when the SIPM starts actively working on the file. While the parties wait to hear from the SIPM, we encourage the parties to try to resolve the matter directly with one another.</p>
<p>Our new case resolution process involves us trying to settle matters under review or investigation in as short a time as is possible. That is why we try to settle matters verbally over the phone. As such, once a file is activated, we must be able to reach the parties, usually by phone, in a timely manner in order to participate in our case resolution process. If we cannot reach the applicant/complainant, we may discontinue the review or investigation. If this occurs, the parties will be notified.</p>
<p>The SIPM begins the review or investigation by examining the confirmed issues, the submission of the applicant/complainant and, in the case of a review of an access request, the records provided by the public body/custodian/organization. The SIPM also reviews the relevant law and any past cases that have interpreted the law against the issues to be determined.</p>
<p>The SIPM will contact the public body/custodian/organization (Respondent) to gather any relevant evidence necessary to form an opinion about whether the law was complied with by the respondent.</p>
<p>The SIPM may also need to contact the applicant/complainant for additional information. Please note that we will not accept documented evidence from an applicant/complainant unless it is requested by the SIPM. Any unsolicited evidence will be returned or deleted.</p>
<p>The SIPM will form an opinion about whether the Respondent has complied with the law as it relates to the issues under review or investigation. The SIPM will discuss the opinion with the parties in an effort to settle the issues. The Respondent may agree to take certain actions in order to remedy any non-compliance.</p>
<p>Any resolution reached will be documented in writing and sent to the parties. As applicable, the SIPM will ensure that any agreed-upon terms are followed by the Respondent.</p>
<h3>Inquiries</h3>
<p>If any or all of the issues are not settled and the applicant/complainant wants to proceed further in our process, the SIPM will work with the parties to determine any agreed-upon facts. The file will then be brought to the Commissioner to determine whether an inquiry will proceed, <em>only </em>on those unsettled issues.</p>
<p>Once the file is transferred to the Commissioner, the SIPM will close the file at the settlement stage.</p>
<p>Inquiries are formal adjudicative proceedings. The inquiry process is not an examination of the process or an evaluation of the findings and recommendations made during the review and investigation process. The inquiry gives the parties an opportunity to present their evidence “de novo” (from the beginning) and to rebut or support evidence presented by the other party.</p>
<p>The Commissioner may refuse to conduct an inquiry in certain circumstances:</p>
<ul>
<li>The subject matter has been dealt with in an order or investigation report of the Commissioner</li>
<li>The circumstances warrant refusing to conduct an inquiry (for instance, if there is no meaningful remedy)</li>
</ul>
<p>A decision to refuse to conduct an inquiry will be issued to the parties in writing.</p>
<p>If any unsettled issues proceed to inquiry, a Confirmation of Inquiry letter will be issued to the parties, which will confirm the issues for the inquiry. A Notice of Inquiry will be issued at a later date which includes a copy of the Request for Review/Complaint Form and attachments and sets out a schedule of dates for the written submissions of the parties.</p>
<p><strong>Affected Parties and Intervenors</strong></p>
<p>Some inquiries may include “affected parties”. An affected party is any other party who, in the opinion of the Commissioner, is affected by the request for review or complaint. A copy of the relevant form (see “Making a Request for Review or Complaint to the Commissioner” above) and attachments may be provided to the affected party.</p>
<p>An affected party may make representation to the Commissioner at inquiry, but is not required to participate.</p>
<p>In certain cases, the Commissioner may give intervenor status to parties, if the Commissioner determines it is appropriate. An intervenor can be useful in bringing a broader perspective to issues than the parties involved.</p>
<h3>Order</h3>
<p>On completing an inquiry, the Commissioner or delegated adjudicator must issue an Order disposing of the matter.</p>
<p>An Order made by the Commissioner or delegated adjudicator is final. However, a party may apply to the Court of King’s Bench of Alberta for judicial review of an Order.</p>
<h2>Timelines to complete a review</h2>
<p>Under FOIP and HIA, the Commissioner is to complete a review within 90 days after the OIPC received the request for review or complaint unless that period is extended by the Commissioner.  PIPA allows the Commissioner to complete a review or investigation within one year from the day that the request for review/complaint was received by the OIPC. PIPA also allows the Commissioner to extend that period.</p>
<p>Parties will be notified as to the anticipated date for completion and any extensions to the anticipated date for completion.</p>
<p>For estimated timelines for the settlement phase of a review, see “How long will a review take” on the OIPC website at: <a href="https://oipc.ab.ca/information-access-review" target="_blank" rel="noopener">https://oipc.ab.ca/information-access-review</a> and <a href="https://oipc.ab.ca/privacy-correction-complaint" target="_blank" rel="noopener">https://oipc.ab.ca/privacy-correction-complaint</a></p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>

<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="definitions"></a></p>
<h2>Definitions</h2>
<ul>
<li>Applicant &#8211; a person who makes an access to information request or a request for correction of their personal or health information under the FOIP Act, HIA or PIPA</li>
<li>Complainant &#8211; a person who believes their personal or health information has been collected, used or disclosed in contravention of one of the Acts</li>
<li>Custodians &#8211; health care providers and other identified entities subject to HIA</li>
<li>Organizations &#8211; private sector entities subject to PIPA</li>
<li>Public Bodies &#8211; public sector entities subject to FOIP Act</li>
<li>Senior Information and Privacy Manager (SIPM) &#8211; the person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the settlement phase. May also be referred to as an investigator</li>
<li>Settlement &#8211; a process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation</li>
<li>Third Party &#8211; a person, a group of persons, or an organization other than an applicant or a Respondent (public body/custodian/organization)</li>
</ul>
<p>If you have any questions with respect to the OIPC review/investigation process, please <a href="https://oipc.ab.ca/about-us/contact-us/" target="_blank" rel="noopener">contact the OIPC</a>.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
June 2025</p>

		</div>
	</div>
<br />

<table id="tablepress-2-no-4" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-4 from cache --></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Inquiry Procedures</title>
		<link>https://oipc.ab.ca/resource/practice-note-inquiry-procedures/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:24 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16790</guid>

