Freedom of Information and Protection of Privacy Act of Alberta: important amendments

Learn about Alberta's Freedom of Information and Protection of Privacy Act and its updates after the passing of two bills in 2024

The Freedom of Information and Protection of Privacy Act (FOIP Act) of Alberta has been the long-standing data privacy law of the province — but things have changed in 2024. With the passing of Bill 33 and Bill 34, we’ll now be seeing some legislative amendments to the FOIP Act. 

Here, we’ll discuss the basics of handling personal private information under the FOIP Act and its related new laws. This article can be used by lawyers who want to know more about this legislation, or their clients as an educational piece. 

What is the Freedom of Information and Protection of Privacy Act in Alberta? 

Alberta’s Freedom of Information and Protection of Privacy Act (FOIP Act) is the provincial law on matters involving access to one’s personal information, including its protection when handled by organizations. This law also provides the legal remedies related to an organization’s handling of personal information, and how the information should be collected, used, and disclosed. 

The FOIP Act was recently amended in December 2024. It will be split into two provincial laws: the Protection of Privacy Act (PPA) and the Access to Information Act (ATIA). These changes, including the publication of its regulations, are expected to take effect in 2025. 

While most principles and rules in the FOIP Act were retained by the PPA and the ATIA, there are also significant differences. As such, organizations in the province are urged to learn about these new laws and how these impact their operations. 

These changes to the FOIP Act are welcome, considering how much has changed since the law was enacted. Here’s an overview of these changes, as discussed by Nate Glubish, Alberta’s Minister of Technology and Innovation: 

 

Learn more about the FOIP Act and its changes by consulting the best data privacy and cybersecurity lawyers in Canada as ranked by Lexpert. 

Bills 33 and 34: amending the FOIP Act 

The PPA (Bill 33) and the ATIA (Bill 34) received royal assent on December 5, 2024; these laws will take effect upon their proclamation. In brief, these Bills will introduce the following changes or additions to the FOIP Act:

  • Part 1 and Part 2 of the FOIP Act will be split into the ATIA and the PPA, respectively, with the rest of the FOIP Act being apportioned between the two laws 
  • changes to how personal information will be protected when handled by public bodies (whether executive, legislative, or judicial) 
  • a mandatory breach notification regime, which organizations must follow immediately after a data breach has occurred 
  • individuals who want to access their own personal information will now follow the updated ‘access to information’ process 
  • new powers for the Office of the Information and Privacy Commissioner of Alberta (OIPC), the provincial regulator 

Basically, while Bill 33 (PPA) deals with the protection of privacy, Bill 34 (ATIA) improves the ways people can access personal information used by these bodies. 

What is the Protection of Privacy Act of Alberta? 

Building on the protection that the FOIP Act provides, the Protection of Privacy Act will mandate public bodies to create programs and services to protect personal information. It will also implement a process where individuals will be notified if their personal information is involved in a privacy breach. 

Collection, use, and disclosure 

When a public body collects, uses, or discloses personal information, the protective measures set up by the PPA apply. They can only collect personal information if it’s: 

Its use will also depend on the purpose of its collection. As a change from the FOIP Act, the PPA prohibits public bodies from selling personal information, including for marketing or advertising purposes. 

As to its disclosure, the PPA has a long list of situations where a public body can disclose personal information it has collected. Among them is where the disclosure would not violate the ATIA’s provision on the unreasonable invasion of personal privacy. 

In any case, this video explains how provincial and federal data privacy laws interact and apply to specific professionals, particularly nurses, in Alberta: 

 

For more help regarding data privacy laws, including the previous Freedom of Information and Protection of Privacy Act and its amendments (PPA and ATIA), reach out to the best data privacy and cybersecurity lawyers in Alberta as ranked by Lexpert. 

Reporting of data privacy breaches 

In case of a data privacy breach, public bodies will be required to report the incident to at least these three parties: 

  • the person who owns the personal information 
  • the OIPC 
  • the Minister of Technology and Innovation 

As to which incidents should be reported, the PPA covers those involving the loss of, unauthorized access to, or unauthorized disclosure of personal information, where there is also a real risk of significant harm to the owner of the personal information because of the breach. If these standards are met, the incident must be reported immediately. 

In any case, it’s important to reach out to a privacy breach lawyer when these incidents occur. 

