Public Sector Privacy Law (applies to public bodies)

Protection of Privacy Act

The Protection of Privacy Act (POPA or Act) applies to public bodies in Alberta. Public bodies include government ministries or departments, government agencies, boards and commissions, school boards and charter schools, universities and colleges, municipalities, and police.

POPA went into force in June of 2025. It replaced the privacy part of Freedom of Information and Protection of Privacy Act (FOIP Act). The FOIP Act is no longer in force in Alberta and has been repealed.

POPA protects privacy by controlling the ways a public body may collect, use or disclose personal information. No personal information may be collected by or for a public body unless the collection is:

• Authorized by another law or enactment
• For purposes of law enforcement
• Information that relates to and is necessary for an operating program or activity of the public body including a common or integrated program or activity

Your personal information must be collected directly from you subject to certain exceptions and when collected in this manner, you must be notified about the purpose of collection. Once collected, your personal information may be used or disclosed for the intended purpose of collection. Your personal information may be used or disclosed for other purposes in some situations, such as when you consent. A public body must also protect your personal information from loss or unauthorized access or disclosure and must notify you about a breach involving your personal information if there is a real risk of significant harm to you as a result of the breach.

You have rights under POPA as it relates to your personal information, including that information collected about you must be reasonably accurate, you have the right to access your personal information, and you can make a complaint if you believe that your personal information is being collected, used or disclosed contrary to the Act.

Under POPA, public bodies are permitted to data match personal information to create additional personal information. This is called “derived data” under POPA. Public bodies are also permitted to modify personal information so that it can no longer identify an individual. This is referred to in the Act as “non-personal data”. Derived data and non-personal data are subject to the Act, meaning that the Information and Privacy Commissioner has oversight of this data. If you believe that the process used to create derived data or non-personal data is not in accordance with the Act, you can make a complaint to the Commissioner.

It is an offence for a person to collect, use or disclose personal information contrary to the Act, to perform data matching contrary to the Act, and to reidentify or attempt to reidentify personal information from non-personal data.

See below for more information about exercising your privacy rights under POPA.

For more information on submitting a privacy complaint, click here.

Back to top of the page

Health Sector Privacy Law (applies to custodians)

Health Information Act

The Health Information Act (HIA or Act) applies to “custodians”,  such as government departments responsible for health services in Alberta, provincial health agencies (Recovery Alberta, Assisted Living Alberta, Acute Care Alberta, Primary Care Alberta), hospital services (Alberta Health Services, Covenant Health, Lamont Health Care Centre), pharmacies and pharmacists, physicians, optometrists, registered nurses, dentists, and their health service providers or employees.

HIA protects privacy by controlling the ways a health custodian may collect, use or disclose health information, including diagnostic, treatment, care and registration information. Custodians are prohibited from collecting, using, or disclosing health information unless permitted by the Act.

Your health information may be used and disclosed by custodian for the purposes of providing you with health care including to other health care providers or other persons who may be involved in your health care. Your health information may also be used or disclosed for the purposes of managing the public health care system in Alberta and for making certain of your health information accessible electronically to those authorized to have this access. The electronic health care record in Alberta is called “Netcare”.

Custodians must consider your expressed wishes when deciding how much information to disclose to others and for making it accessible through Netcare. What this means is that if you inform your health care provider that you don’t want all of your health information, or certain kinds of information, such as highly sensitive health information, accessible by others, you can express this wish to a custodian and they must consider it before making the specified health information accessible.

If you were to express your wish to a custodian that you do not want your health information accessible through Netcare, the custodian could “mask” this information so that other care providers cannot access this information unless they “break the glass”, which means they may unmask it. Generally, this would only occur with your consent or in circumstances where you cannot give your consent due to your medical condition.

Your health information may also be disclosed with your consent. If disclosure of your health information is authorized without your consent, you have the right to ask about it. You also have the right to request a record – also known as an “audit log”. Requesting an audit log of Netcare accesses will show you who has accessed your health information in Netcare.

A custodian is required to protect your health information from loss, unauthorized access or disclosure and must notify you if your health information is involved in a breach and you are at risk of significant harm as a result of the breach.

In addition to the rights mentioned, you have the right under the HIA to request a correction of health information (not opinions), you have the right to access your health information and you can make a complaint if you believe that your health information has been collected, used, accessed or disclose contrary to the HIA.

It is an offence in the HIA to collect, use, access or disclose health information contrary to the HIA and to fail to protect health information as required by the Act.

See below for more information about exercising your privacy rights under HIA.

For more information on submitting a privacy complaint, click here.

Back to top of the page

Private Sector Privacy Law (applies to private organizations)

Personal Information Protection Act

The Personal Information Protection Act (PIPA or Act) applies to private organizations, such as businesses, employees, partnerships, trade unions and professional regulatory bodies.

PIPA protects privacy by controlling the ways a private organization may collect, use or disclose personal information and personal employee information.

Private sector organizations must have your consent to collect, use or disclose your personal information. Collection, use or disclosure without consent is authorized in some situations under PIPA. In addition to having consent, an organization must also have a reasonable purpose for this activity. The Act specifies that what is reasonable is what a reasonable person would consider appropriate in the circumstances.

If you are an employee, consent is not required for the collection, use or disclosure of personal employee information by the employer that is reasonably required for the  work relationship.

A private sector organization is required to protect your personal information from loss, unauthorized access and use or disclosure and must notify you about a breach of your personal information if you face a real risk of significant harm from the breach.

You have rights under PIPA, including the right to request access to your own personal information. You may make a complaint to the Information and Privacy Commissioner if you believe that your personal information has been collected, used, disclosed, accessed inappropriately or breached. You may also make a complaint to the Commissioner if you believe that an organization’s practices are not in compliance with PIPA.

It is an offence under PIPA for an organization, to collect, use, disclose or attempt to gain access to your personal information contrary to the Act.

See below for more information about exercising your privacy rights under PIPA.

For more information on submitting a privacy complaint, click here.

Back to top of the page

Exercising your Privacy Rights

Complaints about the collection, use or disclosure of your own personal information

If you believe your personal or health information has been collected, used, or disclosed improperly under POPA, HIA, or PIPA, you may submit a complaint in writing to the Office of the Information and Privacy Commissioner (OIPC). Before submitting your privacy complaint to the OIPC, you must first make your complaint to the public body, custodian or private organizations (as applicable).

Your written complaint must provide enough detail to support your belief that your personal or health information has been collected, used or disclosed in contravention of the law.

The Commissioner may assign a staff member to try and informally resolve your complaint (referred to as the settlement phase). If the matter is not resolved during the settlement phase, the Commissioner will decide if the matter will go inquiry. An inquiry is a formal hearing that results in an order being issued. An order made by the OIPC is final.

General complaints about non-compliance with privacy laws (not your own personal information)

You may also submit a general complaint under POPA in the following two circumstances: POPA Privacy/Correction Request form

1. You believe a public body created personal information from matching (or linking) two or more sources of personal information (this is referred to in POPA as data derived from data matching) contrary to the requirements for this activity as specified in POPA.
2. You believe there has been an actual or attempted reidentification of data by a person after personal information has been rendered as non-identifiable by a public body as required by POPA or its regulations.

You may also submit a general complaint under PIPA if you believe that an organization’s practices for protecting privacy as required by this Act are not in compliance. PIPA Request for Review/Complaint form

Back to top of the page

About the OIPC

The Information and Privacy Commissioner is responsible to monitor compliance with Alberta’s privacy laws to ensure their purposes are achieved. The work of the Commissioner is performed through the Office of the Information and Privacy Commissioner.