					<description><![CDATA[June 4, 2025]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a><br />
This Practice Note relates to inquiries under the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act), <em>Access to Information Act</em> (ATIA), and <em>Protection of Privacy Act</em> (POPA), which apply to public bodies. It also relates to inquiries under the <em>Health Information Act</em> (HIA), which applies to custodians, and the <em>Personal Information Protection Act</em> (PIPA), which applies to organizations.</p>
<p>In this document, “Commissioner” means the Commissioner or the Commissioner’s delegated Adjudicator. Public bodies, custodians and organizations are referred to as &#8220;respondents&#8221; for the remainder of this publication.</p>
<p>The inquiry process is a formal process that ends with a final written decision. Most inquiries are conducted in writing. The applicant or complainant who requested the review, and the respondent will be given an opportunity to provide a submission.</p>
<p>The Commissioner may identify and invite other individuals or organizations to participate in the inquiry if the Commissioner determines that they are affected by the inquiry.</p>
<p>The inquiry process begins with a Notice of Inquiry sent to the parties. This Notice sets out the issues for the inquiry and deadlines for parties to make submissions.</p>
<p>This Practice Note sets out the requirements for providing submissions, including timelines and page limits. Submissions not adhering to the requirements set out in this Practice Note may not be accepted.</p>
<p><!-- Table of Contents --></p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px; margin-top: 20px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#preparing-submissions">Preparing submissions</a></li>
<li><a href="#page-limits-for-submissions">Page limits for submissions</a></li>
<li><a href="#submissions-are-exchanged">Submissions are exchanged</a></li>
<li><a href="#timelines-for-submissions">Timelines for submissions</a></li>
<li><a href="#decision-following-completion-of-inquiry">Decision following completion of inquiry</a></li>
<li><a href="#address-for-servicecontact-information">Address for Service/Contact information</a></li>
<li><a href="#correspondence-with-the-oipc">Correspondence with the OIPC</a></li>
<li><a href="#expedited-inquiries">Expedited Inquiries</a></li>
<li><a href="#glossary-of-terms">Glossary of Terms</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="preparing-submissions"></a></p>
<h2>Preparing submissions</h2>
<p>For inquiries relating to access requests under the FOIP Act, ATIA, PIPA and HIA, the respondent usually has the burden of proof to show that the claimed exception applies. Where an applicant is requesting personal information about <em>other</em> individuals (third parties) under the FOIP Act or ATIA, the applicant has the burden of proof to show that the information ought to be provided to the applicant. Where third party organizations are objecting to the disclosure of their confidential business information under the FOIP Act or ATIA, the organization has the burden of proof. For additional guidance on preparing submissions for an inquiry into the application of exceptions to access, see <a href="https://oipc.ab.ca/resource/practice-note-directions-respondent-submissions-inquiry/" target="_blank" rel="noopener">Practice Note &#8211; Directions to Respondents When Making Submissions</a>.</p>
<p>For inquiries relating to <span class="shortcode-tooltip">privacy complaints<span class="tooltip-c"><em>privacy complaints</em> includes complaints about the accuracy of an individual’s personal information and requests for reviews of decisions regarding a request to correct personal information</span></span> under the FOIP Act, HIA, PIPA and POPA, the complainant has to provide some reason for the Commissioner to find that the event complained about occurred as alleged. The respondent must then show that it had authority to take the action it did.</p>
<p>The purpose of a submission is for the party to make their case as it relates to the issues in the inquiry. For example, in an inquiry relating to an access request, an applicant might explain why they believe an exception applied to information in a record does not apply. The Respondent must explain why the exception does apply. In an inquiry relating to a complaint about the collection, use, or disclosure of personal information, the complainant should show what collection, use, or disclosure of their personal information occurred, and explain why they believe the collection, use, or disclosure was not permitted. The Respondent explains how the collection, use or disclosure was authorized.</p>
<p>Unless otherwise specified in the Notice of Inquiry, where an applicant or complainant does not bear the burden of proof, the applicant or complainant can rely on their request for review and any attachments instead of providing a submission to the inquiry. The applicant or complainant must inform the Commissioner in writing that they are relying on these documents, following the instructions set out in the Notice of Inquiry.</p>
<p>Parties should ensure they address each issue set out in the Notice of Inquiry. Parties are also encouraged to review relevant Orders, case law, and OIPC Practice Notes. Orders and other OIPC decisions are available <a href="https://oipc.ab.ca/decisions/" target="_blank" rel="noopener">here</a> and on <a href="https://www.canlii.org/" target="_blank" rel="noopener">CanLII.org</a>. The parties may also review other Practice Notes that address specific issues, available on the OIPC website.</p>
<p>Information that may be useful for parties to provide to the Commissioner for an inquiry includes:</p>
<ul>
<li>Excerpts from relevant legislation or regulations that apply to the operations of the public body, custodian or organization, and that relate to the issues in the inquiry;</li>
<li>Excerpts from policy manuals that set out relevant practices or policies of the public body, custodian or organization;</li>
<li>Excerpts and pinpoint citations of relevant orders and relevant court decisions; and</li>
<li>Excerpts and pinpoint citations of decisions made by Information and Privacy Commissioners in other jurisdictions that may be of assistance to the Commissioner when considering the issues.</li>
</ul>
<p>It is important to identify how the above information relates to the issues set out for the inquiry.</p>
<p>Do not provide entire copies of statutes, regulations, court decisions or Orders.</p>
<p>Upon receipt of the parties’ submissions, the Commissioner may request additional information or arguments from one or more parties. Deadlines for responses will be provided.</p>
<p>Parties should be aware that submissions previously provided for the settlement phase are generally not carried forward to the inquiry. All materials provided to the Commissioner for the inquiry will be attached to the Notice of Inquiry; parties are responsible for ensuring that any additional information they want the Commissioner to consider in the inquiry is included in their inquiry submission.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="page-limits-for-submissions"></a></p>
<h2>Page limits for submissions</h2>
<p>The maximum length for a submission is 20 pages. The Commissioner may decline to consider lengthy submissions. This limit does not include supporting evidence such as affidavits or excerpts of authorities.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="submissions-are-exchanged"></a></p>
<h2>Submissions are exchanged</h2>
<p>Parties must provide a copy of their submissions and related documents to each of the other parties listed in the Notice of Inquiry. Submissions and other documents that are not exchanged with the other parties will not be provided to the adjudicator for the inquiry.</p>
<p>The exception is where a party has sought and received permission to provide a portion of their submission or other document <em>in camera</em>. Parties wanting to request that part of their submission be accepted <em>in camera</em> must make the request in accordance with the process set out in the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form-Inquiry_In_Camera-2025.docx" target="_blank" rel="noopener">Request to Provide an <em>In Camera</em> Submission form</a>. Generally, the party must provide a proposed redacted version of the submission and provide detailed reasons for not exchanging the identified portions. Submissions will be accepted <em>in camera</em> only in specific circumstances set out in the form.</p>
<p>Requests to provide part of a submission <em>in camera</em> may be rejected if they do not follow the process set out in the form.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="timelines-for-submissions"></a></p>
<h2>Timelines for submissions</h2>
<p>Each Act sets out specific time limits for completing inquiries under those Acts. While the OIPC considers these time limits to be directory &#8211; see <em>Peters v East 3rd Street North Vancouver Limited Partnership</em>, <a href="https://canlii.ca/t/jxbrl" target="_blank" rel="noopener">2023 BCSC 879 (CanLII)</a>, at paragraph 27, or <em>Rahman v. Alberta College and Association of Respiratory Therapy</em>, <a href="https://canlii.ca/t/5mbt" target="_blank" rel="noopener">2001 ABQB 222 (CanLII)</a> &#8211; the inquiry process has been designed to meet those timelines in all possible cases.</p>
<p>Parties will be expected to provide their submissions and other requested information by the deadline provided in the Notice of Inquiry or correspondence from the adjudicator. A party may request a short time extension to provide a submission or response where necessary. Such requests must:</p>
<ul>
<li>be made <em>before</em> the party’s deadline;</li>
<li>be made in writing;</li>
<li>include the additional time requested;</li>
<li>include reasons for the request;</li>
<li>be provided to the other parties listed in the Notice of Inquiry.</li>
</ul>
<p>Decisions to grant extensions are at the discretion of the Commissioner and may be constrained by the time limits for completing the inquiry.</p>
<p>Parties are encouraged to submit their extension requests using the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form-Submission_Deadline_Extension_Request-2025.docx" target="_blank" rel="noopener">Request to Extend the Submission Deadline form</a>, available on the OIPC website.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="decision-following-completion-of-inquiry"></a></p>
<h2>Decision following completion of inquiry</h2>
<p>Once the above inquiry process is complete, the Commissioner will review the submissions and other materials provided for the inquiry, and make a determination on the issues. The Commissioner’s decision will be provided to the parties in writing.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="address-for-servicecontact-information"></a></p>
<h2>Address for Service/Contact information</h2>
<p>Written inquiries are conducted by email or other electronic means as determined by the Commissioner. Parties are required to provide an email address for service to be used for the exchange of written inquiry submissions and other correspondence.</p>
<p>Parties unable to participate electronically may request permission to participate by mail. A formal request must be made to the adjudication team to participate by mail.</p>
<p>All parties must also provide written notice, as outlined above, of any changes to their address for service. The form for change of contact or address for service is available on <a href="https://oipc.ab.ca/forms/" target="_blank" rel="noopener">this page</a>.</p>
<p>If the applicant or complainant who asked for the inquiry fails to provide a current address for service or fails to give notice of changes to the address for service, the Commissioner may discontinue the inquiry.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="correspondence-with-the-oipc"></a></p>
<h2>Correspondence with the OIPC</h2>
<p>All inquiry materials must be provided in writing. During an inquiry, parties are asked to send all correspondence to the Adjudication Case Manager or Registrar of Expedited Inquiries, as directed. Do not contact or send correspondence directly to the Commissioner or adjudicator.</p>
<p>Parties with questions about the inquiry process can call or email the Adjudication Case Manager or Registrar of Expedited Inquiries; contact information will be provided in the correspondence sent to parties.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="expedited-inquiries"></a></p>
<h2>Expedited Inquiries</h2>
<p>In some circumstances, a request for a review may be streamlined to an expedited inquiry process. In general, the following requests for review may proceed to an expedited inquiry:</p>
<ul>
<li>a public body’s failure to respond to an access request under the ATIA;</li>
<li>a public body’s decision to extend its time to respond;</li>
<li>a public body’s decision to disregard a request; or</li>
<li>a public body’s decision that a request was abandoned.</li>
</ul>
<p>An organization’s or custodian’s failure to respond to an access request under PIPA or the HIA may be streamlined directly to an expedited inquiry process.</p>
<p>The expedited inquiry process generally involves condensing the usual inquiry process, including shortening submission schedules, and a strict adherence to timelines. Where available, respondents are encouraged to provide their submission using the relevant form, available on the OIPC website at <a href="https://oipc.ab.ca/forms/" target="_blank" rel="noopener">https://oipc.ab.ca/forms/</a>.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><a id="glossary-of-terms"></a></p>
<h2>Glossary of Terms</h2>

