In a move unanticipated by many privacy nerds (they do exist if you search hard enough), the Government of Alberta introduced Bill 33: the Protection of Privacy Act (POPA) to replace the existing Freedom of Information and Protection of Privacy Act (FOIPPA). FOIPPA has long needed an overhaul, but the decision to divide the legislation into POPA and the Access to Information Act (more on this in the future) has come as a surprise.

POPA does not represent an entire reworking of the existing protection of personal information provisions within FOIPA. Rather, it addresses some longstanding calls for change, including from the Privacy Commissioner of Alberta. These changes include the following:

1. Public bodies will have to establish and implement a privacy management program.

Public bodies will have to introduce and implement privacy management programs that promote the public body’s compliance with its duties. The concept of proportionality is introduced as these programs must be proportional to the extent of personal information under the control of that public body and comply with the requirements imposed by the Act itself.

The concept of privacy management programs exists within legislation in other jurisdictions, but the terms has not been historically used in Alberta’s legislation. This change signals the need for public bodies to implement more robust organizational practices that extend well beyond a mere general privacy policy. For example, what specific safeguards will be in place for contractors or service providers who will be granted access to personal information within the custody of a public body? Also now required are privacy impact assessments in “prescribed circumstances”.

2. Public bodies will not be able to sell personal information, including for marketing and advertising purposes.

Public bodies will be prohibited from selling personal information in any circumstance – including for marketing or advertising purposes. Limited exceptions apply- post-secondary educational bodies, which may use personal information for their own fund-raising activities, but even then, must discontinue such use when requested by the individual subject of that personal information.

3. Public bodies must notify an individual if their information is used in an automated system to generate content or make decisions, recommendations, or predictions.

Where an automated system is used by a public body to make decisions directly affecting an individual, the public body is required to make every reasonable effort to ensure the accuracy and completeness of the personal information and must retain that information for at least one year following its use. This one-year requirement may be shortened so long as there is agreement between the individual and the public body and any other body approving the record retention and disposition schedule of the public body.

4. Individuals must be notified of a privacy breach where there is a risk of significant harm.

Unsurprisingly, POPA introduces mandatory breach reporting that is already required under Alberta’s Personal Information Protection Act and the Health Information Act. Should incidents occur which involve the loss of unauthorized access to, or unauthorized disclosure of personal information under the custody or under the control of a public body, and a reasonable person would consider there to be a real risk of significant harm to an individual as a result of the incident, then the public body must give notice of this incident. Notice must be given without unreasonable delay and must be communicated to (i) the individual to whom there exists a risk of significant harm, (ii) the Information and Privacy Commissioner appointed under the Access to Information Act, and (iii) the Minister appointed under the Government Organizations Act.

5. Increase in fines for contravening legislation.

POPA has gained some additional enforcement teeth as compared to its predecessor. Categories of offences have been amended, and those offences pertaining to misuse of data will carry higher penalties- up to $200,000 for an individual and a maximum of $1,000,000 for any other person.

Takeaway

The introduction of POPA represents a unique opportunity for public bodies to revisit their privacy practices and refresh training for employees and service providers. What better way to ring in 2025 [privacy nerds rejoice]. Stay tuned for commentary on the Access to Information Act.

If you have any questions about POPA or need assistance with changes to your privacy policies and practices, reach out to Marc Yu in Edmonton, Kelly Nicholson in Calgary, or any member of Field Law's Privacy + Data Management Group.