The Commissioner has broad authority under these laws to investigate allegations of non-compliance and to issue binding orders to enforce compliance. The Commissioner also has a number of additional responsibilities under these laws including advocating for privacy rights of Albertans. The Commissioner is an officer of the Legislature and in this capacity operates independently from government ministers and departments.

Disclaimer This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.

Back to top of the page

Public Sector Access Law (applies to public bodies)

Access to Information Act

The Access to Information Act (ATIA or Act) applies to public bodies in Alberta. Public bodies include government ministries or departments, government agencies, boards and commissions, school boards and charter schools, universities and colleges, municipalities, and police.

ATIA went into force in June of 2025. It replaced the access to information part of the Freedom of Information and Protection of Privacy Act (FOIP Act). The FOIP Act is no longer in force in Alberta and has been repealed.

Under the ATIA, you have the right to:

• Request access to any information contained in a record that is in the custody or control of a public body, including your personal information, subject to limited and specific exceptions set out in the law
• Ask the OIPC to review a public body’s decision to withhold information from you in response to your access to information request
• Ask the OIPC to review when a public body has not responded to your access request within timelines or if you dispute a time extension the public body has taken to respond to your request
• Ask the OIPC to review a decision to release your personal or business information in response to another access request
• Ask the OIPC to review fees the public body has charged, estimated, or refused to waive in connection with your access request
• Ask the OIPC to review when a public body has disregarded or declared your request abandoned

To make an access request, submit it in writing to the public body that you think has the information. Provide enough detail to help find the information. You can ask to look at or receive a copy of the records.

An initial fee of $25 may be required when requesting access to general information. Additional fees may be charged depending on the extent of the request. You must be provided with an estimate of fees and you must accept the fees before your request is processed.

A fee does not apply to requesting your personal information except for the cost of producing a copy of the record. The fees that can be charged are set out in a Schedule to the ATIA Regulation. Fees can be waived in some situations, and you may ask the OIPC to review a decision to charge a fee.

There is no fee associated with asking the OIPC to review a decision made by a public body.

Back to top of the page

Health Sector Access Law (applies to custodians)

Health Information Act

The Health Information Act (HIA or Act) applies to “custodians”, such as the four government departments responsible for health services in Alberta, provincial health agencies (Recovery Alberta, Assisted Living Alberta, Acute Care Alberta, Primary Care Alberta), hospital services (Covenant Health, Lamont Health Care Centre), pharmacies and pharmacists, physicians, optometrists, registered nurses, dentists, and their health service providers or employees.

Under HIA, you have the right to:

• Request access to your own health information from a health custodian
• Ask the OIPC to review a health custodian’s decision to withhold information from you in response to your request for health information
• Ask for a correction of your health information
• Ask the OIPC to review a health custodian’s response to your request to correct your health information

To make an access request, submit it in writing to the health custodian that you think has the information. Provide enough detail to help find the information. You can ask to look at or receive a copy of the records.

An initial fee of $25 may be required when requesting access to a record containing health information. Processing of a request will not start until the $25 fee is paid, if applicable. Additional fees may be charged depending on the extent of the request. You must be provided with an estimate of fees and you must accept the fees before your request is processed.

A fee does not apply to requesting your health information except for the cost of producing a copy of the record. The fees that can be charged are set out in a Schedule to the HIA Regulation. Fees can be waived or reduced in some situations. You may ask the OIPC to review a decision to charge a fee.

There is no fee associated with asking the OIPC to review a decision made by a public body.

Back to top of the page

Private Sector Access Law (applies to private organization)

Personal Information Protection Act

The Personal Information Protection Act (PIPA) applies to private sector “organizations”, such as businesses, employees, partnerships, trade unions and professional regulatory bodies.

Under PIPA, you have the right to:

• Request access to your own personal information from an organization. The organization may refuse access to your personal information in certain circumstances prescribed by PIPA. Instead of requesting access, you can choose instead to request information about the use or disclosure of your personal information by the organization.
• Ask for a correction of your personal information
• Ask the OIPC to review a private sector organization’s response to your request for access or correction

To make an access request, submit it in writing to the private sector organization that you think has the information. Provide enough detail to help find the information.

You are not able to ask for general information about an organization, for example financial statements of a condominium corporation. You can only ask for information that is about you. You can also ask to look at or receive a copy of the records.

You may be charged a fee for processing your request. No fees can be charged if requesting your information as an employee. You must be provided with an estimate of fees and you must accept the fees before your request is processed.

You may ask the OIPC to review a decision to charge a fee or how an estimate was created.

There is no fee associated with asking the OIPC to review a decision made by a private sector organization.

Back to top of the page

About the OIPC

The Information and Privacy Commissioner enforces how Alberta’s access to information laws are applied to ensure the purposes are achieved. The Commissioner reports to all members of the Legislative Assembly of Alberta and is independent from government ministers and departments

You may ask the OIPC to:

• Review a public, health or private sector organization’s decision that relates to your request to access information, including a failure to respond, a time extension, or in the case of ATIA, if the public body has disregarded or abandoned your request.
• Review a response to your request for correction
• Review a public body’s decision to release information about you in response to another access request (ATIA Act only)

To ask for a review of your request for access information or a correction request under HIA and PIPA, you must:

• Send your request to the OIPC in writing within the timelines set out in the laws
• Provide the OIPC with a copy of your request for access or correction and a copy of the response to your request.

For more information on submitting a request to review a response to an access to information request under ATIA, HIA or PIPA, click here.

For more information on submitting a request to review a correction request, click here.

Back to top of the page

June 2025

What is a review?

The Commissioner has authority under the FOIP Act, HIA and PIPA to review certain matters.

Under the FOIP Act, the Commissioner has authority to review the following matters:

• any decision, act or failure to act by the head of a public body related to requests for access to information,
• a decision by the head of a public body to give access to information of a third party,
• whether a public body has collected, use or disclosed an individual’s own personal information contrary to the Act, and
• any decision, act or failure to act of the head related to a correction request.

Under the HIA, the Commissioner has authority to review the following matters:

• any decision, act or failure to act of a custodian related to a request for access or correction concerning one’s own health information,
• where an individual believes that their own health information has been collected, used or disclosed by a custodian contrary to HIA, and
• the refusal of a health custodian to disclose health information pursuant to s.47(2).

Under PIPA the Commissioner has authority to review any decision, act or failure to act of an organization related to a request for access by an individual to their own personal information.

Reviews generally have two phases.  A settlement phase, which involves the Case Resolution Team attempting to settle the matter under review, and an inquiry phase, which is a formal adjudicative hearing conducted by the Adjudication Team from which an order is issued.  An inquiry may occur if settlement is not achieved.

Back to top of the page

What is an investigation?

Under PIPA, the Commissioner is authorized to investigate privacy complaints about the following:

• personal information has been collected, used or disclosed by an organization in contravention of this Act or in circumstances that are not in compliance with this Act,
• notification of an incident described in section 34.1 has not been provided in accordance with this Act, and
• an organization is not in compliance with this Act.

Privacy complaints will also generally try to be settled by the Case Resolution Team.  If settlement cannot be achieved, the matter may move to inquiry, like in the case of reviews.

Back to top of the page

What is the settlement phase?

The settlement phase is the first phase of a review or complaint investigation.  It is a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  It may also be referred to as a mediation or investigation.  The majority of files are resolved at the settlement phase.

Please note that our office made some adjustments to our procedures in 2024 and 2025, in the interest of creating greater efficiencies in our work. This page has been updated to reflect those changes.

Forms referenced in this document are available on our office’s website at https://oipc.ab.ca/forms/.

Also, please note that some important definitions are provided at the bottom of this page.

Back to top of the page

Commissioner’s Mandate

The Commissioner is not a part of the Government of Alberta. The Commissioner is an independent Officer of the Legislature and reports directly to the Alberta Legislative Assembly.