<table id="tablepress-10" class="tablepress tablepress-id-10">
<thead>
<tr class="row-1">
	<th class="column-1">Term</th><th class="column-2">Definition</th>
</tr>
</thead>
<tbody class="row-striping row-hover">
<tr class="row-2">
	<td class="column-1">Adjudication</td><td class="column-2">The team that manages the inquiry phase.</td>
</tr>
<tr class="row-3">
	<td class="column-1">Adjudicator</td><td class="column-2">The person that the Commissioner has delegated to be the decision-maker in the inquiry.</td>
</tr>
<tr class="row-4">
	<td class="column-1">Affected parties</td><td class="column-2">Individuals or other organizations that could be affected by the decision made in the inquiry. May also be referred to as third parties.</td>
</tr>
<tr class="row-5">
	<td class="column-1">Applicant</td><td class="column-2">The individual who formally requested access to information or requested correction of their personal or health information under the ATIA, FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-6">
	<td class="column-1">Arguments</td><td class="column-2">The reasons why a party believes the evidence shows certain facts to be true, and why the Commissioner should interpret the law a certain way.</td>
</tr>
<tr class="row-7">
	<td class="column-1">Case Resolution</td><td class="column-2">The team that conducts the settlement phase of a review.</td>
</tr>
<tr class="row-8">
	<td class="column-1">Complainant</td><td class="column-2">The individual who made a formal complaint that personal information was collected, used or disclosed in contravention of the FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-9">
	<td class="column-1">Custodian</td><td class="column-2">The health service provider, whether an individual or an organization, from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-10">
	<td class="column-1">Evidence</td><td class="column-2">Information/material that establishes the facts on which a party is relying.</td>
</tr>
<tr class="row-11">
	<td class="column-1">In camera</td><td class="column-2">A portion of a submission provided only to the Commissioner in an inquiry.</td>
</tr>
<tr class="row-12">
	<td class="column-1">Inquiry</td><td class="column-2">A formal adjudicative process, usually conducted in writing.</td>
</tr>
<tr class="row-13">
	<td class="column-1">Interveners</td><td class="column-2">Individuals or organizations whose opinions or specialized knowledge can provide a broader understanding of the issues at inquiry.</td>
</tr>
<tr class="row-14">
	<td class="column-1">Mediation/investigation</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as the settlement phase.</td>
</tr>
<tr class="row-15">
	<td class="column-1">Notice of Inquiry</td><td class="column-2">Identifies the parties involved in the inquiry and their contact information, the issues that will be addressed, and a schedule for submissions.</td>
</tr>
<tr class="row-16">
	<td class="column-1">Organization</td><td class="column-2">The business, corporation, union or partnership from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-17">
	<td class="column-1">Parties</td><td class="column-2">The respondent (public body, custodian or organization), applicant/complainant, or other affected parties who are part of the inquiry.</td>
</tr>
<tr class="row-18">
	<td class="column-1">Public body</td><td class="column-2">The government department or other public entity from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-19">
	<td class="column-1">Respondent</td><td class="column-2">The public body, custodian or organization that has duties under the legislation.</td>
</tr>
<tr class="row-20">
	<td class="column-1">Senior Information and Privacy Manager</td><td class="column-2">The person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the Case Resolution phase. May also be referred to as an investigator.</td>
</tr>
<tr class="row-21">
	<td class="column-1">Settlement</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation.</td>
</tr>
<tr class="row-22">
	<td class="column-1">Submissions</td><td class="column-2">Informs the Commissioner and the other parties about what a party thinks are the central issues in a case, and provides evidence and makes arguments about how those issues should be decided.</td>
</tr>
<tr class="row-23">
	<td class="column-1">Third Parties</td><td class="column-2">Parties, other than the respondent or applicant/complainant, who are part of the inquiry. For example, organizations and individuals whose information is the subject of an applicant’s access request. May also be referred to as affected parties.</td>
</tr>
</tbody>
</table>

		</div>
	</div>

<p>June 4, 2025</p>

<table id="tablepress-2-no-5" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Late Raising of Discretionary Exceptions &#8211; ATIA</title>
		<link>https://oipc.ab.ca/resource/practice-note-late-raising-discretionary-exceptions-atia/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:14 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16782</guid>

					<description><![CDATA[June 4, 2025]]></description>
										<content:encoded><![CDATA[<p><a id="top-of-page"></a><br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
In this document, “Commissioner” means the Commissioner or the Commissioner’s delegated Adjudicator or authorized Senior Information and Privacy Manager.</p>
<p>This Practice Note clarifies whether and when the Office of the Information and Privacy Commissioner (OIPC) will consider a new discretionary exception to access raised by a public body after an applicant has requested a review.</p>

		</div>
	</div>

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#rationale">Rationale for the clarification</a></li>
<li><a href="#oipc-approach">OIPC approach to late-raising discretionary exceptions to access under the ATIA</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="rationale"></a></p>
<h2>Rationale for the clarification</h2>
<p>Past Orders of this office have found that in an inquiry, public bodies cannot raise the application of discretionary exceptions under the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act) that were not originally applied in the public body’s decision to the applicant, where raising the new exception would result in delay or prejudice to other parties.</p>
<p>It has become increasingly common for public bodies to raise new exceptions to access during the review or inquiry processes. At times, public bodies have wholly reprocessed responsive records following the review, resulting in new decisions that bear little resemblance to those originally communicated to the applicant that were subject to the review.</p>
<p>It is the head of the public body, or the delegate of the head, that is assigned the responsibility of determining whether to withhold information in response to an access request. When the head of a public body, or the head’s delegate, makes a decision regarding access, that decision must be communicated to the applicant. The applicant is given 60 business days under the <em>Access to Information Act</em> (ATIA) to assess the response and decide whether to request a review. It is unfair to the applicant for the public body’s response to become a moving target.</p>
<p>Further, the ATIA imposes new limits on the time for the OIPC to complete the review process under that Act. In order to meet those time limits, the office has taken steps to identify and minimize delays in the review process. The late-raising of new discretionary exceptions reduces the timeliness and effectiveness of the settlement phase of the review, during which the parties are contacted by this office to attempt to settle the issues, or narrow and confirm the issues for a subsequent inquiry.</p>
<p>That said, from time to time a public body’s response to an applicant may contain an error or omission that the public body later corrects. The OIPC may accept such corrections, where it is appropriate to do so.</p>
<p>Given the above, the OIPC is clarifying when and whether the OIPC will consider a public body’s decision to apply a new discretionary exception to access that was communicated to the applicant after the applicant has delivered a request for review to the public body and OIPC.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="oipc-approach"></a></p>
<h2>OIPC approach to late-raising discretionary exceptions to access under the ATIA</h2>
<p>Under the ATIA, applicants seeking a review of a public body’s decisions regarding access must deliver a copy of their request for review to the OIPC and the head of the public body. Once the OIPC has confirmed the issues for the review, the OIPC will send an acknowledgement letter; this letter will set out the issues to be addressed in the settlement phase of the review.</p>
<p>If the public body has amended its response to the applicant’s access request after the applicant delivered their request for review, the public body must ensure that the new response was communicated to the applicant as required under the Act. A copy of this response must also be provided to the OIPC, quoting the file number provided in the acknowledgement letter.</p>
<p>Any amended response that includes a new application of a discretionary exception that is communicated to the applicant and OIPC <u>before</u> the acknowledgement letter is issued will generally be considered in that phase of the review if the applicant is interested in pursuing it. Any amended response that includes a new application of a discretionary exception that is communicated to the applicant and OIPC <u>after</u> the acknowledgement letter is issued might not be considered.</p>
<p>If an inquiry is subsequently conducted into the matter, the adjudicator will consider whether to permit a public body to raise a new discretionary exception to access.</p>
<p>In determining whether to permit a public body to apply a new discretionary exception to access, the Commissioner will consider:</p>
<ul>
<li>the impact of the new claim on the integrity of the review process;</li>
<li>the prejudice to the parties in either permitting or refusing to consider the new discretionary exception;</li>
<li>the public interest in either permitting or refusing to consider the new discretionary exception; and</li>
<li>any other extenuating circumstance.</li>
</ul>

