22 June 2026

Alberta Privacy Regulator Issues New Guidance For Public Sector Compliance

Gowling WLG

Contributor

Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.

The Office of the Information and Privacy Commissioner of Alberta (OIPC) has released new guidance to assist public bodies with privacy management programs (PMP) and privacy impact assessments under Alberta’s Protection of Privacy Act¹ (POPA), which came into effect in June 2025.

Under the legislation, public bodies were required to establish and implement PMPs not later than June 11, 2026. The OIPC has now provided the following guidance on their implementation:

1. Developing a comprehensive privacy management program

Privacy officer: To facilitate the organizational commitment required for a PMP, public bodies must designate a privacy officer, who:

  • is responsible for POPA compliance and for the development, implementation, and maintenance of the PMP;
  • serves as the primary point of contact for privacy inquiries, supports policy development, oversees compliance, delivers employee training, and coordinates incident response; and
  • reports directly to the head of the public body.

Program controls: A PMP should include the following core program controls:

  • internal policies and procedures for correction requests, privacy incidents, and complaints;
  • policies for non-personal data and automated systems (including artificial intelligence);
  • a security classification system (e.g. a personal information inventory which captures all recorded personal information held by a public body, including by vendors);
  • mandatory employee training with specified retraining periods; and
  • timelines for periodic review.

Additional requirements for highly sensitive or high volumes of personal information: Public bodies are subject to additional statutory requirements when handling highly sensitive information (biometric information, financial information, or information respecting minors, seniors, or vulnerable individuals) or high volumes of personal information. These requirements include:

  • documented internal privacy roles and accountabilities;
  • privacy impact assessment processes;
  • proactive monitoring of information systems;
  • consent procedures;
  • artificial intelligence and data matching policies; and
  • written administrative, technical, and physical safeguards.

2. Ongoing assessment and revision

Public bodies must establish timelines for the periodic review, assessment, and updating of their PMP to ensure that privacy controls remain current and effective in the face of organizational change, changed or new regulations, OIPC orders regarding POPA, or emerging security threats. This includes regularly updating personal information inventories, revising policies and procedures, updating risk assessments, improving incident response protocols, ensuring service provider management, and improving external communication for transparency and accountability.

3. Demonstrating compliance

Under POPA, public bodies must provide, within 30 business days, a copy of their PMP, or directions to where a copy may be accessed, to any person who requests it. The OIPC recommends making the PMP publicly available online, subject to the ability to withhold security-related information.

Privacy impact assessment template and guidance

Under POPA, public bodies must complete privacy impact assessments (PIAs) for new or substantially changed practices, programs, projects, or services involving personal information where there is a risk of significant harm or where factors requiring submission to the Information and Privacy Commissioner (the Commissioner) apply, as set out in the Protection of Privacy (Ministerial) Regulation². In certain circumstances, PIAs must be submitted to the Commissioner for review and comment.

Any public body that is required to submit a PIA to the OIPC under POPA must use the PIA Template. The OIPC’s PIA Template Completion Guide is intended as a companion document and outlines the expectations for each question, providing explanation or clarification where needed. 

The OIPC’s guidance is a practical resource that can support public bodies in preparing PIAs. It is a helpful reference and should be used alongside legal advice, not in place of it.

Key takeaways

Public bodies are increasingly expected to demonstrate accountability not only through written policies, but in day-to-day program design, procurement, service delivery, and information governance.

Footnotes

1. S.A. 2024, c. P-28.5.

2. Alta Reg. 143/2025 at ss. 7(1) and 7(5).

Read the original article on GowlingWLG.com