Through the Office of the Information and Privacy Commissioner (OIPC), the Commissioner performs the legislative and regulatory responsibilities set out in the following laws:

• Freedom of Information and Protection of Privacy Act (FOIP Act) [repealed June 11, 2025]
• Access to Information Act (ATIA) [in force June 11, 2025]
• Protection of Privacy Act (POPA) [in force June 11, 2025]
• Health Information Act (HIA)
• Personal Information Protection Act (PIPA)

 

Back to top of the page

Transition from FOIP to ATIA and POPA

Public bodies were subject to the FOIP Act until June 11, 2025.  When ATIA and POPA are brought into force, these Acts will repeal the FOIP Act.  The ATIA applies to access to information requests.  POPA applies to review responses to correction requests made after June 2025. It also applies to review complaints regarding the collection, use or disclosure of an individual’s own personal information by a public body where the individual first makes a complaint to the public body concerned after June 2025.

The FOIP Act continues to apply to review responses to access or correction requests made or third parties notification decisions prior to June 2025. It also applies to complaints about the collection, use or disclosure of personal information by a public body which occurred prior to the repeal of the FOIP Act.

For more information, please see the Practice Note-Transitional- FOIP Act to ATIA and POPA.

Back to top of the page

What We Do…

• Review the decisions of public bodies, health custodians, and private sector organizations in regards to requests for access to information or correction of personal or health information made under the Acts
• Review or investigate complaints regarding the collection, use or disclosure of personal or health information
• Under PIPA, investigate complaints about whether an organization is in compliance with the Act, such as enquiries into an organization’s general practices, and in relation the duty to notify the Commissioner about a privacy breach under section 34.1
• Try and settle reviews and complaints
• Where settlement cannot be achieved or as instructed by the Commissioner, conduct inquiries and issue binding orders

Back to top of the page

What We Do Not Do…

• Act as an advocate on behalf of any party to a review or investigation
• Release records that are the subject of a review
• Store records on behalf of the Government of Alberta or any other party
• Impose fines or award damages
• Hear appeals of claims, benefits or decisions that do not fall under the Acts
• Discipline, terminate or reinstate employees
• Regulate the actions of individuals as private citizens
• Regulate the constituency offices of members of the legislative assembly (but we do regulate access and privacy issues involving actions of cabinet members and ministries)

Back to top of the page

Making a Request for Review or Complaint to the Commissioner

Under the FOIP Act:

• an applicant may ask the Commissioner to review any decision, act or failure to act by the public body that relates to an applicant’s access to information request or request for correction, and
• a third party who has been notified by a public body that its information will be given to an applicant may ask the Commissioner to review that decision

Complete the ATIA Request for Review form to request any of these reviews under FOIP Act.

• Under FOIP Act, a complainant may ask the Commissioner to review an individual’s belief that their own personal information has been collected, used or disclosed by a public body in contravention of this Act or any decision, act or failure to act in relation to a request to correct personal information.

Complete the POPA Request for Review Form to request any of these reviews under FOIP Act

Under HIA and PIPA:

• • an applicant may ask the Commissioner to review or investigate any act, decision or failure to act by a custodian or organization related to an access or correction request,
  • a complainant may ask the Commissioner to review or investigate their belief that their own personal or health information has been collected, used or disclosed contrary to this Act

• Under PIPA, an individual may also ask the Commissioner to investigate whether an organization is in compliance with this Act, such as enquiries into an organization’s general practices.

Complete the PIPA Request for Review/Privacy Complaint and Correction Form for reviews or complaints under this Act

Complete the HIA Request for Review/Privacy Complaint and Correction Form for reviews or complaints under this Act

Back to top of the page

Time Limits to Request a Review

A review or investigation may be requested by completing the applicable form to the OIPC within the following timelines:

FOIP Act and HIA

Within 60 days after they are notified of the decision by the public body or custodian or become aware of an incident involving the collection, use and disclosure of personal or health information.

PIPA

Within 30 days from the day that they are notified of the decision by the organization. Incidents involving the collection, use and disclosure of personal information under PIPA must be delivered to the Commissioner within a reasonable time period.

The Commissioner may allow for reviews or complaints to be submitted outside of the time limits above, based on the circumstances and where the law permits.

Third Parties under FOIP

A third party must complete and submit the relevant form (see “Making a Request for Review or Complaint to the Commissioner” above) to the OIPC within 20 days after being notified by a public body of its decision to give an applicant access to third party information. The Commissioner has no power to allow a third party a longer period to submit a request for review.

Back to top of the page

Overview of Proceedings

Intake

To initiate a review or make privacy complaint, the applicable form must be completed (see “Making a Request for Review or Complaint to the Commissioner” above) AND submitted together with all supporting documents in one submission. Otherwise, the submission will be returned. We also enforce a 15-page limit for submissions.

Every submitted form is checked for:

• Jurisdiction – is it something the OIPC can do under one of the Acts?
• Whether it was received by the OIPC within the required time limits
• Whether there is evidence that substantiates the request for review or complaint

Any person who submits a form for making a review or complaint will be contacted at the intake stage to discuss their submission and obtain clarification. They must be available to participate in our process and respond to requests in a timely manner, usually by phone and/or email. Otherwise, a file may not be opened. Any person who cannot meet this requirement, may name an agent to represent them.

The responding public body may also be contacted at this stage, as required.

Please note our refer-back process for privacy complaints and adequacy of search reviews.

Refer-back for privacy complaints

For complaints regarding the collection, use or disclosure of personal or health information, it is a requirement under OIPC processes to make the complaint first to the public body, custodian or organization, if the complainant has not already given the entity an opportunity to resolve the complaint.

Refer-back for adequacy of search reviews 

For reviews where the only concern is that an applicant believes the public body, organization or custodian holds more responsive records than what were processed in the request (an ‘adequate search concern’), the applicant must first submit the concern directly to the entity, along with supporting evidence as to why they believe additional records exist.

We require that the entity be given at least 30 business days to respond.  After attempting to resolve the matter directly with the entity, if the applicant still has reason to believe the response does not comply with the relevant law they can bring the concern back to our office. At that point, our office will consider whether further investigation by the OIPC is warranted.

Issue identification

Working with the applicant/complainant, the OIPC will identify the review or complaint issues at the intake phase. Only those issues that (a) have enough evidence; and, (b) are within our jurisdiction will move forward. Those issues will be communicated to the applicant/complainant to confirm their understanding and, if applicable, to advise on the limits of our jurisdiction.

If the OIPC proceeds with a review or investigation, a file is opened, and an acknowledgment letter (containing the confirmed issues) is issued to the applicant/complainant and the public body/custodian/organization. A copy of the request for review form and any attachments to the request are included with the letter. General privacy complaint forms or related materials will not generally be provided to an organization.

In the letter to the public body/custodian/organization, it will be asked to provide a contact person who will be responsible for working with the assigned investigator to settle the matter. The contact person must have the ability to settle the issues. This means that they must have timely access to the decision-maker or directly involve the decision-maker in the conversations.

New records requirements and timelines 

For access request reviews, the public body/custodian/organization will also be asked to provide a copy of the records to the OIPC with the inclusion of a records index, within 7 business days of a notification letter, in accordance with the Practice Note – Preparing Records at Issue and Index of Records.  It may also be asked to provide the OIPC with a copy of the access request and any correspondence concerning the request with the applicant.  The OIPC will provide a link to securely send records and any other sensitive documentation to the OIPC.

The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed.  The Practice Note – Providing Affidavits and other Evidence provides an explanation as to the expected content of the submission, even though it is not usually in affidavit form at the settlement stage.