		</div>
	</div>

<p>June 4, 2025</p>

<table id="tablepress-2-no-6" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>

]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Directions to Respondents when making submissions in support of claimed exceptions to access during inquiry</title>
		<link>https://oipc.ab.ca/resource/practice-note-directions-respondent-submissions-inquiry/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:13 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16783</guid>

					<description><![CDATA[June 4, 2025]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
This Practice Note provides direction to</p>
<ul>
<li>public bodies under the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act) and <em>Access to Information Act</em> (ATIA);</li>
<li>organizations under the <em>Personal Information Protection Act</em> (PIPA); and</li>
<li>custodians under the <em>Health Information Act</em> (HIA)</li>
</ul>
<p>when making submissions to an inquiry addressing a response to an access request under the relevant Act.</p>
<p>In this document, “Commissioner” means the Commissioner or the Commissioner’s delegated Adjudicator. Public bodies, custodians and organizations are referred to as &#8220;respondents&#8221; for the remainder of this publication.</p>
<p>Following an inquiry into a respondent’s decision to apply exceptions to access in responding to an access request under the FOIP Act, ATIA, PIPA or HIA, the Commissioner will determine whether:</p>
<ul>
<li>The mandatory exceptions cited by the respondent apply to the relevant information;</li>
<li>The discretionary exceptions cited by the respondent apply to the relevant information;</li>
<li>If any discretionary exception applies, the respondent properly exercised its discretion to apply that exception.</li>
</ul>
<p>Respondents may not be permitted to raise the application of new discretionary exceptions at the inquiry phase.</p>
<p>Exceptions to access under the Acts each have specific requirements that must be met in order to be applied. Respondents applying exceptions to access should ensure that their submission addresses each component of these requirements. Each application of an exception must be justified. Submissions that fail to address each component, or that do not address how the specific information at issue satisfies each component, will not establish that the exception applies.</p>
<p>Submissions should include two main aspects: arguments and information about the law, and arguments and information about the factual context of the information at issue.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a></p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#law-arguments">Arguments and information about the law</a></li>
<li><a href="#factual-context">Arguments and information about the factual context of the records</a></li>
<li><a href="#submission-points">Points to address in drafting a submission</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="law-arguments"></a></p>
<h2>Arguments and information about the law</h2>
<p>Arguments and information about the law include citing the applicable tests for applying an exception, as set out in past Orders and court decisions. This part of the submission may be brief for each exception applied, especially where the interpretation of the exception and tests to be applied are settled.</p>
<p>Where an exception has not been considered in past Orders or court decisions, the respondent should explain how it believes the exception applies. Similarly, if a respondent disagrees with how an exception has been applied in past Orders, the respondent should explain how it believes the exception should be applied and why. Respondents should provide support for such arguments, such as case law.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="factual-context"></a></p>
<h2>Arguments and information about the factual context of the records</h2>
<p>Arguments and information about the factual context of the records include information that shows why an exception applies to the particular information at issue.</p>
<p>Many exceptions to access can be applied only in particular circumstances. For example,</p>
<ul>
<li>Under the FOIP Act and the ATIA, some exceptions to access apply only where the relevant information is created by or for individuals holding specific positions or is in correspondence between individuals holding specific positions<a href="#_ftn1" name="_ftnref1">[1]</a>.</li>
<li>Under PIPA, some exceptions apply to personal information that was collected in specific circumstances, such as for an investigation<a href="#_ftn2" name="_ftnref2">[2]</a> or information collected by mediators in the course of conducting a mediation<a href="#_ftn3" name="_ftnref3">[3]</a>.</li>
<li>Under the FOIP Act, ATIA, HIA, and PIPA, several exceptions apply where the disclosure of the relevant information <em>could reasonably be expected to</em> result in a specified outcome<a href="#_ftn4" name="_ftnref4">[4]</a>. The Supreme Court of Canada has set out the evidentiary standard to be used in access-to-information legislation wherever the phrase “could reasonably be expected to” appears: there must be a reasonable expectation of probable harm, and the party claiming the exception must provide sufficient evidence to show that the likelihood of the specified outcome is considerably above a mere possibility<a href="#_ftn5" name="_ftnref5">[5]</a>.</li>
</ul>
<p>It is important for respondents to provide sufficient factual information to show that the circumstances set out in each exception being applied are present in each case. Relevant information may include the position titles and responsibilities of individuals involved in creating and receiving the information, and details of the circumstances in which the records were created.</p>
<p>Respondents applying exceptions that include the phrase “could reasonably be expected to” must provide sufficient evidence to meet this evidentiary standard. Respondents should clearly explain <em>how</em> the information being withheld could lead to the stated outcome; mere assertions are generally insufficient.</p>
<p>Parties may not succeed in an inquiry if they do not provide evidence to support their arguments. It is not sufficient to provide the Commissioner with records and leave it up to the Commissioner to try to draw from the records the facts on which the decisions will be based. The Commissioner requires that persons representing the public body, custodian or organization provide evidence speaking to the contents of the records, for example by explaining how each part of a record for which an exception to disclosure is claimed falls within the exception.</p>
<p>If the success of an argument depends on underlying facts, providing the argument alone is not sufficient. The underlying facts must be established by evidence. As well, evidence should not be provided in the form of unattributed assertions made in the context of an argument. If a fact is being put forward, it must be shown how this fact is known to be true (e.g., by way of a statement, preferably sworn, of someone who knows the fact, or by other objective evidence, such as documents).</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="submission-points"></a></p>
<h2>Points to address in drafting a submission</h2>
<ul>
<li>Clearly identify each part of a record that has been withheld from disclosure and address each exception applied.</li>
<li>Review previous Orders [or relevant Interpretation Bulletins] to determine how the exceptions have been applied, and how those interpretations apply to the information being withheld.</li>
<li>Clearly state how each provision, and the relevant tests for each provision, apply to the information being withheld.
<ul>
<li>This should be done on a record-by-record, page-by-page, or line-by-line basis, as appropriate.</li>
<li>Respondents may identify and group similar information in the pages in their arguments.</li>
</ul>
</li>
<li>Where the exception applied is a discretionary exception, the respondent should include a discussion of the exercise of discretion in applying that exception to withhold information.
<ul>
<li>The exercise of discretion should be addressed on a record-by-record, page-by-page, or line-by-line basis, as appropriate.</li>
<li>The respondent should ensure it addresses all relevant factors, and explain why they do or do not apply in the specific circumstances of the information/record.</li>
</ul>
</li>
<li>Where the exception applied requires proof that a record was created for a particular purpose, or was created by or for particular positions, provide the relevant facts to support the application of that exception.</li>
<li>Where the respondent is providing an affidavit in support of its factual or legal claims, ensure that the affidavit includes the requirements set out in <a href="https://oipc.ab.ca/resource/practice-note-providing-affidavits-and-other-evidence" target="_blank" rel="noopener">Practice Note: Providing Affidavits and Other Evidence</a>.</li>
<li>Ensure each issue set out in the Notice of Inquiry is addressed.</li>
</ul>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> For example, sections 27(1)(b) and (c) of the FOIP Act and 32(1)(b) and (c) of the ATIA<br />
<a href="#_ftnref2" name="_ftn2">[2]</a> For example, section 24(2)(c)<br />
<a href="#_ftnref3" name="_ftn3">[3]</a> For example, section 24(2)(e)<br />
<a href="#_ftnref4" name="_ftn4">[4]</a> For example, sections 20(1) of the FOIP Act and 21(1) of the ATIA; section 11(1)(a) of the HIA; section 24(3)(a) of PIPA<br />
<a href="#_ftnref5" name="_ftn5">[5]</a> <a href="https://www.canlii.org/en/ca/scc/doc/2012/2012scc3/2012scc3.html" target="_blank" rel="noopener"><em>Merck Frosst Canada Ltd. v. Canada (Health)</em>, 2012 SCC 3 (CanLII)</a>, [2012] 1 SCR 23</p>

