<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>POPA &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<atom:link href="https://oipc.ab.ca/resources/popa/feed/" rel="self" type="application/rss+xml" />
	<link>https://oipc.ab.ca</link>
	<description>Office of the Information and Privacy Commissioner of Alberta</description>
	<lastBuildDate>Tue, 12 May 2026 15:42:38 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://oipc.ab.ca/wp-content/uploads/2022/01/cropped-OIPC-Icon-32x32.png</url>
	<title>POPA &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<link>https://oipc.ab.ca</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Guidance for Public Bodies in Developing Privacy Management Programs</title>
		<link>https://oipc.ab.ca/resource/popa-guidance-pmp/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Thu, 16 Apr 2026 17:13:01 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17480</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<h1>Introduction</h1>
<p>In a world that increasingly depends on technology and personal information, organizational accountability is essential for maintaining public trust. This guidance explains what it means for a public body to be accountable today and how to establish a Privacy Management Program (PMP) to support that responsibility. It outlines the requirements for public bodies under Alberta’s <a href="https://www.canlii.org/en/ab/laws/stat/sa-2024-c-p-28.5/latest/sa-2024-c-p-28.5.html#sec25" target="_blank" rel="noopener"><em>Protection of Privacy Act</em> (POPA)</a> and the <a href="https://canlii.ca/t/2ks77#sec6" target="_blank" rel="noopener">Protection of Privacy (Ministerial) Regulation</a> (M-Reg), and builds on earlier best-practice guidance from the privacy commissioners of Alberta, British Columbia, and Canada in <a href="https://oipc.ab.ca/wp-content/uploads/2022/02/Accountability-2012.pdf" target="_blank" rel="noopener"><em>Getting Accountability Right with a Privacy Management Program</em></a>. By following the approach described in this document, public bodies will be better prepared to meet their legal responsibilities under POPA, including protecting privacy, providing appropriate access to personal information, and supporting accountability, transparency, and fairness.</p>
<p>This guidance also includes a checklist to help public bodies set up a successful Privacy Management Program (see Appendix A).</p>
<h1>Purpose and structure of this guidance</h1>
<h2>Purpose</h2>
<p>The purpose of this guidance is to help public bodies comply with the POPA requirement to establish and implement a PMP. It addresses four topic areas that are needed for a public body to build its PMP:</p>
<ol>
<li>preparing to set up and maintain a PMP,</li>
<li>legislative alignment, i.e. ensuring a public body’s PMP meets the requirements of POPA,</li>
<li>operationalizing accountability, i.e. translating legal requirements into actions a public body must take, and</li>
<li>program expectations, i.e. a comprehensive breakdown of the policies, practices, and roles required for effective internal oversight.</li>
</ol>
<h2>Structure</h2>
<p>This guidance uses a ‘building block’ approach to help public bodies develop their PMP. Part 1 introduces the core building blocks of the PMP: organizational commitment, and a layered approach to program controls. Part 2 focuses on assessing and improving the PMP. Part 3 discusses how the PMP is used to demonstrate compliance.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<p><strong><a href="#developing-comprehensive-pmp">1. DEVELOPING A COMPREHENSIVE PRIVACY MANAGEMENT PROGRAM</a></strong></p>
<ul>
<li><a href="#organizational-commitment">Organizational Commitment</a></li>
<li><a href="#privacy-management-program-requirements">Privacy management program requirements based on volume and sensitivity (determination)</a></li>
<li><a href="#program-controls-all">Program controls for all public bodies</a></li>
<li><a href="#program-controls-sensitive-high-volume">Program controls for public bodies with sensitive or high volumes of personal information</a></li>
</ul>
<p><strong><a href="#ongoing-assessment-revision">2. ONGOING ASSESSMENT AND REVISION</a></strong></p>
<ul>
<li><a href="#develop-oversight-review-plan">Develop an oversight and review plan</a></li>
<li><a href="#assess-revise-program-controls">Assess and revise program controls</a></li>
</ul>
<p><strong><a href="#demonstrating-compliance">3. DEMONSTRATING COMPLIANCE</a></strong></p>
<ul>
<li><a href="#access-to-pmp">Access to the PMP by the public</a></li>
<li><a href="#reduce-administrative-burden">Using the PMP to reduce administrative burden</a></li>
<li><a href="#appendix-a">Appendix A &#8211; Checklist of POPA requirements for public bodies</a></li>
<li><a href="#appendix-b">Appendix B &#8211; Infographics</a></li>
<li><a href="#appendix-c">Appendix C &#8211; Glossary</a></li>
</ul>
</div>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="developing-comprehensive-pmp"></a></p>
<h1>1. Developing a Comprehensive Privacy Management Program</h1>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="organizational-commitment"></a></p>
<h2>Organizational Commitment</h2>
<h3>Senior management commitment and support</h3>
<p>Leadership is the cornerstone of building an organizational culture that respects privacy rights. For a PMP to be effective, senior management must take a leading role in promoting it.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<ul>
<li><strong>Resource allocation:</strong> the head of the public body must ensure that the designated privacy officer has the necessary financial, human, and technical resources to establish, implement, and periodically review, assess and update the PMP.</li>
<li><strong>Mandatory compliance:</strong> while public bodies face competing priorities, compliance with POPA is a legal obligation. This means that sufficient support must be given to meet the requirements under this Act.</li>
<li><strong>Public trust:</strong> the ability to collect personal information from Albertans effectively rests on public confidence. Proper funding and executive support for the public body’s PMP prevents the erosion of that trust.</li>
<li><strong>Reducing compliance overhead:</strong> a well-championed PMP helps minimize the costly and time-intensive remediation that follows complaints, investigations, and court cases.</li>
</ul>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775736594790" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>head of the public body<br />
</em></strong><em>“head”, in relation to a public body, means,</em></span></p>
<p><span style="color: #ffffff;"><em>(i)    if the public body is a department, branch or office of the Government of Alberta, the member of the Executive Council who presides over it,</em></span></p>
<p><span style="color: #ffffff;"><em> (ii)    if the public body is an agency, board, commission, corporation, office or other body designated as a public body in the regulations, the person designated by the member of the Executive Council responsible for that body to act as the head of that body or, if a head is not so designated, the person who acts as the chief officer and is charged with the administration and operation of that body,</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<h3>Designation and role of the Privacy Officer</h3>
<p>The head of a public body must designate/identify one or more individuals as the Privacy Officer for the public body. The Privacy Officer is responsible for ensuring the public body’s compliance with POPA and its regulations<a href="#_ftn1" name="_ftnref1">[1]</a>.</p>
<p><strong>Core responsibilities of the Privacy Officer:</strong></p>
<ul>
<li><strong>Liaison:</strong> Serving as the primary point of contact for privacy inquiries and concerns.</li>
<li><strong>Policy development:</strong> Supporting the creation, implementation, and maintenance of privacy policies and procedures.</li>
<li><strong>Compliance oversight:</strong> ensuring the public body adheres to POPA and overseeing the management of the PMP.</li>
</ul>
<p>Regardless of the public body’s size, the Privacy Officer is accountable for the public body’s privacy practices. The Privacy Officer is the PMP’s architect and leader. The specific duties and activities include:</p>
<ul>
<li>Establishing and regularly revising program controls (policies, procedures, etc.).</li>
<li>Developing and delivering employee training and education.</li>
<li>Documenting, monitoring, and auditing the implementation of the PMP.</li>
<li>Representing the public body during investigations by the Office of the Information and Privacy Commissioner (OIPC).</li>
<li>Championing, together with senior management, a workplace culture that prioritizes privacy.</li>
</ul>
<h3>Ensuring a Privacy Officer can do their work well</h3>
<p><strong>Privacy Officer within the public body’s governance structure</strong></p>
<p>In many jurisdictions, a privacy officer or equivalent official is given some protection from reprisal by executives whose interests may conflict with those of the privacy officer’s role. Public bodies must take care to mitigate this potential conflict by having the Privacy Officer report directly to the head of the public body, who is accountable for the overall performance and compliance of the public body.</p>
<p><strong>Adequate resourcing</strong></p>
<p>The need for resourcing is determined by the size and complexity of the public body.</p>
<ul>
<li><strong>Small public bodies:</strong> The Privacy Officer may be able to manage privacy duties alongside other professional responsibilities.</li>
<li><strong>Large public bodies:</strong> In organizations that handle high volumes or sensitive personal information, the Privacy Officer should typically be a full-time role supported by dedicated staff (e.g. within a Privacy Office).</li>
</ul>
<p><strong>Budgetary Integration </strong></p>
<p>Budget for the PMP and a public body’s privacy functions (e.g. Privacy Office) is required to ensure long-term sustainability of the PMP. Such funding should be established as a <strong>non-discretionary</strong> line item within the public body’s annual budget.</p>
<h3>Auditing, reporting and escalation</h3>
<p>A successful PMP must include reporting mechanisms. These tools ensure that the Privacy Officer and management remain informed about the program&#8217;s effectiveness, identify gaps, and implement solutions for improvement.</p>
<p><strong>Internal audit and assurance</strong></p>
<p>To maintain accountability, public bodies must incorporate the PMP into their internal audit program so that the PMP is objectively evaluated on how well it supports and achieves POPA compliance.</p>
<ul>
<li><strong>Methodology:</strong> Audits should collect and document metrics that can be used to evaluate the PMP’s performance (percentage of employees who have been trained or retrained, how many complaints have been filed, how many privacy incidents have occurred, etc.).</li>
<li><strong>Independent review:</strong> In case of a significant privacy incident or systemic problems, public bodies should consider using external<a href="#_ftn2" name="_ftnref2">[2]</a> auditors to provide an unbiased assessment of (parts of) their privacy compliance framework.</li>
</ul>
<p><strong>Incident escalation and management</strong></p>
<p>Prompt reporting of a breach of personal information or of privacy complaints is essential. The PMP must clearly define the responsibilities, timelines and expectations of the escalation process.</p>
<ul>
<li><strong>Duties of the head:</strong> Under POPA, the head is obligated to protect personal information in the custody or control of the public body and to make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction. If an incident involving the loss of, unauthorized access to, or unauthorized disclosure of this personal information occurs (a Privacy Incident), and there is a real risk of significant harm to one or more individuals, the public body is required to notify the affected individuals <u>without unreasonable delay</u>, as required by the Act and regulations<a href="#_ftn3" name="_ftnref3">[3]</a>. As well, public bodies must have a process to receive and manage complaints about any alleged unauthorized collection, use or disclosure of personal information<a href="#_ftn4" name="_ftnref4">[4]</a>.</li>
<li><strong>The Privacy Officer’s role:</strong> All Privacy Incidents must be escalated to the Privacy Officer. The Privacy Officer acts as the central manager of the Privacy Incident, coordinating with the necessary experts (e.g. IT professionals, legal counsel, and communications advisors) to resolve the matter. The Privacy Officer also reports Privacy Incidents to the head. For complaints, the Privacy Officer is responsible for investigating to determine whether the complaint is substantiated and for taking any action needed to address the complaint and mitigate the risk of recurrence, including recommending discipline of employees for snooping or other serious violations.</li>
<li><strong>Progress tracking:</strong> For privacy complaints, staff should track progress and report to the Privacy Officer to ensure the organization is following its documented protocols effectively and in a timely manner. Such reporting, when properly implemented, ensures early detection of systemic problems with meeting the public body’s statutory obligations.</li>
</ul>
<p><strong>Testing and validation</strong></p>
<p>Public bodies should periodically test their Privacy Incident protocols. These exercises should evaluate:</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<ul>
<li><strong>Identification:</strong> How quickly the Incident is spotted (and if it is spotted at all by staff).</li>
<li><strong>Escalation:</strong> How efficiently the right people are notified.</li>
<li><strong>Containment:</strong> How effectively the Incident is contained, e.g. any unauthorized access or disclosure is stopped.</li>
<li><strong>Compliance:</strong> How well the public body is able to fulfill its requirements regarding Privacy Incident management under POPA<a href="#_ftn5" name="_ftnref5">[5]</a>.</li>
</ul>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775736676478" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>POPA </em></strong><em>25(1) A public body must establish and implement a privacy management program consisting of documented policies and procedures that promote the public body’s compliance with its duties under this Act. </em></span></p>
<p><span style="color: #ffffff;"><em>25 (2) A privacy management program must (a) be proportional to the volume and sensitivity of the personal information in the custody or under the control of the public body, and (b) comply with the prescribed requirements.</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="privacy-management-program-requirements"></a></p>
<h2>Privacy management program requirements based on volume and sensitivity (determination)</h2>
<p>POPA requires a tiered approach to public bodies’ PMPs. All public bodies must meet the requirements under section 6(1) of the M-Reg. Those public bodies that process high volumes of personal information or sensitive personal information must meet additional requirements under section 6(2) of the M-Reg. The following determines whether your public body needs to meet these additional requirements:</p>
<p><strong>Sensitivity of personal information</strong></p>
<p>A public body <strong>must determine</strong> if it has custody or control of highly sensitive information. Section 1 of the M-Reg defines <em>high-sensitivity information </em>as:</p>
<p><em>(a) biometric information about an individual;</em></p>
<p><em>(b) financial information about an individual;</em></p>
<p><em>(c) personal information respecting a minor, senior or vulnerable individual</em></p>
<p>Biometric information is further defined in section 1(a) of the Act as:</p>
<p><em>information derived from an individual’s unique measurable characteristics;</em></p>
<p><strong>Volume of personal information</strong></p>
<p>A public body <strong>must determine</strong> if it has custody or control of a high volume of Albertans’ personal information. High volume is not defined, as it is to be interpreted as a contextual, qualitative threshold based on risk.</p>
<p><strong>Determination</strong></p>
<p>In accordance with the determinations made, the public body must proceed to meet the requirements applicable to all public bodies and, if applicable, those imposed on public bodies that handle highly sensitive personal information, high volumes of personal information, or both. Implementing all the requirements found under section 6 of the M-Reg is also a matter of best practice, regardless of whether a public body handles highly sensitive personal information or high volumes of personal information.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="program-controls-all"></a></p>
<h2>Program controls for all public bodies</h2>
<h3>Personal information inventory</h3>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
<p>A comprehensive personal information inventory is an essential prerequisite for privacy compliance under POPA. If a public body does not know the nature and volume of the personal information it collects, uses, and retains, it cannot realistically meet its statutory obligations. Additionally, an inventory is indispensable for meeting transparency requirements regarding personal information holdings (e.g. see section 57 of POPA regarding personal information banks). The personal information inventory directly supports section 6(1)(c) of the M-Reg, which mandates the establishment of a security classification system for personal information and data derived from personal information. Without a comprehensive inventory, a public body cannot accurately classify its personal information holdings. It would also be unable to apply, and provide transparency about, the safeguards required for automated systems that process personal information under section 6(1)(b)(iii) of the M-Reg. The creation of a personal information inventory can be part of the broader effort to create a data inventory<a href="#_ftn6" name="_ftnref6">[6]</a> for a public body.</p>
<p><strong>What is a personal information inventory?</strong></p>
<p>A personal information inventory should capture all recorded personal information that is in the custody or control of a public body, including that held by vendors. This personal information includes unique identifiers, biometrics, data, or metadata that could, when combined with other data, reasonably identify an individual. Identifying the sensitivity and categories of this information is a prerequisite for the mandatory training of employees required by section 6(1)(d) of the M-Reg: to fulfill their obligations, staff must understand the specific nature of the personal information they handle and how they work with it in the public body’s business processes. Furthermore, documenting this inventory allows the Privacy Officer to maintain effective oversight and ensure that the public body’s internal policies, including those for correcting information or managing Privacy Incidents, are grounded in an accurate map of the organization&#8217;s data landscape.</p>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775737008148" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>M-Reg 143/2025 </em></strong></span></p>
<p><span style="color: #ffffff;"><strong><em>6(1)</em></strong><em> A privacy management program established by a public body under section 25 of the Act must include</em></span></p>
<p><span style="color: #ffffff;"><strong><em>(a)</em></strong><em> the designation or identification of a privacy officer within the public body who is responsible for ensuring the public body’s compliance with the Act,</em></span><br />
<span style="color: #ffffff;"><strong><em>(b)</em></strong><em> internal policies and procedures to address the public body’s duties under the Act, including policies and procedures for <strong>(i)</strong> responding to</em></span><br />
<span style="color: #ffffff;"><strong><em>(A)</em></strong><em> requests for the correction of an individual’s personal information under section 7 of the Act,</em></span><br />
<span style="color: #ffffff;"><strong><em>(B)</em></strong><em> incidents described in section 10(2) of the Act, and</em></span><br />
<span style="color: #ffffff;"><strong><em>(C)</em></strong><em> complaints made under section 38(2) of the Act,</em></span><br />
<span style="color: #ffffff;"><strong><em>(ii)</em></strong><em> the creation, use and disclosure of non personal data, if the public body will create, use or disclose non personal data, and</em></span><br />
<span style="color: #ffffff;"><strong><em>(iii)</em></strong><em> how automated systems will use personal information, including any security or technical safeguards that will be implemented to protect personal information, if the public body will use personal information in an automated system to generate content or make decisions, recommendations or predictions,</em></span><br />
<span style="color: #ffffff;"><strong><em>(c)</em></strong><em> the establishment of a security classification system for personal information, data derived from personal information and non personal data in the custody or under the control of the public body,</em></span><br />
<span style="color: #ffffff;"><strong><em>(d)</em></strong><em> mandatory training for employees of the public body about the obligations of those employees under the Act, with specified expiry periods after which retraining is required, and</em></span><br />
<span style="color: #ffffff;"><strong><em>(e)</em></strong><em> timelines for the periodic review, assessment and update of the privacy management program.</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><strong>The personal information inventory role in PMPs</strong></p>
<p>As highlighted, an accurate inventory is the baseline for designing and implementing an effective PMP. It provides the data needed to manage information-sharing agreements and personal information banks, and is fundamental to detailing the authority for collection and the parties to whom personal information is disclosed. This inventory must be updated frequently; by doing so it supports the M-Reg section 6(1)(e) requirement for periodic review and assessment of the PMP by providing a clear benchmark for what information is currently held and how it is protected. By doing the following, the public body creates the essential foundation for privacy compliance:</p>
<ul>
<li>documenting the location (physical and logical) of storage;</li>
<li>documenting the categories of personal information it holds;</li>
<li>documenting the categories of individuals, such as minors, adults, or seniors, whose personal information it holds;</li>
<li>documenting the specific purposes for which personal information is collected, used and disclosed; and</li>
<li>asserting the sensitivity and security classification of this personal information.</li>
</ul>
<p>The personal information inventory will assist when the public body has to respond to complaints and access requests. It will assist in making determinations about when a privacy impact assessment (PIA) is required and makes completing the PIA easier. Lastly, it will help the Privacy Officer effectively establish and manage the PMP so the public body will be compliant with POPA and its regulations.</p>
<h3>Policies, procedures and safeguards</h3>
<p>Public bodies are required to govern their internal operations through specific policies and procedures. Section 6(1)(b) of the M-Reg details these requirements and also refers back to the related sections of POPA.</p>
<p><strong>Statutory policies and procedures</strong></p>
<p>Public bodies must establish policies and procedures to handle:</p>
<p><u>Requests for Correction of personal information (section 6(1)(b)(i)(A) M-Reg, section 7 POPA)</u></p>
<ul>
<li><strong>Accuracy:</strong> Policies and procedures must outline how the public body will receive and process requests to correct errors in personal information (e.g., birth dates, contact info).</li>
<li><strong>Opinions vs. facts:</strong> Since professional opinions cannot be ‘corrected’, the policy or procedures must provide a mechanism for individuals to append a statement of disagreement to the record.</li>
<li><strong>Notification:</strong> If a correction is made, the policies or procedures must include a process to notify any third party to whom the information was disclosed.</li>
</ul>
<p><u>Privacy incidents (section 6(1)(b)(i)(B) M-Reg, section 10(2) POPA)</u></p>
<ul>
<li><strong>Privacy Incident containment:</strong> Policies and procedures must detail immediate steps to contain a Privacy Incident.</li>
<li><strong>Investigation: </strong>Policies and procedures must guide the Privacy Officer on the duty to conduct an investigation to determine the cause of the Privacy Incident and the steps to take to prevent recurrence.</li>
<li><strong>Risk assessment:</strong> Policies and procedures must guide the Privacy Officer on evaluating whether a breach creates a &#8220;real risk of significant harm&#8221; (RROSH) to individuals, ensuring adherence to the requirements in section 4 of the M-Reg.</li>
<li><strong>Reporting timelines:</strong> Policies and procedures must guide the Privacy Officer on how they will carry out their duty to notify the Minister, the OIPC and affected individuals about the Privacy Incident &#8220;without unreasonable delay&#8221;, as prescribed by section 10(2) of POPA and section 4 of the M-Reg.</li>
</ul>
<p><u>Complaints (section 6(1)(b)(i)(C) M-Reg, section 38(2) POPA)</u></p>
<ul>
<li><strong>Internal review first:</strong> Policies and procedures must establish a process for receiving and responding to privacy complaints, including any follow up by the OIPC. Under POPA, individuals are required to seek a response from the public body to their complaint before bringing the matter to the OIPC.</li>
<li><strong>Documentation:</strong> Procedures must be in place to systematically document complaints, the steps taken following a complaint, and the final response provided to the complainant.</li>
</ul>
<p>For more information <a href="https://oipc.ab.ca/breach-notification/#public-bodies-popa" target="_blank" rel="noopener">see our guidance about breach notification to the OIPC.</a></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<strong>Non-personal data management</strong><br />
If a public body creates or uses &#8220;non-personal data&#8221; (anonymized, synthetic, or de-identified data derived from personal information), Division 2 of Part 3 of POPA, especially section 21, requires specific oversight by the public body:</p>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775737458442" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong>POPA</strong> 1(n): “<em>non‑personal data” means data, including data derived from personal information, that has been generated, modified or anonymized so that it does not identify any individual, and includes synthetic data and any other type of non‑personal data identified in the regulations;</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<ul>
<li><strong>Quality assurance:</strong> Non-personal data must be created in accordance with POPA requirements and as documented in the prescribed policy (section 6(1)(b)(ii) M-Reg). This means that policies should require documentation of 1) the personal information used to create the data, 2) the purpose for creating it, 3) the method used to create it, and 4) a data quality assurance process that verifies the de-identification method is effective and cannot easily be reversed (re-identification).</li>
<li><strong>Auditability:</strong> Methods used to create non-personal data must be documented and replicable for auditing purposes.</li>
<li><strong>Bias mitigation:</strong> Procedures should identify and account for potential biases in non-personal data sets so that they remain accurate for research or planning.</li>
</ul>
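<p>As an added example (not part of the OIPC guidance or any public body's documented method), the following Python script shows one way to implement the quality assurance step above in a replicable, auditable form: it measures the k-anonymity of a de-identified extract, lists the quasi-identifier combinations that would single out fewer than k records, and applies a generalization and suppression step before re-checking. The sample rows, the choice of quasi-identifiers and the value of k are constructed assumptions.</p>

```python
from collections import Counter

# Constructed sample of a de-identified extract (illustrative, not real data).
# Direct identifiers were already removed; the remaining quasi-identifiers could
# still be linked to another source to re-identify a person.
RELEASE = [
    {"age": 34, "postal": "T0A 1B2", "sex": "F", "diagnosis": "asthma"},
    {"age": 36, "postal": "T0A 3C4", "sex": "F", "diagnosis": "asthma"},
    {"age": 35, "postal": "T0A 5D6", "sex": "F", "diagnosis": "diabetes"},
    {"age": 52, "postal": "T0B 7E8", "sex": "M", "diagnosis": "asthma"},
    {"age": 58, "postal": "T0B 9F0", "sex": "M", "diagnosis": "diabetes"},
    {"age": 71, "postal": "T0C 2G3", "sex": "M", "diagnosis": "asthma"},
]

# Fields an adversary could plausibly match against other data sets (assumption).
QUASI_IDENTIFIERS = ("age", "postal", "sex")


def equivalence_classes(rows, quasi_identifiers):
    """Count rows sharing each combination of quasi-identifier values."""
    return Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)


def k_anonymity(rows, quasi_identifiers):
    """The k for which the release is k-anonymous: size of the smallest class."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singled_out(rows, quasi_identifiers, k):
    """Quasi-identifier combinations shared by fewer than k records."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return [combo for combo, n in classes.items() if n < k]


def generalize(row):
    """One generalization step: age to a 20-year band and postal code to its
    first three characters (forward sortation area)."""
    low = (row["age"] // 20) * 20
    return {**row, "age": f"{low}-{low + 19}", "postal": row["postal"][:3]}


def suppress(rows, quasi_identifiers, k):
    """Drop records whose class is still smaller than k after generalization."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return [row for row in rows
            if classes[tuple(row[q] for q in quasi_identifiers)] >= k]


def qa_check(rows, quasi_identifiers, k):
    """Verdict for the QA record: (passes, k achieved, failing combinations)."""
    achieved = k_anonymity(rows, quasi_identifiers)
    return achieved >= k, achieved, singled_out(rows, quasi_identifiers, k)


def prepare_release(rows, quasi_identifiers, k):
    """Generalize, then suppress residual outliers, and return the result
    together with the QA verdict so both can be documented for audit."""
    generalized = [generalize(row) for row in rows]
    released = suppress(generalized, quasi_identifiers, k)
    return released, qa_check(released, quasi_identifiers, k)


if __name__ == "__main__":
    print("raw k =", k_anonymity(RELEASE, QUASI_IDENTIFIERS))
    released, verdict = prepare_release(RELEASE, QUASI_IDENTIFIERS, k=2)
    print("released rows =", len(released), "verdict =", verdict)
```

<p>On the constructed rows the raw extract is only 1-anonymous (every record is unique on age, postal code and sex), generalization alone still leaves the oldest record unique, and suppression is what finally brings the release to the chosen k. The quasi-identifiers considered, the generalization rules, the k chosen and the number of records suppressed are exactly the items the documented method should record so that an auditor can reproduce the check. Note that k-anonymity only addresses singling out by linkage; it says nothing about whether the sensitive attribute within a class is uniform, so a class whose members all share the same diagnosis still discloses it.</p>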
<p><strong>Automated systems and AI</strong></p>
<p>When personal information is used in automated systems<a href="#_ftn1" name="_ftnref1">[1]</a>, including those generating content (Generative AI) or making predictions/decisions, section 6(1)(b)(iii) M-Reg mandates rigorous safeguards. Policies and procedures should set out the following details:</p>
<ul>
<li><strong>Transparency:</strong> Policies and procedures must ensure that individuals are notified if their information is being processed by an automated system to make a decision about them, and explain how that notification is given<a href="#_ftn2" name="_ftnref2">[2]</a>.</li>
<li><strong>Automated system specific information security controls:</strong> Technical controls (e.g., encryption of communications and of data at rest, access control measures such as multi-factor authentication) and administrative controls (e.g., human-in-the-loop oversight) must be documented and implemented<a href="#_ftn3" name="_ftnref3">[3]</a>.</li>
<li><strong>Risk mitigation:</strong> Procedures should address how these systems will be monitored for algorithmic bias, procedural and outcome fairness, and emerging AI privacy threats<a href="#_ftn4" name="_ftnref4">[4]</a>, such as unauthorized data scraping from, or by, AI models.</li>
</ul>
<p><strong>Periodic review of PMP</strong></p>
<ul>
<li><strong>Keeping the PMP up to date: </strong>The public body must establish timelines for the periodic review, assessment and update of the PMP as required by section 6(1)(e) of the M-Reg. Chapter 5 has more information on the steps required to do this effectively.</li>
<li><strong>Security classification:</strong> Based on the information obtained by compiling the personal information inventory, the public body can proceed to create and maintain a security classification system for personal information, data derived from personal information and non-personal data (as required under section 6(1)(c) of the M-Reg). This classification can then be used on an ongoing basis to ensure the right controls are in place to protect personal information, e.g., based on the sensitivity or volume of the information that needs to be protected.</li>
<li><strong>Mandatory training:</strong> Section 6(1)(d) of the M-Reg requires all employees of the public body (including service providers and other contractors) to undergo training about their obligations under POPA relevant to their work duties, and to take mandatory retraining on a regular basis. Awareness of and training on the PMP is a core part of this training. An easy way to ensure mandatory retraining happens is to link it to employees’ annual performance evaluations.</li>
</ul>
<p>For more information on establishing AI governance in the Public Sector, various useful publications touching on the subject have been published<a href="#_ftn11" name="_ftnref11">[11]</a>.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="program-controls-sensitive-high-volume"></a></p>
<h2>Program controls for public bodies with sensitive or high volumes of personal information</h2>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
For public bodies handling high volumes of, or highly sensitive, personal information, the requirements of section 6(2) of the M-Reg must be met in addition to those set out in section 6(1). Section 6(2) lists additional privacy and accountability requirements to mitigate the elevated risks of large-scale handling of personal information and of handling sensitive personal information, including information deemed highly sensitive under section 1 of the M-Reg.</p>
<h3>Ensuring delegation and accountability</h3>
<p>Public bodies must document the specific roles and responsibilities of all employee roles (section 6(2)(a)(i) M-Reg), not just the Privacy Officer. This is commonly done by including privacy related tasks and obligations in policies, procedures, delegation documents (e.g. delegation matrix), job descriptions, etc. This effectively creates a chain of accountability from all staff working with personal information to senior management, and ultimately to the head of the public body. This requirement dovetails with the section 6(1)(d) M-Reg requirements for training (staff should be trained on their responsibilities as delegated).</p>
<h3>Risk management</h3>
<p><strong>PIAs:</strong> Under section 6(2)(a)(ii) of the M-Reg, the process for completing and submitting PIAs must be formalized. This also means that public bodies must know when PIAs are required and make this part of the assessment of new or revised programs, activities and services. The personal information inventory and security classification conducted under section 6(1)(c) of the M-Reg can help identify when a PIA is required under section 7(1)(a) of the M-Reg. Lastly, the public body should be aware of when PIAs must be submitted to the Commissioner in accordance with section 7(5) of the M-Reg, and include dedicated activities in program and project management for assessing whether submission to the Commissioner is mandatory.</p>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775737556939" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>M-reg 143/2025 </em></strong></span></p>
<p><span style="color: #ffffff;"><em>6(2)  If a public body has custody or control of a high volume of personal information or highly sensitive personal information, the public body’s privacy management program must also include the following:</em></span></p>
<p><span style="color: #ffffff;"><em> (a)    documentation of the public body’s internal privacy management structure and internal policies and procedures to address the public body’s duties under the Act, which must address </em></span></p>
<p><span style="color: #ffffff;"><em>(i)    the roles, responsibilities and accountabilities of employees of the public body in relation to the public body’s obligations under the Act,</em></span></p>
<p><span style="color: #ffffff;"><em> (ii)    the public body’s process for completing and submitting privacy impact assessments,</em></span></p>
<p><span style="color: #ffffff;"><em> (iii)    the public body’s policies and procedures for proactive monitoring of information systems that hold personal information, data derived from personal information or non-personal data, to assess security measures and mitigate risks,</em></span></p>
<p><span style="color: #ffffff;"><em> (iv)    the public body’s policies and procedures related to oral, electronic and written consent, and</em></span></p>
<p><span style="color: #ffffff;"><em> (v)    the public body’s policies related to the use of personal information in artificial intelligence systems, the creation of data derived from personal information and the creation of non personal data, if the public body is using personal information in artificial intelligence systems, the creation of non personal data or data matching activities;</em></span></p>
<p><span style="color: #ffffff;"><em>(b)    written administrative, technical and physical safeguards for managing personal information, data derived from personal information and non personal data.</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
See our <a href="https://oipc.ab.ca/privacy-impact-assessments/#public-bodies-popa" target="_blank" rel="noopener">PIA resources, which help public bodies know when to submit a PIA to the OIPC and how to complete one.</a></p>
<p><strong>Proactive monitoring of information systems:</strong> Under section 6(2)(a)(iii) of the M-Reg, the public body is required to proactively monitor information systems that hold personal information and related data, and to document these efforts in policies and procedures. This obligation matters given the central role information systems play in keeping personal information safe, and the significant Privacy Incidents that can occur when such monitoring fails or is not implemented at all. Monitoring will not prevent every Privacy Incident, but it often limits the extent of one.</p>
<p><strong>Best practices:</strong> As a matter of best practice, the public body may, as part of the PMP, consider other risk management tools at its disposal that are relevant to mitigating privacy risks. Security Threat and Risk Assessments (STRAs) and Algorithmic Impact Assessments (AIAs) become more important where the use of innovative technology may pose a risk to the privacy of Albertans, or where other risks flow from the use of automated decision-making systems, such as unfairness and bias. The question can be approached from an information security perspective (consider an STRA), or from the perspective of whether the accuracy, completeness and correct interpretation of personal information may affect algorithmically (or AI) derived processes or outcomes for individuals (consider an AIA). STRAs can also be one way of working towards compliance with section 6(2)(a)(iii).</p>
<h3>Consent and communication protocols</h3>
<p>While all public bodies must manage personal information, those handling sensitive data must have well-defined policies for obtaining consent (section 6(2)(a)(iv) M-Reg), and must also consider the requirements under <a href="https://canlii.ca/t/2ks72#sec2" target="_blank" rel="noopener">section 2 of the Protection of Privacy Regulation.</a></p>
<ul>
<li><strong>Consent:</strong> Documentation must address how consent is captured and recorded across oral, electronic, and written interactions.</li>
<li><strong>Sensitivity context:</strong> For all consent, but especially for highly sensitive information<a href="#_ftn12" name="_ftnref12">[12]</a>, the policy or procedure <a href="https://oipc.ab.ca/wp-content/uploads/2022/02/Meaningful-Consent-2018.pdf" target="_blank" rel="noopener">must ensure that consent given is ‘informed and meaningful,’</a> providing clear evidence that the individual understands the implications of the data use.</li>
</ul>
<h3>AI governance and data matching</h3>
<p>Building on the automated systems requirements in section 6(1)(b)(iii) of the M-Reg, section 6(2)(a)(v) of the M-Reg introduces specific requirements for Artificial Intelligence (AI) and data matching.</p>
<ul>
<li><strong>AI policy:</strong> If the body uses AI, it must have specific policies governing its use, particularly how the AI creates derived data (data points inferred about an individual by a machine).</li>
<li><strong>Data matching policy and restrictions:</strong> Policies must strictly govern data matching activities, ensure compliance with Part 3 of POPA, and ensure required PIAs are created and submitted to the OIPC as required by the regulations.</li>
<li><strong>Non-personal data and data derived from personal information:</strong> Section 6(2)(a)(v) of the M-Reg has some overlap with 6(1)(b)(ii), and requires a detailed policy or procedure on the creation of non-personal data and data derived from personal information.</li>
</ul>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<h3>Administrative, technical and physical safeguards</h3>
<p>In addition to requirements regarding safeguards that apply to all public bodies under section 10 of POPA, under section 6(2)(b) of the M-Reg, public bodies managing high volumes or highly sensitive personal information must implement and document appropriate administrative, technical, and physical safeguards for the entire personal information/data lifecycle, covering not only the original personal information but also data derived from it and non-personal data sets<a href="#_ftn13" name="_ftnref13">[13]</a>.</p>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775737635952" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>Reg 132/2025</em></strong><em> Section 1(2) (a) “administrative safeguard” means a policy, procedure or practice to manage a public body’s conduct that protects the privacy of personal information, data derived from personal information and non-personal data;</em></span><br />
<span style="color: #ffffff;"><em>(b) “physical safeguard” means a measure to protect a public body’s physical assets, including electronic information systems, from natural and environmental hazards and unauthorized intrusion;</em></span><br />
<span style="color: #ffffff;"><em>(c) “technical safeguard” means a measure to protect a public body’s electronic information and control access to it.</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="ongoing-assessment-revision"></a></p>
<h1>2. Ongoing assessment and revision</h1>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="develop-oversight-review-plan"></a></p>
<h2>Develop an oversight and review plan</h2>
<p>Building on the foundational requirements of section 6(1) of the M-Reg and the enhanced expectations in section 6(2), a PMP is not static and requires periodic review under section 6(1)(e). Therefore, public bodies must establish timelines for the periodic review, assessment, and update of their PMP. Vital information for this process is provided via reporting and monitoring.</p>
<p><strong>Why periodic review is important</strong></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
<ul>
<li><strong>Public body initiated change:</strong> Public bodies regularly launch new (increasingly digital) services or change administrative practices. Periodic changes in organizational structure may merge or divest program areas from one public body to another. A review ensures that the section 6(1)(b) policies and procedures (for corrections, breaches, and complaints) stay relevant and attuned to new or changed programs and activities, and to evolving technology used in those programs and activities.</li>
</ul>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775737861537" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>M-Reg 143/2025 </em></strong></span></p>
<p><span style="color: #ffffff;"><em>6(1) A privacy management program established by a public body under section 25 of the Act must include (&#8230;)<br />
(</em><em>e) timelines for the periodic review, assessment and update of the privacy management program.</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<ul>
<li><strong>Closing compliance gaps resulting from changes in the public body’s environment:</strong> A PMP needs monitoring and frequent updating in response to changed or new regulations, <a href="https://oipc.ab.ca/decisions/orders/" target="_blank" rel="noopener">OIPC orders regarding POPA</a>, and emerging privacy and information security threats<a href="#_ftn14" name="_ftnref14">[14]</a>. Regular assessment allows the public body to find and fix non-compliance, introduce new best practices, and address weaknesses in its safeguards.</li>
<li><strong>Testing safeguards:</strong> For public bodies that process a high volume of, or highly sensitive, personal information, periodic review is the only way to verify that the written administrative, technical, and physical safeguards (section 6(2)(b)) are actually being followed in practice. Given the dynamic nature of technology, periodic reassessment and testing is standard practice<a href="#_ftn15" name="_ftnref15">[15]</a>.</li>
</ul>
<p><strong>Reporting and monitoring</strong></p>
<p>The designation of a Privacy Officer under section 6(1)(a) of the M-Reg is important in establishing oversight. In high-volume or sensitive environments, the Privacy Officer’s role expands under section 6(2)(a)(iii) of the M-Reg to include responsibility for proactively monitoring information systems that contain personal information to regularly assess and mitigate security risks.</p>
<p><strong>The need for reporting</strong></p>
<p>Reporting is a mechanism that supports accountability. The Privacy Officer acts as the bridge between technical operations and senior leadership:</p>
<ul>
<li><strong>Senior management awareness:</strong> The Privacy Officer must report PMP performance and deficiencies to senior management. For example, if the mandatory training (section 6(1)(d) M-Reg) has limited effective uptake, or is not monitored and registered, leadership must be informed to authorize resources for retraining and measures such as instructing that the training form part of performance management.</li>
<li><strong>Showing due care:</strong> In some cases, the results of these internal reports and audits may be relied upon to show that the public body is meeting its duty of care or other legal requirements. If used properly and executed diligently, reporting and monitoring create assurance of, and evidence of, due care for personal information.</li>
</ul>
<p><strong>The need for monitoring</strong></p>
<p>Monitoring is a more direct and continuous observance of the PMP&#8217;s effectiveness (compared to the periodic and structured nature of reporting).</p>
<ul>
<li><strong>Proactive monitoring:</strong> Under section 6(2)(a)(iii) of the M-Reg, the Privacy Officer can delegate and supervise the monitoring of information systems to mitigate risks before they become incidents. These activities typically involve auditing logs of access to (systems containing) personal information and verifying that the security classification system (section 6(1)(c) M-Reg) and related access controls are effective. The Privacy Officer need not be involved in depth in the day-to-day aspects of monitoring but is accountable for the privacy-related components, such as the incident thresholds used in monitoring and reporting.</li>
<li><strong>Algorithm and AI oversight:</strong> For public bodies using automated systems and AI, the Privacy Officer or their delegates must monitor automated systems to ensure they operate according to <a href="http://www.ombudsman.ab.ca/determining-fairness/administrative-fairness-guidelines/" target="_blank" rel="noopener">fairness principles</a>, maintain the safeguards established in the PMP, and do not result in the public body contravening POPA.</li>
</ul>
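<p>As an added example (not part of the OIPC guidance, and not any public body's actual monitoring tooling), the following Python script shows what the access-log audit described above can look like in practice: it reads constructed JSON-lines access events, checks each read against an illustrative security classification and role table, and applies a per-user volume threshold of the kind a Privacy Officer might set as an incident threshold for high-sensitivity record sets. The record-set names, roles, thresholds, window and log format are all assumptions.</p>

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative security classification of record sets (the kind of output a
# section 6(1)(c) M-Reg classification exercise produces) and the roles
# permitted to read each. Names, roles and thresholds are assumptions.
CLASSIFICATION = {
    "client_health": {"sensitivity": "high",
                      "allowed_roles": {"clinician", "privacy_officer"}},
    "service_requests": {"sensitivity": "medium",
                         "allowed_roles": {"clinician", "clerk"}},
}

# Incident thresholds the Privacy Officer is accountable for: reads of one
# record set by one user within a one-hour window (assumed values).
THRESHOLDS = {"high": 20, "medium": 200}
WINDOW = timedelta(hours=1)

# Constructed access log in JSON-lines form: 25 reads of a high-sensitivity set
# by one clinician within 25 minutes, one read by a clerk whose role is not
# allowed for that set, and a few legitimate reads.
_BASE = datetime(2026, 3, 2, 9, 0)
LOG_LINES = [
    json.dumps({"ts": (_BASE + timedelta(minutes=i)).isoformat(), "user": "u1001",
                "role": "clinician", "dataset": "client_health",
                "record": f"r-{i}", "action": "read"})
    for i in range(25)
] + [
    '{"ts": "2026-03-02T10:13:41", "user": "u2040", "role": "clerk", '
    '"dataset": "client_health", "record": "r-78", "action": "read"}',
    '{"ts": "2026-03-02T10:15:02", "user": "u2040", "role": "clerk", '
    '"dataset": "service_requests", "record": "s-5", "action": "read"}',
    '{"ts": "2026-03-02T11:02:17", "user": "u0007", "role": "privacy_officer", '
    '"dataset": "client_health", "record": "r-9", "action": "read"}',
]


def parse(lines):
    """Parse JSON-lines access events and convert timestamps to datetimes."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def role_violations(events):
    """Accesses where the user's role is not permitted for the record set.
    Unknown record sets are flagged as well (fail closed)."""
    findings = []
    for e in events:
        policy = CLASSIFICATION.get(e["dataset"])
        if policy is None or e["role"] not in policy["allowed_roles"]:
            findings.append({"user": e["user"], "role": e["role"],
                             "dataset": e["dataset"], "record": e["record"],
                             "ts": e["ts"].isoformat()})
    return findings


def volume_alerts(events, window=WINDOW):
    """Sliding-window count of reads per (user, record set); raise one alert
    the first time the count exceeds the threshold for that sensitivity."""
    reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "read":
            reads[(e["user"], e["dataset"])].append(e["ts"])
    alerts = []
    for (user, dataset), times in reads.items():
        # Unclassified record sets are treated as high sensitivity.
        sensitivity = CLASSIFICATION.get(dataset, {}).get("sensitivity", "high")
        limit = THRESHOLDS[sensitivity]
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                alerts.append({"user": user, "dataset": dataset, "limit": limit,
                               "reads_in_window": end - start + 1,
                               "window_start": times[start].isoformat()})
                break
    return alerts


def audit(lines):
    """Run both checks over raw log lines; the result feeds the Privacy
    Officer's incident triage and periodic reporting."""
    events = parse(lines)
    return {"role_violations": role_violations(events),
            "volume_alerts": volume_alerts(events)}


if __name__ == "__main__":
    print(json.dumps(audit(LOG_LINES), indent=2))
```

<p>The two kinds of finding call for different follow-up: a role violation is an access-control failure that should be escalated under the Privacy Incident response policy, whereas a volume alert is a prompt to confirm whether the reads had a need-to-know basis. Whatever thresholds and window are chosen, they belong in the documented monitoring procedure so that the check is repeatable and can itself be audited.</p>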

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="assess-revise-program-controls"></a></p>
<h2>Assess and revise program controls</h2>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
To maintain compliance with section 6(1)(e) of the M-Reg, reporting, monitoring and otherwise evaluating must be used to improve the PMP. This improvement cycle ensures that as the public body and its programs, activities and technology use evolve, its privacy controls adapt to meet emerging threats and operational changes.</p>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775737739703" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>M-Reg</em></strong><em> <strong>143/2025 </strong></em></span></p>
<p><span style="color: #ffffff;"><em>6(1) A privacy management program established by a public body under section 25 of the Act must include[…]</em></span></p>
<p><span style="color: #ffffff;"><em>(e) timelines for the periodic review, assessment and update of the privacy management program.</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><strong>The PMP improvement cycle</strong></p>
<p>Assessing and revising program controls involves review and adjustment across these key areas:</p>
<p><strong>a) update personal information inventories</strong></p>
<p>The inventory is the foundation of the public body’s PMP. Periodic reviews must account for new data collection points, databases, and address personal information held as part of common or integrated programs or activities. If your inventory is outdated, your security classification system (6(1)(c) M-Reg) is likely inaccurate, risking leaving sensitive data under-protected. In addition, the timeliness or quality of responses to access requests may be affected.</p>
<p><strong>b) revise policies and procedures</strong></p>
<p>Policies and procedures should be revised based on lessons learned from the Privacy Officer’s monitoring (6(2)(a)(iii) M-Reg). If a specific procedure is consistently bypassed because it is too cumbersome, it must be redesigned to ensure it remains both functional and compliant with requirements in the Act and regulations.</p>
<p><strong>c) update risk assessments</strong></p>
<p>PIAs and related types of assessments (e.g. STRAs) are not one-and-done exercises. Under section 6(2)(a)(ii) of the M-Reg, the process for completing PIAs must be periodically revisited whenever a practice, program, project or service is substantially changed, not just when it is first put in place.</p>
<p><strong>e) improve incident response protocols as they are used</strong></p>
<p>Every Privacy Incident is an opportunity to refine the policies and procedures or controls required under section 6(1)(b)(i) and 6(2)(b) of the M-Reg. Post-Privacy Incident debriefs should result in updates to response procedures, communication trees, containment strategies, and inform the enhancements of controls. Undertaking this work will minimize the risk of recurrence of harm stemming from unauthorized access to, disclosure or loss of personal information.</p>
<p><strong>f) ensure service provider management</strong></p>
<p>Public bodies remain responsible for data in the custody of service providers (e.g. third-party vendors). The improvement cycle must include regular audits of service provider contracts and security practices to ensure they align with the body&#8217;s administrative, physical or technical safeguards (6(2)(b)) and help the public body otherwise meet their obligations under POPA. Insufficient or weak service provider management can lead to privacy breaches<a href="#_ftn16" name="_ftnref16">[16]</a>.</p>
<p>For more information on this topic please see the OIPC’s <a href="/popa/providers/guide/" target="_blank" rel="noopener">Guidance for Public Bodies when Contracting Service Providers</a>.</p>
<p><strong>g) improve external communication for transparency and accountability</strong></p>
<p>Transparency and accountability are core pillars of POPA, and of <a href="https://www.coe.int/en/web/centre-of-expertise-for-multilevel-governance/12-principles" target="_blank" rel="noopener">good governance</a> in general. Public bodies should periodically review and if needed, update their public-facing privacy notices and complaint-handling procedures. Public bodies also may want to regularly review and update published information regarding the number of Privacy Incidents, access requests statistics, personal information banks, and their use of AI (e.g. an AI registry<a href="#_ftn17" name="_ftnref17">[17]</a>). Communications should be simplified and updated to ensure the public clearly understands the public body’s practices in these regards, and how to exercise their rights to correction and to make complaints. Such practices of good governance, showcasing transparency and accountability, will increase public trust in the public body.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="demonstrating-compliance"></a></p>
<h1>3. Demonstrating compliance</h1>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="access-to-pmp"></a></p>
<h2>Access to the PMP by the public</h2>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
Public bodies have an obligation under POPA, section 25(3), to provide the PMP to any person who requests a copy of the PMP. The regulation specifies that this may also be done by publishing the PMP, so it is readily accessible to the public. From a transparency and accessibility perspective, it is recommended that public bodies publish the PMP on their website.</p>
<p>Furthermore, the regulation permits the public body to withhold certain sensitive information relating to the security of personal information in its custody or under its control. Commonly, such information includes detailed descriptions of security controls, (parts of) assessments such as STRAs or penetration tests, and similar documentation that could be used for adversarial purposes.</p>

		</div>
	</div>
</div></div></div><div class="wpb_column vc_column_container vc_col-sm-6"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element  vc_custom_1775737789928" >
		<div class="wpb_wrapper">
			<p><span style="color: #ffffff;"><strong><em>POPA 25(3)</em></strong><em>  Any person may request a copy of a public body’s privacy management program and the public body must provide the person with a copy, or with directions to where the person may access a copy, within 30 business days of the request.  </em></span></p>
<p><span style="color: #ffffff;"><strong>M-Reg &#8211; sections 6(3) and (4)</strong></span></p>
<p><span style="color: #ffffff;"><em>Each public body must establish a process for making the public body’s privacy management program available to the public on request or must make the public body’s privacy management program publicly available on the public body’s website.</em></span></p>
<p><span style="color: #ffffff;"><em>(4)  When making a public body’s privacy management program available to the public, a public body may withhold technical information, security related information and other information that could compromise the security of personal information in the custody or under the control of the public body.</em></span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="reduce-administrative-burden"></a></p>
<h2>Using the PMP to reduce administrative burden</h2>
<p>A public body can leverage the PMP for external messaging and to avoid re-documenting parts of the PMP for purposes that lean on its policies and other controls. By referencing the PMP as a source, or quoting from it, wherever programs, activities and operations include privacy aspects, administrative burden is reduced and only a single source needs to be corrected should external feedback prompt the public body to do so. Examples include citing the security standards contained in the PMP within a PIA, or using its content as a reference in external communications and engagement projects.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-a"></a></p>
<h1>Appendix A &#8211; Checklist of PMP requirements for public bodies</h1>
<p>The following checklist can help public bodies assess whether they have met the requirements for PMPs as set out in this Guidance.</p>
<p><span style="color: #ff0000;"><strong>Download a standalone copy of the checklist here</strong></span>  <a href="/popa/pmp/checklist/" target="_blank" rel="noopener">[PDF]</a></p>
<p><strong>Requirements for all public bodies (see M-Reg section 6(1) and POPA sections 10 and 25)</strong></p>
<p>☐  <strong>Designated Privacy Officer</strong>: Identify or designate an individual responsible for ensuring the public body’s compliance with the Act and regulations. Ensure that, where necessary, authority is delegated from the head of the public body to the Privacy Officer.</p>
<p>☐  <strong>Documented internal policies &amp; procedures</strong>: Establish written rules addressing the public body’s duties, including:</p>
<p style="padding-left: 40px;">☐ <strong> Access and correction</strong>: Processes for responding to requests for personal information or requests for correction.</p>
<p style="padding-left: 40px;">☐  <strong>Privacy complaints</strong>: A defined process for receiving and responding to privacy-related complaints.</p>
<p style="padding-left: 40px;">☐  <strong>Privacy incident response</strong>: A policy and process for responding to breaches and notifying affected individuals in accordance with the Act and regulations.</p>
<p style="padding-left: 40px;">☐  <strong>Non-personal data</strong>: Policies for the creation, use, and disclosure of non-personal data (anonymized or synthetic data).</p>
<p style="padding-left: 40px;">☐  <strong>Automated systems</strong>: Procedures for the use and safeguarding of personal information within automated systems (e.g., AI or algorithms).</p>
<p>☐  <strong>Personal information inventory: </strong>Create a personal information inventory which can be used to meet the requirements of the Act and regulations.</p>
<p>☐  <strong>Security classification system</strong>: Implement a system to classify personal information, derived data, and non-personal data based on sensitivity.</p>
<p>☐  <strong>Safeguards:</strong> Establish administrative, technical and physical safeguards for protecting and managing personal information.</p>
<p>☐  <strong>Mandatory employee training: </strong>Ensure all employees and contractors undergo regular training to understand their obligations under the Act.</p>
<p>☐  <strong>Periodic review cycle</strong>: Establish specific timelines for the regular review and assessment of the PMP to ensure it remains effective.</p>
<p>☐  <strong>Public transparency: </strong>Establish a process to make the PMP documentation available to the public upon request or by default (e.g. published on website).</p>
<p><strong>Enhanced requirements for public bodies that process highly sensitive or high volumes of personal information (see M-Reg section 6(2))</strong></p>
<p>If a public body manages a high volume of personal information, or highly sensitive personal information, it must also include policies and procedures for the following activities, and for its duties regarding those activities:</p>
<p>☐  <strong>Define accountability</strong>: Document the public body’s internal privacy management structure. Clearly document the roles, responsibilities, and accountabilities of all employees in relation to the public body’s obligations under the Act.</p>
<p>☐  <strong>Privacy Impact Assessment (PIA) process: </strong>Document policies and procedures for creation and ongoing management (updating as needed) of PIAs for new programs and activities or substantial changes to existing ones <a href="https://oipc.ab.ca/privacy-impact-assessments/#public-bodies-popa" target="_blank" rel="noopener">including for submitting the PIAs to the OIPC</a>.</p>
<p>☐  <strong>Policies and procedures for proactive monitoring of information: </strong>Document policies and procedures setting out how the public body actively monitors systems holding personal information, data derived from personal information or non-personal data, to assess security measures and mitigate risks.</p>
<p>☐  <strong>Consent documentation</strong>: Document policies and procedures to ensure consent, written, oral or electronic, is obtained in accordance with POPA and its regulations.</p>
<p>☐  <strong>Employee and third-party oversight</strong>: Define the roles, responsibilities and accountabilities of employees (which in POPA include third-party contractors and service providers) of the public body in relation to the public body’s obligations under the Act.</p>
<p>☐  <strong>Policies for high-risk uses</strong>: Establish policies and procedures related to the use of personal information in artificial intelligence systems, the creation of data derived from personal information and the creation of non-personal data.</p>
<p>☐  <strong>Safeguards:</strong> Establish written administrative, technical and physical safeguards for managing personal information, data derived from personal information and non-personal data.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-b"></a></p>
<h1>Appendix B &#8211; Infographics</h1>
<p><strong>Developing a Comprehensive Privacy Management Program</strong></p>
<p><img fetchpriority="high" decoding="async" class="aligncenter wp-image-17481" src="https://oipc.ab.ca/wp-content/uploads/2026/04/POPA-PMP-DD.png" alt="Infographic: Developing a Comprehensive Privacy Management Program" width="1024" height="517" /></p>
<p><strong>Maintaining and Using the Privacy Management Program</strong></p>
<p><img decoding="async" class="aligncenter wp-image-17482" src="https://oipc.ab.ca/wp-content/uploads/2026/04/POPA-PMP-DC.png" alt="Infographic: Maintaining and Using the Privacy Management Program" width="819" height="317" /></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-c"></a></p>
<h1>Appendix C &#8211; Glossary</h1>

<table id="tablepress-11" class="tablepress tablepress-id-11">
<thead>
<tr class="row-1">
	<th class="column-1">Term</th><th class="column-2">Definition</th>
</tr>
</thead>
<tbody class="row-striping row-hover">
<tr class="row-2">
	<td class="column-1">Privacy management program (PMP)</td><td class="column-2">A structured framework of policies, practices, responsibilities and roles designed to ensure a public body complies with, and is accountable for its privacy obligations under POPA.</td>
</tr>
<tr class="row-3">
	<td class="column-1">Automated decision-making (ADM)</td><td class="column-2">The use of technology, including Artificial Intelligence (AI), to make decisions about Albertans or otherwise profile or rank them.</td>
</tr>
<tr class="row-4">
	<td class="column-1">Privacy officer</td><td class="column-2">A mandatory role designated by the head of a public body. This individual is the architect of the PMP and is responsible for overseeing compliance and serving as a liaison for privacy concerns.</td>
</tr>
<tr class="row-5">
	<td class="column-1">Personal information inventory</td><td class="column-2">A comprehensive list of all recorded personal information held by a public body. It includes data storage locations, categories of personal information, and the purposes for collection.</td>
</tr>
<tr class="row-6">
	<td class="column-1">Security classification system</td><td class="column-2">A method of categorizing personal information based on its sensitivity to ensure appropriate levels of protection and access control.</td>
</tr>
<tr class="row-7">
	<td class="column-1">Accountability</td><td class="column-2">In the context of the PMP, the obligation of a public body to demonstrate that it follows privacy principles and to take responsibility for its personal information handling practices.</td>
</tr>
<tr class="row-8">
	<td class="column-1">Data matching</td><td class="column-2">The practice of linking personal information between two or more information systems.</td>
</tr>
<tr class="row-9">
	<td class="column-1">Human-in-the-loop</td><td class="column-2">An administrative control for automated systems whereby a human reviews or oversees the decisions made by AI or other ADM to ensure fairness and accuracy.</td>
</tr>
<tr class="row-10">
	<td class="column-1">Privacy impact assessment (PIA)</td><td class="column-2">An assessment that identifies the legal authority for a program, activity or service to collect, use and disclose personal information, and that assesses and addresses the privacy risks of that program, activity or service.</td>
</tr>
<tr class="row-11">
	<td class="column-1">Privacy incident</td><td class="column-2">Any loss of, unauthorized access to, or unauthorized disclosure of personal information. Also commonly referred to as a “privacy breach”.</td>
</tr>
<tr class="row-12">
	<td class="column-1">RROSH (Real Risk of Significant Harm)</td><td class="column-2">The legal threshold used to determine if a public body must notify individuals, the Commissioner and the Minister following a privacy incident.</td>
</tr>
<tr class="row-13">
	<td class="column-1">STRA (Security Threat and Risk Assessment)</td><td class="column-2">A technical review that identifies threats to an information system and the vulnerabilities they could exploit, and assesses the resulting risk to the information the system holds.</td>
</tr>
<tr class="row-14">
	<td class="column-1">AIA (Algorithmic Impact Assessment)</td><td class="column-2">A tool used to evaluate the risks, such as bias or unfairness, associated with using automated decision-making systems or AI.</td>
</tr>
</tbody>
</table>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<h2>Footnotes</h2>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> See POPA section 55 and M-Reg section 6(1)(a).</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> The auditor should be at least at ‘arm’s length’ from the process or program area audited. Consideration should be given to using an auditor who is external to the public body.</p>
<p><a href="#_ftnref3" name="_ftn3">[3]</a> Section 10 of POPA, section 1(1)(c) of the Protection of Privacy Regulation, and section 4 of the M-Reg.</p>
<p><a href="#_ftnref4" name="_ftn4">[4]</a> Section 38(2) of POPA and Section 6(1)(b)(i)(C) of the M-Reg.</p>
<p><a href="#_ftnref5" name="_ftn5">[5]</a> See <a href="https://oipc.ab.ca/wp-content/uploads/2022/02/Breach-Response-2018.pdf" target="_blank" rel="noopener">https://oipc.ab.ca/wp-content/uploads/2022/02/Breach-Response-2018.pdf</a> for generic breach guidance, and <a href="/popa/breach/tool/" target="_blank" rel="noopener">https://oipc.ab.ca/popa/breach/tool/</a> for the POPA breach notice assessment tool.</p>
<p><a href="#_ftnref6" name="_ftn6">[6]</a> For an explanation regarding data inventory and how to create one, see <a href="https://www.dasca.org/world-of-data-science/article/what-is-data-inventory-and-how-to-create-it-effectively" target="_blank" rel="noopener">https://www.dasca.org/world-of-data-science/article/what-is-data-inventory-and-how-to-create-it-effectively</a>.</p>
<p><a href="#_ftnref7" name="_ftn7">[7]</a> Automated systems may include ‘traditional’ algorithms, as well as applications of AI.</p>
<p><a href="#_ftnref8" name="_ftn8">[8]</a> Also see sections 5 and 6 of POPA.</p>
<p><a href="#_ftnref9" name="_ftn9">[9]</a> For an introduction on the types of controls applicable to AI and many forms of automated systems that rely on it, see <a href="https://verifywise.ai/lexicon/ai-security-controls" target="_blank" rel="noopener">https://verifywise.ai/lexicon/ai-security-controls</a>.</p>
<p><a href="#_ftnref10" name="_ftn10">[10]</a> See <a href="https://owaspai.org/docs/6_privacy/" target="_blank" rel="noopener">https://owaspai.org/docs/6_privacy/</a> for a primer on this subject.</p>
<p><a href="#_ftnref11" name="_ftn11">[11]</a> <a href="https://yukonaccountability.ca/sites/default/files/resources/OMB-GettingAheadoftheCurve-v6.pdf" target="_blank" rel="noopener">https://yukonaccountability.ca/sites/default/files/resources/OMB-GettingAheadoftheCurve-v6.pdf</a> and <a href="https://oipc.ab.ca/wp-content/uploads/2025/08/AI-Comments-from-the-OIPC-Regarding-Responsible-AI-Governance-in-Alberta-July-15-2025.pdf" target="_blank" rel="noopener">https://oipc.ab.ca/wp-content/uploads/2025/08/AI-Comments-from-the-OIPC-Regarding-Responsible-AI-Governance-in-Alberta-July-15-2025.pdf</a></p>
<p><a href="#_ftnref12" name="_ftn12">[12]</a> See <a href="#privacy-management-program-requirements">chapter 4(b)</a> for details on sensitive personal information.</p>
<p><a href="#_ftnref13" name="_ftn13">[13]</a> For a more comprehensive overview of the types of controls and their uses see <a href="https://purplesec.us/learn/security-controls/" target="_blank" rel="noopener">https://purplesec.us/learn/security-controls/</a>.</p>
<p><a href="#_ftnref14" name="_ftn14">[14]</a> See e.g. <a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026" target="_blank" rel="noopener">https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026</a> and <a href="https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-trends/">https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-trends/</a>.</p>
<p><a href="#_ftnref15" name="_ftn15">[15]</a> See e.g. <a href="https://www.nist.gov/privacy-framework/nist-sp-800-115" target="_blank" rel="noopener">https://www.nist.gov/privacy-framework/nist-sp-800-115</a> for details on activities such as vulnerability scanning and penetration testing.</p>
<p><a href="#_ftnref16" name="_ftn16">[16]</a> See <a href="https://www.verizon.com/business/resources/reports/dbir/" target="_blank" rel="noopener">https://www.verizon.com/business/resources/reports/dbir/</a>; the 2025 report states that <em>‘30% of breaches were linked to third-party involvement, twice as much as last year, and driven in part by vulnerability exploitation and business interruptions’</em>.</p>
<p><a href="#_ftnref17" name="_ftn17">[17]</a> See <a href="https://www.canada.ca/en/treasury-board-secretariat/news/2025/11/canada-launches-first-register-of-ai-uses-in-federal-government.html" target="_blank" rel="noopener">https://www.canada.ca/en/treasury-board-secretariat/news/2025/11/canada-launches-first-register-of-ai-uses-in-federal-government.html</a> for information regarding AI registry use by the Canadian federal government.</p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
<p>April 2026</p>

<table id="tablepress-2" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br /><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>

		</div>
	</div>
</div></div></div></div>
</div>]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Guidance for Public Bodies when Contracting Service Providers</title>
		<link>https://oipc.ab.ca/resource/popa-guidance-service-providers/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Thu, 16 Apr 2026 17:12:59 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17494</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<p><a href="#introduction">Introduction</a><br />
<a href="#public-bodies-governance-and-accountability">Public bodies’ governance and accountability</a><br />
<a href="#pre-contract-planning-phase">Pre-contract/Planning Phase</a><br />
<a href="#contract">Contract</a><br />
<a href="#oversight">Oversight</a><br />
<a href="#conclusion">Conclusion</a><br />
<a href="#checklist">Appendix – Service Provider Contract Privacy Checklist </a><br />
<a href="#references">References</a><br />
<a href="#glossary">Glossary</a></p>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="introduction"></a></p>
<h1>Introduction</h1>
<h2>Purpose of this guidance</h2>
<p>Public bodies<a href="#_ftn1" name="_ftnref1">[1]</a> in Alberta are required to comply with the <em>Protection of Privacy Act</em> (POPA) and its associated regulations, the <em>Protection of Privacy (Ministerial) Regulation</em> (M-Regulation) and the <em>Protection of Privacy Regulation</em> (Regulation). POPA governs the collection, use, disclosure and management of <strong>personal information</strong><a href="#_ftn2" name="_ftnref2">[2]</a> in the custody or control of public bodies. Public bodies are also required, under the <em>Access to Information Act</em> (ATIA), to provide individuals with access to their own personal information on request.</p>
<p>This guidance is designed to help public bodies meet their obligations under POPA and ATIA when engaging a service provider to perform services on the public body’s behalf that involve collecting, using, disclosing or managing personal information. For example, a public body may want to use a new application to support one of its programs, where the program involves the collection, use or disclosure of personal information. This could involve contracting an information technology service provider to support the application, host it remotely and provide back-up services for the records. Another example would be a public body hiring a records management company to store paper records containing personal information at an off-site storage facility, with support services, until the end of the records retention period.</p>
<p>Any service provider that is, or may be, planning to provide services to public bodies will also benefit from this guidance as it will have a better understanding about public bodies’ duties under these laws.</p>
<p>This guidance is not intended for public bodies that are entering into contracts with other public bodies in the development of a <strong>common or integrated program or service.</strong><br />
<a id="what-is-a-service-provider"></a></p>
<h2>What is a “service provider”?</h2>
<p>A service provider is any organization or body that is external to the public body and that provides services to the public body under a contract.</p>
<p>Where, as part of providing services to the public body, the service provider will have access to or collect, use or disclose personal information on behalf of the public body under a contract, the service provider becomes an “<strong>employee</strong>” of the public body for the purposes of POPA and is bound as an employee to adhere to the public body’s requirements under POPA as they relate to these activities.</p>
<p>Similarly, ATIA also applies to public bodies. If a service provider under a contract for services is tasked with providing access to personal information on behalf of the public body, it will be an “employee” of that public body for that purpose and subject to the ATIA requirements regarding access to the personal information. For most service provider contracts, the service provider’s only task in regard to access or correction requests under ATIA will be to cooperate with the public body in responding to these requests.<br />
<a id="why-is-it-important-to-read-this-guidance"></a></p>
<h2>Why is it important to read this guidance?</h2>
<p>The role of service providers has grown substantially in the past few decades with the development of cloud services, software as a service and other largely technology-driven changes. According to one recent survey, 80% of organizations suffered a data breach in 2022 that was caused by a third party. In recognition that most organizations use service providers as part of their operations, many modern privacy laws contain obligations that hold service providers directly accountable for compliance, including for breach reporting.</p>
<p>When public bodies enter into a contract with a service provider, they remain accountable for any collection, use or disclosure and management of information carried out on their behalf by the service provider. This guidance will assist public bodies to develop policies and procedures for contracting with service providers that align with their privacy obligations under POPA and, as applicable, under ATIA. This guidance should not be used in isolation but rather in conjunction with other policies and procedures (e.g., procurement, information classification, cybersecurity).<br />
<a id="explanatory-note"></a></p>
<h2>Explanatory note</h2>
<p>Any reference to “POPA” that follows includes the right of access under the ATIA to one’s own personal information, unless the service provider is providing access and correction services on behalf of the public body, which will be explained.</p>
<p><a id="public-bodies-governance-and-accountability"></a></p>
<h1>Public bodies’ governance and accountability</h1>
<p>To meet the requirements of POPA, a public body must have a governance framework in place to facilitate compliance. This includes having appropriate policies and procedures in place when contracting service providers.<br />
<a id="roles-and-responsibilities"></a></p>
<h2>Roles and Responsibilities</h2>
<p>The <strong>head</strong> of the Public Body holds ultimate responsibility for decisions and compliance. The head may delegate others to have the authority to make decisions on behalf of the head (e.g. Privacy Officer), including entering into contracts with service providers.</p>
<p>As indicated, a service provider under a contract relationship with a public body is defined as an <strong>employee</strong> under POPA s. 1(h):</p>
<p><em>“employee”, in relation to a public body, includes a person who performs a service for the public body as an appointee, volunteer or student or under a contract or agency relationship with the public body;</em></p>
<p>While a contracted service provider is not an employee in the labour relations sense, it is included in the POPA definition of employee. This ensures it is bound by the Act. Because the types of services will vary, the public body will need to look at each situation and clearly articulate which privacy requirements must be met. Public bodies must ensure that they, and by extension their service providers, are complying with POPA.</p>
<p>Public bodies are accountable for any information handled on their behalf by their service providers. Therefore, they must ensure any collection, use and disclosure is legally authorized under POPA. Having a contract in place with the appropriate terms and conditions provides the public body with assurance that it is able to maintain control of the information. Roles and responsibilities should be clear, including what activities are authorized and which ones are prohibited. Public bodies will need to ensure they are able to meet their obligations under POPA.<br />
<a id="privacy-management-program-and-service-providers"></a></p>
<h2>Privacy Management Program and Service Providers</h2>
<p>Public bodies are required to have a <strong>Privacy Management Program </strong>(PMP) inclusive of policies and procedures for service provider procurement, contracting, and management including oversight and auditing. Public bodies must develop their procurement processes to meet POPA. The processes must ensure the public body is choosing a service provider who will be able to support the public body’s legal obligations under POPA. For more information on PMPs please see the OIPC’s <a href="/popa/pmp/guide/" target="_blank" rel="noopener">Guidance for Public Bodies in Developing Privacy Management Programs</a>.</p>
<p><a id="pre-contract-planning-phase"></a></p>
<h1>Pre-contract/Planning Phase</h1>
<p>Public bodies should plan out their procurement strategy including spending some time thinking about what services are needed and how they will align with business needs, including compliance with POPA. This up-front planning will most likely save public bodies money in the long run and may even prevent the public body from experiencing a privacy or security breach.<br />
<a id="determining-scope-of-services-involving-personal-information"></a></p>
<h2>Determining Scope of Services Involving Personal Information</h2>
<p>Public bodies should identify:</p>
<ul>
<li>the business purpose for the activity and what service the public body is looking for.</li>
<li>how the service fits into public body’s operations.</li>
<li>the personal information that the service provider will collect, use or disclose on behalf of the public body to perform the service.</li>
<li>its legal authority for this collection, use or disclosure of the personal information.</li>
</ul>
<h2>Determining Service Level Expectations</h2>
<p>Determine the classification of personal information that the service provider will collect, use or disclose on behalf of the public body. This is necessary to establish the measures the service provider will need to implement to carry out the service for the public body in compliance with POPA.<br />
<a id="assessing-the-privacy-posture-of-a-potential-service-provider"></a></p>
<h2>Assessing the Privacy Posture of a Potential Service Provider</h2>
<p>Before engaging a service provider, a public body may wish to examine the privacy posture of a potential service provider to assess whether it has in place privacy practices that will support the public body’s duties under POPA if the public body were to contract with the service provider for the services. The following are some areas a public body may wish to examine prior to considering whether to retain the services of a particular service provider (where this is permitted). Note that these considerations are not exhaustive but rather some key considerations.</p>
<ul>
<li>Does the service provider have a privacy policy? Service providers often publish a privacy policy on their website or in their marketing material. Public bodies can review it to see whether, at first glance, the service provider appears to have operationalized privacy practices in a reasonable manner as part of its business, and whether it references a privacy law to which it is subject. Service providers with transparent, easy-to-understand privacy policies may warrant greater trust in their ability to protect the personal information they will have access to in performing the services.</li>
<li>Does the service provider have a privacy officer listed? Public bodies can contact the privacy officer with privacy questions they might have regarding the services and their privacy practices.</li>
<li>Does the website:
<ul>
<li>describe what personal information is collected, used or disclosed for the service and does this appear reasonable based on the service provided;</li>
<li>describe any secondary uses of personal information, such as for improving products or services or marketing, or training artificial intelligence, which may not be permitted in some circumstances;</li>
<li>mention selling personal information, which is prohibited under POPA but may be permitted under other privacy laws;</li>
<li>mention the use of other third parties that help them provide the service (e.g. cloud providers, apps that link to the main service), which can create risks when subcontractors are part of the service.</li>
</ul>
</li>
<li>Does the service provider express a commitment concerning protecting the confidentiality, availability, and integrity of personal information in its custody or control? Does it provide any details as to how it does this?</li>
<li>Does the service provider describe having security certifications?</li>
<li>Does the service provider indicate where the personal information used in its services is processed and stored? Data stored in another jurisdiction may be subject to that jurisdiction’s laws, and in some jurisdictions government or law enforcement may be able to compel access to it, including to personal information.</li>
<li>Has the service provider suffered a breach or been involved in court cases concerning its personal information processing or handling practices?</li>
</ul>
<h2>Conducting a Privacy Impact Assessment (PIA)</h2>
<p>Before contracting with a service provider, public bodies should assess whether in contracting with a particular service provider, they will be in compliance with POPA. Completing a PIA is a useful tool to assist in assessing compliance.</p>
<p>POPA requires public bodies to complete PIAs in certain circumstances. The OIPC has developed a tool to help public bodies determine whether they are required to prepare a PIA and whether the PIA must be submitted to the OIPC for review (see <a href="https://oipc.ab.ca/popa/pia/tool/" target="_blank" rel="noopener">POPA Privacy Impact Assessment Submission Assessment Tool</a>). Whenever a public body submits a PIA to the OIPC, it must do so using the <a href="https://oipc.ab.ca/popa/pia/template/" target="_blank" rel="noopener">OIPC PIA template</a>. Even where a PIA is not required, completing one when contracting with a service provider will help a public body determine whether, in contracting the service, it will be in compliance with POPA.</p>
<p>Completing a PIA will give public bodies confidence that when entering into a service provider relationship, they will be positioned to meet their obligations under POPA by identifying and mitigating any risks to privacy determined through the PIA process.</p>
<p>The public body may already have a PIA on a similar service. If so, consider reviewing that PIA to see what safeguards were put in place for the initiative. This may help with the writing of the new PIA. Be aware that PIAs are a point-in-time document and as technology evolves, the risks change too. Therefore, what was appropriate a few years ago may not be adequate today due to changes to legislation, products or services offered by service providers, technological risks, or other factors.<br />
<a id="complying-with-the-tendering-process"></a></p>
<h2>Complying with the Tendering Process</h2>
<p>Depending on the size and complexity of a project, as well as the contract value, public bodies may be required to solicit proposals for services (open competition, selective tendering, limited tendering). Public bodies should include requirements that will support POPA compliance in the Request for Proposal (RFP) and in the evaluation criteria used to choose the preferred service provider. It will be important to identify any mandatory requirements that must be met and to mitigate any risks to an acceptable level. Prepare to have individuals on the evaluation committee who have sufficient knowledge of access to information, privacy and security.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a><a id="contract"></a></p>
<h1>Contract</h1>
<p>Once the public body has gathered information on the service and the service provider, completed the applicable privacy assessment, and completed the tendering process (if applicable), it will need to draft a contract that incorporates the POPA requirements the service provider must comply with in delivering the service. The key areas that need to be addressed in any contract under which a service provider will collect, use, disclose, manage or have access to personal information are as follows.<br />
<a id="control-and-accountability"></a></p>
<h2>Control and Accountability</h2>
<p>Maintaining control means stipulating in the contract that the public body at all times retains “control” over the information that will be in the custody of the service provider for the services. This is essential to ensuring that the personal information remains subject to POPA and that the public body is able to exercise its control over how this information is used and managed by the service provider.</p>
<p>The contract must set out the roles and responsibilities of the parties as it relates to the personal information while in the custody of the service provider. The public body must ensure these roles and responsibilities support its ability to meet POPA requirements. There are risks to storing data outside of Canada, or with service providers from certain countries, due to other countries having laws that may permit access for government activities, such as national defence, or for law enforcement. The contract should clarify how the service provider would notify the public body of any requests it receives to produce personal information it has in its custody.</p>
<p>Last, the contract should specify how the public body will maintain oversight of the service provider’s duties to ensure it complies with both contractual requirements and POPA and include the right of the public body to audit for compliance.<br />
<a id="legal-authorities-for-collection-use-or-disclosure"></a></p>
<h2>Legal Authorities for Collection, Use or Disclosure</h2>
<p>The contract must define what the service provider can and cannot do with the personal information. Any collection, use or disclosure the service provider carries out on behalf of the public body must be legally authorized under <strong>POPA<a href="#_ftn3" name="_ftnref3">[3]</a></strong>. The contract provisions must clarify what activity is authorized as it relates to the personal information and what activity is prohibited and specify measures that must be taken by the service provider to ensure downstream compliance by its employees or subcontractors. Public bodies may also decide to contractually restrict service providers’ ability to subcontract altogether. Public bodies must also ensure that the contract allows them to meet all of POPA’s requirements, including for accuracy and security (more on this below) and completion of PIAs as may be required by the public body.<br />
<a id="requests-for-access-or-correction"></a></p>
<h2>Requests for Access or Correction</h2>
<p>The contract must also address requests for access to (as set out in ATIA) or correction of personal information (as set out in POPA). If the contractor is involved in this activity (i.e., by providing access or correction services on behalf of the public body), the contract should specify this and set out the access or correction process that the contractor must follow. Who will interact with the OIPC regarding any reviews of these requests must also be clarified in the contract. While it might seem preferable that a contractor undertake these activities, there are risks of non-compliance, given the rigour of the access and correction processes laid out in the Acts and the Commissioner’s oversight of them. Given this, a public body should generally maintain responsibility for processing access and correction requests for personal information in the custody of a contractor. In most cases, the role of a service provider as it relates to this activity will be cooperation with the public body to facilitate the public body’s response to these requests, which should be set out in the contract as a duty of cooperation by the service provider.<br />
<a id="safeguards-and-retention"></a></p>
<h2>Safeguards and Retention</h2>
<p>The contract must set out the specific security requirements that the contractor must meet, which must, at minimum, align with those of the public body and the requirements in POPA and its regulations. In addition, the contract should include wording that requires the service provider to cooperate with the public body for the preparation of PIAs or STRAs, or if the public body is under investigation by a regulatory authority.</p>
<p>The contract must also specify what the public body expects the service provider to do whenever it experiences a breach of personal information it holds on behalf of the public body, including timelines. This helps to ensure the public body can meet its requirements concerning breaches including for notification as required by POPA and its regulations.</p>
<p>The contract must also establish retention periods for the information stored by the service provider and establish a process for the service provider to certify to the public body when personal information has been destroyed at the end of its retention.<br />
<a id="complaint-handling"></a></p>
<h2>Complaint Handling</h2>
<p>The contract must also address how any complaints alleging unauthorized access, collection, use or disclosure by the contractor (or their employees or subcontractors) will be handled. For the same reason as indicated for access and correction requests, it is recommended that public bodies maintain responsibility for complaints management. Additionally, managing complaints provides insight into the personal information handling practices of the service provider and provides the public body with the opportunity to address any issues that arise through this process.<br />
<a id="termination"></a></p>
<h2>Termination</h2>
<p>In addition to the foregoing, the contract must outline clear outcomes in the event the service provider ceases to operate or the contract terminates. Public bodies must be able to terminate the contract and retrieve the records from the service provider with assurance that no records are retained by the service provider. Additionally, the contract should address compatibility between the service provider’s system of storing personal information and that of the public body. This is important, since the public body must be able to import the personal information into a new information system, or to archive it as dictated by applicable retention periods. The contract must include clear expectations around data format, applicable timelines and security arrangements. This will ensure the data can be moved across different information systems with minimal integration issues and will be readable by the public body.</p>
<p>For more specific details to consider in a contract, please see the <a href="#checklist">Appendix – Service Provider Contract Privacy Checklist</a>.<br />
<a id="oversight"></a></p>
<h1>Oversight</h1>
<p>The public body should develop processes that ensure their service providers are meeting the contractual obligations. The frequency of these reviews may be informed by policies of the public body, which may be part of the public body’s Privacy Management Program. When auditing a service provider to verify adherence to contract terms, the public body should have defined processes to ensure the details of the audit are clearly documented and retained and there are distinct steps on how to escalate issues of non-compliance. There may be similar processes for audits conducted on a reactive basis, such as when an incident occurs.</p>
<p>The OIPC may request information from a public body due to a complaint or a request for review under ATIA or POPA. The Commissioner may also conduct investigations. The public body and, by extension, the service provider may be required to provide information to the Commissioner for the review or investigation. Where a service provider is involved, it will be part of the review or investigation and must cooperate. That said, because a service provider is an employee of the public body under POPA, any non-compliance with POPA by a service provider is non-compliance by the public body. Investigations may result in Orders or, in the event of an offence, charges and fines.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a><a id="conclusion"></a></p>
<h1>Conclusion</h1>
<p>Public bodies collect, use and disclose personal information in order to provide public services to Albertans. When entering into a contract with a service provider, public bodies remain accountable for this information and must have appropriate policies and procedures to ensure, in the use of service providers, they will meet their obligations under POPA.</p>
<p>Public bodies must ensure that contracts entered into with service providers contain clauses that will ensure the service provider, and its employees or subcontractors, comply with the public body’s duties under POPA. Having an accountability framework such as a PMP, with appropriate policies and procedures regarding contracting with service providers, will help guide those who are part of the processes involved in retaining a service provider, including procurement, contracting and managing contracts, to ensure legal obligations are met.</p>
<p>This guidance is meant to support public bodies in developing policies and procedures for acquiring and managing service providers, and in contracting and oversight, so as to facilitate compliance with POPA.</p>
<p>We welcome any feedback concerning this guidance. Please send the same to <a href="mailto:generalinfo@oipc.ab.ca">generalinfo@oipc.ab.ca</a>.<br />
<a id="checklist"></a></p>
<h2>Appendix – Service Provider Contract Privacy Checklist</h2>
<p>Public bodies can use this checklist whenever they seek to enter into a contract with a service provider who performs a service <u>on behalf of the public body</u> and in doing so has access to personal information subject to the <em>Protection of Privacy Act:</em></p>
<p><strong><span style="color: #ff0000;">Download the checklist here </span> <a href="/popa/providers/checklist/doc/" target="_blank" rel="noopener">[DOCX]</a>  <a href="/popa/providers/checklist/pdf/" target="_blank" rel="noopener">[PDF]</a></strong><br />
<a id="references"></a></p>
<h2><strong>References</strong></h2>
<p>Ontario IPC Guidance: <em><a href="https://www.ipc.on.ca/en/resources/privacy-and-access-public-sector-contracting-third-party-service-providers" target="_blank" rel="noopener">Privacy and Access in Public Sector Contracting with Third Party Service Providers</a></em></p>
<p>Treasury Board of Canada Secretariat <a href="https://www.canada.ca/en/treasury-board-secretariat/services/access-information-privacy/privacy/guidance-document-taking-privacy-into-account-before-making-contracting-decisions.html#_Control_and_accountability" target="_blank" rel="noopener"><em>Guidance Document: Taking Privacy into Account Before Making Contracting Decisions</em></a></p>
<p>Government of Alberta, <a href="https://open.alberta.ca/dataset/1bf254db-7f2f-4980-9264-d968a330bb67/resource/8aa91489-df75-4f8c-be7c-2193a1a2fe8d/download/contractorbrochure.pdf" target="_blank" rel="noopener"><em>Contractor&#8217;s Guide to the Freedom of Information and Protection of Privacy Act</em></a></p>
<h2>Footnotes</h2>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> (t) “public body” means<br />
(i) a department, branch or office of the Government of Alberta,<br />
(ii) an agency, board, commission, corporation, office or other body designated as a public body in the regulations,<br />
(iii) the Executive Council Office,<br />
(iv) the office of a member of the Executive Council,<br />
(v) the Legislative Assembly Office,<br />
(vi) the office of the Auditor General, the Ombudsman, the Chief Electoral Officer, the Ethics Commissioner, the Information and Privacy Commissioner, the Child and Youth Advocate or the Public Interest Commissioner, or<br />
(vii) a local public body,<br />
but does not include<br />
(viii) the office of the Speaker of the Legislative Assembly and the office of a Member of the Legislative Assembly, or<br />
(ix) the Court of Appeal, the Court of King’s Bench or the Court of Justice;</p>
<p>The full definition of a public body can be found in the ATIA at <a href="https://kings-printer.alberta.ca/documents/Acts/a01p4.pdf#page=11" target="_blank" rel="noopener">Alberta King&#8217;s Printer</a>.</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> Bolded terms can be found in the Glossary.</p>
<p><a href="#_ftnref3" name="_ftn3">[3]</a> Often, service providers that provide services nationally or internationally reference legislation that does not apply to Alberta’s public sector, such as PIPEDA, the GDPR or the public sector privacy laws of other jurisdictions. These laws differ from POPA and compliance with these laws does not ensure compliance with POPA.</p>
<h2><strong>Glossary</strong></h2>
<p>
<table id="tablepress-12" class="tablepress tablepress-id-12">
<thead>
<tr class="row-1">
	<th class="column-1">Term</th><th class="column-2">POPA Ref</th><th class="column-3">Definition</th>
</tr>
</thead>
<tbody class="row-striping row-hover">
<tr class="row-2">
	<td class="column-1">Common or Integrated Program or Service</td><td class="column-2">1(d)</td><td class="column-3">“common or integrated program or service”, in relation to a public body, means a program or service planned, administered, delivered, managed, monitored or evaluated by<br />
  (i)    the public body working collaboratively with one or more other public bodies, or<br />
  (ii)    another public body working on behalf of<br />
    (A)    the public body, or<br />
    (B)    the public body and one or more other public bodies;</td>
</tr>
<tr class="row-3">
	<td class="column-1">Data derived from Personal Information</td><td class="column-2">1(e)</td><td class="column-3">“data derived from personal information” means data<br />
created by data matching, and<br />
that identifies any individual whose personal information was used in the data matching;</td>
</tr>
<tr class="row-4">
	<td class="column-1">Employee</td><td class="column-2">1(h)</td><td class="column-3">“employee”, in relation to a public body, includes a person who performs a service for the public body as an appointee, volunteer or student or under a contract or agency relationship with the public body;</td>
</tr>
<tr class="row-5">
	<td class="column-1">Head of the Public Body</td><td class="column-2">1(i)</td><td class="column-3">“head”, in relation to a public body, means a head as defined in the Access to Information Act</td>
</tr>
<tr class="row-6">
	<td class="column-1">Information</td><td class="column-2"></td><td class="column-3">for the purpose of this document, “information” is used to refer to any records in the control of the public body including personal information, data derived from personal information, non-personal information, and other business records.</td>
</tr>
<tr class="row-7">
	<td class="column-1">Non-Personal Data</td><td class="column-2">1(n)</td><td class="column-3">“non personal data” means data, including data derived from personal information, that has been generated, modified or anonymized so that it does not identify any individual, and includes synthetic data and any other type of non personal data identified in the regulations;</td>
</tr>
<tr class="row-8">
	<td class="column-1">Personal Information</td><td class="column-2">1(q)</td><td class="column-3">recorded information about an identifiable individual, including<br />
the individual’s name, home or business address, home or business telephone number, home or business email address, or other contact information, except where the individual has provided the information on behalf of the individual’s employer or principal in the individual’s capacity as an employee or agent,<br />
the individual’s race, national or ethnic origin, colour or religious or political beliefs or associations,<br />
the individual’s age, gender identity, sex, sexual orientation, marital status or family status,<br />
an identifying number, symbol or other particular assigned to the individual,<br />
the individual’s fingerprints, other biometric information, blood type, genetic information or inheritable characteristics,<br />
information about the individual’s health and health care history, including information about the individual’s physical or mental health,<br />
information about the individual’s educational, financial, employment or criminal history, including criminal records where a pardon has been given,<br />
anyone else’s opinions about the individual, and<br />
the individual’s personal views or opinions, except if they are about someone else;</td>
</tr>
<tr class="row-9">
	<td class="column-1">Privacy Management Program</td><td class="column-2">1(t)</td><td class="column-3">“privacy management program” means a privacy management program established and implemented under section 25</td>
</tr>
<tr class="row-10">
	<td class="column-1">Record</td><td class="column-2">1(v)</td><td class="column-3">“record” means a record as defined in the Access to Information Act;</td>
</tr>
</tbody>
</table>
<br />
April 2026</p>

		</div>
	</div>


<table id="tablepress-2-no-2" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-2 from cache -->
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Privacy Impact Assessment (PIA) Template and Completion Guide (POPA)</title>
		<link>https://oipc.ab.ca/resource/popa-pia-template-completion-guide/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Mon, 09 Mar 2026 12:55:24 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17354</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>Section 26 of the <em>Protection of Privacy Act</em> (POPA) requires a public body to prepare a privacy impact assessment (PIA) in prescribed circumstances and, if required by the regulations, submit the PIA to the Information and Privacy Commissioner in accordance with the regulations. In addition, as part of the Commissioner’s responsibility to monitor how POPA is administered to ensure that its purposes are achieved, the Commissioner may, as described in section 27(1)(j) of POPA, request a copy of a public body’s PIA.</p>
<p>Section 7(1) of the <em>Protection of Privacy Act</em> (Ministerial) <em>Regulation</em> (M-Regulation) lists the circumstances in which a public body must prepare and submit a PIA to the Commissioner.</p>
<p>This <strong>POPA PIA Template Completion Guide</strong> (“Completion Guide”) is a companion document to the <a href="https://oipc.ab.ca/popa/pia/template/" target="_blank" rel="noopener">POPA PIA Template</a>. The aim of this Completion Guide is to assist public bodies in completing the POPA PIA Template. This Completion Guide provides explanation or clarification, where necessary, for each question asked in the POPA PIA Template and describes what is expected of the public body in each question. We recommend that you complete the POPA PIA Template while consulting this PIA Completion Guide.<br />
The term “<strong>project</strong>” when used in this document means any administrative practice, program or service, or a change to any existing administrative practice, program or service that a public body plans to implement, which will involve the collection, use or disclosure of personal information and which includes one or more of the factors listed in section 7(5)(a) to (e) of the M-Regulation.</p>
<p>If a public body is unsure whether it is required to <span style="text-decoration: underline;">complete</span> a PIA or <span style="text-decoration: underline;">complete and submit</span> a PIA to the Information and Privacy Commissioner, the public body should consider using the <a href="https://oipc.ab.ca/popa/pia/tool/" target="_blank" rel="noopener">PIA Submission Assessment Tool</a> to make that determination.</p>
<p><span style="color: #ff0000;"><strong>Please note that sections in the POPA PIA Template with an asterisk (*) are mandatory and must be completed.</strong> <strong>Any PIA that does not complete the mandatory sections will be deemed incomplete and will not be accepted for review by the OIPC.</strong></span></p>
<p>If you encounter issues while using the completion guide or have questions, please <a href="https://oipc.ab.ca/about-us/contact-us/" target="_blank" rel="noopener">contact us</a>.</p>
<p><span style="color: #ff0000;"><strong>Note: Public bodies <u>should not</u> submit this completion guide to the OIPC as part of their PIA submission.</strong></span></p>
<p>Given that section 26(1) of POPA requires a public body to prepare a PIA in prescribed circumstances and, if required by the regulations, submit it to the Commissioner in accordance with the regulations, the head of a public body is legally required to sign off on POPA PIAs. However, section 55(1) of POPA authorizes the head of a public body to delegate to any person any power, duty or function of the head under the Act, except the power to delegate under this section. Section 55(2) requires that a delegation under subsection (1) be in writing, and it may contain any conditions or restrictions the head of the public body considers appropriate. To this end, the Designate of a public body may sign off on the public body’s PIA if that Designate has been delegated such a power. A copy of the delegation of power should be included with the PIA.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#general-information-public-body-existing-pias-project">A. General Information About the Public Body or Bodies, Existing PIAs, and the Project*</a></li>
<li><a href="#project-details">B. Details About the Project*</a></li>
<li><a href="#privacy-management-program">C. Information About Your Privacy Management Program (PMP)*</a></li>
<li><a href="#personal-information-authority-collection-use-disclosure">D. Identify Personal Information Involved and Your Authority to Collect, Use or Disclose the Information*</a></li>
<li><a href="#access-correction-accuracy-retention-disposition">E. Access, Correction, Accuracy, Retention, Disposition*</a></li>
<li><a href="#protection-of-information">F. Protection of Information*</a></li>
<li><a href="#service-providers">G. Service Providers*</a></li>
<li><a href="#project-risk-assessment-mitigation">H. Project Risk Assessment and Mitigation*</a></li>
<li><a href="#appendix-a-data-matching">Appendix A. Data Matching</a></li>
<li><a href="#appendix-b-common-integrated-program-service">Appendix B. Common or Integrated Program or Service</a></li>
<li><a href="#appendix-c-automated-systems-innovative-technology">Appendix C. Use of Automated Systems or Other Forms of Innovative Technology</a></li>
<li><a href="#appendix-d-pia-cover-letter">Appendix D. PIA Cover Letter*</a></li>
<li><a href="#appendix-e-pia-submission-checklist">Appendix E. PIA Submission Checklist*</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="general-information-public-body-existing-pias-project"></a></p>
<h3>A. General Information about the public body or bodies, existing PIAs, and the project *</h3>
<p><em>Questions in this section are asked as a legislative requirement and to enable the OIPC in processing the PIA file.</em></p>
<p><strong> Question 1</strong></p>
<p>Section 26 of POPA requires a public body to prepare a PIA in the circumstances listed in section 7 of the M-Regulation, when a project involves the collection, use or disclosure of personal information. If a public body is not collecting, using or disclosing personal information as part of its project, there is no requirement under POPA to submit a PIA to the Commissioner for the project.</p>
<p><strong> Question 2</strong></p>
<p>The legislation is clear on when a public body is required to prepare a PIA, and only in the prescribed circumstances as listed in the POPA PIA template is a public body required under POPA to submit a PIA to the OIPC. Please note that the list of highly sensitive information identified under section 1 of the M-Regulation is not an exhaustive list. Other personal information may be of high sensitivity.</p>
<p>In this question, if only the last checkbox (the loss of, unauthorized access to or unauthorized disclosure of the personal information could result in significant harm) is selected, the public body may not be required to submit a PIA to the Commissioner. Nonetheless, the OIPC recommends that public bodies use the POPA PIA template while preparing PIAs under section 7(1)(a) of the M-Regulation, as the Commissioner may request copies of those PIAs under section 27(1)(j) of POPA. Using the template will ensure that public bodies complete their PIAs in alignment with the PIA requirements under POPA and the M-Regulation, on which the PIA template is based.</p>
<p><strong> Question 3</strong><br />
When submitting a PIA to the OIPC as required under section 26 of POPA, the OIPC needs to know certain information about the public body including who the head of the public body is at the time the PIA is submitted. This is because under POPA the head has specified duties including for protection of personal information (section 10(1)).</p>
<p><strong> Question 4</strong><br />
Section 7(4)(b) of the M-Regulation allows for two or more public bodies to submit a PIA for a common or integrated program or service, hence the need to know if the PIA is for such a project.</p>
<p><strong> Question 5</strong><br />
No additional explanation needed.</p>
<p><strong> Question 6 </strong><br />
No additional explanation needed.</p>
<p><strong> Question 7</strong><br />
Sometimes, a new PIA is related to a PIA which has already been submitted to the OIPC and is still under review. In such cases, it is important that the OIPC is aware of this PIA to ensure the recent PIA is not reviewed in isolation from the related PIA. There are also times where information in an existing PIA is referenced in a new PIA. It is also important to know if such a PIA exists or has been previously reviewed by the OIPC.</p>
<p><strong> Question 8</strong></p>
<p>A PIA amendment addresses privacy and security risks associated with changes to an existing project that impact the collection, use and/or disclosure of personal information. A PIA amendment focuses on areas that have changed in an existing project, and on how the public body has identified and addressed privacy and security risks associated with the change. An amendment to a previously submitted PIA requires that the updated or new PIA be reviewed in consultation with the previously submitted PIA.</p>
<p><strong>Question 9</strong><br />
Some public bodies have their own filing convention for internal use. Providing this number ensures the OIPC references it, in addition to the OIPC’s own file number, in its communication with the public body.</p>
<p><strong>Question 10</strong></p>
<p>This informs the OIPC whether the project under consideration has been implemented or not.</p>
<p><strong>Question 11</strong><br />
This question aims to inform the public body which sections of the appendices to the POPA PIA template are relevant to its project, as well as the resource expertise needed to assist the public body in completing the technical aspects of the PIA. The question also informs the OIPC what to consider regarding legislative requirements during the PIA review process, as different projects may have unique privacy and security compliance issues to consider.</p>
<p>For projects that involve automated systems, section 7(3) of the M-Regulation states that a PIA must provide a level of detail commensurate with the complexity of the practice, program, project or service the PIA relates to. As such, the public body is required to also complete an Algorithm Impact Assessment (AIA). An AIA is a tool used for identifying and addressing the risks and impacts of automated decision-making systems. Typically comprising a set of questionnaires, the tool can be used to determine the impact level of an automated decision-making system, including biases, human rights violations, ethical violations, marginalization and accessibility issues. The OIPC is in the process of developing an AIA tool. Once completed, it will be published on <a href="https://oipc.ab.ca/">https://oipc.ab.ca</a> and a link to it will be added to the POPA PIA Template and this document. In the interim, the OIPC recommends that where a project involves automated systems, public bodies consult industry standard algorithm impact assessment guidelines in preparing and submitting their AIAs with their PIAs.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="project-details"></a></p>
<h3>B. Details About the Project*</h3>
<p><strong>Question 12</strong><br />
This information assists the OIPC in understanding the project, its business rationale and the purpose or objective it intends to achieve for the public body. This question also informs the OIPC why the collection, use and/or disclosure of personal information is required by the public body to meet the needs of the project. It is imperative that the public body provides sufficient detail on the project. In addition, in this question, the public body is required to provide technical information about the project under consideration. For instance, if the public body is a police agency implementing a body worn camera (BWC), the public body is expected to describe each body worn camera unit, its associated features and the IT infrastructure that operates the BWC. Also, information on BWC storage media, how information is transferred from the camera to the IT network, where information is stored, who is responsible for managing the information, and so on must be provided. In other words, the entire lifecycle of the personal information involved must be addressed in all aspects of the project. The public body should also consider attaching technical details of the project as necessary.</p>
<p><strong>Question 13</strong></p>
<p>An electronic information system has specific technical requirements, such as logging, auditing and access controls, that need to be considered and assessed to ensure the access and privacy rights of Albertans are upheld, which is why the OIPC needs this information.</p>
<p><strong>Question 14</strong></p>
<p>Other stakeholders’ involvement in a project may determine who is collecting, using or disclosing personal information in the project and as a result shed some light on how the public body ought to consider the legal authority for each stakeholder to collect, use and/or disclose personal information involved in the project.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="privacy-management-program"></a></p>
<h3>C. Information About Your Privacy Management Program (PMP)*</h3>
<p><strong>Question 15</strong></p>
<p>Section 25(1) of POPA requires a public body to establish and implement a PMP and make it public or provide a copy of the PMP upon request pursuant to section 25(5). These requirements will come into effect on June 11, 2026. The public body’s policies and procedures must comply with the requirements of POPA and its regulations. The OIPC has developed guidance to assist public bodies in meeting their PMP obligations under POPA.</p>
<p>Not having a PMP leaves a gap in the completion of the PIA, which could potentially lead to non-compliance. It is important to provide the OIPC PMP file number of the public body’s most current PMP where applicable, as doing so saves the public body time and effort by referencing the already submitted PMP and avoids duplication. Also, from a PIA review standpoint, the PMP is relevant to the OIPC’s assessment of the public body’s compliance with applicable legislation.</p>
<p><strong>For more information on PMPs please see the OIPC’s <a href="/popa/pmp/guide/" target="_blank" rel="noopener">Guidance for Public Bodies in Developing Privacy Management Programs</a>.</strong></p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="personal-information-authority-collection-use-disclosure"></a></p>
<h3>D. Identify Personal Information Involved and your Authority to Collect, Use or Disclose the Information*</h3>
<p><strong>Question 16</strong></p>
<p>This question ensures that the public body identifies the personal information that it intends to collect, use or disclose in the project. In doing so, the public body would have to start thinking about its legal authority to collect, use or disclose personal information and whether those authorities align with sections 4, 12 and 13 of POPA, respectively. In addition, the public body is required to consider the limitation principle under sections 12(4) and 13(4) of POPA. Under section 12(4) the public body needs to explain how the use of personal information in the project is <strong>only to the extent necessary</strong> to enable the public body to carry out its identified purposes in a <strong>reasonable manner</strong>. Similarly, under section 13(4) of POPA, the public body needs to explain how the public body’s disclosure of personal information is <strong>only to the extent necessary</strong> to enable the public body to carry out its identified purposes in <strong>a reasonable manner</strong>. Personal information means recorded information about an identifiable individual. Some examples of personal information include an individual’s name, home or business address, home or business email address, race, gender identity, fingerprints and financial history. For a complete listing of what is considered personal information, please see <strong>section 1(q) of POPA.</strong></p>
<p><strong>Question 17</strong><br />
Section 5 of POPA provides for the manner of collection of personal information. It is important that the collection of personal information for this project meets the requirements of section 5 of POPA. In this question, the public body needs to consider and explain how section 5(2) of POPA is complied with in this project if personal information is collected directly from the individuals who are the subjects of the information, including when and how a collection notice is provided to those individuals. In particular, the public body needs to explain whether section 5(2) of POPA applies to its project and how the public body complies with it.</p>
<p><strong>Question 18 </strong><br />
While there are legal authorities for public bodies in POPA to use or disclose personal information, there are situations where a public body may rely on individuals’ consent to use or disclose their personal information. Such consent must meet the prescribed requirements of section 2 of the Protection of Privacy Regulation (“the Regulation”). That is, the consent process for the project needs to clearly explain whether consent is obtained electronically or manually. Where consent is collected electronically, the public body should state how individuals give their consent. While a consent form is the implementation of the above consent requirements, public bodies need to have policies and procedures in place to collect and manage consent.</p>
<p><strong>Question 19 </strong><br />
There are circumstances where personal information can be collected indirectly, which means the collection comes from a source that is not the person whom the information is about. If that is the case in this project, this question gives the public body the opportunity to describe why, and how personal information is collected indirectly.</p>
<p><strong>Question 20</strong> – An information flow diagram is not the same as a business flow or a network diagram. An information flow diagram identifies the flow of specific pieces of information from one entity to another and when the entities involved are collecting, using or disclosing the information in question. It has arrows indicating the direction of flow of information between the entities. In some cases, information flow could be bi-directional between two entities. The information flows help in identifying the legal authority for collecting, using or disclosing personal information by each entity involved in the flow of the information. A network diagram depicts an IT network infrastructure or network segment and its associated components, which may include servers, routers, firewalls, databases, etc. A business flow diagram is a step-by-step process on how a specific business task is accomplished.</p>
<p><strong>Question 21 </strong><br />
No additional explanation needed.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="access-correction-accuracy-retention-disposition"></a></p>
<h3>E. Access, Correction, Accuracy, Retention, Disposition*</h3>
<p><strong>Question 22</strong></p>
<p>This question is asked to remind a public body to ensure it takes steps to make individuals aware of their rights to request access to their personal information that is in the custody or under the control of the public body. Usually, public bodies should be transparent by making their access to information request processes public, with specific contact information of a person or business unit that handles access to information requests. In certain circumstances, public bodies should make proactive disclosure to minimize the number of access requests they get.</p>
<p><strong>Question 23</strong><br />
While this may be addressed as part of the PMP, public bodies are required to have access request policies in place to ensure that Albertans can exercise their rights to access their information. Such a policy governs how a public body implements its access to personal information processes to ensure consistency in processing such requests.</p>
<p><strong>Question 24</strong></p>
<p>This question is asked to ensure a public body has established a process to make individuals aware of their right to request correction to their personal information involved in the project. Usually, public bodies should be transparent by making their correction to personal information request processes public with specific contact information of a person or business unit that handles correction requests.</p>
<p><strong>Question 25</strong></p>
<p>While this may be addressed as part of the PMP, public bodies are required to have correction request policies in place that govern how Albertans can exercise their rights to correct their personal information and to ensure consistency in processing such requests.</p>
<p><strong>Question 26</strong></p>
<p>Public bodies have an obligation to make every reasonable effort to ensure that information about individuals that the public body relies on to make decisions that affect those individuals is accurate and complete.</p>
<p><strong>Question 27</strong></p>
<p>It is important to understand how the public body complies with section 6(b) of POPA for this project by ensuring that there exists a retention and disposition policy for information used in this project to govern how long personal information must be retained.</p>
<p><strong>Question 28</strong></p>
<p>Implementing record retention and disposition policies into information systems ensures that information that has reached its retention period is automatically flagged by the system for disposition instead of it being a manual process that is prone to inconsistencies and human errors resulting in information being retained past its retention period. Information held longer than its retention period poses a risk of loss, unauthorized access, or unauthorized disclosure.</p>
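<p>As an added illustration (not part of the OIPC guide or the PIA template), the following Python sketch shows what system-driven retention flagging looks like in practice: each record carries a class and a trigger date, a retention schedule maps the class to a period, and the system reports which records are due for disposition, which are past retention but on hold, and which belong to a class the schedule does not cover at all. The schedule, record classes and sample records are constructed, and the legal-hold flag is an assumption about how disposition would be suspended for a record under investigation or litigation.</p>

```python
"""Added example (not from the OIPC guide): flag records whose retention period
has elapsed so that disposition is driven by the system rather than by a manual
review. The retention schedule, record classes and sample records are
constructed for illustration; the legal-hold flag is an assumption about how a
public body would suspend disposition for records under litigation or an
investigation."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed schedule: record class -> retention period in days, counted from
# the record's trigger date (e.g. the date the file was closed).
RETENTION_SCHEDULE_DAYS = {
    "incident_report": 365 * 7,
    "bwc_footage_non_evidentiary": 90,
    "access_request_file": 365 * 2,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    trigger_date: date        # date from which the retention period is counted
    legal_hold: bool = False  # assumption: a hold suspends disposition


def disposition_due_date(rec: Record) -> date:
    """Date on which the record becomes eligible for disposition.

    Raises KeyError for a class with no schedule entry so that an unclassified
    record is never silently kept forever."""
    return rec.trigger_date + timedelta(days=RETENTION_SCHEDULE_DAYS[rec.record_class])


def flag_for_disposition(records, as_of: date) -> dict:
    """Sort records into those due for disposition, those past retention but on
    hold, and those whose class has no retention rule at all."""
    due, held, unscheduled = [], [], []
    for rec in records:
        if rec.record_class not in RETENTION_SCHEDULE_DAYS:
            unscheduled.append(rec.record_id)  # policy gap: escalate, do not dispose
            continue
        if disposition_due_date(rec) <= as_of:
            (held if rec.legal_hold else due).append(rec.record_id)
    return {"due": sorted(due), "held": sorted(held), "unscheduled": sorted(unscheduled)}


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("R1", "incident_report", date(2018, 1, 1)),
    Record("R2", "bwc_footage_non_evidentiary", date(2025, 12, 1)),
    Record("R3", "access_request_file", date(2023, 6, 30), legal_hold=True),
    Record("R4", "legacy_export", date(2015, 3, 3)),  # no schedule entry
]


def report(as_of_iso: str, records=SAMPLE_RECORDS) -> dict:
    """Convenience wrapper: run the flagging as of an ISO-8601 date string."""
    return flag_for_disposition(records, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for bucket, ids in report("2026-01-15").items():
        print(f"{bucket}: {ids}")
```

<p>The unscheduled bucket is the point of the check: a record whose class the schedule does not cover is reported for escalation rather than disposed of or quietly kept, which is the gap that an absent or unenforced retention policy creates (see Risk 9 in Part H).</p>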
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="protection-of-information"></a></p>
<h3>F. Protection of Information*</h3>
<p><strong>Question 29 </strong><br />
Information security classification means assigning security levels to information that are based on the sensitivity of the information in question. Classifying the information based on the public body’s information classification standard assists the public body to protect the information by implementing security controls that are proportionate to the classification levels of the information. Each public body is required to implement an information security classification system to assist the public body to classify information that it collects, uses or discloses as required under section 2(1) of the M-Regulation.<span style="color: #ff0000;"> Public bodies must meet this requirement before submitting their PIAs to the Commissioner for review.</span></p>
<p><strong>Question 30</strong><br />
The “reasonable security arrangements” standard set out in section 10(1) of POPA is determined by the security classification of the personal information involved in the project. If the security classification is high, then the security measures, i.e., the administrative, technical and physical safeguards, must be correspondingly high. Whereas, if the security classification is low, then fewer measures may suffice to meet the standard. <span style="color: #ff0000;">Section 6(2)(b) of the M-Regulation requires public bodies having custody or control of a high volume of personal information or highly sensitive personal information to have documented safeguards</span>. POPA does not stipulate a threshold for “high volume” or “significant percentage of the population”. The interpretation of this section of the M-Regulation is contextual in relation to the project. Although section 1 of the M-Regulation deems certain personal information to be highly sensitive (biometric and financial information, and personal information of minors and seniors), this list is not exhaustive or exclusive. Other types of personal information may be deemed to be highly sensitive in specific contexts.</p>
<ol>
<li>Administrative safeguards govern the implementation of other protective measures and ensure that such measures are implemented consistently during the life cycle of the project. Consistent implementation of protective measures reduces vulnerabilities usually caused by a lack of good security governance.</li>
<li>No additional explanation needed.</li>
<li>The technical safeguards should directly protect the information involved in the project, not just the general technical safeguards implemented by the public body. For instance, access controls should be specific for the project and describe how such controls ensure only authorized individuals have the right level of access to information involved in the project. In addition, any security assessments results such as vulnerability assessment and penetration tests conducted specific to the project should be included as part of the public body’s PIA submission, as such results provide additional information on risks that were identified and how they were resolved as part of the project implementation.</li>
</ol>
<p><strong>Question 31</strong><br />
Continuous assessment and monitoring of safeguards assists the public body in ensuring that the safeguards are working as expected. For instance, employees should be required to take refresher training on privacy and security. Also, monitoring controls such as intrusion detection and prevention systems should be implemented.</p>
<p><strong>Question 32 </strong><br />
Section 6(1)(b) of the M-Regulation requires public bodies to establish policies and procedures that ensure they comply with their obligations under POPA, such as responding to incidents (unauthorized access to, unauthorized disclosure of or loss of personal information). Section 6(1)(d) of the M-Regulation also requires public bodies to train their employees about the employees’ obligations under POPA. As part of that training, public bodies should make their employees aware of their obligations under POPA, which include notifying the public body of incidents under section 10(2) of POPA.</p>
<p><strong>Question 33 </strong><br />
Access control policies ensure that access to the Electronic Information System (EIS) is consistently managed, including requests to access the EIS, account provisioning and revocation of accounts when an employee no longer needs access to the EIS. Through enforceable access control policies, a public body will be able to ensure that an employee only gains access to the information they require to perform their job functions.</p>
<p><span style="color: #ff0000;">If the project involves a high volume of personal information or highly sensitive personal information, a documented access control policy must be attached to the PIA submission.</span> POPA does not stipulate a threshold for “high volume” or “significant percentage of the population”. The interpretation of this section of the M-Regulation is contextual in relation to the project. Although Section 1 of the M-Regulation deems certain personal information to be highly sensitive (biometric and financial information, and personal information of minors and seniors), this list is not an exhaustive or exclusive list. Other types of personal information may be deemed to be highly sensitive in specific contexts.</p>
<p><strong>Question 34</strong><br />
Having an access requests process for the EIS ensures access requests are submitted by appropriate business heads for approval by the appropriate authority prior to processing and account provisioning. Each request should identify the permission level for employees requiring access and ensure the permission level gives the employee only the right access required for the specific job tasks.</p>
<p><strong>Question 35</strong><br />
All access requests to the EIS must be approved by the appropriate level of management, to ensure that employees who access the EIS are authorized to do so.</p>
<p><strong>Question 36 </strong><br />
It is important to ensure that access to the EIS is revoked in a timely manner when employees no longer need such access, to prevent potential unauthorized access to personal information. It is also to ensure dormant accounts are removed from the system, as such accounts pose security risks.</p>
<p><strong>Question 37</strong><br />
The access control table provides clarification on the access privileges of the users of the system including the kind of actions each user can take and what information the user can access, and how the permission limits users only to the information they need to perform their job tasks or functions. The public body’s information technology (IT) department plays a significant role in implementing access controls in systems and will be a good resource for assisting in completing this table.</p>
<p><strong>Question 38</strong><br />
Logging and auditing policies ensure that information systems are built and implemented to capture audit logs of activities that are occurring within the system, including unauthorized activities listed under section 10(2) of POPA. Such a policy also ensures proactive auditing of information systems to detect and manage incidents defined under section 10(2) of POPA.</p>
<p><span style="color: #ff0000;">If the project involves a high volume of personal information or highly sensitive personal information, a documented auditing and logging policy must be attached to the PIA submission.</span> POPA does not stipulate a threshold for “high volume” or “significant percentage of the population”. The interpretation of this section of the M-Regulation is contextual in relation to the project. Although Section 1 of the M-Regulation deems certain personal information to be highly sensitive (biometric and financial information, and personal information of minors and seniors), this list is not an exhaustive or exclusive list. Other types of personal information may be deemed to be highly sensitive in specific contexts.</p>
<p><strong>Question 39</strong><br />
Being able to capture and maintain audit logs of personal information means that the public body can identify and investigate unauthorized access to, unauthorized disclosure of, or loss of personal information in order to meet its obligations under section 10(2) and (3) of POPA and sections 4(3), (4) and (5) of the M-Regulation.</p>
<p><strong>Question 40</strong><br />
Proactive auditing is a way of monitoring access to an EIS to detect and respond to potential unauthorized access to, unauthorized disclosure of, or loss of personal information.</p>
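<p>The following Python example is added here to illustrate Questions 37 to 40 together; it is not part of the OIPC guide or the PIA template. An access control table maps roles to the actions they may take on each kind of information, every decision (permitted or denied) is written to an audit log, and a proactive audit pass over that log reports denied attempts, attempts by a revoked account, and one user reading an unusually large number of distinct records in a short window. The roles, accounts, records, bulk-read threshold and activity are all constructed for illustration.</p>

```python
"""Added example (not from the OIPC guide): an access control table enforced in
code (Question 37), every decision written to an audit log (Questions 38-39),
and a proactive audit pass over that log (Question 40). Roles, resources,
accounts, the bulk-read threshold and the sample activity are all constructed
for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Access control table: role -> resource -> permitted actions.
# Least privilege: any (role, resource, action) not listed is denied.
ACCESS_CONTROL_TABLE = {
    "intake_clerk": {"contact_details": {"read", "update"}},
    "case_worker": {"contact_details": {"read"},
                    "case_notes": {"read", "create", "update"}},
    "auditor": {"audit_log": {"read"}},
}

# Accounts. A revoked account is kept but marked inactive (Question 36), so a
# stale credential still produces a logged deny attributable to a person.
ACCOUNTS = {
    "aellis": {"role": "intake_clerk", "active": True},
    "bkhan": {"role": "case_worker", "active": True},
    "cdoe": {"role": "case_worker", "active": False},  # left the unit
    "dlee": {"role": "auditor", "active": True},
}


def authorize(audit_log, user, resource, action, record_id, when):
    """Decide one access request and append the decision to audit_log.
    Returns True if the action is permitted."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        outcome, reason = "deny", "unknown account"
    elif not acct["active"]:
        outcome, reason = "deny", "inactive account"
    elif action in ACCESS_CONTROL_TABLE.get(acct["role"], {}).get(resource, set()):
        outcome, reason = "allow", "permitted by role"
    else:
        outcome, reason = "deny", "not permitted by role"
    audit_log.append({"ts": when, "user": user, "role": acct["role"] if acct else None,
                      "resource": resource, "action": action, "record": record_id,
                      "outcome": outcome, "reason": reason})
    return outcome == "allow"


# Proactive audit threshold (assumption): more than this many distinct records
# read by one user within the window is flagged for review as possible snooping.
BULK_READ_LIMIT = 3
BULK_WINDOW = timedelta(minutes=10)


def proactive_audit(audit_log):
    """Return findings for a reviewer: every denied attempt, plus users whose
    permitted reads look like bulk access."""
    findings = [("denied_access", e["user"], e["record"], e["reason"])
                for e in audit_log if e["outcome"] == "deny"]
    reads = defaultdict(list)
    for e in audit_log:
        if e["outcome"] == "allow" and e["action"] == "read":
            reads[e["user"]].append((e["ts"], e["record"]))
    for user, items in reads.items():
        items.sort()
        for start, _ in items:  # sliding window anchored on each read
            distinct = {rec for ts, rec in items if start <= ts < start + BULK_WINDOW}
            if len(distinct) > BULK_READ_LIMIT:
                findings.append(("bulk_read", user, len(distinct),
                                 f"more than {BULK_READ_LIMIT} distinct records in {BULK_WINDOW}"))
                break
    return findings


# Constructed activity: (minutes after 09:00, user, resource, action, record).
SAMPLE_ACTIVITY = [
    (0, "aellis", "contact_details", "read", "F-1001"),
    (1, "aellis", "case_notes", "read", "F-1001"),  # outside the clerk's role
    (2, "cdoe", "case_notes", "read", "F-1002"),    # revoked account
    (3, "bkhan", "case_notes", "read", "F-1001"),
    (4, "bkhan", "case_notes", "read", "F-1002"),
    (5, "bkhan", "case_notes", "read", "F-1003"),
    (6, "bkhan", "case_notes", "read", "F-1004"),   # four files in four minutes
    (7, "bkhan", "case_notes", "update", "F-1001"),
    (8, "dlee", "audit_log", "read", "-"),
]


def run_sample():
    """Replay the constructed activity; return (audit_log, findings)."""
    start = datetime(2026, 1, 15, 9, 0)
    log = []
    for minutes, user, resource, action, record in SAMPLE_ACTIVITY:
        authorize(log, user, resource, action, record, start + timedelta(minutes=minutes))
    return log, proactive_audit(log)


if __name__ == "__main__":
    for finding in run_sample()[1]:
        print(finding)
```

<p>Two design points matter for the PIA. A revoked account is kept in the table as inactive rather than deleted, so a late use of its credential is a logged denial attributable to a named person (Question 36). Permitted reads are logged as well as denied ones, because unauthorized access by a user who holds a valid account looks like an ordinary permitted read; only a review of permitted access, such as the bulk-read check above, can surface it.</p>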
<p><strong>Question 41</strong><br />
No additional explanation needed.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="service-providers"></a></p>
<h3>G. Service Providers*</h3>
<p><strong>Question 42 </strong><br />
Given that service providers, which include corporations, are considered employees under section 1(h) of POPA, a public body is accountable for the service provider’s compliance with POPA. Therefore, it is important for the public body to consider privacy issues that may involve the service provider’s role in relation to any personal information it may collect, use, disclose or access as an “employee” of the public body.</p>
<p><strong>Question 43</strong><br />
If a service provider will have access to personal information as part of providing its services to the public body or if it will collect, use or disclose personal information on behalf of the public body, the public body must ensure it complies with POPA as it relates to these activities. Therefore, the contract with the public body must address all related compliance issues such that through the implementation of the terms of the contract agreed to between the public body and the service provider, the public body has confidence that the service provider will comply with POPA in providing its services concerning any personal information involved in service delivery. A service provider must also protect the personal information it has in its custody, or that it is otherwise responsible for, according to the terms of the contract which must ensure compliance with section 10(1) of POPA, i.e., the security of the personal information must at minimum align with the public body’s security safeguards for this type of information. The agreement must also set out how the service provider interacts with the public body’s privacy management program. Without an agreement that addresses all these compliance related issues, there is a risk of non-compliance by the public body as a result of the activities of its service provider. Consequently, as part of the PIA review, any agreement entered into with a service provider must be reviewed by our office as part of the PIA review process. This is because the service provider agreement plays a central role in determining whether the service provider-employee is positioned within the terms of the contract to comply with POPA.<span style="color: #ff0000;"> <strong>Submitting a copy of the agreement with your PIA is a mandatory requirement</strong>.</span></p>
<p>Section 7(6) of the M-Regulation provides that where a public body is required under POPA or the Regulation, to enter into an agreement relating to the practice, program, project or service the PIA relates to, the portions of the agreement relating to the protection of privacy must be submitted to the Commissioner together with the PIA. Under section 1(1)(h) of POPA, an “employee” includes those providing a service to the public body “under contract.” The contract with the service provider would demonstrate the public body’s authority under POPA to share personal information with the service provider or otherwise permit it to collect, use or disclose personal information on its behalf. Therefore, it is an essential part of the PIA submission.</p>
<p><strong>Question 44</strong><br />
A public body may delegate responsibility for responding to access to information requests to its service provider. However, the public body must ensure that its contractual agreement with the service provider adequately addresses access to information request processing and describes how the service will be provided to the public body.</p>
<p><strong>Question 45<br />
</strong>To ensure the public body is able to meet its obligations under POPA, the public body must ensure it maintains control of the personal information involved in the project where this information is collected by or accessible to the service provider. This is required to ensure the personal information remains subject to POPA and the <em>Access to Information Act</em> (ATIA) to preserve the rights of individuals concerning their personal information under these Acts. Failure to retain control of the personal information amounts to a disclosure, which is prohibited under POPA without authority for said disclosure. This means that there is a high likelihood of a breach if a public body fails to retain control of personal information in an agreement and provides personal information to the service provider for the services. For this question, if the public body’s answer is yes, the public body must identify the specific sections of its contract with the service provider that ensure the public body maintains control of the information for the project. <span style="color: #ff0000;"><strong>Public</strong> <strong>bodies must meet this requirement before submitting their PIAs to the Commissioner for review.</strong></span></p>
<p><strong>Question 46</strong><br />
For this question, refer to the information set out in the commentary above for Question 43.</p>
<p><strong>Question 47</strong><br />
Service providers are considered employees of the public body and should have appropriate training prior to accessing personal information, and continue to receive refresher training for the duration of their contract (section 6(1)(d) of the M-Regulation).</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="project-risk-assessment-mitigation"></a></p>
<h3>H. Project Risk Assessment and Mitigation*</h3>
<p>This section of the PIA template requires public bodies to identify the project’s privacy and security risks and associated administrative, technical and physical safeguards that address these risks. This completion guide provides some <strong>example descriptions</strong> of the types of risks identified in the POPA PIA Template risk table.</p>
<p><strong>Question 48</strong><br />
Conducting security vulnerability assessments (VA) during the implementation of an information system that processes identifying information ensures exploitable security vulnerabilities or weaknesses are identified, prioritized and addressed in a timely manner. A penetration test (pentest) is performed to test whether security controls are working as expected. VA and pentest are part of an overall risk management strategy and should be conducted periodically. Other security assessments can also be conducted and included in the PIA. Providing copies of these assessments with your PIA further demonstrates the public body’s commitment to protecting personal information pursuant to section 10 of POPA.</p>
<p><strong>H1. General Risks (to be completed for all PIA submissions) *</strong></p>
<p><strong>Risk 1</strong><br />
E.g., personal information is collected by the public body and/or the information system is configured to accept personal information that does not relate directly to, and is not necessary for, the project. Systems built for the global market have default configurations that allow for the collection of vast amounts of personal information. Such systems should be hardened by disabling data fields that are not required for the specific project implementation, to manage the risk of over-collection.</p>
<p><strong>Risk 2</strong><br />
E.g., information that was collected for this project is used for a purpose not directly related to the project, contrary to section 12 of POPA.</p>
<p><strong>Risk 3</strong><br />
E.g., information that was collected for this project is disclosed contrary to section 13 of POPA. Personal information could be intercepted while in transit due to lack of appropriate security control, leading to unauthorized disclosure. There are also situations where the public body or its employees disclose personal information for secondary purposes without legal authority. Unauthorized disclosure could also be via insecure disposal of information processing media.</p>
<p><strong>Risk 4</strong><br />
E.g., information collected for this project is accessed by unauthorized users or malicious software due to lack of reasonable safeguards, contrary to section 10(1) of POPA.</p>
<p><strong>Risk 5</strong><br />
E.g., information collected for this project is lost as a result of human error or malicious software attacks, such as ransomware, which renders information inaccessible. This may lead to the inability of the public body to perform its business functions or respond to requests from individuals to access their information. Disgruntled employees can also deliberately destroy personal information. Also, changes to IT systems without proper IT change management process and lack of disaster recovery strategy could lead to loss of information.</p>
<p><strong>Risk 6</strong><br />
E.g., a public body loses control of electronic and/or paper-based information as a result of insufficient or absent contractual agreements with a third-party service provider. Loss of custody may involve the theft of paper records, or of a server that contains personal information, from the public body’s premises.</p>
<p><strong>Risk 7</strong><br />
E.g., information collected for this project is inadvertently or maliciously destroyed contrary to POPA and the policies of the public body, such that the public body is unable to respond to access to information requests or carry out its business functions. Lack of an enforceable record retention and disposition policy could also lead to unauthorized destruction.</p>
<p><strong>Risk 8</strong><br />
E.g., information collected for this project is rendered inaccurate, or incomplete, contrary to section 6(a) of POPA. This may occur if employees are not adequately trained on good data entry practices or if system changes do not follow industry standard change management processes or information is not reasonably protected from unauthorized modification.</p>
<p><strong>Risk 9</strong><br />
E.g., personal information collected for this project is retained contrary to section 6(b) of POPA or the project retention procedures as established by the public body (section 7(2)(f) of the M-Regulation). In some cases, this may be a consequence of the absence of a record retention policy or lack of enforcement of an existing record retention policy.</p>
<p><strong>Risk 10</strong><br />
E.g., individuals’ information is collected for this project without providing proper notice at the time of collection, contrary to section 5(2) of POPA. Notice fails to align with the manner of collection and the requirement of POPA such as collecting personal information directly from individuals by telephone but providing notice via the public body’s website.</p>
<p><strong>Risk 11</strong><br />
E.g., the public body fails to make individuals aware of their rights to request access to or correction of their personal information, and how to make such requests.</p>
<p><strong>Risk 12</strong><br />
E.g., lack of or inadequate privacy breach management means that privacy breaches will not be consistently detected and managed. In addition, affected individuals of privacy breaches/incidents, the Commissioner and the Minister will not be notified in a timely manner as required under section 10(2) of POPA.</p>
<p><strong>Risk 13</strong><br />
E.g. without assessing third parties’ controls, the public body is unable to attest whether the third party reasonably protects personal information in respect of the services provided to the public body in compliance with POPA and its regulations. As a result, the public body could fail to meet its obligations to protect personal information under section 10 of POPA.</p>
<p><strong>Risk 14</strong><br />
E.g. personal information collected for this project for purposes under section 12 of POPA is being used for secondary purposes (e.g. to train artificial intelligence (AI) or by the third party for quality improvement purposes) without authority.</p>
<p><strong>Risk 15 </strong><br />
E.g., inadequate or absent logging capabilities in systems limit the ability of the public body to identify and manage privacy breaches of personal information. In addition, they limit the Commissioner’s ability to investigate violations involving access to personal information, including investigating potential offences under section 60 of POPA.</p>
<p><strong>Risk 16</strong><br />
E.g., failure to have human oversight and validation measures for information systems could potentially lead to data accuracy and reliability issues.</p>
<p><strong>Risk 17</strong><br />
Failing to conduct a security vulnerability assessment means that the public body may not be aware of exploitable security vulnerabilities that exist in its environment and, as a result, would not take steps to address those vulnerabilities in a timely manner, thereby exposing personal information to potential compromise.</p>
<p><strong>H2. Risks Associated with Cloud Computing</strong></p>
<p><strong>Risk 1</strong><br />
E.g. In a multitenant cloud environment, compromise of one environment could lead to the compromise of other environments due to inappropriate segregation and isolation of cloud resources. In addition, there could potentially be information leakage between environments leading to unauthorized disclosure of personal information.</p>
<p><strong>Risk 2 </strong><br />
E.g., lack of formalized contractual arrangements that specifically consider POPA requirements could lead to loss of custody and/or control of personal information stored in the cloud environment as well as gaps in security management and non-compliance with POPA.</p>
<p><strong>Risk 3</strong><br />
E.g. the absence of clear and good governance on privacy and security of personal information could result in gaps in privacy and security management leading to non-compliance with POPA.</p>
<p><strong>Risk 4</strong><br />
E.g., POPA requirements, including privacy breach management, are not addressed in the contractual agreement between the public body and the cloud provider, which could lead to non-compliance with section 10(2) of POPA.</p>
<p><strong>Risk 5</strong><br />
E.g. a cloud provider goes out of business or declares bankruptcy, making it impossible for the public body to access personal information in the provider’s environment.</p>
<p><strong>Risk 6</strong><br />
E.g., a cloud provider uses proprietary technologies, making it difficult for the public body to migrate services to another provider and locking in the public body. A public body may want to change provider if the existing provider suffers multiple security incidents that have caused privacy breaches.</p>
<p><strong>Risk 7</strong><br />
E.g., the USA PATRIOT Act and Cloud Act allow the US government to access personal information held by US-based companies in the US (USA PATRIOT Act) and anywhere in the world (Cloud Act).</p>
<p><strong>Risk 8</strong><br />
E.g., a cloud provider uses personal information for their own purposes, such as de-identifying personal information and/or using the personal information for training their AI models.</p>
<p><strong>Risk 9</strong><br />
E.g., the cloud provider sells personal information or fails to securely sanitize information processing media prior to re-use or disposition leading to unauthorized disclosure of the personal information.</p>
<p><strong>Risk 10</strong><br />
E.g., lack of reasonable authentication and authorization controls, such as failure to implement and enforce multifactor authentication, could potentially lead to unauthorized access to personal information.</p>
<p><strong>Risk 11</strong><br />
E.g., weak or absent encryption could lead to unauthorized access to and disclosure of personal information in transit and at rest.</p>
<p><strong>H3. Risks Associated with Research</strong></p>
<p><strong>Risk 1</strong><br />
E.g., the public body fails to assess whether non-identifying data can be used to accomplish the research purpose prior to disclosing individually identifying personal information or has not obtained the Commissioner’s approval for such disclosure as required under section 15(a) of POPA.</p>
<p><strong>Risk 2 </strong><br />
E.g., the public body fails to perform a public interest analysis prior to disclosing personal information for research or statistical purposes where the information is involved in data matching.</p>
<p><strong>Risk 3</strong><br />
E.g. the public body fails to conduct an assessment of risk of harm prior to disclosing personal information for research or statistical purposes where the information is involved in data matching.</p>
<p><strong>Risk 4</strong><br />
E.g., the public body has not approved conditions relating to security and confidentiality, the removal or destruction of individual identifiers and prohibition of subsequent use or disclosure of the information without express authorization of the public body.</p>
<p><strong>Risk 5 </strong><br />
E.g., a research agreement has not been signed prior to the public body disclosing personal information or the research agreement in place does not meet the requirements of section 15(d) of POPA and section 4 of the Regulation.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-a-data-matching"></a></p>
<h3>Appendix A. Data Matching</h3>
<p><em>Only complete this section if the project involves data matching as defined under section 1(f) of POPA.</em></p>
<p><strong>Question 1</strong><br />
No additional explanation needed.</p>
<p><strong>Question 2</strong><br />
There are specific circumstances in which a public body may carry out data matching, as listed in section 17(1) of POPA. Any prescribed purposes will be found in the regulation; otherwise, such a purpose does not exist.</p>
<p><strong>Question 3</strong><br />
No additional explanation needed.</p>
<p><strong>Question 4</strong><br />
Prior to collecting personal information from another public body for the purpose of data matching, a public body must first create a governance structure that clearly identifies the responsibilities and accountability of each public body involved in carrying out the data matching to ensure access and privacy rights of Albertans are protected. The governance structure must clearly identify the responsibilities and accountability of each public body as it relates to:</p>
<ol>
<li>the custody and control of personal information,</li>
<li>the correction of errors or omissions in an individual’s personal information,</li>
<li>breach notifications, and</li>
<li>other duties imposed by the Act.</li>
</ol>
<p><span style="color: #ff0000;">Public bodies must meet this requirement before submitting their PIAs to the Commissioner for review.</span></p>
<p><strong>Question 5</strong><br />
The data matching agreement is required to ensure clarity regarding the roles and responsibilities of each public body involved in the data matching project as well as legislative compliance. The minimum requirements of the agreement are as follows:</p>
<p>the agreement must:</p>
<ol>
<li>identify
<ol type="i">
<li>the authority under which the public body will carry out data matching, and</li>
<li>the purpose for which the public body will carry out data matching,</li>
</ol>
</li>
<li>identify each public body’s role and how each public body’s role relates to the purpose of the data matching to which the addendum relates,</li>
<li>describe how the personal information will be securely transmitted, matched or linked by the public bodies,</li>
<li>identify whether the data derived from the personal information used for data matching will be disclosed to the public body from whom the personal information was collected,</li>
<li>identify each public body’s responsibilities respecting reasonable security arrangements, including respecting administrative safeguards, physical safeguards and technical safeguards, for the protection of personal information against such risks as unauthorized access, collection, use, disclosure or destruction, and</li>
<li>establish a clear governance structure respecting the responsibilities and accountability of each public body.</li>
</ol>
<p><strong>Question 6</strong></p>
<p>This question requires that a public body participating in data matching identifies collections, uses or disclosures of personal information that only apply to that public body. In doing so, the public body is required, by law, to have an addendum for the unique collections, uses or disclosures to accompany the joint PIA submitted for the project.</p>
<p><strong>Question 7 </strong><br />
No additional explanation needed.</p>
<p><strong>Question 8</strong></p>
<p><strong>Risk Assessment and Mitigation &#8211; Risks Associated with Data Matching. </strong></p>
<p><em>This Completion Guide will provide some examples of the description of the types of risks identified in the Risk Assessment and Mitigation table for risks related to data matching. </em></p>
<p><strong>Risk 1</strong></p>
<p>E.g. section 7(2)(g) of the M-Regulation requires the establishment of a <span style="color: #ff0000;">clear governance structure respecting the responsibilities and accountability</span> of two public bodies involved in data matching if one public body is collecting personal information from another public body for the purpose of data matching.</p>
<p><strong>Risk 2</strong></p>
<p>E.g., this risk assessment is to ensure that section 17 of POPA is complied with, given that this section prohibits public bodies, except for the Office of Statistics and Information, from collecting personal information directly from an individual for the purpose of data matching.</p>
<p><strong>Risk 3</strong><br />
E.g., section 6 of POPA requires a public body to make every reasonable effort to ensure that an individual’s personal information is accurate and complete before using such information to make a decision that directly affects that individual.</p>
<p><strong>Risk 4</strong><br />
E.g., as required by section 6 of POPA, the quality of the source data will play a significant part in the quality of the resulting data from data matching, so it is important for public bodies to ensure that the quality of the source is validated prior to conducting the data matching.</p>
<p><strong>Risk 5</strong><br />
E.g., data matching activities normally take place in a test environment. The resulting data is then migrated to the production environment. Therefore, the test environment security controls should be proportionate to the security classification of the data involved in data matching. Failure to implement reasonable and proportionate security arrangements to protect personal information within the public body’s data matching environment exposes it to potential incidents under section 10(2) of POPA, especially given that a single test environment may be used for multiple projects and thus accessed by various users.</p>
<p><strong>Risk 6</strong><br />
E.g. this is about validating the final product. The public body should ensure that the final product is the desired outcome, and that no data errors are in the resulting data set, or if errors are identified, that they are addressed. (section 6 of POPA).</p>
<p><strong>Risk 7</strong><br />
E.g., this is about securely cleaning the test environment that was used for data matching by securely deleting personal information from that environment before it is used for other purposes or used by other users to prevent potential unauthorized access to personal information.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-b-common-integrated-program-service"></a></p>
<h3>Appendix B. Common or Integrated Program or Service</h3>
<p><strong>Question 1</strong><br />
A common or integrated program or service must comply with specific requirements under POPA and the M-Regulation. It is therefore important for the public body to carefully consider those requirements prior to implementing a new common or integrated program or service or making changes to an existing common or integrated program or service.</p>
<p><strong>Question 2</strong></p>
<p>Since a common or integrated program or service requires each public body to identify its responsibilities and accountabilities, identifying each public body assists in determining the areas of responsibility and accountability for each public body.</p>
<p>For question 2c, if the PIA is for a change in an existing common or integrated program or service, providing an existing PIA file number assists the OIPC in making reference to relevant information in that file during the review of the current PIA as the public body focuses on addressing privacy and security risks associated with the change. The public body may also choose to use the existing Microsoft Word copy of the existing PIA to identify areas that have changed by striking the outdated information and entering updated or new information in a different-colour text.</p>
<p><strong>Question 3</strong></p>
<p>This question is about making sure that there is a governance structure in place for the common or integrated program or service. This governance structure <em>(a documented set of rules and processes that identify the roles, responsibilities and accountability for each public body participating in the integrated program or service)</em>, which clearly identifies responsibilities and accountabilities, <span style="color: #ff0000;">must be in place prior to the PIA being submitted to the Commissioner for review.</span></p>
<p>The governance structure must clearly identify the responsibilities and accountability of each public body as it relates to:</p>
<ol>
<li>the custody and control of personal information,</li>
<li>the correction of errors or omissions in an individual’s personal information,</li>
<li>breach notifications, and</li>
<li>other duties imposed by the Act.</li>
</ol>
<p><strong>Question 4</strong></p>
<p>This agreement is required to ensure each public body involved in a common or integrated program or service independently complies with POPA. The minimum requirements for such an agreement include:</p>
<ol>
<li>identify the purpose of the common or integrated program or service,</li>
<li>identify each public body’s roles and responsibilities respecting the common or integrated program or service and how the roles and responsibilities of each public body relate to the purpose of the common or integrated program or service,</li>
<li>identify each public body’s responsibilities under the Act,</li>
<li>establish rules respecting reasonable security arrangements, including respecting administrative safeguards, physical safeguards and technical safeguards, for the protection of personal information against such risks as unauthorized access, collection, use, disclosure or destruction, and</li>
<li>establish a clear governance structure respecting the responsibilities and accountability of each public body.</li>
</ol>
<p><strong>Question 5</strong></p>
<p>This question requires that a public body participating in a common or integrated program or service identifies collections, uses or disclosures of personal information that only apply to that public body. In doing so, the public body is required, by law, to have an addendum PIA for the unique collections, uses or disclosures to accompany the joint PIA submitted for the project.</p>
<p><strong>Question 6</strong></p>
<p><strong>Risk Assessment and Mitigation &#8211; Common or Integrated Program or Service Risks</strong></p>
<p><em>This completion guide will provide some examples of the description of the types of risks identified in the Risk Assessment and Mitigation table for common or integrated program or service risks</em></p>
<p><strong>Risk 1</strong><br />
E.g., a governance structure, including policies, is not in place or is inadequate, leading to inconsistencies in the management of the program that create exploitable privacy and security vulnerabilities.</p>
<p><strong>Risk 2</strong><br />
E.g., policies are not in place or are not clear on accountability for different aspects of the program including accountability for privacy.</p>
<p><strong>Risk 3</strong></p>
<p>E.g., the responsibilities of each public body involved in the common or integrated program including for privacy management are not clearly defined.</p>
<p><strong>Risk 4</strong></p>
<p>E.g., the information security classification for one or more public bodies does not align with the sensitivity of the information, leading to gaps in the protection of personal information.</p>
<p><strong>Risk 5</strong><br />
E.g., the public bodies involved fail to make individuals aware of how they can exercise their access and privacy rights under POPA and the ATIA, as applicable.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-c-automated-systems-innovative-technology"></a></p>
<h3>Appendix C. Use of Automated Systems or Other Forms of Innovative Technology</h3>
<p><strong>Question 1</strong></p>
<p>An Algorithm Impact Assessment (AIA) is a risk assessment or evaluation process that determines the impact of an automated system on individuals whose personal information is collected, used or disclosed in the use of automated systems such as artificial intelligence or other forms of innovative technology. Section 7(3) of the M-Regulation requires that a PIA contain a level of detail commensurate with the complexity of the practice, program, project or service the PIA relates to. As such, the public body is required to also complete an AIA. The OIPC is in the process of developing an AIA tool, which will be published on the OIPC website, with a link included in the POPA PIA template and this document. In the interim, the OIPC recommends that where a project involves automated systems, public bodies consult industry-standard algorithm impact assessment guidelines in preparing and submitting their AIAs with their PIAs.</p>
<p><strong>Question 2</strong></p>
<p><strong>Risks Associated with the use of Automated Systems or other forms of innovative technology.</strong></p>
<p><strong>Risk 1</strong><br />
E.g. failure to maintain custody or control of personal information ingested by an automated system due to lack of controls to securely and automatically delete information from the automated system.</p>
<p><strong>Risk 2 </strong><br />
E.g. lack of or insufficient automated systems governance policies and procedures leads to inconsistent implementation and use of automated systems, resulting in automated systems-related vulnerabilities and privacy compliance issues.</p>
<p><strong>Risk 3</strong><br />
E.g., automated systems such as artificial intelligence are known to hallucinate by fabricating results or outputs. Lack of monitoring, including lack of oversight of AI systems, leads to failures to detect and address hallucination issues.</p>
<p><strong>Risk 4</strong><br />
E.g., using poor-quality and unreliable training data leads to issues with automated system results, including hallucination. In addition, using training data that is not an accurate representation of the population where the automated system will be deployed could potentially lead to inaccurate results and bias.</p>
<p><strong>Risk 5</strong><br />
E.g. if inputs in automated systems are not validated and protected, such inputs can be manipulated prior to processing by the automated system. This makes input vulnerable to tampering and the automated system vulnerable to faulty results.</p>
<p><strong>Risk 6</strong><br />
E.g., without understanding whether the automated system model is static or dynamic, it may be difficult to implement the right monitoring mechanism for the model. For instance, while dynamic models continuously learn from new data sets in process, a static model is only as good as its last update.</p>
<p><strong>Risk 7</strong><br />
E.g., underfitting an automated system model with its training data means that the model is trained to be too broad in its generalization, making it prone to false positives when processing new data.</p>
<p><strong>Risk 8</strong><br />
E.g., overfitting an automated system model with its training data means that the model is trained to align too closely with its training data, leading to a lack of generalization by the model and making it prone to false negatives when it processes new data.</p>
<p><strong>Risk 9</strong><br />
E.g., misconfiguration of an automated system is a security vulnerability that could be exploitable, potentially leading to unauthorized access to or disclosure of personal information.</p>
<p><strong>Risk 10</strong><br />
E.g., lack of processes for individuals to be made aware of and appeal decisions made by automated systems could infringe on individuals’ access and privacy rights.</p>
<p><strong>Risk 11</strong><br />
E.g., insufficient logging and auditing means that the activities of the automated system cannot be reasonably monitored to ensure it is working as expected or to detect potential compromise of the system.</p>
<p><strong>Risk 12 </strong><br />
E.g., lack of monitoring of the automated system based on established policies and processes means that issues with the functioning of the automated system cannot be detected and addressed in a timely manner.</p>
<p><strong>Risk 13</strong><br />
E.g., failing to conduct a vulnerability assessment means that exploitable vulnerabilities associated with an automated system cannot be identified and addressed. A copy of the results of the assessment should form part of the PIA to demonstrate the public body’s commitment to protecting personal information pursuant to section 10 of POPA.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-d-pia-cover-letter"></a></p>
<h3>Appendix D. PIA Cover Letter *</h3>
<p>While the head of a public body may assign privacy responsibilities to other individuals within the public body, the head of the public body is ultimately accountable for meeting the public body’s obligations under POPA. To this end, the PIA must include a cover letter signed by the head of the public body.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>

<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="appendix-e-pia-submission-checklist"></a></p>
<h3>Appendix E. PIA Submission Checklist *</h3>
<p>This checklist is provided to ensure the public body reviews its PIA and confirms that all sections of the PIA have been considered, relevant sections completed, and all supporting documents included in the PIA submission.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
March 2026</p>

		</div>
	</div>
<br />

<table id="tablepress-2-no-3" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-3 from cache --></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Returning/Destroying Records</title>
		<link>https://oipc.ab.ca/resource/practice-note-returning-destroying-records/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Fri, 23 Jan 2026 16:43:27 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17278</guid>

					<description><![CDATA[January 2026]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<h2><strong>Overview</strong></h2>
<p>Since taking office in August 2022, Commissioner Diane McLeod has been reviewing the practices of the Office of the Information and Privacy Commissioner (OIPC) when it comes to returning/destroying records that parties provide to the Commissioner when she is performing her legislative functions. From this review, it has become apparent that there are varying interpretations of in what circumstances records must be returned/destroyed, and therefore various practices under which some records have not been returned from files dating as far back as 15+ years.</p>
<p>Under section 56 of the <em>Freedom of Information and Protection of Privacy Act </em>(the FOIP Act), section 50 of the <em>Access to Information Act </em>(ATIA), section 29 of the <em>Protection of Privacy Act </em>(POPA), section 88 of the <em>Health Information Act </em>(HIA) and section 38 of the <em>Personal Information Protection Act </em>(PIPA), the Commissioner may require that any record be produced to the Commissioner in conducting a Commissioner-led investigation or an inquiry and, except for PIPA, in giving advice and recommendations. Records pertaining to investigations, inquiries and giving advice and recommendations are case file records of the OIPC.</p>
<p>Section 56(5) of the FOIP Act, section 88(5) of the HIA and section 38(5) of PIPA require that the Commissioner return any record or any copy of any record produced. Section 50(5) of ATIA and section 29(5) of POPA require that the Commissioner return any original paper record produced and destroy any copy of any record, including any electronic record, produced.</p>
<p>This Practice Note sets out how the Commissioner now intends to deal with the statutory requirement to return/destroy records that are required to be produced to the Commissioner.</p>
<p>&nbsp;</p>
<h2><strong>Records that the Commissioner will return</strong></h2>
<p>The Commissioner has determined that the following requirements must be met for returning records:</p>
<ul>
<li>There must have been a Commissioner-led investigation or inquiry or a request to give advice and recommendations.</li>
<li>The Commissioner must have required the records to be produced.</li>
<li>The Public Body, Custodian or Organization that produced the records must still be in existence.</li>
</ul>
<p>If the foregoing requirements are met, the Commissioner will return the following records:</p>
<ul>
<li>original paper records produced by a Public Body under ATIA and POPA</li>
<li>records that were produced to the Commissioner in an electronic medium such as a CD or USB key</li>
</ul>
<p>&nbsp;</p>
<h2><strong>Records that the Commissioner will not return</strong></h2>
<p>The Commissioner has determined that records provided in settlement will not be returned, as there is no authority to require records to be produced.</p>
<p>The Commissioner has also determined that records that the Commissioner required to be produced in a Commissioner-led investigation or an inquiry or in giving advice and recommendations will also not be returned if any of the following circumstances are met:</p>
<ul>
<li>The records that were produced are paper records that are not original paper records.</li>
<li>The Public Body, Custodian or Organization that produced the records no longer exists.</li>
<li>The records are a copy that the Commissioner made for the investigation or inquiry.</li>
<li>The records are a copy that the Commissioner made and provided to the Court.</li>
<li>The records were produced in an electronic form and provided to the Commissioner by email or by electronic document drop box.</li>
</ul>
<p>Any records set out above that are not returned will be destroyed according to the <em>Records Retention and Disposition Schedule </em>(the <em>Schedule</em>) of the OIPC. The current <em>Schedule </em>of the OIPC requires that case file records be retained for 20 years and then destroyed.</p>

		</div>
	</div>

<p>January 2026</p>

<table id="tablepress-2-no-4" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-4 from cache -->
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Letter from OIPC to Ministers of PPHS and HSHS regarding Bill 11 &#8211; December 1 2025</title>
		<link>https://oipc.ab.ca/resource/letter-from-oipc-to-ministers-of-pphs-and-hshs-regarding-bill-11-december-1-2025/</link>
		
		<dc:creator><![CDATA[Elaine Schiman]]></dc:creator>
		<pubDate>Mon, 01 Dec 2025 22:26:38 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17186</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Privacy laws in Alberta</title>
		<link>https://oipc.ab.ca/resource/privacy-laws-in-alberta/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 11 Jun 2025 23:06:52 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17473</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a></p>
<p>Privacy laws are meant to protect your autonomy and dignity as an individual by giving you control over the collection, use and disclosure of your personal or health information.</p>
<p>There are three privacy laws in Alberta. These laws apply to the public sector (such as government, police, municipalities), health sector (such as hospitals, doctors, pharmacies, dentists), and private sector organizations (such as retail stores, online stores and social media and other apps, and contractors).</p>
<p>Below is a description about how each law protects you and how you can exercise your rights under these laws. There is also information about the Office of the Information and Privacy Commissioner and the work we do.</p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#public-sector-privacy-law">Public Sector</a></li>
<li><a href="#health-sector-privacy-law">Health Sector</a></li>
<li><a href="#private-sector-privacy-law">Private Sector</a></li>
<li><a href="#exercising-your-privacy-rights">Exercising Your Privacy Rights</a></li>
<li><a href="#about-the-office-of-the-information-and-privacy-commissioner">About the OIPC</a></li>
</ul>
</div>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="public-sector-privacy-law"></a></p>
<h2>Public Sector Privacy Law (applies to public bodies)</h2>
<h5>Protection of Privacy Act</h5>
<p>The Protection of Privacy Act (POPA or Act) applies to public bodies in Alberta. Public bodies include government ministries or departments, government agencies, boards and commissions, school boards and charter schools, universities and colleges, municipalities, and police.</p>
<p>POPA came into force in June of 2025. It replaced the privacy part of the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act). The FOIP Act has been repealed and is no longer in force in Alberta.</p>
<p>POPA protects privacy by controlling the ways a public body may collect, use or disclose personal information. No personal information may be collected by or for a public body unless the collection is:</p>
<ul>
<li>Authorized by another law or enactment</li>
<li>For purposes of law enforcement</li>
<li>Information that relates to and is necessary for an operating program or activity of the public body including a common or integrated program or activity</li>
</ul>
<p>Your personal information must be collected directly from you subject to certain exceptions and when collected in this manner, you must be notified about the purpose of collection. Once collected, your personal information may be used or disclosed for the intended purpose of collection. Your personal information may be used or disclosed for other purposes in some situations, such as when you consent. A public body must also protect your personal information from loss or unauthorized access or disclosure and must notify you about a breach involving your personal information if there is a real risk of significant harm to you as a result of the breach.</p>
<p>You have rights under POPA as it relates to your personal information, including that information collected about you must be reasonably accurate, you have the right to access your personal information, and you can make a complaint if you believe that your personal information is being collected, used or disclosed contrary to the Act.</p>
<p>Under POPA, public bodies are permitted to data match personal information to create additional personal information. This is called “derived data” under POPA. Public bodies are also permitted to modify personal information so that it can no longer identify an individual. This is referred to in the Act as “non-personal data”. Derived data and non-personal data are subject to the Act, meaning that the Information and Privacy Commissioner has oversight of this data. If you believe that the process used to create derived data or non-personal data is not in accordance with the Act, you can make a complaint to the Commissioner.</p>
<p>It is an offence for a person to collect, use or disclose personal information contrary to the Act, to perform data matching contrary to the Act, and to reidentify or attempt to reidentify personal information from non-personal data.</p>
<p>See below for more information about exercising your privacy rights under POPA.</p>
<p>For more information on submitting a privacy complaint, click <a href="https://dev.oipc.ab.ca/privacy-correction-complaint/" target="_blank" rel="noopener"><strong>here</strong></a>.</p>

		</div>
	</div>

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="health-sector-privacy-law"></a></p>
<h2>Health Sector Privacy Law (applies to custodians)</h2>
<h5>Health Information Act</h5>
<p>The <em>Health Information Act</em> (HIA or Act) applies to “custodians”, such as government departments responsible for health services in Alberta, provincial health agencies (Recovery Alberta, Assisted Living Alberta, Acute Care Alberta, Primary Care Alberta), hospital services (Alberta Health Services, Covenant Health, Lamont Health Care Centre), pharmacies and pharmacists, physicians, optometrists, registered nurses, dentists, and their health service providers or employees.</p>
<p>HIA protects privacy by controlling the ways a health custodian may collect, use or disclose health information, including diagnostic, treatment, care and registration information. Custodians are prohibited from collecting, using, or disclosing health information unless permitted by the Act.</p>
<p>Your health information may be used and disclosed by a custodian for the purposes of providing you with health care, including to other health care providers or other persons who may be involved in your health care. Your health information may also be used or disclosed for the purposes of managing the public health care system in Alberta and for making certain of your health information accessible electronically to those authorized to have this access. The electronic health record in Alberta is called “Netcare”.</p>
<p>Custodians must consider your expressed wishes when deciding how much information to disclose to others and for making it accessible through Netcare. What this means is that if you inform your health care provider that you don’t want all of your health information, or certain kinds of information, such as highly sensitive health information, accessible by others, you can express this wish to a custodian and they must consider it before making the specified health information accessible.</p>
<p>If you were to express your wish to a custodian that you do not want your health information accessible through Netcare, the custodian could “mask” this information so that other care providers cannot access this information unless they “break the glass”, which means they may unmask it. Generally, this would only occur with your consent or in circumstances where you cannot give your consent due to your medical condition.</p>
<p>Your health information may also be disclosed with your consent. If disclosure of your health information is authorized without your consent, you have the right to ask about it. You also have the right to request a record – also known as an “audit log”. Requesting an audit log of Netcare accesses will show you who has accessed your health information in Netcare.</p>
<p>A custodian is required to protect your health information from loss, unauthorized access or disclosure and must notify you if your health information is involved in a breach and you are at risk of significant harm as a result of the breach.</p>
<p>In addition to the rights mentioned, you have the right under the HIA to request a correction of health information (not opinions), you have the right to access your health information, and you can make a complaint if you believe that your health information has been collected, used, accessed or disclosed contrary to the HIA.</p>
<p>It is an offence in the HIA to collect, use, access or disclose health information contrary to the HIA and to fail to protect health information as required by the Act.</p>
<p>See below for more information about exercising your privacy rights under HIA.</p>
<p>For more information on submitting a privacy complaint, click <a href="https://dev.oipc.ab.ca/privacy-correction-complaint/" target="_blank" rel="noopener"><strong>here</strong></a>.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="private-sector-privacy-law"></a></p>
<h2>Private Sector Privacy Law (applies to private organizations)</h2>
<h5>Personal Information Protection Act</h5>
<p>The Personal Information Protection Act (PIPA or Act) applies to private organizations, such as businesses, employees, partnerships, trade unions and professional regulatory bodies.</p>
<p>PIPA protects privacy by controlling the ways a private organization may collect, use or disclose personal information and personal employee information.</p>
<p>Private sector organizations must have your consent to collect, use or disclose your personal information. Collection, use or disclosure without consent is authorized in some situations under PIPA. In addition to having consent, an organization must also have a reasonable purpose for this activity. The Act specifies that what is reasonable is what a reasonable person would consider appropriate in the circumstances.</p>
<p>If you are an employee, consent is not required for the collection, use or disclosure of personal employee information by the employer that is reasonably required for the work relationship.</p>
<p>A private sector organization is required to protect your personal information from loss, unauthorized access and use or disclosure and must notify you about a breach of your personal information if you face a real risk of significant harm from the breach.</p>
<p>You have rights under PIPA, including the right to request access to your own personal information. You may make a complaint to the Information and Privacy Commissioner if you believe that your personal information has been collected, used, disclosed, accessed inappropriately or breached. You may also make a complaint to the Commissioner if you believe that an organization’s practices are not in compliance with PIPA.</p>
<p>It is an offence under PIPA for an organization to collect, use, disclose or attempt to gain access to your personal information contrary to the Act.</p>
<p>See below for more information about exercising your privacy rights under PIPA.</p>
<p>For more information on submitting a privacy complaint, click <a href="https://dev.oipc.ab.ca/privacy-correction-complaint/" target="_blank" rel="noopener"><strong>here</strong></a>.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="exercising-your-privacy-rights"></a></p>
<h2>Exercising your Privacy Rights</h2>
<h5>Complaints about the collection, use or disclosure of your own personal information</h5>
<p>If you believe your personal or health information has been collected, used, or disclosed improperly under POPA, HIA, or PIPA, you may submit a complaint in writing to the Office of the Information and Privacy Commissioner (OIPC). Before submitting your privacy complaint to the OIPC, you must first make your complaint to the public body, custodian or private organization (as applicable).</p>
<p>Your written complaint must provide enough detail to support your belief that your personal or health information has been collected, used or disclosed in contravention of the law.</p>
<p>The Commissioner may assign a staff member to try to informally resolve your complaint (referred to as the settlement phase). If the matter is not resolved during the settlement phase, the Commissioner will decide whether the matter will go to inquiry. An inquiry is a formal hearing that results in an order being issued. An order made by the OIPC is final.</p>
<h5>General complaints about non-compliance with privacy laws (not your own personal information)</h5>
<p>You may also submit a general complaint <strong>under POPA</strong> (using the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form_POPA-Privacy_Correction_Request_for_Review_202506.pdf" target="_blank" rel="noopener">POPA Privacy/Correction Request form</a>) in the following two circumstances:</p>
<ol>
<li>You believe a public body created personal information from matching (or linking) two or more sources of personal information (this is referred to in POPA as data derived from data matching) contrary to the requirements for this activity as specified in POPA.</li>
<li>You believe there has been an actual or attempted reidentification of data by a person after personal information has been rendered as non-identifiable by a public body as required by POPA or its regulations.</li>
</ol>
<p>You may also submit a general complaint <strong>under PIPA</strong> (using the <a href="/wp-content/uploads/2025/06/Form_PIPA-Request_for_Review_Complaint_202506.pdf" target="_blank" rel="noopener">PIPA Request for Review/Complaint form</a>) if you believe that an organization’s practices for protecting privacy as required by this Act are not in compliance.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="about-the-office-of-the-information-and-privacy-commissioner"></a></p>
<h2>About the OIPC</h2>
<p>The Information and Privacy Commissioner is responsible for monitoring compliance with Alberta’s privacy laws to ensure their purposes are achieved. The work of the Commissioner is performed through the Office of the Information and Privacy Commissioner.</p>
<p>The Commissioner has broad authority under these laws to investigate allegations of non-compliance and to issue binding orders to enforce compliance. The Commissioner also has a number of additional responsibilities under these laws including advocating for privacy rights of Albertans. The Commissioner is an officer of the Legislature and in this capacity operates independently from government ministers and departments.</p>

<table id="tablepress-2-no-5" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br /><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>

		</div>
	</div>

]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Procedures for Reviews and Privacy Complaints &#8211; Settlement Phase &#8211; ATIA and POPA</title>
		<link>https://oipc.ab.ca/resource/procedures-reviews-privacy-complaints-settlement-atia-popa/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 11 Jun 2025 22:54:03 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16877</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a></p>
<p>This document provides parties with a summary of the procedures under which reviews and privacy complaints are conducted under the new <em>Access to Information Act </em>(ATIA) and the <em>Protection of Privacy Act </em>(POPA) at the settlement phase.</p>
<p>In June of 2025, the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act) was repealed and replaced with the ATIA and POPA. Please see below under the heading “Transition from FOIP to ATIA and POPA” for more information about whether your review falls under ATIA, POPA or the FOIP Act.</p>
<p>For information about the procedures for reviews and privacy complaints under the FOIP Act, HIA and PIPA see: <a href="/resource/procedures-reviews-privacy-complaints-settlement-foip-hia-pipa/" target="_blank" rel="noopener">Procedures for Reviews and Privacy Complaints &#8211; Settlement Phase &#8211; FOIP, PIPA, HIA</a>.</p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#what-is-review">What is a review?</a></li>
<li><a href="#what-is-investigation">What is an investigation?</a></li>
<li><a href="#settlement-phase">What is the settlement phase?</a></li>
<li><a href="#commissioner-mandate">Commissioner’s Mandate</a></li>
<li><a href="#transition">Transition from FOIP to ATIA and POPA</a></li>
<li><a href="#what-we-do">What We Do…</a></li>
<li><a href="#what-we-do-not-do">What We Do Not Do…</a></li>
<li><a href="#making-request">Making a Request for Review or Complaint to the Commissioner</a></li>
<li><a href="#time-limits">Time Limits to Request a Review</a></li>
<li><a href="#overview-proceedings">Overview of Proceedings</a></li>
<li><a href="#review-investigation">Review and Investigation</a></li>
<li><a href="#inquiries">Inquiries</a></li>
<li><a href="#timelines-completion">Timelines to complete a review</a></li>
<li><a href="#definitions">Definitions</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-is-review"></a></p>
<h2>What is a review?</h2>
<p>Under ATIA, the Commissioner has authority to review any decision, act or failure to act by the head related to requests for access to information. The Commissioner also has authority to review a decision by the head of a public body to give access to information of a third party.</p>
<p>Under POPA, the Commissioner has authority to review the collection, use or disclosure of an individual’s own personal information if the individual believes that the collection, use or disclosure was in contravention of POPA. The Commissioner also has authority to review any decision, act or failure to act of the head related to a correction request.</p>
<p>Reviews generally have two phases: a settlement phase, in which the Case Resolution Team attempts to settle the matter under review, and an inquiry phase, which is a formal adjudicative hearing conducted by the Adjudication Team from which an order is issued. An inquiry may occur if settlement is not achieved.</p>
<p>Reviews under ATIA and POPA are subject to specified time limits.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-is-investigation"></a></p>
<h2>What is an investigation?</h2>
<p>Under POPA, the Commissioner is authorized to investigate privacy complaints about the following:</p>
<ul>
<li>That personal information about any person has been collected, used or disclosed by a public body contrary to POPA</li>
<li>That data derived from personal information or non-personal data has been created, used or disclosed by a public body contrary to POPA</li>
<li>Respecting the actual or attempted re-identification by any person of non-personal data created under section 21(1) of POPA</li>
</ul>
<p>The Case Resolution Team will generally try to settle privacy complaints. However, the Commissioner may decide to have the complaint formally investigated by the Investigation Team. At the conclusion of a formal investigation, an order may be issued.</p>
<p>Investigations into complaints are not subject to specified time limits in POPA.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="settlement-phase"></a></p>
<h2>What is the settlement phase?</h2>
<p>The settlement phase is the first phase of a review or complaint investigation.  It is a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  It may also be referred to as a mediation or investigation.  The majority of files are resolved at the settlement phase.</p>
<p>Please note that our office made some adjustments to our settlement procedures in 2024 and 2025 in the interest of creating greater efficiencies in our work. This page has been updated to reflect those changes.</p>
<p>Forms referenced in this document are available on our office’s website at <a href="https://oipc.ab.ca/forms/" target="_blank" rel="noopener">https://oipc.ab.ca/forms/</a>.</p>
<p>Please note that some important definitions are provided at the bottom of this page.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="commissioner-mandate"></a></p>
<h2>Commissioner’s Mandate</h2>
<p>The Commissioner is not a part of the Government of Alberta. The Commissioner is an independent Officer of the Legislature and reports directly to the Alberta Legislative Assembly.</p>
<p>The Commissioner, through the Office of the Information and Privacy Commissioner (OIPC), carries out the legislative and regulatory responsibilities related to Alberta public bodies set out in the following laws:</p>
<ul>
<li><em>Access to Information Act </em>(ATIA) [in force June 2025]</li>
<li><em>Protection of Privacy Act</em> (POPA) [in force June 2025]</li>
<li><em>Freedom of Information and Protection of Privacy Act</em> [repealed June 2025] (FOIP Act)</li>
</ul>
<h3>Transition from FOIP to ATIA and POPA</h3>
<p>Public bodies were subject to the FOIP Act until mid-June of 2025. When ATIA and POPA were brought into force, these Acts repealed the FOIP Act. The ATIA applies to access to information requests. POPA applies to reviews of responses to correction requests made after POPA came into force. It also applies to complaints regarding the collection, use or disclosure of an individual’s own personal information by a public body, where the individual first makes a complaint to the public body concerned.</p>
<p>The FOIP Act continues to apply to reviews of responses to access or correction requests made, or third party notification decisions issued, prior to June 2025. It also applies to complaints about the collection, use or disclosure of personal information by a public body which occurred prior to the repeal of the FOIP Act. For more information, please see the <a href="https://oipc.ab.ca/resource/practice-note-transitional-foip-to-atia-popa/" target="_blank" rel="noopener">Practice Note &#8211; Transitional &#8211; FOIP Act to ATIA and POPA</a>.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-we-do"></a></p>
<h2>What We Do…</h2>
<ul>
<li>Review the decisions of public bodies in regard to requests for access to information or correction of personal information made under the Acts</li>
<li>Review complaints regarding the collection, use or disclosure of personal information</li>
<li>Under POPA, investigate complaints about whether an organization is in compliance with the Act, such as enquiries into an organization’s general practices</li>
<li>Try to settle reviews and complaints</li>
<li>Where settlement cannot be achieved or as instructed by the Commissioner, conduct inquiries and issue binding orders</li>
</ul>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="what-we-do-not-do"></a></p>
<h2>What We Do Not Do…</h2>
<ul>
<li>Act as an advocate on behalf of any party to a review or investigation</li>
<li>Release records that are the subject of a review</li>
<li>Store records on behalf of the Government of Alberta or any other party</li>
<li>Impose fines or award damages</li>
<li>Hear appeals of claims, benefits or decisions that do not fall under the Acts</li>
<li>Discipline, terminate or reinstate employees</li>
<li>Regulate the actions of individuals as private citizens</li>
<li>Regulate the constituency offices of members of the legislative assembly (but we do regulate certain access and privacy issues involving actions of cabinet members and ministries)</li>
</ul>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="making-request"></a></p>
<h2>Making a Request for Review or Complaint to the Commissioner</h2>
<p>Under the Acts:</p>
<ul>
<li>Using the <a href="/wp-content/uploads/2025/06/Form_ATIA-Request_for_Review_202506.pdf" target="_blank" rel="noopener">ATIA Request for Review form</a>, an applicant may ask the Commissioner to review any decision, act or failure to act by the public body that relates to an applicant’s access to information request</li>
<li>Using the <a href="/wp-content/uploads/2025/06/Form_ATIA-Third-Party_Request_for_Review_202506.pdf" target="_blank" rel="noopener">ATIA Third-Party Request for Review form</a>, a third party who has been notified by a public body under ATIA that its information will be given to an applicant may ask the Commissioner to review that decision</li>
<li>Using the <a href="/wp-content/uploads/2025/06/Form_POPA-Privacy_Correction_Request_for_Review_202506.pdf" target="_blank" rel="noopener">POPA Privacy/Correction Request form</a>, an individual may ask the Commissioner to investigate if they believe that their own personal information has been collected, used or disclosed in contravention of POPA</li>
<li>Any person may ask the Commissioner to investigate whether an organization or public body is in compliance with POPA, such as enquiries into an organization’s general practices.</li>
</ul>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="time-limits"></a></p>
<h2>Time Limits to Request a Review</h2>
<p>A review may be requested by completing and submitting the applicable request for review form (see “Making a Request for Review or Complaint to the Commissioner” above) to the OIPC within the following timelines:</p>
<p><strong>Note</strong>: for the interpretation of “business day” please see <a href="/resource/practice-note-business-day-atia-popa/" target="_blank" rel="noopener">Practice Note &#8211; Business Day &#8211; ATIA and POPA</a></p>
<h3>ATIA</h3>
<p>For reviews of access requests, within 60 business days after an applicant is notified of the decision, act or failure to act that is the subject of the request.</p>
<h3>POPA</h3>
<p>For correction requests, within 60 business days after the individual is notified of the decision, act or failure to act that is the subject of the request.</p>
<p>For reviews concerning the collection, use or disclosure of one’s own personal information that may be contrary to POPA, no sooner than the expiry of the 30 business days that the public body has to respond to the privacy complaint AND within 60 business days after receiving a response to the privacy complaint from the public body &#8211; or, in the case of non-response, within 60 business days after the 30 business days the public body had to respond.</p>
<h3>ATIA and Third Parties</h3>
<p>For third party reviews, within 20 business days after being notified by a public body of its decision to give an applicant access to third party information. The Commissioner has no power to allow a third party a longer period to submit a request for review.</p>
<p><em>Note this important process change for public bodies and third parties: </em></p>
<p><em>As of <strong>February 1, 2024</strong>, the OIPC no longer conducts courtesy searches on behalf of public bodies to determine if a third party request for review has been received by this office. ATIA now requires that a third party deliver a written request to the Commissioner <u>and</u> the head of the Public Body.</em></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="overview-proceedings"></a></p>
<h2>Overview of Proceedings</h2>
<h3>Intake</h3>
<p>To initiate a review or make a privacy complaint, the applicable form must be completed (see “Making a Request for Review or Complaint to the Commissioner” above) AND submitted together with all supporting documents <u>in one submission</u>. Otherwise, the submission will be returned. We also enforce a 15-page limit for submissions.</p>
<p>Every submitted form is checked for:</p>
<ul>
<li>Jurisdiction &#8211; is it something the OIPC can do under one of the Acts?</li>
<li>Whether it was received by the OIPC within the required time limits</li>
<li>Whether there is evidence that substantiates the request for review or complaint</li>
</ul>
<p>Any person who submits a form for making a review or complaint will be contacted at the intake stage to discuss their submission and obtain clarification. They must be available to participate in our process and respond to requests in a timely manner, usually by phone and/or email. Otherwise, a file may not be opened. Any person who cannot meet this requirement may name an agent to represent them.</p>
<p>The responding public body may also be contacted at this stage, as required.</p>
<p>Please note our refer-back process for privacy complaints and adequacy of search reviews.</p>
<p><strong>Refer-back for privacy complaints</strong></p>
<p>For complaints regarding the collection, use or disclosure of personal information under POPA about one’s own personal information, individuals must first make the complaint to the public body as required by POPA.</p>
<p><strong>Refer-back for adequacy of search reviews</strong></p>
<p>For reviews under ATIA where the only concern is that an applicant believes the public body holds more responsive records than what were processed in the request (an ‘adequate search concern’), the applicant must first submit the concern directly to the public body, along with supporting evidence as to why they believe additional records exist.</p>
<p>We require that the public body be given at least 30 business days to respond. After attempting to resolve the matter directly with the public body, if the applicant still has reason to believe the response does not comply with the relevant law, they can bring the concern back to our office. At that point, our office will consider whether further investigation by the OIPC is warranted.</p>
<p><strong>Issue identification</strong></p>
<p>At the intake phase, the Intake Team will work with the person who submitted a form for making a request for review or privacy complaint to identify the issues for review or investigation. Only those issues that (a) have enough evidence and (b) are within our jurisdiction will move forward. The identified issues will be communicated to the person to confirm their understanding and, if applicable, to advise on the limits of our jurisdiction.</p>
<p>If the OIPC proceeds with a review or investigation, a file is opened, and an acknowledgment letter (containing the confirmed issues) is sent to the person and the public body. A copy of any request for review form submitted is included with the letter. Forms submitted containing general privacy complaints made under POPA are not provided to the public body.</p>
<p>In the letter to the public body, it will be asked to provide a contact person who will be responsible for working with the assigned investigator to settle the matter. The contact person must have the ability to settle the issues. This means that they must have timely access to the decision-maker or directly involve the decision-maker in the conversations.</p>
<p><strong>New records requirements and timelines</strong></p>
<p>For access request reviews, the public body will also be asked to provide a copy of the records to the OIPC with the inclusion of a records index within 7 business days of a notification letter, in accordance with the <a href="/resource/practice-note-preparing-records-at-issue-and-index-of-records/" target="_blank" rel="noopener">Practice Note &#8211; Preparing Records at Issue and Index of Records</a>.  It may also be asked to provide the OIPC with a copy of the access request and any correspondence concerning the request with the applicant.  The OIPC will provide a link to securely send records and any other sensitive documentation to the OIPC.</p>
<p>The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed, or information withheld under sections 4(1)(a), (s), (t), (w), 27, 32(1)(a) or 32(2) of the ATIA. Public bodies (Respondents) will be required to provide a submission that contains the page numbers and an explanation that supports the application of the sections to the records.  The <a href="/resource/practice-note-providing-affidavits-and-other-evidence/" target="_blank" rel="noopener">Practice Note &#8211; Providing Affidavits and other Evidence</a> provides an explanation as to the expected content of the submission, even though it is not usually in affidavit form at the settlement stage.</p>
<p><strong>Request for Review Forms and Attachments Are Disclosed</strong></p>
<p>A copy of any request for review form and any attachments submitted along with the form must be disclosed to the public body under section 60(1)(a) of ATIA and section 39(1)(a) of POPA. As a result, any person submitting one of these forms should specify to the OIPC if there is information in the form or accompanying attachments that they want the Commissioner to consider removing before sharing with the public body.  In considering these requests, consideration will be given to whether the information should be disclosed for fairness purposes or if it is necessary to conduct the review.</p>
<p><strong>Address for Service</strong></p>
<p>Each party to a review or investigation must provide an address for service to which all official communications will be sent for the purposes of the review or investigation.</p>
<p>As noted above, we must have an effective and timely means of communication with the parties.  As such, each party is to provide us with an email address for this purpose.  We also require a mailing address which may be used to deliver certain correspondence related to the file.  We will use secure email or other forms of secure electronic transmission to send communications containing sensitive information.</p>
<p><strong>Person making the request for review or complaint</strong></p>
<p>The address for service is to be identified on the applicable form.</p>
<p><strong>Public Body</strong></p>
<p>The address for service of the public body will be identified in the acknowledgement letter that the OIPC sends to each party as part of the initial notification process.</p>
<p><strong>Changes or Updates</strong></p>
<p>A party must use the Change of Contact and/or Address for Service Form on the OIPC website to update contact information or the address for service at any time during the review/investigation.</p>
<p>The address for service of each party will be circulated to all other parties.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="review-investigation"></a></p>
<h2>Review and Investigation</h2>
<p>An OIPC investigator, known as a Senior Information and Privacy Manager (SIPM) will be assigned to try to settle your request for review or privacy complaint.</p>
<p>The office receives a high volume of requests for reviews and complaints. As such, your file may be inactive until the SIPM has the capacity to begin to work on it.  The parties will be notified when the SIPM starts actively working on the file.  While the parties wait to hear from the SIPM, we encourage the parties to try to resolve the matter directly with one another.</p>
<p>Our new case resolution process involves us trying to settle matters under review or investigation in as short a time as is possible.  That is why we try to settle matters verbally over the phone.  As such, once a file is activated, we must be able to reach the parties, usually by phone, in a timely manner in order to participate in our settlement process.  If we cannot reach the party who requested the review or made the complaint, we may discontinue the review or investigation.  If this occurs, the parties will be notified.</p>
<p>The OIPC has shorter timelines to complete reviews under ATIA and POPA.  Therefore, it is imperative that all parties to a review provide requested information and be available for discussions about the matter in a timely fashion.  Requests to extend deadlines for providing information or discussing settlement must be reasonable with consideration for the shortened timelines.</p>
<p>The SIPM begins the review or investigation by examining the confirmed issues, the submissions received, and in the case of a review of an access request the records provided by the public body.  The SIPM also reviews the relevant law and any past cases that have interpreted the law against the issues to be determined.</p>
<p>The SIPM will contact the Respondent to gather any relevant evidence necessary to form an opinion about whether the law was complied with by the Respondent.</p>
<p>The SIPM may also need to contact the person who made the request or complaint for additional information.  Please note that we will not accept documented evidence from any party unless it is requested by the SIPM.  Any unsolicited evidence will be returned or deleted.</p>
<p>The SIPM will form an opinion about whether the Respondent has complied with the law as it relates to the issues under review or investigation.  The SIPM will discuss the opinion with the parties in an effort to settle the issues.  The Respondent may agree to take certain actions in order to remedy any non-compliance.</p>
<p>Any resolution reached will be documented in writing and sent to the parties.  As applicable, the SIPM will ensure that any agreed-upon terms are followed by the Respondent.</p>
<p><strong>New rules respecting late raising of discretionary exceptions to access reviews</strong></p>
<p>The OIPC will not consider any late raising of discretionary exceptions under ATIA at the settlement phase after the acknowledgement letter is issued.  This is because, at that time, we have confirmed the issues with the applicant.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="inquiries"></a></p>
<h2>Inquiries</h2>
<p>If any or all of the issues are not settled during the settlement phase of a review, and the person who made the request for review wants to proceed further in the review process to inquiry, the SIPM will work with the parties to determine any agreed-upon facts.  The file will then be brought to the Commissioner to determine whether an inquiry will proceed, <em>only </em>on those unsettled issues.</p>
<p>Once the file is transferred to the Commissioner, the SIPM will close the file at the settlement stage.</p>
<p>Inquiries are formal adjudicative proceedings.  The inquiry process is not an examination of the process or an evaluation of the findings and recommendations made during the settlement phase. The inquiry gives the parties an opportunity to present their evidence “de novo” (from the beginning) and to rebut or support evidence presented by the other party.</p>
<p>The Commissioner may refuse to conduct an inquiry in certain circumstances:</p>
<ul>
<li>The subject matter has been dealt with in an order or investigation report of the Commissioner</li>
<li>The circumstances warrant refusing to conduct an inquiry (for instance, if there is no meaningful remedy)</li>
<li>Under ATIA, the applicant has not attempted to resolve the matter directly with the public body concerned.  The Commissioner currently considers this factor in relation to single-issue adequacy of search concerns.</li>
<li>Under POPA, a person who believes that their own personal information has been collected, used or disclosed in contravention of the Act did not make a complaint to the public body concerned before delivering a request for review to the Commissioner</li>
</ul>
<p>A decision by the Commissioner to refuse to conduct an inquiry will be issued to the parties in writing.</p>
<p>If any unsettled issues proceed to inquiry, a Confirmation of Inquiry letter will be issued to the parties, which will confirm the issues for the inquiry.  A Notice of Inquiry will be issued at a later date which includes a copy of the applicable request for review form and attachments and sets out a schedule of dates for the written submissions of the parties.</p>
<p><strong>Note: Under POPA, only reviews of an allegation of collecting, using or disclosing one’s own personal information and related to correction requests may proceed to inquiry; general privacy complaints cannot.</strong></p>
<p><strong>Affected Parties and Intervenors</strong></p>
<p>Some inquiries may include “affected parties”.  An affected party is any other party who, in the opinion of the Commissioner, is affected by the request for review.  A copy of the request for review form and attachments may be provided to the affected party.</p>
<p>An affected party may make representations to the Commissioner at inquiry, but is not required to participate.</p>
<p>In certain cases, the Commissioner may give intervenor status to parties, if the Commissioner determines it is appropriate.  An intervenor can be useful in bringing a broader perspective to issues than the parties involved.</p>
<h3>Order</h3>
<p>On completing an inquiry, the Commissioner or delegated adjudicator must issue an Order disposing of the matter.</p>
<p>An Order made by the Commissioner or delegated adjudicator is final.  However, a party may apply to the Court of King’s Bench of Alberta for judicial review of an Order.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="timelines-completion"></a></p>
<h2>Timelines to complete a review</h2>
<p>ATIA and POPA set out 180 business days to complete a review, which may be extended by up to another 180 business days if needed to complete an inquiry.  These timelines apply to the time taken when the Commissioner authorizes a staff member to try and settle the matter under review.  A maximum of 180 business days will be allotted to the settlement phase prior to inquiry.</p>
<p>How will the OIPC count the 180 business days timeline for completion under ATIA/POPA?</p>
<p>The OIPC considers a review to be “received” under section 60(1) of ATIA and section 39(1) of POPA and the 180 business days timeline starts once we have determined that:</p>
<ul>
<li>we have jurisdiction to conduct the review, and</li>
<li>the OIPC has confirmed the issues for review in writing with the person who asked for the review.</li>
</ul>
<p>Parties will be notified as to the anticipated date for completion and any extensions to the anticipated date for completion.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>

<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="definitions"></a></p>
<h2>Definitions</h2>
<ul>
<li>Applicant &#8211; a person who makes an access to information request under ATIA or a request for correction under POPA concerning their own personal information</li>
<li>Complainant &#8211; a person who makes a general complaint about the privacy practices of a public body under POPA</li>
<li>Public Bodies &#8211; public sector entities subject to ATIA and POPA</li>
<li>Senior Information and Privacy Manager (SIPM) &#8211; the person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the settlement phase.  May also be referred to as an investigator</li>
<li>Settlement &#8211; a process authorized by the Commissioner to explore opportunities to settle issues with the parties.  May also be referred to as a mediation or investigation</li>
<li>Third Party &#8211; a person, a group of persons, or an organization other than an applicant or other person who requests a review under POPA and the public body that is involved in the review</li>
</ul>
<p>If you have any questions with respect to the OIPC review or investigation process, please <a href="/about-us/contact-us/" target="_blank" rel="noopener">contact the OIPC</a>.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
June 2025</p>

		</div>
	</div>
<br />

<table id="tablepress-2-no-6" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Inquiry Procedures</title>
		<link>https://oipc.ab.ca/resource/practice-note-inquiry-procedures/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:24 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16790</guid>

					<description><![CDATA[June 4, 2025]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a><br />
This Practice Note relates to inquiries under the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act), <em>Access to Information Act</em> (ATIA), and <em>Protection of Privacy Act</em> (POPA), which apply to public bodies. It also relates to inquiries under the <em>Health Information Act</em> (HIA), which applies to custodians, and the <em>Personal Information Protection Act</em> (PIPA), which applies to organizations.</p>
<p>In this document, “Commissioner” means the Commissioner or the Commissioner’s delegated Adjudicator. Public bodies, custodians and organizations are referred to as &#8220;respondents&#8221; for the remainder of this publication.</p>
<p>The inquiry process is a formal process that ends with a final written decision. Most inquiries are conducted in writing. The applicant or complainant who requested the review, and the respondent will be given an opportunity to provide a submission.</p>
<p>The Commissioner may identify and invite other individuals or organizations to participate in the inquiry if the Commissioner determines that they are affected by the inquiry.</p>
<p>The inquiry process begins with a Notice of Inquiry sent to the parties. This Notice sets out the issues for the inquiry and deadlines for parties to make submissions.</p>
<p>This Practice Note sets out the requirements for providing submissions, including timelines and page limits. Submissions not adhering to the requirements set out in this Practice Note may not be accepted.</p>
<p><!-- Table of Contents --></p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px; margin-top: 20px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#preparing-submissions">Preparing submissions</a></li>
<li><a href="#page-limits-for-submissions">Page limits for submissions</a></li>
<li><a href="#submissions-are-exchanged">Submissions are exchanged</a></li>
<li><a href="#timelines-for-submissions">Timelines for submissions</a></li>
<li><a href="#decision-following-completion-of-inquiry">Decision following completion of inquiry</a></li>
<li><a href="#address-for-servicecontact-information">Address for Service/Contact information</a></li>
<li><a href="#correspondence-with-the-oipc">Correspondence with the OIPC</a></li>
<li><a href="#expedited-inquiries">Expedited Inquiries</a></li>
<li><a href="#glossary-of-terms">Glossary of Terms</a></li>
</ul>
</div>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="preparing-submissions"></a></p>
<h2>Preparing submissions</h2>
<p>For inquiries relating to access requests under the FOIP Act, ATIA, PIPA and HIA, the respondent usually has the burden of proof, to show that the claimed exception applies. Where an applicant is requesting personal information about <em>other</em> individuals (third parties) under the FOIP Act or ATIA, the applicant has the burden of proof to show that the information ought to be provided to the applicant. Where third party organizations are objecting to the disclosure of their confidential business information under the FOIP Act or ATIA, the organization has the burden of proof. For additional guidance on preparing submissions for an inquiry into the application of exceptions to access, see <a href="https://oipc.ab.ca/resource/practice-note-directions-respondent-submissions-inquiry/" target="_blank" rel="noopener">Practice Note &#8211; Directions to Respondents When Making Submissions</a>.</p>
<p>For inquiries relating to <span class="shortcode-tooltip">privacy complaints<span class="tooltip-c"><em>privacy complaints</em> includes complaints about the accuracy of an individual’s personal information and requests for reviews of decisions regarding a request to correct personal information</span></span> under the FOIP Act, HIA, PIPA and POPA, the complainant has to provide some reason for the Commissioner to find that the event complained about occurred as alleged. The respondent must then show that it had authority to take the action it did.</p>
<p>The purpose of a submission is for the party to make their case as it relates to the issues in the inquiry. For example, in an inquiry relating to an access request, an applicant might explain why they believe an exception applied to information in a record does not apply. The Respondent must explain why the exception does apply. In an inquiry relating to a complaint about the collection, use, or disclosure of personal information, the complainant should show what collection, use, or disclosure of their personal information occurred, and explain why they believe the collection, use, or disclosure was not permitted. The Respondent explains how the collection, use or disclosure was authorized.</p>
<p>Unless otherwise specified in the Notice of Inquiry, where an applicant or complainant does not bear the burden of proof, the applicant or complainant can rely on their request for review and any attachments instead of providing a submission to the inquiry. The applicant or complainant must inform the Commissioner in writing that they are relying on these documents, following the instructions set out in the Notice of Inquiry.</p>
<p>Parties should ensure they address each issue set out in the Notice of Inquiry. Parties are also encouraged to review relevant Orders, case law, and OIPC Practice Notes. Orders and other OIPC decisions are available <a href="https://oipc.ab.ca/decisions/" target="_blank" rel="noopener">here</a> and on <a href="https://www.canlii.org/" target="_blank" rel="noopener">CanLII.org</a>. The parties may also review other Practice Notes that address specific issues, available on the OIPC website.</p>
<p>Information that may be useful for parties to provide to the Commissioner for an inquiry includes:</p>
<ul>
<li>Excerpts from relevant legislation or regulations that apply to the operations of the public body, custodian or organization, and that relate to the issues in the inquiry;</li>
<li>Excerpts from policy manuals that set out relevant practices or policies of the public body, custodian or organization;</li>
<li>Excerpts and pinpoint citations of relevant orders and relevant court decisions; and</li>
<li>Excerpts and pinpoint citations of decisions made by Information and Privacy Commissioners in other jurisdictions that may be of assistance to the Commissioner when considering the issues.</li>
</ul>
<p>It is important to identify how the above information relates to the issues set out for the inquiry.</p>
<p>Do not provide entire copies of statutes, regulations, court decisions or Orders.</p>
<p>Upon receipt of the parties’ submissions, the Commissioner may request additional information or arguments from one or more parties. Deadlines for responses will be provided.</p>
<p>Parties should be aware that submissions previously provided for the settlement phase are generally not carried forward to the inquiry. All materials provided to the Commissioner for the inquiry will be attached to the Notice of Inquiry; parties are responsible for ensuring that any additional information they want the Commissioner to consider in the inquiry is included in their inquiry submission.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="page-limits-for-submissions"></a></p>
<h2>Page limits for submissions</h2>
<p>The maximum length for a submission is 20 pages. The Commissioner may decline to consider lengthy submissions. This limit does not include supporting evidence such as affidavits or excerpts of authorities.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="submissions-are-exchanged"></a></p>
<h2>Submissions are exchanged</h2>
<p>Parties must provide a copy of their submissions and related documents to each of the other parties listed in the Notice of Inquiry. Submissions and other documents that are not exchanged with the other parties will not be provided to the adjudicator for the inquiry.</p>
<p>The exception is where a party has sought and received permission to provide a portion of their submission or other document <em>in camera</em>. Parties wanting to request that part of their submission be accepted <em>in camera</em> must make the request in accordance with the process set out in the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form-Inquiry_In_Camera-2025.docx" target="_blank" rel="noopener">Request to Provide an <em>In Camera</em> Submission form</a>. Generally, the party must provide a proposed redacted version of the submission and provide detailed reasons for not exchanging the identified portions. Submissions will be accepted <em>in camera</em> only in the specific circumstances set out in the form.</p>
<p>Requests to provide part of a submission <em>in camera</em> may be rejected if they do not follow the process set out in the form.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="timelines-for-submissions"></a></p>
<h2>Timelines for submissions</h2>
<p>Each Act sets out specific time limits for completing inquiries under those Acts. While the OIPC considers these time limits to be directory &#8211; see <em>Peters v East 3rd Street North Vancouver Limited Partnership</em>, <a href="https://canlii.ca/t/jxbrl" target="_blank" rel="noopener">2023 BCSC 879 (CanLII)</a>, at paragraph 27, or <em>Rahman v. Alberta College and Association of Respiratory Therapy</em>, <a href="https://canlii.ca/t/5mbt" target="_blank" rel="noopener">2001 ABQB 222 (CanLII)</a> &#8211; the inquiry process has been designed to meet those timelines in all possible cases.</p>
<p>Parties will be expected to provide their submissions and other requested information by the deadline provided in the Notice of Inquiry or correspondence from the adjudicator. A party may request a short time extension to provide a submission or response where necessary. Such requests must</p>
<ul>
<li>be made <em>before</em> the party’s deadline;</li>
<li>be made in writing;</li>
<li>include the additional time requested;</li>
<li>include reasons for the request;</li>
<li>be provided to the other parties listed in the Notice of Inquiry.</li>
</ul>
<p>Decisions to grant extensions are at the discretion of the Commissioner and may be constrained by the time limits for completing the inquiry.</p>
<p>Parties are encouraged to submit their extension requests using the <a href="https://oipc.ab.ca/wp-content/uploads/2025/06/Form-Submission_Deadline_Extension_Request-2025.docx" target="_blank" rel="noopener">Request to Extend the Submission Deadline form</a>, available on the OIPC website.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="decision-following-completion-of-inquiry"></a></p>
<h2>Decision following completion of inquiry</h2>
<p>Once the above inquiry process is complete, the Commissioner will review the submissions and other materials provided for the inquiry, and make a determination on the issues. The Commissioner’s decision will be provided to the parties in writing.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="address-for-servicecontact-information"></a></p>
<h2>Address for Service/Contact information</h2>
<p>Written inquiries are conducted by email or other electronic means as determined by the Commissioner. Parties are required to provide an email address for service to be used for the exchange of written inquiry submissions and other correspondence.</p>
<p>Parties unable to participate electronically may request permission to participate by mail. A formal request must be made to the adjudication team to participate by mail.</p>
<p>All parties must also provide written notice, as outlined above, of any changes to their address for service. The form for change of contact or address for service is available on <a href="https://oipc.ab.ca/forms/" target="_blank" rel="noopener">this page</a>.</p>
<p>If the applicant or complainant who asked for the inquiry fails to provide a current address for service or fails to give notice of changes to the address for service, the Commissioner may discontinue the inquiry.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="correspondence-with-the-oipc"></a></p>
<h2>Correspondence with the OIPC</h2>
<p>All inquiry materials must be provided in writing. During an inquiry, parties are asked to send all correspondence to the Adjudication Case Manager or Registrar of Expedited Inquiries, as directed. Do not contact or send correspondence directly to the Commissioner or adjudicator.</p>
<p>Parties with questions about the inquiry process can call or email the Adjudication Case Manager or Registrar of Expedited Inquiries; contact information will be provided in the correspondence sent to parties.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="expedited-inquiries"></a></p>
<h2>Expedited Inquiries</h2>
<p>In some circumstances, a request for a review may be streamlined to an expedited inquiry process. In general, the following requests for review may proceed to an expedited inquiry:</p>
<ul>
<li>a public body’s failure to respond to an access request under the ATIA;</li>
<li>a public body’s decision to extend its time to respond;</li>
<li>a public body’s decision to disregard a request; or</li>
<li>a public body’s decision that a request was abandoned.</li>
</ul>
<p>An organization’s or custodian’s failure to respond to an access request under PIPA or the HIA may be streamlined directly to an expedited inquiry process.</p>
<p>The expedited inquiry process generally involves condensing the usual inquiry process, including shortening submission schedules, and a strict adherence to timelines. Where available, respondents are encouraged to provide their submission using the relevant form, available on the OIPC website at <a href="https://oipc.ab.ca/forms/" target="_blank" rel="noopener">https://oipc.ab.ca/forms/</a>.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><a id="glossary-of-terms"></a></p>
<h2>Glossary of Terms</h2>

<table id="tablepress-10" class="tablepress tablepress-id-10">
<thead>
<tr class="row-1">
	<th class="column-1">Term</th><th class="column-2">Definition</th>
</tr>
</thead>
<tbody class="row-striping row-hover">
<tr class="row-2">
	<td class="column-1">Adjudication</td><td class="column-2">The team that manages the inquiry phase.</td>
</tr>
<tr class="row-3">
	<td class="column-1">Adjudicator</td><td class="column-2">The person that the Commissioner has delegated to be the decision-maker in the inquiry.</td>
</tr>
<tr class="row-4">
	<td class="column-1">Affected parties</td><td class="column-2">Individuals or other organizations that could be affected by the decision made in the inquiry. May also be referred to as third parties.</td>
</tr>
<tr class="row-5">
	<td class="column-1">Applicant</td><td class="column-2">The individual who formally requested access to information or requested correction of their personal or health information under the ATIA, FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-6">
	<td class="column-1">Arguments</td><td class="column-2">The reasons why a party believes the evidence shows certain facts to be true, and why the Commissioner should interpret the law a certain way.</td>
</tr>
<tr class="row-7">
	<td class="column-1">Case Resolution</td><td class="column-2">The team that conducts the settlement phase of a review.</td>
</tr>
<tr class="row-8">
	<td class="column-1">Complainant</td><td class="column-2">The individual who made a formal complaint that personal information was collected, used or disclosed in contravention of the FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-9">
	<td class="column-1">Custodian</td><td class="column-2">The health service provider, whether an individual or an organization, from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-10">
	<td class="column-1">Evidence</td><td class="column-2">Information/material that establishes the facts on which a party is relying.</td>
</tr>
<tr class="row-11">
	<td class="column-1">In camera</td><td class="column-2">A portion of a submission provided only to the Commissioner in an inquiry.</td>
</tr>
<tr class="row-12">
	<td class="column-1">Inquiry</td><td class="column-2">A formal adjudicative process, usually conducted in writing.</td>
</tr>
<tr class="row-13">
	<td class="column-1">Interveners</td><td class="column-2">Individuals or organizations whose opinions or specialized knowledge can provide a broader understanding of the issues at inquiry.</td>
</tr>
<tr class="row-14">
	<td class="column-1">Mediation/investigation</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as the settlement phase.</td>
</tr>
<tr class="row-15">
	<td class="column-1">Notice of Inquiry</td><td class="column-2">Identifies the parties involved in the inquiry and their contact information, the issues that will be addressed, and a schedule for submissions.</td>
</tr>
<tr class="row-16">
	<td class="column-1">Organization</td><td class="column-2">The business, corporation, union or partnership from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-17">
	<td class="column-1">Parties</td><td class="column-2">The respondent (public body, custodian or organization), applicant/complainant, or other affected parties who are part of the inquiry.</td>
</tr>
<tr class="row-18">
	<td class="column-1">Public body</td><td class="column-2">The government department or other public entity from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-19">
	<td class="column-1">Respondent</td><td class="column-2">The public body, custodian or organization that has duties under the legislation.</td>
</tr>
<tr class="row-20">
	<td class="column-1">Senior Information and Privacy Manager</td><td class="column-2">The person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the Case Resolution phase. May also be referred to as an investigator.</td>
</tr>
<tr class="row-21">
	<td class="column-1">Settlement</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation.</td>
</tr>
<tr class="row-22">
	<td class="column-1">Submissions</td><td class="column-2">Informs the Commissioner and the other parties about what a party thinks are the central issues in a case, and provides evidence and makes arguments about how those issues should be decided.</td>
</tr>
<tr class="row-23">
	<td class="column-1">Third Parties</td><td class="column-2">Parties, other than the respondent or applicant/complainant, who are part of the inquiry. For example, organizations and individuals whose information is the subject of an applicant’s access request. May also be referred to as affected parties.</td>
</tr>
</tbody>
</table>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>

<p>June 4, 2025</p>

<table id="tablepress-2-no-7" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>

]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Providing Affidavits and Other Evidence</title>
		<link>https://oipc.ab.ca/resource/practice-note-providing-affidavits-and-other-evidence/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:09 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16789</guid>

					<description><![CDATA[June 4, 2025]]></description>
										<content:encoded><![CDATA[<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a><br />
In a review or inquiry under the <em>Freedom of Information and Protection of Privacy Act</em> (FOIP Act), <em>Access to Information Act</em> (ATIA), <em>Protection of Privacy Act</em> (POPA), <em>Personal Information Protection Act</em> (PIPA) or <em>Health Information Act</em> (HIA), evidence is often required to support factual and legal claims. In some cases, evidence must be provided in the form of a sworn affidavit. Affidavits should also be provided to support the application of exceptions or exclusions under the Acts where the public body/organization/custodian (respondent) is not required to provide the records for the Commissioner’s review.</p>
<p>Respondents are also encouraged to provide affidavit evidence in support of their efforts to search for records responsive to an access request. Parties may also consider providing affidavit evidence in situations where factual issues may be contentious.</p>
<p>This Practice Note sets out guidelines for providing affidavits and other evidence for an inquiry, including specific considerations when providing affidavits and other evidence in support of</p>
<ul>
<li>A respondent’s search for records in response to an access request</li>
<li>A public body’s application of sections 4(1)(a), (s), (t) or (w) of the ATIA</li>
<li>A public body’s application of section 27 of the ATIA (cabinet confidences)</li>
<li>A public body’s/organization’s claim of solicitor-client privilege, litigation privilege, or informer privilege under the FOIP Act or PIPA, or legal privilege under the ATIA.</li>
</ul>
<p>These guidelines also apply to affidavits provided as evidence in situations other than those listed above.</p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#general-guidelines-when-providing-affidavits">General Guidelines when providing affidavits</a></li>
<li><a href="#affidavits-search">Affidavits in support of a Respondent’s search for records</a></li>
<li><a href="#affidavits-atia-sections">Affidavits in support of an application of sections 4(1)(a), (s), (t), or (w) of the ATIA</a></li>
<li><a href="#affidavits-cabinet">Affidavits and other evidence in support of a claim of cabinet confidences under section 27 of the ATIA</a></li>
<li><a href="#affidavits-privilege">Affidavits in support of a claim of legal privilege</a></li>
<li><a href="#sample-affidavit">Sample Affidavit</a></li>
</ul>
</div>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="general-guidelines-when-providing-affidavits"></a></p>
<h2>General Guidelines when providing affidavits</h2>
<p>In an inquiry, affidavits are to be <strong>exchanged</strong> with the other parties to the inquiry.</p>
<p>An affidavit must contain information about the person swearing the affidavit, including the individual’s name and an explanation of how they have knowledge of the evidence being presented in the affidavit.</p>
<p>An affidavit should, wherever possible, be sworn by a person having <strong>personal knowledge</strong> of the facts being sworn to.</p>
<p>Affidavit evidence should be <strong>sufficiently detailed</strong> to allow the Commissioner and parties to an inquiry to fully understand its contents, and should, wherever possible, <strong>be confined to facts</strong> within the personal knowledge of the person swearing the affidavit.</p>
<p>Parties shall ensure that all affidavits provided to the Commissioner are truthful, complete, and accurate.</p>
<p>It is an offence under the Acts for anyone to willfully make a false statement to, mislead, or attempt to mislead the Commissioner in the performance of their functions.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-search"></a></p>
<h2>Affidavits in support of a Respondent’s search for records</h2>
<p>The duty to assist under section 10 of the FOIP Act, section 12 of the ATIA, section 27 of PIPA and section 10 of the HIA includes a duty to conduct an adequate search for records. The respondent has the burden of proving that it conducted an adequate search for records responsive to an access request.</p>
<p>In an inquiry addressing a respondent’s search for records, it is helpful for the respondent to provide the Commissioner with an affidavit regarding the search conducted for records responsive to the applicant’s access request. <strong>In addition to the elements set out in the general guidelines above</strong>, the respondent may wish to consider addressing the following:</p>
<ul>
<li>The specific steps taken by the respondent to identify and locate records responsive to the applicant’s access request.</li>
<li>The scope of the search conducted, such as physical sites, program areas, specific databases, off-site storage areas, etc.</li>
<li>The steps taken to identify and locate all possible repositories where there may be records relevant to the access request: keyword searches, records retention and disposition schedules, etc.</li>
<li>Who did the search? (Note: the person or persons who conducted the search are best placed to provide direct evidence.)</li>
<li>Why the respondent believes no more responsive records exist other than what has been found or produced.</li>
<li>Any other relevant information.</li>
</ul>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-atia-sections"></a></p>
<h2>Affidavits in support of an application of sections 4(1)(a), (s), (t), or (w) of the ATIA</h2>
<p>Where a public body has refused access to records or information for the reason that the records or information are excluded from the scope of the ATIA under sections 4(1)(a), (s), (t), or (w) of that Act, the public body has the burden of proving that there is no right of access (section 63(1)).</p>
<p>In an inquiry addressing a public body’s claim that section 4(1)(a), (s), (t), or (w) of the ATIA applies, it is helpful for the respondent to provide the Commissioner with an affidavit setting out the relevant facts. <strong>In addition to the elements set out in the general guidelines above</strong>, the affidavit should include a schedule in which the public body lists the records to which it has applied sections 4(1)(a), (s), (t), or (w) of the ATIA, along with the description for each record. The description for each record should include sufficient detail to satisfy the public body’s burden of proof. Certain subsections may require specific information, for example:</p>
<ul>
<li>whether the public body has custody or control of the record and, if not, why not (sections 4(1)(a), (s));</li>
<li>who created the record (sections 4(1)(t), (w));</li>
<li>the position titles of the individuals involved in the communications (section 4(1)(w));</li>
<li>any other information relevant to the particular exclusion being claimed.</li>
</ul>
<p>If the public body wishes to provide additional information regarding its application of these provisions <em>in camera</em>, it may request permission to do so following the process set out in the Request to Provide an <em>In Camera</em> Submission form.</p>
<p>A public body is not precluded from providing the relevant records to the Commissioner as evidence.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-cabinet"></a></p>
<h2>Affidavits and other evidence in support of a claim of cabinet confidences under section 27 of the ATIA</h2>
<p>Where a public body withholds information under section 27 of the ATIA in response to an access request, the public body has the burden of proving that there is no right of access (section 63(1)).</p>
<p>If a public body does not provide records or information to the Commissioner on the basis that section 27 applies to that record or information, the Commissioner may require the public body to attest that this provision applies to the information or record over which it is claimed (section 50(7)). Section 11 of the ATIA Regulation states that a public body may provide this attestation by way of a letter:</p>
<ul>
<li>signed or approved by the head of the public body; and</li>
<li>containing a description of the record or information explaining how section 27 applies to the record or information.</li>
</ul>
<p>A description must be provided for each record containing information to which section 27 is applied. Therefore, an attestation should include a schedule in which the public body lists the records to which it has applied sections 27(1) or (2) of the ATIA, along with the description for each record. The description for each record should include sufficient detail to satisfy the public body’s burden of proof. The public body should address the particular elements set out in the subsection being claimed.</p>
<p>As the public body bears the burden of proof, a public body may also consider providing an affidavit in support of its claim.</p>
<p>If the public body wishes to provide additional information regarding its application of section 27 <em>in camera</em>, it may request permission to do so following the process set out in the Request to Provide an <em>In Camera</em> Submission form.</p>
<p>A public body is not precluded from providing the relevant records to the Commissioner as evidence.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="affidavits-privilege"></a></p>
<h2>Affidavits in support of a claim of legal privilege</h2>
<p>A respondent is not required to provide the Commissioner with records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed under the FOIP Act or PIPA, or to which section 32(1)(a) or (2) of the ATIA has been applied<a href="#_ftn1" name="_ftnref1">[1]</a>. This part of the Practice Note applies to legal privilege under the ATIA, and solicitor-client, litigation and informer privilege under the FOIP Act and PIPA.</p>
<p>Where a respondent withholds information in response to an access request claiming a relevant privilege, the respondent has the burden of proving that there is no right of access<a href="#_ftn2" name="_ftnref2">[2]</a>. The respondent is not precluded from providing the relevant records to the Commissioner as evidence.</p>
<p>As stated in <em>Edmonton (City) Police Service v Alberta (Information and Privacy Commissioner)</em>, 2020 ABQB 10 (<em>EPS</em>), when a respondent does not provide records that it asserts are subject to privilege for review, it is required to establish its claim by meeting the civil litigation standard for refusing to produce such records, set out in <em>Canadian Natural Resources Ltd v ShawCor Ltd</em>, 2014 ABCA 289 (CanLII), 580 A.R. 265 (<em>ShawCor</em>).</p>
<p>Following <em>Alberta (Information and Privacy Commissioner) v. University of Calgary</em>, 2016 SCC 53 (CanLII) and <em>ShawCor</em>, affidavits of records provided in support of claims of legal privilege must comply with Rules 5.7 and 5.8 of the Alberta Rules of Court (producible records, and records for which there is an objection to produce). In <em>ShawCor</em>, the Alberta Court of Appeal discussed the application of those Rules and stated (at paras. 42-43):</p>
<blockquote><p>
… Therefore, in explaining the grounds for claiming privilege over a specific record, a party will necessarily need to provide sufficient information about that record that, short of disclosing privileged information, shows why the claimed privilege is applicable to it. Depending on the circumstances, this may require more or less than the “brief description” contemplated under Rule 5.7(1)(b) although we expect that oftentimes the brief description will suffice.</p>
<p>Accordingly, under either interpretation of the relevant Rules, a party must provide a sufficient description of a record claimed to be privileged to assist other parties in assessing the validity of that claim. From this, it follows that all relevant and material records must be numbered and, at a minimum, briefly described, including those records for which privilege is claimed. As noted, though, this is subject to the proviso that the description need not reveal any information that is privileged.
</p></blockquote>
<p><strong>In addition to the elements set out in the general guidelines above</strong>, the affidavit should include a schedule in which the respondent lists the records (or bundle of records) for which privilege is claimed, along with the description for each record or bundle. A group of records may be numbered and treated as a single record if the records are all of the same nature, and the bundle is described in sufficient detail to enable the Commissioner to understand what it contains. The description for each record (or each bundle) must be sufficient to meet that test, without revealing the privileged information.</p>
<p>For claims of solicitor-client privilege, the Respondent should provide:</p>
<ul>
<li>Information about the relationship between the Respondent and the lawyer <em>in the context of the relevant communication</em></li>
<li>Information about the circumstances to establish that the record was created in the course of requesting or providing legal advice or is a record revealing such a request or advice</li>
<li>Information about the confidentiality of the communication</li>
</ul>
<p>For claims of litigation privilege, the Respondent should provide:</p>
<ul>
<li>Information establishing that the record was created for the dominant purpose of litigation</li>
<li>Information establishing that the litigation has not ended</li>
</ul>
<p>In <em>Pritchard v. Ontario (Human Rights Commission)</em>, [2004] 1 SCR 809, the SCC determined that more evidence to support the application of solicitor-client privilege is required when advice sought from or given by an in-house or government lawyer is at issue. This is because such lawyers may be called upon to give policy advice, which is not legal advice. The Court said:</p>
<blockquote><p>Owing to the nature of the work of in-house counsel, often having both legal and non-legal responsibilities, each situation must be assessed on a case-by-case basis to determine if the circumstances were such that the privilege arose. Whether or not the privilege will attach depends on the nature of the relationship, the subject matter of the advice, and the circumstances in which it is sought and rendered.</p></blockquote>
<p>Therefore, a respondent that is claiming solicitor-client privilege over the advice of an in-house or government lawyer must provide sufficient information about the relationship between the lawyer and the respondent and about the circumstances in which the advice is being requested and provided, to establish that the subject-matter is legal advice rather than policy or other advice.</p>
<p>If the respondent wishes to provide additional information regarding its claim of privilege <em>in camera</em>, it may request permission to do so following the process set out in the Request to Provide an <em>In Camera</em> Submission form.</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>

		</div>
	</div>
<br />

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="sample-affidavit"></a></p>
<h2>Sample Affidavit</h2>
<p>&nbsp;</p>
<p>OIPC File Number  _____________________</p>
<p>Applicant  __________________________________________</p>
<p>Respondent Public Body/Organization/Custodian __________________________________________</p>
<p>Affidavit of (name and status) Sworn (or Affirmed) by _____________________ on _______________, 20__</p>
<p>&nbsp;</p>
<p>I, ______________________ of (municipality, province), have personal knowledge of the following (or, where applicable, I am informed and do believe that):</p>
<p>I am an authorized representative of (name of Respondent).</p>
<p>I have reviewed the records.</p>
<p>The records listed in Schedule 1 are in the custody or under the control of (name of Respondent).</p>
<p>(Name of Respondent) objects to produce the records listed in Schedule 1 on the grounds of privilege identified in that Schedule.</p>
<p>&nbsp;</p>
<p>SWORN (OR AFFIRMED) BEFORE ME</p>
<p>at ___________________________, Alberta, this _____ day of _______________, 20___.</p>
<p>Commissioner for Oaths in and for the Province of Alberta</p>
<p>____________________________________</p>
<p>(Signature of Representative)</p>
<p>_____________________________________</p>
<p>&nbsp;</p>
<p><strong>Schedule 1</strong></p>
<p>Records in the custody or under the control of (name of Respondent) for which there is an objection to produce on the ground of [cite relevant exception or legal privilege]:</p>
<table>
<tbody>
<tr>
<td width="59"></td>
<td width="264"><strong>Exception or Privilege Claimed</strong></td>
<td width="319"><strong>Description</strong></td>
</tr>
<tr>
<td width="59">1.</td>
<td width="264"></td>
<td width="319"></td>
</tr>
<tr>
<td width="59">2.</td>
<td width="264"></td>
<td width="319"></td>
</tr>
<tr>
<td width="59">3.</td>
<td width="264"></td>
<td width="319"></td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p style="font-size: 0.9em; color: grey;"><a href="#top-of-page">Back to top of the page</a></p>
<p>&nbsp;</p>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Sections 27(1)(a) of the FOIP Act, 32(1)(a) and (2) of the ATIA, 24(2)(a) of PIPA</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> Section 63(1) of ATIA, section 71(1) of the FOIP Act, and section 51 of PIPA</p>

		</div>
	</div>
<p>June 4, 2025</p>


]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Practice Note &#8211; Preparing Records at Issue and Index of Records</title>
		<link>https://oipc.ab.ca/resource/practice-note-preparing-records-at-issue-and-index-of-records/</link>
		
		<dc:creator><![CDATA[Chris Stinner]]></dc:creator>
		<pubDate>Wed, 04 Jun 2025 23:25:01 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=16784</guid>

					<description><![CDATA[When a public body, custodian or organization (respondent) withholds entire pages of records or severs information from records in responding&#8230;]]></description>
										<content:encoded><![CDATA[
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
In this document, “Commissioner” means the Commissioner or the Commissioner’s delegated Adjudicator or authorized Senior Information and Privacy Manager.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="top-of-page"></a></p>
<div style="border: 1px solid #ccc; padding: 15px; border-radius: 5px;">
<p><strong>Table of Contents</strong></p>
<ul>
<li><a href="#records">Records at Issue</a></li>
<li><a href="#inquiry-records">Additional requirements for records provided for an inquiry</a></li>
<li><a href="#index">Index of Records</a></li>
<li><a href="#checklist">Preparing Records at Issue Checklist</a></li>
<li><a href="#glossary">Glossary of Terms</a></li>
</ul>
</div>

		</div>
	</div>

<p>When a public body, custodian or organization (respondent) withholds entire pages of records or severs information from records in responding to an applicant’s access request, the applicant can ask the Commissioner to review those decisions. The respondent must provide the records at issue, including the severed information, for the Commissioner to review. This Practice Note sets out instructions for providing records at issue for both the settlement and inquiry phases. As explained below, there may be different requirements for different phases of the review.</p>
<p>“Records at issue” are the entire records in response to an access request. “Information at issue” is the information severed from pages that were provided to the applicant. The “records at issue” are not exchanged with other parties.</p>
<p>The requirement to provide records or information at issue does not apply to records or information over which solicitor-client privilege, litigation privilege, or informer privilege is being claimed, or information withheld under sections 4(1)(a), (s), (t), (w), 27, 32(1)(a) or 32(2) of the ATIA. Respondents will be required to provide information supporting those claims, and affidavits may be requested in an inquiry (please see <a href="https://oipc.ab.ca/resource/practice-note-providing-affidavits-and-other-evidence/" target="_blank" rel="noopener">Practice Note: Providing Affidavits and Other Evidence</a>)</p>
<p>The respondent must also provide an index of records for the review. An “index of records” helps to organize the records at issue. The requirements of an index of records provided for the settlement phase of the review are different from the requirements of an index of records provided for the inquiry phase. The requirements for each are discussed below.</p>
<p>At the inquiry stage, the respondent will be asked to provide a new copy of the records at issue and a new index of records. The new copies will reflect any new decisions made by the public body to disclose additional information. Where no new decisions have been made, the new copy of the records will be identical to those previously provided.</p>
<p>Where the records at inquiry are different from those previously provided for the review, the Commissioner may also rely on both the new records and those previously provided to decide the issues in the inquiry.</p>

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>
<a id="records"></a></p>
<h2>Records at Issue</h2>
<p>When the Commissioner requests records at issue for a review, respondents must:</p>
<h5><strong>Document all redacting decisions made regarding the records.</strong></h5>
<p>If the respondent decides to release more information following the settlement phase, the records and information at issue will consist only of records and information still being withheld.</p>
<h5><strong>Provide a copy of the records in electronic format.</strong></h5>
<p>The Commissioner may specify the method and format respondents must use to provide the records.</p>
<h5><strong>Provide copies of the records at issue, not originals.</strong></h5>
<p>A respondent must keep its own set of records at issue so that it can make arguments or respond to questions.</p>
<h5><strong>Indicate the information that has been withheld or severed, and cite under what provision.</strong></h5>
<p>With respect to severed information, the preferred format is one copy of an unredacted version that identifies the severing decisions (e.g. by highlighting or outlining). Where this is not practicable, the Commissioner may accept both a severed and unredacted version of the records.</p>
<p>The section numbers of the applicable legislation (i.e. exceptions to disclosure) that are being relied on to withhold records or information are to be noted on the page adjacent to each redaction. Where multiple exceptions are applied to information in a page, it must be clear which exception applies to what information. For example, in some cases one exception is applied only to one sentence in a paragraph, and another exception is applied to the whole paragraph. The records must clearly show which exception was applied to only the sentence <u>and</u> which sentence it was applied to, as well as which exception was applied to the whole paragraph.</p>
<p>Blank pages of records withheld in their entirety need not be provided where there are large numbers of such pages, or where all the records are withheld, but the index of records must then state how many such pages there are, and which section of the applicable legislation is being applied to each page.</p>
<p>If a respondent is proposing to disclose information but a third party objects to its disclosure, then this information should be labeled in the records as “third party objection”.</p>
<h5><strong>Document only those redaction decisions that have been or are being communicated in a response to an applicant.</strong></h5>
<p>If a respondent has made a decision to apply a particular provision (i.e. exception to disclosure) and has communicated this decision to the applicant, then the notation in the records as to which exception was applied should refer to only that provision.</p>
<p>The records should not refer to, or indicate, any severing decisions that are not current or that have not been communicated to the applicant.</p>
<h5><strong>Number the records, with the numbering also on records provided to third parties and the applicant.</strong></h5>
<p>The page numbers of the records provided to the Commissioner must be consistent with the page numbers of the records provided to the applicant and third parties. If severed or blank pages provided to a third party or applicant have different numbers than those provided to the Commissioner, it becomes difficult, and in some cases impossible, to identify the records to which the parties are referring in their submission.</p>
<p>If there are multiple packages of records, the page numbering must be consecutive from the first package to the last, unless this is not practicable. For example, with two binders of different documents, each one may already have pages numbered in sequence. In that case, the binders may be described as “Record A” and “Record B” and the pages do not need to be renumbered; identification such as “Record A, page 2” is sufficient. A loose collection of diverse records, however, should always be numbered in sequence.</p>
<h5><strong>Be legible.</strong></h5>
<p>The records should be reviewed to make sure that the copies can be read, to the fullest extent possible.</p>
<p>The deadline for providing the records to the Commissioner for the settlement phase is set out in the acknowledgement letter issued when a review is opened.</p>

		</div>
	</div>

	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<a id="inquiry-records"></a>
<h2>Additional requirements for records provided for an inquiry</h2>
<p><strong>Records provided for an inquiry must not contain notations or explanations other than to note the provision applied.</strong></p>
<p>Respondents are to provide reasons for applying a provision in their submission to the inquiry and not in the records at issue (see <a href="https://oipc.ab.ca/resource/practice-note-inquiry-procedures/" target="_blank" rel="noopener">Practice Note: Inquiry Procedures</a>). Additional notations or explanations appearing in the records at issue are not properly before the Commissioner in an inquiry and will not be reviewed or relied on in the inquiry.</p>
<p>This limitation does not apply to the records provided for the settlement phase of the review.</p>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<a id="index"></a>
<h2>Index of Records</h2>
<p>When there are more than three (3) pages of records at issue, the respondent must provide an index of records to the Commissioner for the review. The index of records is to be provided in a table format. The index of records required for the review at the settlement phase must include the following:</p>
<ul>
<li>All of the pages numbered in sequence, unless this is not practical (see above).</li>
<li>For withheld or severed pages, a column identifying the section number(s) of the applicable legislation under which the information has been withheld.</li>
</ul>
<p>Indexes of records provided at the settlement phase may also include a column containing a description of the nature of the records or information being withheld, but this is not required.</p>
<p>A deadline for providing the index of records for the settlement phase will be provided to the respondent in writing.</p>
<p>Indexes of records provided for an inquiry <strong>must also include </strong>a column containing a description of the nature of the records or information being withheld (e.g. “email”, “letter”, “briefing note”, “report”, etc.). It is helpful to include titles and dates of documents if that information is not at issue.</p>
<p>In an inquiry, a copy of the index of records must be provided to the applicant and/or third party with the respondent’s submission (see <a href="https://oipc.ab.ca/resource/practice-note-inquiry-procedures/" target="_blank" rel="noopener">Practice Note: Inquiry Procedures</a>).</p>
<p>The index of records is to be sent by the respondent to the Commissioner and all other parties named on the Notice of Inquiry with the respondent’s submission. It should be labelled “Index of Records (Provided to the Parties)”.</p>
<p>Because the index of records must be provided to the other parties in an inquiry, <strong>it should not itself reveal any information that the party preparing it seeks to withhold from the other parties</strong>.</p>
<h5>Index of Records Example</h5>
<p>The index of records should account for each of the withheld or redacted pages, and for every section of the applicable legislation applied. As a result, the index of records should consist of two tables:</p>
<ul>
<li>Table 1 according to page numbers, with descriptions of the records or information if the index is provided for an inquiry.</li>
<li>Table 2 according to the sections of the applicable legislation in which the descriptions need not be repeated.</li>
</ul>
<p>The two tables ensure the person conducting the review can quickly identify and locate the information and exceptions at issue in the records.</p>
<h5><em>Table 1 Example</em></h5>

<table id="tablepress-5" class="tablepress tablepress-id-5">
<thead>
<tr class="row-1">
	<th class="column-1">Page Number</th><th class="column-2">Description</th><th class="column-3">Section(s) of the Act</th>
</tr>
</thead>
<tbody class="row-striping">
<tr class="row-2">
	<td class="column-1">1-17</td><td class="column-2">Cabinet minutes</td><td class="column-3">22(1)</td>
</tr>
<tr class="row-3">
	<td class="column-1">18-19</td><td class="column-2">Minister’s report to Cabinet</td><td class="column-3">22(1), 16(1)(a)(ii), (b), (c)(i), 25(1)(c)</td>
</tr>
<tr class="row-4">
	<td class="column-1">20-22</td><td class="column-2">Third party report to Treasurer</td><td class="column-3">22(1), 16(1)(a)(ii), (b), (c)(i)</td>
</tr>
<tr class="row-5">
	<td class="column-1">23</td><td class="column-2">Public Body X’s letter to Minister of Public Body Y re: development in City Y</td><td class="column-3">21(1)(a)(ii), 25(1)(c)</td>
</tr>
<tr class="row-6">
	<td class="column-1">24-30</td><td class="column-2">Memo re: Policy Options for Public Body Y</td><td class="column-3">Disclosed</td>
</tr>
<tr class="row-7">
	<td class="column-1">Record A</td><td class="column-2">Treasury’s financial analysis for Cabinet</td><td class="column-3">22(1)</td>
</tr>
<tr class="row-8">
	<td class="column-1">Record B</td><td class="column-2">Third Party’s report to Public Body X</td><td class="column-3">16(1)(a)(ii), (b), (c)(i)</td>
</tr>
</tbody>
</table>
<h5><em>Table 2 Example</em></h5>

<table id="tablepress-6" class="tablepress tablepress-id-6">
<thead>
<tr class="row-1">
	<th class="column-1">Section(s) of the Act</th><th class="column-2">Page Number(s)</th>
</tr>
</thead>
<tbody class="row-striping">
<tr class="row-2">
	<td class="column-1">Section 16(1)(a)(ii), (b), (c)(i)</td><td class="column-2">18-19, 20-22; Record B</td>
</tr>
<tr class="row-3">
	<td class="column-1">Section 21(1)(a)(ii)</td><td class="column-2">23</td>
</tr>
<tr class="row-4">
	<td class="column-1">Section 22(1)</td><td class="column-2">1-17, 18-22; Record A: 1-5</td>
</tr>
<tr class="row-5">
	<td class="column-1">Section 25(1)(c)</td><td class="column-2">18-19, 23</td>
</tr>
</tbody>
</table>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<a id="checklist"></a>
<h2>Preparing Records at Issue Checklist</h2>
<table>
<tbody>
<tr>
<td width="29"></td>
<td width="571">Are the records numbered?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Is the numbering consistent, such that the numbers on the records are the same as those on records provided previously to the applicant or a third party?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Are the records legible? If the records are in electronic form, can they be opened?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Are all redaction decisions current and clearly indicated on the records?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Has the requestor been told about all the redaction decisions documented on the records?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Has a set of records been kept for the respondent’s use in the inquiry?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">If the records are for an inquiry, have all extraneous comments been removed from the records?</td>
</tr>
<tr>
<td width="29"></td>
<td width="571">Should an index of records be provided? If so, has an index of records been prepared?</td>
</tr>
</tbody>
</table>

		</div>
	</div>


	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<a id="glossary"></a>
<h2>Glossary of Terms</h2>

<table id="tablepress-10-no-2" class="tablepress tablepress-id-10">
<thead>
<tr class="row-1">
	<th class="column-1">Term</th><th class="column-2">Definition</th>
</tr>
</thead>
<tbody class="row-striping row-hover">
<tr class="row-2">
	<td class="column-1">Adjudication</td><td class="column-2">The team that manages the inquiry phase.</td>
</tr>
<tr class="row-3">
	<td class="column-1">Adjudicator</td><td class="column-2">The person that the Commissioner has delegated to be the decision-maker in the inquiry.</td>
</tr>
<tr class="row-4">
	<td class="column-1">Affected parties</td><td class="column-2">Individuals or other organizations that could be affected by the decision made in the inquiry. May also be referred to as third parties.</td>
</tr>
<tr class="row-5">
	<td class="column-1">Applicant</td><td class="column-2">The individual who formally requested access to information or requested correction of their personal or health information under the ATIA, FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-6">
	<td class="column-1">Arguments</td><td class="column-2">The reasons why a party believes the evidence shows certain facts to be true, and why the Commissioner should interpret the law a certain way.</td>
</tr>
<tr class="row-7">
	<td class="column-1">Case Resolution</td><td class="column-2">The team that conducts the settlement phase of a review.</td>
</tr>
<tr class="row-8">
	<td class="column-1">Complainant</td><td class="column-2">The individual who made a formal complaint that personal information was collected, used or disclosed in contravention of the FOIP Act, HIA or PIPA.</td>
</tr>
<tr class="row-9">
	<td class="column-1">Custodian</td><td class="column-2">The health service provider, whether an individual or an organization, from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-10">
	<td class="column-1">Evidence</td><td class="column-2">Information/material that establishes the facts on which a party is relying.</td>
</tr>
<tr class="row-11">
	<td class="column-1">In camera</td><td class="column-2">A portion of a submission provided only to the Commissioner in an inquiry.</td>
</tr>
<tr class="row-12">
	<td class="column-1">Inquiry</td><td class="column-2">A formal adjudicative process, usually conducted in writing.</td>
</tr>
<tr class="row-13">
	<td class="column-1">Interveners</td><td class="column-2">Individuals or organizations whose opinions or specialized knowledge can provide a broader understanding of the issues at inquiry.</td>
</tr>
<tr class="row-14">
	<td class="column-1">Mediation/investigation</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as the settlement phase.</td>
</tr>
<tr class="row-15">
	<td class="column-1">Notice of Inquiry</td><td class="column-2">Identifies the parties involved in the inquiry and their contact information, the issues that will be addressed, and a schedule for submissions.</td>
</tr>
<tr class="row-16">
	<td class="column-1">Organization</td><td class="column-2">The business, corporation, union or partnership from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-17">
	<td class="column-1">Parties</td><td class="column-2">The respondent (public body, custodian or organization), applicant/complainant, or other affected parties who are part of the inquiry.</td>
</tr>
<tr class="row-18">
	<td class="column-1">Public body</td><td class="column-2">The government department or other public entity from which the information was requested or against which the complaint was made (also called “respondent”).</td>
</tr>
<tr class="row-19">
	<td class="column-1">Respondent</td><td class="column-2">The public body, custodian or organization that has duties under the legislation.</td>
</tr>
<tr class="row-20">
	<td class="column-1">Senior Information and Privacy Manager</td><td class="column-2">The person that the Commissioner has authorized to investigate and try to settle the confirmed issues at the Case Resolution phase. May also be referred to as an investigator.</td>
</tr>
<tr class="row-21">
	<td class="column-1">Settlement</td><td class="column-2">A process authorized by the Commissioner to explore opportunities to settle issues with the parties. May also be referred to as a mediation or investigation.</td>
</tr>
<tr class="row-22">
	<td class="column-1">Submissions</td><td class="column-2">Inform the Commissioner and the other parties about what a party thinks are the central issues in a case, and provide evidence and make arguments about how those issues should be decided.</td>
</tr>
<tr class="row-23">
	<td class="column-1">Third Parties</td><td class="column-2">Parties, other than the respondent or applicant/complainant, who are part of the inquiry. For example, organizations and individuals whose information is the subject of an applicant’s access request. May also be referred to as affected parties.</td>
</tr>
</tbody>
</table>


		</div>
	</div>

<p>June 4, 2025</p>

<table id="tablepress-2-no-9" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br /><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p></td>
</tr>
</tbody>
</table>

]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
