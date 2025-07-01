These legislative changes are sure to have substantial impact on municipalities across Alberta, as they modernize and streamline Alberta's access to information and privacy laws, strengthen privacy protections and clarify access to electronic records.

What's Changed?

Access to Information Act

The ATIA allows individuals access to the records in the custody or under the control of a municipality and provides for independent review of decisions made by municipalities. Key changes and additions introduced in the ATIA include:

Recognition of electronic records

Extended response time for municipalities' requests during emergency situations

Timelines for responding are defined as "business days"

Municipalities have a duty to assist applicants by providing electronic records

Municipalities are empowered to proactively disclose information outside of the access to information process

Certain documents can be withheld from mandatory disclosure by the municipality

Clear timelines are set out for the Office of the Information and Privacy Commissioner of Alberta (OIPC) to complete reviews and respond to access requests

A municipality may be ordered to disclose information after OIPC completes its review of an access request

Protection of Privacy Act

The POPA exists to control the collection, use and disclosure of personal information by a municipality. Under POPA, individuals are able to request corrections to their personal information that is held by a municipality. Key changes and additions introduced in the POPA include:

Municipalities are required to establish a privacy management program to ensure compliance with requirements set out in the POPA

Mandatory privacy impact assessments when implementing a new, or making a substantial change to an existing, administrative practice, program, project or service if: The administrative program, project or service involves the collection, use and disclosure of personal information where the loss of, unauthorized access to or unauthorized disclosure of the personal information that will be collected, used or disclosed could result in a real risk of significant harm The practice, program, project or service: Will collect, use or disclose personal information considered to be of high sensitivity Will involve the personal information of a significant percentage of the population the municipality serves Will involve data matching between two or more public bodies Is part of a common or integrated program or service Involves the development or use of innovative technology

Municipalities must give notification of privacy breaches where a real risk of significant harm occurs

Restrictions are placed on data derived from personal information

Non-personal data may only be disclosed for specific purposes and with safeguard conditions in place

The OIPC is not required to proceed with investigations under certain circumstances

Stronger penalties implemented for contravening the Act

Establishing and implementing a priva cy management program

It is important that municipalities are aware of their responsibilities under the new privacy legislation. If not already in place, municipalities need to establish and implement a privacy management program to ensure compliance with their duties, as required by the POPA. A privacy management program requires having documented policies and procedures in place to promote the safe handling of personal information and non-personal data.

Section 6 of the Protection of Privacy (Ministerial) Regulation provides that privacy management programs must be compliant with section 25 of the POPA and include:

The designation or identification of a privacy officer within the municipality who is responsible for ensuring the municipality's compliance with the POPA

Internal policies and procedures set in place to address the municipality's duties under the POPA

The establishment of a security classification system for personal information, data derived from personal information and non-personal data in the custody or under the control of the municipality

Mandatory training for employees of municipalities to understand their obligations under POPA

Timelines for periodic review, assessment and updates of the privacy management program

Further requirements must also be in place for municipalities that manage a high volume of personal information or highly sensitive personal information.