 

Request for Review Forms and Attachments Are Disclosed

A copy of any request for review form and any attachments submitted along with the form must be disclosed to the public body, custodian or organization.  This is a requirement in these Acts.  As a result, any person submitting a request for review form under any of these Acts should specify to the OIPC if there is information in the form or accompanying attachments that they want the Commissioner to consider removing before sharing with the public body, custodian or organization.  In considering these requests, consideration will be given to whether the information should be disclosed for fairness purposes or if it is necessary to conduct the review.

Address for Service

Each party must provide an address for service to which all official communications will be sent for the purposes of the review/investigation.

As noted above, we must have an effective and timely means of communication with the parties. As such, each party is to provide us with an email address for this purpose. We also require a mailing address which may be used to deliver certain correspondence related to the file. We will use secure email or other forms of secure electronic transmission to send communications containing sensitive information.

Applicant/Complainant

The address for service is to be identified on the applicable form (see “Making a Request for Review or Complaint to the Commissioner” above).

Public Body/Custodian/Organization

The address for service of the public body/custodian/organization will be identified in the acknowledgement letter that the OIPC sends to each party as part of the initial notification process.

Changes or Updates

A party must use the Change of Contact and/or Address for Service Form on the OIPC website to update contact information or the address for service at any time during the review/investigation.

The address for service of each party will be circulated to all other parties.

Review and Investigation

An OIPC investigator, known as a Senior Information and Privacy Manager (SIPM) will be assigned to try to settle your request for review or privacy complaint.

The office receives a high volume of requests for reviews and complaints. As such, your file may be inactive until the SIPM has the capacity to begin to work on it. The parties will be notified when the SIPM starts actively working on the file. While the parties wait to hear from the SIPM, we encourage the parties to try to resolve the matter directly with one another.

Our new case resolution process involves us trying to settle matters under review or investigation in as short a time as is possible. That is why we try to settle matters verbally over the phone. As such, once a file is activated, we must be able to reach the parties, usually by phone, in a timely manner in order to participate in our case resolution process. If we cannot reach the applicant/complainant, we may discontinue the review or investigation. If this occurs, the parties will be notified.

The SIPM begins the review or investigation by examining the confirmed issues, the submission of the applicant/complainant and, in the case of a review of an access request, the records provided by the public body/custodian/organization. The SIPM also reviews the relevant law and any past cases that have interpreted the law against the issues to be determined.

The SIPM will contact the public body/custodian/organization (Respondent) to gather any relevant evidence necessary to form an opinion about whether the law was complied with by the respondent.

The SIPM may also need to contact the applicant/complainant for additional information. Please note that we will not accept documented evidence from an applicant/complainant unless it is requested by the SIPM. Any unsolicited evidence will be returned or deleted.

The SIPM will form an opinion about whether the Respondent has complied with the law as it relates to the issues under review or investigation. The SIPM will discuss the opinion with the parties in an effort to settle the issues. The Respondent may agree to take certain actions in order to remedy any non-compliance.

Any resolution reached will be documented in writing and sent to the parties. As applicable, the SIPM will ensure that any agreed-upon terms are followed by the Respondent.

Inquiries

If any or all of the issues are not settled and the applicant/complainant wants to proceed further in our process, the SIPM will work with the parties to determine any agreed-upon facts. The file will then be brought to the Commissioner to determine whether an inquiry will proceed, only on those unsettled issues.

Once the file is transferred to the Commissioner, the SIPM will close the file at the settlement stage.

Inquiries are formal adjudicative proceedings. The inquiry process is not an examination of the process or an evaluation of the findings and recommendations made during the review and investigation process. The inquiry gives the parties an opportunity to present their evidence “de novo” (from the beginning) and to rebut or support evidence presented by the other party.

The Commissioner may refuse to conduct an inquiry in certain circumstances:

• The subject matter has been dealt with, in an order or investigation report of the Commissioner
• The circumstances warrant refusing to conduct an inquiry (for instance, if there is no meaningful remedy)

A decision to refuse to conduct an inquiry will be issued to the parties in writing.

If any unsettled issues proceed to inquiry, a Confirmation of Inquiry letter will be issued to the parties, which will confirm the issues for the inquiry. A Notice of Inquiry will be issued at a later date which includes a copy of the Request for Review/Complaint Form and attachments and sets out a schedule of dates for the written submissions of the parties.

Affected Parties and Intervenors

Some inquiries may include “affected parties”. An affected party is any other party who, in the opinion of the Commissioner, is affected by the request for review or complaint. A copy of the relevant form (see “Making a Request for Review or Complaint to the Commissioner” above) and attachments may be provided to the affected party.

An affected party may make representation to the Commissioner at inquiry, but is not required to participate.

In certain cases, the Commissioner may give intervenor status to parties, if the Commissioner determines it is appropriate. An intervenor can be useful in bringing a broader perspective to issues than the parties involved.

Order

On completing an inquiry, the Commissioner or delegated adjudicator must issue an Order disposing of the matter.

An Order made by the Commissioner or delegated adjudicator is final. However, a party may apply to the Court of King’s Bench of Alberta for judicial review of an Order.

Timelines to complete a review

Under FOIP and HIA, the Commissioner is to complete a review within 90 days after the OIPC received the request for review or complaint unless that period is extended by the Commissioner.  PIPA allows the Commissioner to complete a review or investigation within one year from the day that the request for review/complaint was received by the OIPC. PIPA also allows the Commissioner to extend that period.

Parties will be notified as to the anticipated date for completion and any extensions to the anticipated date for completion.

For estimated timelines for the settlement phase of a review, see “How long will a review take” on the OIPC website at: https://oipc.ab.ca/information-access-review and https://oipc.ab.ca/privacy-correction-complaint

Back to top of the page

Definitions

• Applicant – a person who makes an access to information request or a request for correction of their personal or health information under the FOIP Act, HIA or PIPA
• Complainant – a person who believes their personal or health information has been collected, used or disclosed in contravention of one of the Acts
• Custodians – health care providers and other identified entities subject to HIA
• Organizations – private sector entities subject to PIPA
• Public Bodies – public sector entities subject to FOIP Act
• Senior Information and Privacy Manager (SIPM) – the person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the settlement phase. May also be referred to as an investigator
• Settlement – a process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation
• Third Party – a person, a group of persons, or an organization other than an applicant or a Respondent (public body/custodian/organization)

If you have any questions with respect to the OIPC review/investigation process, please contact the OIPC.

Back to top of the page

June 2025

Preparing submissions

For inquiries relating to access requests under the FOIP Act, ATIA, PIPA and HIA, the respondent usually has the burden of proof, to show that the claimed exception applies. Where an applicant is requesting personal information about other individuals (third parties) under the FOIP Act or ATIA, the applicant has the burden of proof to show that the information ought to be provided to the applicant. Where third party organizations are objecting to the disclosure of their confidential business information under the FOIP Act or ATIA, the organization has the burden of proof. For additional guidance on preparing submissions for an inquiry into the application of exceptions to access, see Practice Note – Directions to Respondents When Making Submissions

For inquiries relating to privacy complaintsprivacy complaints includes complaints about the accuracy of an individual’s personal information and requests for reviews of decisions regarding a request to correct personal information under the FOIP Act, HIA, PIPA and POPA, the complainant has to provide some reason for the Commissioner to find that the event complained about occurred as alleged. The respondent must then show that it had authority to take the action it did.

The purpose of a submission is for the party to make their case as it relates to the issues in the inquiry. For example, in an inquiry relating to an access request, an applicant might explain why they believe an exception applied to information in a record does not apply. The Respondent must explain why the exception does apply. In an inquiry relating to a complaint about the collection, use, or disclosure of personal information, the complainant should show what collection, use, or disclosure of their personal information occurred, and explain why they believe the collection, use, or disclosure was not permitted. The Respondent explains how the collection, use or disclosure was authorized.