		</div>
	</div>

<p>June 4, 2025</p>

<table id="tablepress-2-no-7" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>

]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Providing Affidavits and Other Evidence</title>
		<link>https://oipc.ab.ca/resource/practice-note-providing-affidavits-and-other-evidence/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:09 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16789</guid>

					<description><![CDATA[June 4, 2025]]></description>
										<content:encoded><![CDATA[<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a><br />
In a review or inquiry under the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act), <em>Access to Information Act</em> (ATIA), <em>Protection of Privacy Act</em> (POPA), <em>Personal Information Protection Act</em> (PIPA) or <em>Health Information Act</em> (HIA), evidence is often required to support factual and legal claims. In some cases, evidence must be provided in the form of a sworn affidavit. Affidavits should also be provided to support the application of exceptions or exclusions under the Acts where the public body/organization/custodian (respondent) is not required to provide the records for the Commissioner’s review.</p>
<p>Respondents are also encouraged to provide affidavit evidence in support of their efforts to search for records responsive to an access request. Parties may also consider providing affidavit evidence in situations where factual issues may be contentious.</p>
<p>This Practice Note sets out guidelines for providing affidavits and other evidence for an inquiry, including specific considerations when providing affidavits and other evidence in support of</p>
<ul>
<li>A respondent’s search for records in response to an access request</li>
<li>A public body’s application of sections 4(1)(a), (s), (t) or (w) of the ATIA</li>
<li>A public body’s application of section 27 of the ATIA (cabinet confidences)</li>
<li>A public body’s/organization’s claim of solicitor-client privilege, litigation privilege, or informer privilege under the FOIP Act or PIPA, or legal privilege under the ATIA.</li>
</ul>
<p>These guidelines also apply to affidavits provided as evidence in situations other than those listed above.</p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#general-guidelines-when-providing-affidavits">General Guidelines when providing affidavits</a></li>
<li><a href="#affidavits-search">Affidavits in support of a Respondent’s search for records</a></li>
<li><a href="#affidavits-atia-sections">Affidavits in support of an application of sections 4(1)(a), (s), (t), or (w) of the ATIA</a></li>
<li><a href="#affidavits-cabinet">Affidavits and other evidence in support of a claim of cabinet confidences under section 27 of the ATIA</a></li>
<li><a href="#affidavits-privilege">Affidavits in support of a claim of legal privilege</a></li>
<li><a href="#sample-affidavit">Sample Affidavit</a></li>
</ul>
</div>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="general-guidelines-when-providing-affidavits"></a></p>
<h2>General Guidelines when providing affidavits</h2>
<p>In an inquiry, affidavits are to be <strong>exchanged</strong> with the other parties to the inquiry.</p>
<p>An affidavit must contain information about the person swearing the affidavit, including the individual’s name and an explanation of how they have knowledge of the evidence being presented in the affidavit.</p>
<p>An affidavit should, wherever possible, be sworn by a person having <strong>personal knowledge</strong> of the facts being sworn to.</p>
<p>Affidavit evidence should be <strong>sufficiently detailed</strong> to allow the Commissioner and parties to an inquiry to fully understand its contents, and should, wherever possible, <strong>be confined to facts</strong> within the personal knowledge of the person swearing the affidavit.</p>
<p>Parties shall ensure that all affidavits provided to the Commissioner are truthful, complete, and accurate.</p>
<p>It is an offence under the Acts for anyone to willfully make a false statement to, mislead, or attempt to mislead the Commissioner in the performance of their functions.</p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-search"></a></p>
<h2>Affidavits in support of a Respondent’s search for records</h2>
<p>The duty to assist under section 10 of the FOIP Act, section 12 of the ATIA, section 27 of PIPA and section 10 of the HIA includes a duty to conduct an adequate search for records.  The respondent has the burden of proving that it conducted an adequate search for records responsive to an access request.</p>
<p>In an inquiry addressing a respondent’s search for records, it is helpful for the respondent to provide the Commissioner with an affidavit regarding the search conducted for records responsive to the applicant’s access request. <strong>In addition to the elements set out in the general guidelines above</strong>, the respondent may wish to consider addressing the following:</p>
<ul>
<li>The specific steps taken by the respondent to identify and locate records responsive to the applicant’s access request.</li>
<li>The scope of the search conducted, such as physical sites, program areas, specific databases, off-site storage areas, etc.</li>
<li>The steps taken to identify and locate all possible repositories where there may be records relevant to the access request: keyword searches, records retention and disposition schedules, etc.</li>
<li>Who did the search? (Note: the person or persons who did the search are best placed to provide the direct evidence.)</li>
<li>Why the respondent believes no more responsive records exist other than what has been found or produced.</li>
<li>Any other relevant information.</li>
</ul>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-atia-sections"></a></p>
<h2>Affidavits in support of an application of sections 4(1)(a), (s), (t), or (w) of the ATIA</h2>
<p>Where a public body has refused access to records or information for the reason that the records or information are excluded from the scope of the ATIA under sections 4(1)(a), (s), (t), or (w) of that Act, the public body has the burden of proving that there is no right of access (section 63(1)).</p>
<p>In an inquiry addressing a public body’s claim that section 4(1)(a), (s), (t), or (w) of the ATIA applies, it is helpful for the respondent to provide the Commissioner with an affidavit setting out the relevant facts. <strong>In addition to the elements set out in the general guidelines above</strong>, the affidavit should include a schedule in which the public body lists the records to which it has applied sections 4(1)(a), (s), (t), or (w) of the ATIA, along with the description for each record. The description for each record should include sufficient detail to satisfy the public body’s burden of proof. Certain subsections may require specific information, for example:</p>
<ul>
<li>whether the public body has custody or control of the record and if not, why not (sections 4(1)(a), (s));</li>
<li>who created the record (section 4(1)(t), (w));</li>
<li>the position titles of the individuals involved in the communications (section 4(1)(w));</li>
<li>any other information relevant to the particular exclusion being claimed.</li>
</ul>
<p>If the public body wishes to provide additional information regarding its application of these provisions <em>in camera</em>, it may request permission to do so following the process set out in the Request to Provide an <em>In Camera</em> Submission form.</p>
<p>A public body is not precluded from providing the relevant records to the Commissioner as evidence.</p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-cabinet"></a></p>
<h2>Affidavits and other evidence in support of a claim of cabinet confidences under section 27 of the ATIA</h2>
<p>Where a public body withholds information under section 27 of the ATIA in response to an access request, the public body has the burden of proving that there is no right of access (section 63(1)).</p>
<p>If a public body does not provide records or information to the Commissioner on the basis that section 27 applies to that record or information, the Commissioner may require the public body to attest that this provision applies to the information or record over which it is claimed (section 50(7)). Section 11 of the ATIA Regulation states that a public body may provide this attestation by way of a letter:</p>
<ul>
<li>signed or approved by the head of the public body; and</li>
<li>containing a description of the record or information explaining how section 27 applies to the record or information.</li>
</ul>
