
Legislative Updates: New Privacy Legislation
September 2025
Two new pieces of legislation, the Access to Information Act (ATIA) and the Protection of Privacy Act (POPA), came into force on June 11, 2025, replacing the Freedom of Information and Protection of Privacy (FOIP) Act.
This legislation applies to individuals working in the public sector in Alberta. For speech-language pathologists and audiologists, this will include those working for school boards and charter schools or in academic roles at universities or colleges. While you may not work for a public body, and therefore may not be obligated to follow requirements under ATIA and POPA, it’s nevertheless important that all regulated members stay informed about updates to privacy legislation, as there may be impacts in relation to collaboration across various practice settings.
This Insights article aims to provide a brief overview of some of the changes reflected in the new privacy legislation, relevant to regulated members who work in the public sector.
Background & Legislative Context:
The changes to ATIA and POPA were made under Bill 46, Protection of Privacy and Access to Information Statutes Amendment Act, and aim to enhance clarity and modernize the legislation, while strengthening privacy protections for Albertans. The Office of the Information and Privacy Commissioner (OIPC) will continue to oversee and enforce public sector privacy legislation.
ATIA integrates the access to information component from the former FOIP and provides rules and processes for individuals accessing personal records, aiming to protect confidential information.
POPA replaced the protection of privacy section of the former FOIP and governs the ways public bodies may collect, use, or disclose personal information.
Notably, some aspects of FOIP may still apply during the transitional period to ATIA and POPA. Examples include an access request that was made, or a matter of a review, inquiry, or investigation that occurred before the repeal of the FOIP Act.
Summary of Key Changes in ATIA
- A timeline change to 30 business days (rather than calendar days) for public bodies to respond to access requests, with possible “reasonable” extensions in certain circumstances, without request to the Commissioner. Automatic extensions may occur in emergencies, e.g., wildfires.
- Public bodies have been given power to disregard an access request without an application to the OIPC, e.g., when the request is overly broad or the information has already been provided to the applicant.
- Duty to Assist revisions clarified that public bodies must make every reasonable effort to assist applicants, e.g., communicating with applicants to resolve unclear requests.
- Disclosure – Records that do not contain personal information may be available without an access request.
- Exemptions – Public bodies can withhold information in workplace investigations where disclosure would otherwise compromise the integrity of the investigation or the privacy of parties involved.
- Higher penalties for contravening legislation.
Summary of Key Changes in POPA
- In addition to notifying the OIPC and the relevant Minister of privacy breaches, public bodies must notify individuals:
  - If personal information is used for automated systems (e.g., artificial intelligence).
  - Of a privacy breach where there is a significant risk of harm (e.g., financial loss).
- New requirements have been added regarding retention and use of personal information in automated systems to generate content (e.g., making every reasonable effort to ensure the accuracy and completeness of personal information).
- Privacy Management Programs, which document the policies and procedures of public bodies’ privacy practices, are mandatory (within one year of the legislation coming into force).
- Privacy Impact Assessments (PIA) are required before public bodies launch new programs or substantial changes to practice, to address privacy risks and implement safeguards for personal information.
- Personal information cannot be sold in any circumstance or for any purpose.
- So long as the data is reasonably protected against risks, a public body may derive data from personal information it already has or collect it from another public body for data matching.
- While non-personal data (i.e., deidentified personal data) may be used and disclosed for research, analysis, or service delivery purposes, other activities may only be permitted for specific purposes and public bodies.
- Higher penalties for contravening legislation.
How will I know if these privacy changes will impact me?
If you think you may be affected by these changes, or you are unsure if or how these changes apply to you, it’s recommended that you discuss this with your employer to ensure you comply with their organizational privacy policies. You may also consult legal counsel for advice, as needed.
As noted in the September 2025 Essentials email, ACSLPA has been working on updating key college documents to align with these changes to privacy legislation. If you would like more information, see the links below.
Links:
- Find links to the ATIA and POPA and their regulations on ACSLPA’s website here.
- The Government of Alberta
- The Office of the Information and Privacy Commissioner (OIPC) of Alberta’s website.
If you found this article interesting, all of our Insights publications can be accessed here. If you have questions about these topics, the legislation behind them, or the way ACSLPA functions, please email feedback@acslpa.ca or call 780-944-1609 ext. 101.
If there is a conflict or discrepancy with the information or advice set out on this webpage and the information contained in a more official ACSLPA document, then the information contained in the more official ACSLPA document applies and not the information or advice set out here. For the purposes of this disclaimer, ACSLPA’s more official documents include the governing legislation (including the Health Professions Act and the Speech-Language Pathologist and Audiologist Profession Regulation) as well as ACSLPA’s Bylaws, policies, Standards of Practice, Code of Ethics, manuals and/or any other official document approved by Council, a statutory committee or a college official. Persons interacting with ACSLPA are responsible for reviewing and familiarizing themselves with the relevant information contained in ACSLPA’s official documents.