Unless otherwise specified in the Notice of Inquiry, where an applicant or complainant does not bear the burden of proof, the applicant or complainant can rely on their request for review an any attachments instead of providing a submission to the inquiry. The applicant or complainant must inform the Commissioner in writing that they are relying on these documents, following the instructions set out in the Notice of Inquiry.

Parties should ensure they address each issue set out in the Notice of Inquiry. Parties are also encouraged to review relevant Orders, case law, and OIPC Practice Notes. Orders and other OIPC decisions are available here and on CanLII.org. The parties may also review other Practice Notes that address specific issues, available on the OIPC website.

Information that may be useful for parties to provide to the Commissioner for an inquiry includes:

• Excerpts from relevant legislation or regulations that apply to the operations of the public body, custodian or organization, and that relate to the issues in the inquiry;
• Excerpts from policy manuals that set out relevant practices or policies of the public body, custodian or organization;
• Excerpts and pinpoint citations of relevant orders and relevant court decisions; and
• Excerpts and pinpoint citations of decisions made by Information and Privacy Commissioners in other jurisdictions that may be of assistance to the Commissioner when considering the issues.

It is important to identify how the above information relates to the issues set out for the inquiry.

Do not provide entire copies of statutes, regulations, court decisions or Orders.

Upon receipt of the parties’ submissions, the Commissioner may request additional information or arguments from one or more parties. Deadlines for responses will be provided.

Parties should be aware that submissions previously provided for the settlement phase are generally not carried forward to the inquiry. All materials provided to the Commissioner for the inquiry will be attached to the Notice of Inquiry; parties are responsible for ensuring that any additional information they want the Commissioner to consider in the inquiry is included in their inquiry submission.

 

Back to top of the page

Page limits for submissions

The maximum length for a submission is 20 pages. The Commissioner may decline to consider lengthy submissions. This limit does not include supporting evidence such as affidavits or excerpts of authorities.

Back to top of the page

Submissions are exchanged

Parties must provide a copy of their submissions and related documents to each of the other parties listed in the Notice of Inquiry. Submissions and other documents that are not exchanged with the other parties will not be provided to the adjudicator for the inquiry.

The exception is where a party has sought and received permission to provide a portion of their submission or other document in camera. Parties wanting to request that part of their submission be accepted in camera must make the request in accordance with the process set out in the Request to Provide an In Camera Submission form. Generally, the party must provide a proposed redacted version of the submission and provide detailed reasons for not exchanging the identified portions. Submissions will be accepted in camera only in specific circumstances set out in form.

Requests to provide part of a submission in camera may be rejected if they do not follow the process set out in the form.

Back to top of the page

Timelines for submissions

Each Act sets out specific time limits for completing inquiries under those Acts. While the OIPC considers these time limits to be directory – see Peters v East 3rd Street North Vancouver Limited Partnership, 2023 BCSC 879 (CanLII), at paragraph 27, or  Rahman v. Alberta College and Association of Respiratory Therapy, 2001 ABQB 222 (CanLII) – the inquiry process has been designed to meet those timelines in all possible cases.

Parties will be expected to provide their submissions and other requested information by the deadline provided in the Notice of Inquiry or correspondence from the adjudicator. A party may request a short time extension to provide a submission or response where necessary. Such requests must

• be made before the party’s deadline;
• be made in writing;
• include the additional time requested;
• include reasons for the request;
• be provided to the other parties listed in the Notice of Inquiry.

Decisions to grant extensions are at the discretion of the Commissioner and may be constrained by the time limits for completing the inquiry.

Parties are encouraged to submit their extension requests using the Request to Extend the Submission Deadline form, available on the OIPC website.

Back to top of the page

Decision following completion of inquiry

Once the above inquiry process is complete, the Commissioner will review the submissions and other materials provided for the inquiry, and make a determination on the issues. The Commissioner’s decision will be provided to the parties in writing.

Back to top of the page

Address for Service/Contact information

Written inquiries are conducted by email or other electronic means as determined by the Commissioner. Parties are required to provide an email address for service to be used for the exchange of written inquiry submissions and other correspondence.

Parties unable to participate electronically may request permission to participate by mail. A formal request must be made to the adjudication team to participate by mail.

All parties must also provide written notice, as outlined above, of any changes to their address for service. The form for change of contact or address for service is available on this page.

If the applicant or complainant who asked for the inquiry fails to provide a current address for service or fails to give notice of changes to the address for service, the Commissioner may discontinue the inquiry.

Back to top of the page

Correspondence with the OIPC

All inquiry materials must be provided in writing. During an inquiry, parties are asked to send all correspondence to the Adjudication Case Manager or Registrar of Expedited Inquiries, as directed. Do not contact or send correspondence directly to the Commissioner or adjudicator.

Parties with questions about the inquiry process can call or email the Adjudication Case Manager or Registrar of Expedited Inquiries; contact information will be provided in the correspondence sent to parties.

Back to top of the page

Expedited Inquiries

In some circumstances, a request for a review may be streamlined to an expedited inquiry process. In general, the following requests for review may proceed to an expedited inquiry:

• a public body’s failure to respond to an access request under the ATIA;
• a public body’s decision to extend its time to respond;
• a public body’s decision to disregard a request; or
• a public body’s decision that a request was abandoned.

An organization’s or custodian’s failure to respond to an access request under PIPA or the HIA may be streamlined directly to an expedited inquiry process.

The expedited inquiry process generally involves condensing the usual inquiry process, including shortening submission schedules, and a strict adherence to timelines. Where available, respondents are encouraged to provide their submission using the relevant form, available on the OIPC website at https://oipc.ab.ca/forms/.

Back to top of the page

Glossary of Terms

Term	Definition
Adjudication	The team that manages the inquiry phase.
Adjudicator	The person that the Commissioner has delegated to be the decision-maker in the inquiry.
Affected parties	Individuals or other organizations that could be affected by the decision made in the inquiry. May also be referred to as third parties.
Applicant	The individual who formally requested access to information or requested correction of their personal or health information under the ATIA, FOIP Act, HIA or PIPA.
Arguments	The reasons why a party believes the evidence shows certain facts to be true, and why the Commissioner should interpret the law a certain way.
Case Resolution	The team that conducts the settlement phase of a review.
Complainant	The individual who made a formal complaint that personal information was collected, used or disclosed in contravention of the FOIP Act, HIA or PIPA.
Custodian	The health service provider, whether an individual or an organization, from which the information was requested or against which the complaint was made (also called “respondent”).
Evidence	Information/material that establishes the facts on which a party is relying.
In camera	A portion of a submission provided only to the Commissioner in an inquiry.
Inquiry	A formal adjudicative process, usually conducted in writing.
Interveners	Individuals or organizations whose opinions or specialized knowledge can provide a broader understanding of the issues at inquiry.
Mediation/investigation	A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as the settlement phase.
Notice of Inquiry	Identifies the parties involved in the inquiry and their contact information, the issues that will be addressed, and a schedule for submissions.
Organization	The business, corporation, union or partnership from which the information was requested or against which the complaint was made (also called “respondent”).
Parties	The respondent (public body, custodian or organization), applicant/complainant, or other affected parties who are part of the inquiry.
Public body	The government department or other public entity from which the information was requested or against which the complaint was made (also called “respondent”).
Respondent	The public body, custodian or organization that has duties under the legislation.
Senior Information and Privacy Manager	The person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the Case Resolution phase. May also be referred to as an investigator.
Settlement	A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation.
Submissions	Informs the Commissioner and the other parties about what a party thinks are the central issues in a case, and provides evidence and makes arguments about how those issues should be decided.
Third Parties	Parties, other than the respondent or applicant/complainant, who are part of the inquiry. For example, organizations and individuals whose information is the subject of an applicant’s access request. May also be referred to as affected parties.