<p>A description must be provided for each record containing information to which section 27 is applied. Therefore, an attestation should include a schedule in which the public body lists the records to which it has applied sections 27(1)( or (2) of the ATIA, along with the description for each record. The description for each record should include sufficient detail to satisfy the public body’s burden of proof. The public body should address the particular elements set out in the subsection being claimed.</p>
<p>As the public body bears the burden of proof, a public body may also consider providing an affidavit in support of its claim.</p>
<p>If the public body wishes to provide additional information regarding its application of section 27 <em>in camera</em>, it may request permission to do so following the process set out in the Request to Provide an <em>In Camera</em> Submission form.</p>
<p>A public body is not precluded from providing the relevant records to the Commissioner as evidence.</p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-privilege"></a></p>
<h2>Affidavits in support of a claim of legal privilege</h2>
<p>A respondent is not required to provide the Commissioner with records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed under the FOIP Act or PIPA, or to which section 32(1)(a) or (2) of the ATIA has been applied<a href="#_ftn1" name="_ftnref1">[1]</a>. This part of the Practice Note applies to legal privilege under the ATIA, and solicitor-client, litigation and informer privilege under the FOIP Act and PIPA.</p>
<p>Where a respondent withholds information in response to an access request claiming a relevant privilege, the respondent has the burden of proving that there is no right of access<a href="#_ftn2" name="_ftnref2">[2]</a>. The respondent is not precluded from providing the relevant records to the Commissioner as evidence.</p>
<p>As stated in <em>Edmonton (City) Police Service v Alberta (Information and Privacy Commissioner)</em>, 2020 ABQB 10 (<em>EPS</em>), when a respondent does not provide records that it asserts are subject to privilege for review, it is required to establish its claim by meeting the civil litigation standard for refusing to produce such records, set out in <em>Canadian Natural Resources Ltd v ShawCor Ltd</em>, 2014 ABCA 289 (CanLII), 580 A.R. 265 (<em>ShawCor</em>).</p>
<p>Following <em>Alberta (Information and Privacy Commissioner) v. University of Calgary</em>, 2016 SCC 53 (CanLII) and <em>ShawCor</em>, affidavits of records provided in support of claims of legal privilege must comply with Rules 5.7 and 5.8 of the Alberta Rules of Court (producible records, and records for which there is an objection to produce). In <em>ShawCor</em>, the Alberta Court of Appeal discussed the application of these Rules. The Court stated (at paras. 42-43):</p>
<blockquote><p>
… Therefore, in explaining the grounds for claiming privilege over a specific record, a party will necessarily need to provide sufficient information about that record that, short of disclosing privileged information, shows why the claimed privilege is applicable to it. Depending on the circumstances, this may require more or less than the “brief description” contemplated under Rule 5.7(1)(b) although we expect that oftentimes the brief description will suffice.</p>
<p>Accordingly, under either interpretation of the relevant Rules, a party must provide a sufficient description of a record claimed to be privileged to assist other parties in assessing the validity of that claim. From this, it follows that all relevant and material records must be numbered and, at a minimum, briefly described, including those records for which privilege is claimed. As noted, though, this is subject to the proviso that the description need not reveal any information that is privileged.
</p></blockquote>
<p><strong>In addition to the elements set out in the general guidelines above</strong>, the affidavit should include a schedule in which the respondent lists the records (or bundle of records) for which privilege is claimed, along with the description for each record or bundle. A group of records may be numbered and treated as a single record if the records are all of the same nature, and the bundle is described in sufficient detail to enable the Commissioner to understand what it contains. The description for each record (or each bundle) must be sufficient to meet that test, without revealing the privileged information.</p>
<p>For claims of solicitor-client privilege, the Respondent should provide:</p>
<ul>
<li>Information about the relationship between the Respondent and the lawyer <em>in the context of the relevant communication</em></li>
<li>Information about the circumstances to establish that the record was created in the course of requesting or providing legal advice or is a record revealing such a request or advice</li>
<li>Information about the confidentiality of the communication</li>
</ul>
<p>For claims of litigation privilege, the Respondent should provide:</p>
<ul>
<li>Information establishing that the record was created for the dominant purpose of litigation</li>
<li>Information establishing that the litigation has not ended</li>
</ul>
<p>In <em>Pritchard v. Ontario (Human Rights Commission)</em>, [2004] 1 SCR 809, the SCC determined that more evidence to support the application of solicitor-client privilege is required when advice sought from or given by an in-house or government lawyer is at issue. This is because such lawyers may be called upon to give policy advice, which is not legal advice. The Court said:</p>
<blockquote><p>
Owing to the nature of the work of in-house counsel, often having both legal and non-legal responsibilities, each situation must be assessed on a case-by-case basis to determine if the circumstances were such that the privilege arose. Whether or not the privilege will attach depends on the nature of the relationship, the subject matter of the advice, and the circumstances in which it is sought and rendered.
</p></blockquote>
<p>Therefore, a respondent that is claiming solicitor-client privilege over the advice of an in-house or government lawyer must provide sufficient information about the relationship between the lawyer and the respondent and about the circumstances in which the advice is being requested and provided, to establish that the subject-matter is legal advice rather than policy or other advice.</p>
<p>If the respondent wishes to provide additional information regarding its claim of privilege <em>in camera</em>, it may request permission to do so following the process set out in the Request to Provide an <em>In Camera</em> Submission form.</p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="sample-affidavit"></a></p>
<h2>Sample Affidavit</h2>
<p>&nbsp;</p>
<p>OIPC File Number  _____________________</p>
<p>Applicant  __________________________________________</p>
<p>Respondent Public Body/Organization/Custodian __________________________________________</p>
<p>Affidavit of (name and status) Sworn (or Affirmed) by _____________________ on _______________, 20__</p>
<p>&nbsp;</p>
<p>I, ______________________ of (municipality, province), have personal knowledge of the following (or, where applicable, I am informed and do believe that):</p>
<p>I am an authorized representative of (name of Respondent).</p>
<p>I have reviewed the records.</p>
<p>The records listed in Schedule 1 are in the custody or under the control of (name of Respondent).</p>
<p>(Name of Respondent) objects to produce the records listed in Schedule 1 on the grounds of privilege identified in that Schedule.</p>
<p>&nbsp;</p>
<p>SWORN (OR AFFIRMED) BEFORE ME</p>
<p>at ___________________________, Alberta, this _____ day of _______________, 20___.</p>
<p>Commissioner for Oaths in and for the Province of Alberta</p>
<p>____________________________________</p>
<p>(Signature of Representative)</p>
<p>_____________________________________</p>
<p>&nbsp;</p>
<p><strong>Schedule 1</strong></p>
<p>Records in the custody or under the control of (name of Respondent) for which there is an objection to produce on the ground of [cite relevant exception or legal privilege]:</p>
<table>
<tbody>
<tr>
<td width="59"></td>
<td width="264"><strong>Exception or Privilege Claimed</strong></td>
<td width="319"><strong>Description</strong></td>
</tr>
<tr>
<td width="59">1.</td>
<td width="264"></td>
<td width="319"></td>
</tr>
<tr>
<td width="59">2.</td>
<td width="264"></td>
<td width="319"></td>
</tr>
<tr>
<td width="59">3.</td>
<td width="264"></td>
<td width="319"></td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Sections 27(1)(a) of the FOIP Act, 32(1)(a) and (2) of the ATIA, 24(2)(a) of PIPA</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> Section 63(1) of ATIA, section 71(1) of the FOIP Act, and section 51 of PIPA</p>

		</div>
	</div>
<p>June 4, 2025</p>

<table id="tablepress-2-no-8" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>