Management programs and impact assessments 

Another new mandate by the PPA is that public bodies should have the following: 

  • Privacy management program: This is a public body’s set of policies and procedures for its compliance with the PPA. It must be proportional to the volume and sensitivity of the personal information handled by the public body. 

  • Privacy impact assessment: This assessment must identify and review the risks of the public body’s handling of personal information, including their mitigation strategies and safeguards. All of these are set up to comply with the PPA and its regulations. 

A public body’s privacy management program may be requested by any concerned person, while its privacy impact assessment must be given to the OIPC when requested. 

Reviews and complaints 

Both the PPA and the ATIA have similar provisions giving a person the right to ask the OIPC to review a public body’s compliance with these two laws. 

The PPA establishes a process that persons who want to ask for a review must follow. Before resorting to a review by the OIPC, a person must first raise their concern with the public body. 

If the concern remains unresolved, a request for review can be sent to the OIPC. The PPA provides for the following procedure: 

  • the public body concerned is informed of the request for review 
  • the OIPC may authorize a mediation between the parties 
  • if the matter is still unresolved after the mediation, the OIPC will conduct an inquiry 
  • after the inquiry, the OIPC will make an order to resolve the issue 

The statute has also empowered independent adjudicators to resolve issues related to the PPA. 

Penalties for violating the PPA 

The PPA has listed the offences that persons and public bodies may commit. Below is a summary of these offences: 

  • the collection, use, or disclosure of personal information in violation of any of the provisions of the PPA 
  • making a false statement to the OIPC, or misleading them, when they’re exercising any of their powers under the PPA 
  • failing to comply with an order made by the OIPC or by an independent adjudicator 

Depending on the offence, penalties include fines (up to $125,000 for individuals and up to $750,000 for organizations). These fines increase when they involve derived data and non-personal information. 

What is the Access to Information Act of Alberta? 

The Access to Information Act (ATIA) is more concerned with ensuring that people in Alberta can freely check the sensitive and private information that exists about them. The law also grants additional powers to the OIPC and establishes the legal regime on reviews, just like in the PPA. 

Freedom of information 

The ATIA continues the right of access to information that is ensured by the FOIP Act. Under the rule, any person has the right to personal information handled or controlled by a public body.

Requests are still structured, with the ATIA providing for a specific process that a public body must follow when a request is made, including the timeline. The ATIA also grants public bodies the power to disregard these requests in certain circumstances, such as when: 

  • the request would unreasonably interfere with the public body’s operations 
  • the request is abusive, threatening, frivolous, vexatious, or overly broad 
  • the information was already provided or is already publicized 

The time limit for responding to a request can be extended; one change is that a public body can extend the response time in times of emergency.

Exceptions to a disclosure 

However, there are cases when a request may be denied or when a public body can validly refuse to disclose personal information. These exceptions make up the bulk of the ATIA. 

Below are the general classifications of information that may not be disclosed: 

  • when the disclosure is harmful to the public body, to a third party, the government, the economy, or the public in general 
  • if the information is confidential, such as in confidential employment evaluations and workplace investigations 
  • if the information consists of government confidences (e.g. Cabinet and Treasury Board confidences, local public body confidences) 
  • if it’s privileged information (e.g. solicitor-client privilege, parliamentary privilege) 

However, there are times when these exceptions would not apply. For instance, a disclosure is permitted when a third party — who is supposed to be protected by the privacy law — has already consented to such disclosure. 

Reviews and complaints 

Like the PPA, the ATIA also establishes clear timeframes for the OIPC to review and respond to access requests from the complaining public. Again, it’s still required that a person must first file their request with the public body concerned. 

The ATIA process of reviews and complaints works similarly to the PPA’s; it involves a notice requirement to the public body, mediation, and an inquiry. 

Alberta’s FOIP Act: Legislative changes with the PPA and the ATIA 

While the Freedom of Information and Protection of Privacy Act of Alberta (FOIP Act) has long been a protective law, it has been improved by the amendments brought by the Access to Information Act (ATIA) and the Protection of Privacy Act (PPA). As these privacy laws evolve, understanding the changes is essential not only for lawyers but also for their clients. By staying proactive, organizations can avoid potential violations and protect the privacy of every Albertan. 

Want more information on the changes to Alberta’s Freedom of Information and Protection of Privacy Act? Check out Lexpert’s directory of the best Canadian law firms in data privacy and security.