Back to top of the page

Arguments and information about the law

Arguments and information about the law include citing the applicable tests for applying an exception, as set out in past Orders and court decisions. This part of the submission may be brief for each exception applied, especially where the interpretation of the exception and tests to be applied are settled.

Where an exception has not been considered in past Orders or court decisions, the respondent should explain how it believes the exception applies. Similarly, if a respondent disagrees with how an exception has been applied in past Orders, the respondent should explain how it believes the exception should be applied and why. Respondent should provide support for such arguments, such as case law.

Back to top of the page

Arguments and information about the factual context of the records

Arguments and information about the factual context of the records includes information that shows why an exception applies to the particular information at issue.

Many exceptions to access can be applied only in particular circumstances. For example,

• Under the FOIP Act and the ATIA, some exceptions to access apply only where the relevant information is created by or for individuals holding specific positions or is in correspondence between individuals holding specific positions[1].
• Under PIPA, some exceptions apply to personal information that was collected in specific circumstances, such as for an investigation[2] or information collected by mediators in the course of conducting a mediation[3].
• Under the FOIP Act, ATIA, HIA, and PIPA, several exceptions apply where the disclosure of the relevant information could reasonably be expected to result in a specified outcome[4]. The Supreme Court of Canada has set out the evidentiary standard to be used in access-to-information legislation wherever the phrase “could reasonably be expected to” appears: there must be a reasonable expectation of probable harm, and the party claiming the exception must provide sufficient evidence to show that the likelihood of the specified outcome is considerably above a mere possibility[5].

It is important for respondents to provide sufficient factual information to show that the circumstances set out in each exception being applied are present in each case. Relevant information may include the position titles and responsibilities of individuals involved in creating and receiving the information, and details of the circumstance in which the records were created.

Respondents applying exceptions that include the phrase “could reasonably be expected to” must provide sufficient evidence to meet this evidentiary standard. Respondents should clearly explain how the information being withheld could lead to the stated outcome; merely assertions are generally insufficient.

Parties may not succeed in an inquiry if they do not provide evidence to support their arguments. It is not sufficient to provide the Commissioner with records and leave it up to the Commissioner to try to draw from the records the facts on which the decisions will be based. The Commissioner requires that persons representing the public body, custodian or organization provide evidence speaking to the contents of the records, for example by explaining how each part of a record for which an exception to disclosure is claimed falls within the exception.

If the success of an argument depends on underlying facts, providing the argument alone is not sufficient. The underlying facts must be established by evidence. As well, evidence should not be provided in the form of unattributed assertions made in the context of an argument. If a fact is being put forward, it must be shown how this fact is known to be true (e.g., by way of a statement, preferably sworn, of someone who knows the fact, or by other objective evidence, such as documents).

Back to top of the page

Points to address in drafting a submission

• Clearly identify each part of a record that has been withheld from disclosure and address each exception applied.
• Review previous Orders [or relevant Interpretation Bulletins] to determine how the exceptions have been applied, and how those interpretations apply to the information being withheld.
• Clearly state how each provision, and the relevant tests for each provision, apply to the information being withheld.
  • This should be done on a record-by-record, page-by-page, or line-by-line basis, as appropriate.
  • Respondents may identify and group similar information in the pages in their arguments.
• Where the exception applied is a discretionary exception, the respondent should include a discussion of the exercise of discretion in applying that exception to withhold information.
  • The exercise of discretion should be addressed on a record-by-record, page-by-page, or line-by-line basis, as appropriate.
  • The respondent should ensure it addresses all relevant factors, and explain why they do or do not apply in the specific circumstances of the information/record.
• Where the exception applied requires proof that a record was created for a particular purpose, or was created by or for particular positions, provide the relevant facts to support the application of that exception.
• Where the respondent is providing an affidavit in support of its factual or legal claims, ensure that the affidavit includes the requirements set out in Practice Note: Providing Affidavits and Other Evidence.
• Ensure each issue set out in the Notice of Inquiry is addressed.

Back to top of the page

[1] For example, sections 27(1)(b) and (c) of the FOIP Act and 32(1)(b) and (c) of the ATIA
[2] For example, section 24(2)(c)
[3] For example, section 24(2)(e)
[4] For example, sections 20(1) of the FOIP Act and 21(1) of the ATIA; section 11(1)(a) of the HIA; section 24(3)(a) of PIPA
[5] Merck Frosst Canada Ltd. v. Canada (Health), 2012 SCC 3 (CanLII), [2012] 1 SCR 23

General Guidelines when providing affidavits

In an inquiry, affidavits are to be exchanged with the other parties to the inquiry.

An affidavit must contain information about the person swearing the affidavit, including the individual’s name and an explanation of how they have knowledge of the evidence being presented in the affidavit.

An affidavit should, wherever possible, be sworn by a person having personal knowledge of the facts being sworn to.

Affidavit evidence should be sufficiently detailed to allow the Commissioner and parties to an inquiry to fully understand its contents, and should, wherever possible, be confined to facts within the personal knowledge of the person swearing the affidavit.

Parties shall ensure that all affidavits provided to the Commissioner are truthful, complete, and accurate.

It is an offence under the Acts for anyone to willfully make a false statement to, mislead, or attempt to mislead the Commissioner in the performance of their functions.

Back to top of the page

Affidavits in support of a Respondent’s search for records

The duty to assist under section 10 of the FOIP Act, section 12 of the ATIA, section 27 of PIPA and section 10 of the HIA includes a duty to conduct an adequate search for records.  The respondent has the burden of proving that it conducted an adequate search for records responsive to an access request.

In an inquiry addressing a respondent’s search for records, it is helpful for the respondent to provide the Commissioner with an affidavit regarding the search conducted for records responsive to the applicant’s access request. In addition to the elements set out in the general guidelines above, the respondent may wish to consider addressing the following:

 The specific steps taken by the respondent to identify and locate records responsive to the applicant’s access request.

• The scope of the search conducted, such as physical sites, program areas, specific databases, off-site storage areas, etc.
• The steps taken to identify and locate all possible repositories where there may be records relevant to the access request: keyword searches, records retention and disposition schedules, etc.
• Who did the search? (Note:  that person or persons is the best person to provide the direct evidence).
• Why the respondent believes no more responsive records exist other than what has been found or produced.
• Any other relevant information.

Back to top of the page

Affidavits in support of an application of sections 4(1)(a), (s), (t), or (w) of the ATIA

Where a public body has refused access to records or information for the reason that the records or information are excluded from the scope of the ATIA under sections 4(1)(a), (s), (t), or (w) of that Act, the public body has the burden of proving that there is no right of access (section 63(1)).

In an inquiry addressing a public body’s claim that section 4(1)(a), (s), (t), or (w) of the ATIA applies, it is helpful for the respondent to provide the Commissioner with an affidavit setting out the relevant facts. In addition to the elements set out in the general guidelines above, the affidavit should include a schedule in which the public body lists the records to which it has applied sections 4(1)(a), (s), (t), or (w) of the ATIA, along with the description for each record. The description for each record should include sufficient detail to satisfy the public body’s burden of proof. Certain subsections may require specific information, for example:

• whether the public body has custody or control of the record and if not, why not (sections 4(1)(a), (s));
• who created the record (section 4(1)(t), (w));
• the position titles of the individuals involved in the communications (section 4(1)(w));
• Any other information relevant to the particular exclusion being claimed.

If the public body wishes to provide additional information regarding its application of these provisions in camera, it may request permission to do so following the process set out in Request to Provide an In Camera Submission form.