]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Preparing Records at Issue and Index of Records</title>
		<link>https://oipc.ab.ca/resource/practice-note-preparing-records-at-issue-and-index-of-records/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:01 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16784</guid>

					<description><![CDATA[When a public body, custodian or organization (respondent) withholds entire pages of records or severs information from records in responding&#8230;]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
In this document, “Commissioner” means the Commissioner or the Commissioner’s delegated Adjudicator or authorized Senior Information and Privacy Manager.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a></p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#records">Records at Issue</a></li>
<li><a href="#inquiry-records">Additional requirements for records provided for an inquiry</a></li>
<li><a href="#index">Index of Records</a></li>
<li><a href="#checklist">Preparing Records at Issue Checklist</a></li>
<li><a href="#glossary">Glossary of Terms</a></li>
</ul>
</div>

		</div>
	</div>

<p>When a public body, custodian or organization (respondent) withholds entire pages of records or severs information from records in responding to an applicant’s access request, the applicant can ask the Commissioner to review those decisions. The respondent must provide the records at issue, including the severed information, for the Commissioner to review. This Practice Note sets out instructions for providing records at issue for both the settlement and inquiry phases. As explained below, there may be different requirements for different phases of the review.</p>
<p>“Records at issue” are the entire records in response to an access request. “Information at issue” is the information severed from pages that were provided to the applicant. The “records at issue” are not exchanged with other parties.</p>
<p>The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed, or information withheld under sections 4(1)(a), (s), (t), (w), 27, 32(1)(a) or 32(2) of the ATIA. Respondents will be required to provide information supporting those claims, and affidavits may be requested in an inquiry (please see <a href="https://oipc.ab.ca/resource/practice-note-providing-affidavits-and-other-evidence/" target="_blank" rel="noopener">Practice Note: Providing Affidavits and Other Evidence</a>).</p>
<p>The respondent must also provide an index of records for the review. An “index of records” helps to organize the records at issue. The requirements of an index of records provided for the settlement phase of the review are different from the requirements of an index of records provided for the inquiry phase. The requirements for each are discussed below.</p>
<p>At the inquiry stage, the respondent will be asked to provide a new copy of the records at issue and a new index of records. The new copies will reflect any new decisions made by the public body to disclose additional information. Where no new decisions have been made, the new copy of the records will be identical to those previously provided.</p>
<p>Where the records at inquiry are different from those previously provided for the review, the Commissioner may also rely on both the new records and those previously provided to decide the issues in the inquiry.</p>

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="records"></a></p>
<h2>Records at Issue</h2>
<p>When the Commissioner requests records at issue for a review, respondents must:</p>
<h5><strong>Document all redacting decisions made regarding the records.</strong></h5>
<p>If the respondent decides to release more information following the settlement phase, the records and information at issue will consist only of records and information still being withheld.</p>
<h5><strong>Provide a copy of the records in electronic format.</strong></h5>
<p>The Commissioner may specify the method and format respondents must use to provide the records.</p>
<h5><strong>Provide copies of the records at issue, not originals.</strong></h5>
<p>A respondent must keep its own set of records at issue so that it can make arguments or respond to questions.</p>
<h5><strong>Indicate the information that has been withheld or severed, and cite under what provision.</strong></h5>
<p>With respect to severed information, the preferred format is one copy of an unredacted version that identifies the severing decisions (e.g. by highlighting or outlining). Where this is not practicable, the Commissioner may accept both a severed and unredacted version of the records.</p>
<p>The section numbers of the applicable legislation (i.e. exceptions to disclosure) that are being relied on to withhold records or information are to be noted on the page adjacent to each redaction. Where multiple exceptions are applied to information in a page, it must be clear which exception applies to what information. For example, in some cases one exception is applied to only one sentence in a paragraph, and another exception is applied to the whole paragraph. The records must clearly show which exception was applied to only the sentence <u>and</u> which sentence it was applied to, as well as which exception was applied to the whole paragraph.</p>
<p>Blank pages of records withheld in their entirety need not be provided where there are large numbers of such pages, or where all the records are withheld, but the index of records must make clear how many such records there are, and which section of the applicable legislation is being applied to each page.</p>
<p>If a respondent is proposing to disclose information but a third party objects to its disclosure, then this information should be labeled in the records as “third party objection”.</p>
<h5><strong>Document only those redaction decisions that have been or are being communicated in a response to an applicant.</strong></h5>
<p>If a respondent has made a decision to apply a particular provision (i.e. exception to disclosure) and has communicated this decision to the applicant, then the notation in the records as to which exception was applied should refer to only that provision.</p>
<p>The records should not refer to, or indicate, any severing decisions that are not current or that have not been communicated to the applicant.</p>
<h5><strong>Number the records, with the numbering also on records provided to third parties and the applicant.</strong></h5>
<p>The page numbers of the records provided to the Commissioner must be consistent with the page numbers of the records provided to the applicant and third parties. If severed or blank pages provided to a third party or applicant have different numbers than those provided to the Commissioner, it becomes difficult, and in some cases impossible, to identify the records to which the parties are referring in their submission.</p>
<p>If there are multiple packages of records, the page numbering must be consecutive from the first package to the last, unless this is not practicable. For example, with two binders of different documents, each one may already have pages numbered in sequence. In that case, the binders may be described as “Record A” and “Record B” and the pages do not need to be renumbered; identification such as “Record A, page 2” is sufficient. A loose collection of diverse records, however, should always be numbered in sequence.</p>
<h5><strong>Be legible.</strong></h5>
<p>The records should be reviewed to make sure that the copies can be read, to the fullest extent possible.</p>
<p>The deadline for providing the records to the Commissioner for the settlement phase is set out in the acknowledgement letter issued when a review is opened.</p>

		</div>
	</div>

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="inquiry-records"></a></p>
<h2>Additional requirements for records provided for an inquiry</h2>
<p><strong>Records provided for an inquiry must not contain notations or explanations other than to note the provision applied.</strong></p>
<p>Respondents are to provide reasons for applying a provision in their submission to the inquiry and not in the records at issue (see <a href="https://oipc.ab.ca/resource/practice-note-inquiry-procedures/" target="_blank" rel="noopener">Practice Note: Inquiry Procedures</a>). Additional notations or explanations appearing in the records at issue are not properly before the Commissioner in an inquiry and will not be reviewed or relied on in the inquiry.</p>
<p>This limitation does not apply to the records provided for the settlement phase of the review.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="index"></a></p>
<h2>Index of Records</h2>
<p>When there are more than three (3) pages of records at issue, the respondent must provide an index of records to the Commissioner for the review. The index of records is to be provided in a table format. The index of records required for the review at the settlement phase must include the following:</p>
<ul>
<li>All of the pages numbered in sequence, unless this is not practical (see above).</li>
<li>For withheld or severed pages, a column identifying the section number(s) of the applicable legislation under which the information has been withheld.</li>
</ul>
<p>Indexes of records provided at the settlement phase may also include a column containing a description of the nature of the records or information being withheld, but this is not required.</p>
<p>A deadline for providing the index of records for the settlement phase will be provided to the respondent in writing.</p>
<p>Indexes of records provided for an inquiry <strong>must also include </strong>a column containing a description of the nature of the records or information being withheld (e.g. “email”, “letter”, “briefing note”, “report”, etc.). It is helpful to include titles and dates of documents if that information is not at issue.</p>
<p>In an inquiry, a copy of the index of records must be provided to the applicant and/or third party with the respondent’s submission (see <a href="https://oipc.ab.ca/resource/practice-note-inquiry-procedures/" target="_blank" rel="noopener">Practice Note: Inquiry Procedures</a>).</p>
<p>The index of records is to be sent by the respondent to the Commissioner and all other parties named on the Notice of Inquiry with the respondent’s submission. It should be labelled “Index of Records (Provided to the Parties)”.</p>
<p>Because the index of records must be provided to the other parties in an inquiry, <strong>it should not itself reveal any information that the party preparing it seeks to withhold from the other parties</strong>.</p>
<h5>Index of Records Example</h5>
<p>The index of records should account for each of the withheld or redacted pages, and every section of the applicable legislation applied. As a result, the index of records should be comprised of two tables:</p>
<ul>
<li>Table 1 according to page numbers, with descriptions of the records or information if the index is provided for an inquiry.</li>
<li>Table 2 according to the sections of the applicable legislation in which the descriptions need not be</li>
</ul>
<p>The two tables ensure the person conducting the review can quickly identify and locate the information and exceptions at issue in the records.</p>
<h5><em>Table 1 Example</em></h5>