A public body is not precluded from providing the relevant records to the Commissioner as evidence.

Back to top of the page

Affidavits and other evidence in support of a claim of cabinet confidences under section 27 of the ATIA

Where a public body withholds information under section 27 of the ATIA in response to an access request, the public body has the burden of proving that there is no right of access (section 63(1)).

If a public body does not provide records or information to the Commissioner on the basis that section 27 applies to that record or information, the Commissioner may require the public body to attest that this provision applies to the information or record over which it is claimed (section 50(7)). Section 11 of the ATIA Regulation states that a public body may provide this attestation by way of a letter:

• signed or approved by the head of the public body; and
• containing a description of the record or information explaining how section 27 applies to the record or information.

A description must be provided for each record containing information to which section 27 is applied. Therefore, an attestation should include a schedule in which the public body lists the records to which it has applied sections 27(1)( or (2) of the ATIA, along with the description for each record. The description for each record should include sufficient detail to satisfy the public body’s burden of proof. The public body should address the particular elements set out in the subsection being claimed.

As the public body bears the burden of proof, a public body may also consider providing an affidavit in support of its claim.

If the public body wishes to provide additional information regarding its application of section 27 in camera, it may request permission to do so following the process set out in the Request to Provide an In Camera Submission form.

A public body is not precluded from providing the relevant records to the Commissioner as evidence.

Back to top of the page

Affidavits in support of a claim of legal privilege

A respondent is not required to provide the Commissioner with records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed under the FOIP Act or PIPA, or to which section 32(1)(a) or (2) of the ATIA has been applied[1]. This part of the Practice Note applies to legal privilege under the ATIA, and solicitor-client, litigation and informer privilege under the FOIP Act and PIPA.

Where a respondent withholds information in response to an access request claiming a relevant privilege, the respondent has the burden of proving that there is no right of access[2]. The respondent is not precluded from providing the relevant records to the Commissioner as evidence.

As stated in Edmonton (City) Police Service v Alberta (Information and Privacy Commissioner, 2020 ABQB 10 (EPS), when a respondent does not provide records that it asserts are subject to privilege for review, it is required to establish its claim by meeting the civil litigation standard for refusing to produce such records, set out in Canadian Natural Resources Ltd v ShawCor Ltd, 2014 ABCA 289 (CanLII), 580 A.R. 265 (ShawCor).

Following Alberta (Information and Privacy Commissioner) v. University of Calgary, 2016 SCC 53 (CanLII) and ShawCor, affidavits of records provided in support of claims of legal privilege must comply with Rules 5.7 and 5.8 of the Alberta Rules of Court (producible records, and records for which there is an objection to produce). In ShawCor, the Alberta Court of Appeal discussed the application of Rules 5.7 and 5.8 of the Rules of Court (producible records, and records for which there is an objection to produce). The Court stated (at para. 42-43):

… Therefore, in explaining the grounds for claiming privilege over a specific record, a party will necessarily need to provide sufficient information about that record that, short of disclosing privileged information, shows why the claimed privilege is applicable to it. Depending on the circumstances, this may require more or less than the “brief description” contemplated under Rule 5.7(1)(b) although we expect that oftentimes the brief description will suffice.

Accordingly, under either interpretation of the relevant Rules, a party must provide a sufficient description of a record claimed to be privileged to assist other parties in assessing the validity of that claim. From this, it follows that all relevant and material records must be numbered and, at a minimum, briefly described, including those records for which privilege is claimed. As noted, though, this is subject to the proviso that the description need not reveal any information that is privileged.

In addition to the elements set out in the general guidelines above, the affidavit should include a schedule in which the respondent lists the records (or bundle of records) for which privilege is claimed, along with the description for each record or bundle. A group of records may be numbered and treated as a single record if the records are all of the same nature, and the bundle is described in sufficient detail to enable the Commissioner to understand what it contains. The description for each record (or each bundle) must be sufficient to meet that test, without revealing the privileged information.

For claims of solicitor-client privilege, the Respondent should provide:

• Information about the relationship between the Respondent and the lawyer in the context of the relevant communication
• Information about the circumstances to establish that the record was created in the course of requesting or providing legal advice or is a record revealing such a request or advice
• Information about the confidentiality of the communication

For claims of litigation privilege, the Respondent should provide:

• Information establishing that the record was created for the dominant purpose of litigation
• Information establishing that the litigation has not ended

In Pritchard v. Ontario (Human Rights Commission) [2004] 1 SCR 809, the SCC determined that more evidence to support the application of solicitor-client privilege is required when advice sought from or given by an in-house or government lawyer is at issue. This is because such lawyers may be called upon to give policy advice, which is not legal advice. The Court said:

Owing to the nature of the work of in-house counsel, often having both legal and non-legal responsibilities, each situation must be assessed on a case-by-case basis to determine if the circumstances were such that the privilege arose. Whether or not the privilege will attach depends on the nature of the relationship, the subject matter of the advice, and the circumstances in which it is sought and rendered.

Therefore, a respondent that is claiming solicitor-client privilege over the advice of an in-house or government lawyer must provide sufficient information about the relationship between the lawyer and the respondent and about the circumstances in which the advice is being requested and provided, to establish that the subject-matter is legal advice rather than policy or other advice.

If the respondent wishes to provide additional information regarding its claim of privilege in camera, it may request permission to do so following the process set out in the Request to Provide an In Camera Submission form.

Back to top of the page

Sample Affidavit

 

OIPC File Number  _____________________

Applicant  __________________________________________

Respondent Public Body/Organization/Custodian __________________________________________

Affidavit of (name and status) Sworn (or Affirmed) by _____________________ on _______________, 20__

 

I, ______________________ of (municipality, province), have personal knowledge of the following (or, where applicable, I am informed and do believe that):

I am an authorized representative of (name of Respondent).

I have reviewed the records.

The records listed in Schedule 1 are in the custody or under the control of (name of Respondent).

(Name of Respondent) objects to produce the records listed in Schedule 1 on the grounds of privilege identified in that Schedule.

 

SWORN (OR AFFIRMED) BEFORE ME

at ___________________________, Alberta, this _____ day of _______________, 20___.

Commissioner for Oaths in and for the Province of Alberta

____________________________________

(Signature of Representative)

_____________________________________

 

Schedule 1

Records in the custody or under the control of (name of Respondent) for which there is an objection to produce on the ground of [cite relevant exception or legal privilege]:

	Exception or Privilege Claimed	Description
1.
2.
3.

 

Back to top of the page

 

[1] Sections 27(1)(a) of the FOIP Act, 32(1)(a) and (2) of the ATIA, 24(2)(a) of PIPA

[2] Section 63(1) of ATIA, section 71(1) of the FOIP Act, and section 51 of PIPA

Records at Issue

When the Commissioner requests records at issue for a review, respondents must:

Document all redacting decisions made regarding the records.

If the respondent decides to release more information following the settlement phase, the records and information at issue will consist only of records and information still being withheld.

Provide a copy of the records in electronic format.

The Commissioner may specify the method and format respondents must use to provide the records.

Provide copies of the records at issue, not originals.

A respondent must keep its own set of records at issue so that it can make arguments or respond to questions.

Indicate the information that has been withheld or severed, and cite under what provision.

With respect to severed information, the preferred format is one copy of an unredacted version that identifies the severing decisions (e.g. by highlighting or outlining). Where this is not practicable, the Commissioner may accept both a severed and unredacted version of the records.

The section numbers of the applicable legislation (i.e. exceptions to disclosure) that are being relied on to withhold records or information are to be noted on the page adjacent to each redaction. Where multiple exceptions are applied to information in a page, it must be clear which exception applies to what information. For example, in some cases one exception is applied to only to one sentence in a paragraph, and another exception is applied to the whole paragraph. The records must clearly show which exception was applied to only the sentence and which sentence it was applied to, as well as which exception was applied to the whole paragraph.

Blank pages of records withheld in their entirety need not be provided where there are large numbers of such pages, or where all the records are withheld, but it must be made clear in an index

of records stating how many such records there are, and which section of the applicable legislation is being applied to each page.

If a respondent is proposing to disclose information but a third party objects to its disclosure, then this information should be labeled in the records as “third party objection”.

Document only those redaction decisions that have been or are being communicated in a response to an applicant.

If a respondent has made a decision to apply a particular provision (i.e. exception to disclosure) and has communicated this decision to the applicant, then the notation in the records as to which exception was applied should refer to only that provision.

The records should not refer to, or indicate, any severing decisions that are not current or that have not been communicated to the applicant.

Number the records, with the numbering also on records provided to third parties and the applicant.

The page numbers of the records provided to the Commissioner must be consistent with the page numbers of the records provided to the applicant and third parties. If severed or blank pages provided to a third party or applicant have different numbers than those provided to the Commissioner, it becomes difficult, and in some cases impossible, to identify the records to which the parties are referring in their submission.

If there are multiple packages of records, the page numbering must be consecutive from the first package to the last, unless this is not practicable. For example, with two binders of different documents, each one may already have pages numbered in sequence. In that case, the binders may be described as “Record A” and “Record B” and the pages do not need to be renumbered; identification such as “Record A, page 2” is sufficient. A loose collection of diverse records, however, should always be numbered in sequence.

Be legible.

The records should be reviewed to make sure that the copies can be read, to the fullest extent possible.

The deadline for providing the records to the Commissioner for the settlement phase is set out in the acknowledgement letter issued when a review is opened.

Back to top of the page

Additional requirements for records provided for an inquiry

Records provided for an inquiry must not contain notations or explanations other than to note the provision applied.

Respondents are to provide reasons for applying a provision in their submission to the inquiry and not in the records at issue (see Practice Note: Inquiry Procedures). Additional notations or explanations appearing in the records at issue are not properly before the Commissioner in an inquiry and will not be reviewed or relied on in the inquiry.

This limitation does not apply to the records provided for the settlement phase of the review.

Back to top of the page

Index of Records

When there are more than three (3) pages of records at issue, the respondent must provide an index of records to the Commissioner for the review. The index of records is to be provided in a table format. The index of records required for the review at the settlement phase must include the following:

• All of the pages numbered in sequence, unless this is not practical (see above).
• For withheld or severed pages, a column identifying the section number(s) of the applicable legislation under which the information has been withheld.

Indexes of records provided at the settlement phase may also include a column containing a description of the nature of the records or information being withheld but is not required.

A deadline for providing the index of records for the settlement phase will be provided to the respondent in writing.

Indexes of records provided for an inquiry must also include a column containing a description of the nature of the records or information being withheld (e.g. “email”, “letter”, “briefing note”, “report”, etc.). It is helpful to include titles and dates of documents if that information is not at issue.

In an inquiry, a copy of the index of records must be provided to the applicant and/or third party with the respondent’s submission (see Practice Note: Inquiry Procedures)

The index of records is to be sent by the respondent to the Commissioner and all other parties named on the Notice of Inquiry with the respondent’s submission. It should be labelled “Index of Records (Provided to the Parties)”.

Because the index of records must be provided to the other parties in an inquiry, it should not itself reveal any information that the party preparing it seeks to withhold from the other parties.

Index of Records Example

The index of records should account for each of the withheld or redacted pages, and every section of the applicable legislation applied. As a result, the index of records should be comprised of two tables:

• Table 1 according to page numbers, with descriptions of the records or information if the index is provided for an inquiry.
• Table 2 according to the sections of the applicable legislation in which the descriptions need not be

The two tables ensure the person conducting the review can quickly identify and locate the information and exceptions at issue in the records.

Table 1 Example

Page Number	Description	Section(s) of the Act
1-17	Cabinet minutes	22(1)
18-19	Minister’s report to Cabinet	22(1), 16(1)(a)(ii),(b), (c)(i), 25(1)(c)
20-22	Third party report to Treasurer	22(1), 16(1)(a)(ii), (b), (c)(i)
23	Public Body X’s letter to Minister of Public Body Y re: development in City Y	21(1)(a)(ii), 25(1)(c)
24-30	Memo re: Policy Options for Public Body Y	Disclosed
Record A	Treasury’s financial analysis for Cabinet	22(1)
Record B	Third Party’s report to Public Body X	16(1)(a)(ii),(b),(c)(i)

Table 2 Example

Section(s) of the Act	Page Number(s)
Section 16(1)(a)(ii),(b), (c)(i)	18-19, 20-22; Record B
Section 21(1)(a)(ii)	23
Section 22(1)	1-17, 18-22; Record A: 1-5
Section 25(1)(c)	18-19, 23

Back to top of the page

Preparing Records at Issue Checklist

	Are the records numbered?
	Is the numbering consistent, such that the numbers on the records are the same as those on records provided previously to the applicant or a third party?
	Are the records legible? If the records are in electronic form, can they be opened?
	Are all redaction decisions current and clearly indicated on the records?
	Has the requestor been told about all the redaction decisions documented on the records?
	Has a set of records been kept for the respondent’s use in the inquiry?
	If the records are for an inquiry, have all extraneous comments been removed from the records?
	Should an index of records be provided? If so, has an index of records been prepared?

Back to top of the page

Glossary of Terms

Term	Definition
Adjudication	The team that manages the inquiry phase.
Adjudicator	The person that the Commissioner has delegated to be the decision-maker in the inquiry.
Affected parties	Individuals or other organizations that could be affected by the decision made in the inquiry. May also be referred to as third parties.
Applicant	The individual who formally requested access to information or requested correction of their personal or health information under the ATIA, FOIP Act, HIA or PIPA.
Arguments	The reasons why a party believes the evidence shows certain facts to be true, and why the Commissioner should interpret the law a certain way.
Case Resolution	The team that conducts the settlement phase of a review.
Complainant	The individual who made a formal complaint that personal information was collected, used or disclosed in contravention of the FOIP Act, HIA or PIPA.
Custodian	The health service provider, whether an individual or an organization, from which the information was requested or against which the complaint was made (also called “respondent”).
Evidence	Information/material that establishes the facts on which a party is relying.
In camera	A portion of a submission provided only to the Commissioner in an inquiry.
Inquiry	A formal adjudicative process, usually conducted in writing.
Interveners	Individuals or organizations whose opinions or specialized knowledge can provide a broader understanding of the issues at inquiry.
Mediation/investigation	A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as the settlement phase.
Notice of Inquiry	Identifies the parties involved in the inquiry and their contact information, the issues that will be addressed, and a schedule for submissions.
Organization	The business, corporation, union or partnership from which the information was requested or against which the complaint was made (also called “respondent”).
Parties	The respondent (public body, custodian or organization), applicant/complainant, or other affected parties who are part of the inquiry.
Public body	The government department or other public entity from which the information was requested or against which the complaint was made (also called “respondent”).
Respondent	The public body, custodian or organization that has duties under the legislation.
Senior Information and Privacy Manager	The person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the Case Resolution phase. May also be referred to as an investigator.
Settlement	A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation.
Submissions	Informs the Commissioner and the other parties about what a party thinks are the central issues in a case, and provides evidence and makes arguments about how those issues should be decided.
Third Parties	Parties, other than the respondent or applicant/complainant, who are part of the inquiry. For example, organizations and individuals whose information is the subject of an applicant’s access request. May also be referred to as affected parties.

Back to top of the page