<table id="tablepress-5" class="tablepress tablepress-id-5">
<thead>
<tr class="row-1">
	<th class="column-1">Page Number</th><th class="column-2">Description</th><th class="column-3">Section(s) of the Act</th>
</tr>
</thead>
<tbody class="row-striping">
<tr class="row-2">
	<td class="column-1">1-17</td><td class="column-2">Cabinet minutes</td><td class="column-3">22(1)</td>
</tr>
<tr class="row-3">
	<td class="column-1">18-19</td><td class="column-2">Minister’s report to Cabinet </td><td class="column-3">22(1), 16(1)(a)(ii),(b), (c)(i), 25(1)(c) </td>
</tr>
<tr class="row-4">
	<td class="column-1">20-22</td><td class="column-2">Third party report to Treasurer</td><td class="column-3">22(1), 16(1)(a)(ii), (b), (c)(i) </td>
</tr>
<tr class="row-5">
	<td class="column-1">23</td><td class="column-2">Public Body X’s letter to Minister of Public Body Y re: development in City Y</td><td class="column-3">21(1)(a)(ii), 25(1)(c)</td>
</tr>
<tr class="row-6">
	<td class="column-1">24-30</td><td class="column-2">Memo re: Policy Options for Public Body Y</td><td class="column-3">Disclosed</td>
</tr>
<tr class="row-7">
	<td class="column-1">Record A</td><td class="column-2">Treasury’s financial analysis for Cabinet</td><td class="column-3">22(1)</td>
</tr>
<tr class="row-8">
	<td class="column-1">Record B</td><td class="column-2">Third Party’s report to Public Body X </td><td class="column-3">16(1)(a)(ii),(b),(c)(i) </td>
</tr>
</tbody>
</table>
<h5><em>Table 2 Example</em></h5>

<table id="tablepress-6" class="tablepress tablepress-id-6">
<thead>
<tr class="row-1">
	<th class="column-1">Section(s) of the Act</th><th class="column-2">Page Number(s)</th>
</tr>
</thead>
<tbody class="row-striping">
<tr class="row-2">
	<td class="column-1">Section 16(1)(a)(ii),(b), (c)(i)</td><td class="column-2">18-19, 20-22; Record B </td>
</tr>
<tr class="row-3">
	<td class="column-1">Section 21(1)(a)(ii) </td><td class="column-2">23</td>
</tr>
<tr class="row-4">
	<td class="column-1">Section 22(1)</td><td class="column-2">1-17, 18-22; Record A: 1-5 </td>
</tr>
<tr class="row-5">
	<td class="column-1">Section 25(1)(c)</td><td class="column-2">18-19, 23</td>
</tr>
</tbody>
</table>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="checklist"></a></p>
<h2>Preparing Records at Issue Checklist</h2>
<table>
<tbody>
<tr>
<td width="29"></td>
<td width="571">Are the records numbered?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Is the numbering consistent, such that the numbers on the records are the same as those on records provided previously to the applicant or a third party?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Are the records legible? If the records are in electronic form, can they be opened?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Are all redaction decisions current and clearly indicated on the records?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Has the requestor been told about all the redaction decisions documented on the records?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Has a set of records been kept for the respondent’s use in the inquiry?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">If the records are for an inquiry, have all extraneous comments been removed from the records?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Should an index of records be provided? If so, has an index of records been prepared?</td>
</tr>
</tbody>
</table>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="glossary"></a></p>
<h2>Glossary of Terms</h2>

<table id="tablepress-10-no-2" class="tablepress tablepress-id-10">
<thead>
<tr class="row-1">
	<th class="column-1">Term</th><th class="column-2">Definition</th>
</tr>
</thead>
<tbody class="row-striping row-hover">
<tr class="row-2">
	<td class="column-1">Adjudication</td><td class="column-2">The team that manages the inquiry phase.</td>
</tr>
<tr class="row-3">
	<td class="column-1">Adjudicator</td><td class="column-2">The person that the Commissioner has delegated to be the decision-maker in the inquiry.</td>
</tr>
<tr class="row-4">
	<td class="column-1">Affected parties</td><td class="column-2">Individuals or other organizations that could be affected by the decision made in the inquiry. May also be referred to as third parties.</td>
</tr>
<tr class="row-5">
	<td class="column-1">Applicant</td><td class="column-2">The individual who formally requested access to information or requested correction of their personal or health information under the ATIA, FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-6">
	<td class="column-1">Arguments</td><td class="column-2">The reasons why a party believes the evidence shows certain facts to be true, and why the Commissioner should interpret the law a certain way.</td>
</tr>
<tr class="row-7">
	<td class="column-1">Case Resolution</td><td class="column-2">The team that conducts the settlement phase of a review.</td>
</tr>
<tr class="row-8">
	<td class="column-1">Complainant</td><td class="column-2">The individual who made a formal complaint that personal information was collected, used or disclosed in contravention of the FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-9">
	<td class="column-1">Custodian</td><td class="column-2">The health service provider, whether an individual or an organization, from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-10">
	<td class="column-1">Evidence</td><td class="column-2">Information/material that establishes the facts on which a party is relying.</td>
</tr>
<tr class="row-11">
	<td class="column-1">In camera</td><td class="column-2">A portion of a submission provided only to the Commissioner in an inquiry.</td>
</tr>
<tr class="row-12">
	<td class="column-1">Inquiry</td><td class="column-2">A formal adjudicative process, usually conducted in writing.</td>
</tr>
<tr class="row-13">
	<td class="column-1">Interveners</td><td class="column-2">Individuals or organizations whose opinions or specialized knowledge can provide a broader understanding of the issues at inquiry.</td>
</tr>
<tr class="row-14">
	<td class="column-1">Mediation/investigation</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as the settlement phase.</td>
</tr>
<tr class="row-15">
	<td class="column-1">Notice of Inquiry</td><td class="column-2">Identifies the parties involved in the inquiry and their contact information, the issues that will be addressed, and a schedule for submissions.</td>
</tr>
<tr class="row-16">
	<td class="column-1">Organization</td><td class="column-2">The business, corporation, union or partnership from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-17">
	<td class="column-1">Parties</td><td class="column-2">The respondent (public body, custodian or organization), applicant/complainant, or other affected parties who are part of the inquiry.</td>
</tr>
<tr class="row-18">
	<td class="column-1">Public body</td><td class="column-2">The government department or other public entity from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-19">
	<td class="column-1">Respondent</td><td class="column-2">The public body, custodian or organization that has duties under the legislation.</td>
</tr>
<tr class="row-20">
	<td class="column-1">Senior Information and Privacy Manager</td><td class="column-2">The person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the Case Resolution phase. May also be referred to as an investigator.</td>
</tr>
<tr class="row-21">
	<td class="column-1">Settlement</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation.</td>
</tr>
<tr class="row-22">
	<td class="column-1">Submissions</td><td class="column-2">Informs the Commissioner and the other parties about what a party thinks are the central issues in a case, and provides evidence and makes arguments about how those issues should be decided.</td>
</tr>
<tr class="row-23">
	<td class="column-1">Third Parties</td><td class="column-2">Parties, other than the respondent or applicant/complainant, who are part of the inquiry. For example, organizations and individuals whose information is the subject of an applicant’s access request. May also be referred to as affected parties.</td>
</tr>
</tbody>
</table>


		</div>
	</div>

<p>June 4, 2025</p>


]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
