These legislative changes are sure to have substantial impact on municipalities across Alberta, as they modernize and streamline Alberta’s access to information and privacy laws, strengthen privacy protections and clarify access to electronic records.
What’s Changed?
Access to Information Act
The ATIA allows individuals access to the records in the custody or under the control of a municipality and provides for independent review of decisions made by municipalities. Key changes and additions introduced in the ATIA include:
- Recognition of electronic records
- Extended response time for municipalities’ requests during emergency situations
- Timelines for responding are defined as “business days”
- Municipalities have a duty to assist applicants by providing electronic records
- Municipalities are empowered to proactively disclose information outside of the access to information process
- Certain documents can be withheld from mandatory disclosure by the municipality
- Clear timelines are set out for the Office of the Information and Privacy Commissioner of Alberta (OIPC) to complete reviews and respond to access requests
- A municipality may be ordered to disclose information after OIPC completes its review of an access request
Protection of Privacy Act
The POPA exists to control the collection, use and disclosure of personal information by a municipality. Under POPA, individuals are able to request corrections to their personal information that is held by a municipality. Key changes and additions introduced in the POPA include:
- Municipalities are required to establish a privacy management program to ensure compliance with requirements set out in the POPA
- Mandatory privacy impact assessments when implementing a new, or making a substantial change to an existing, administrative practice, program, project or service if:
- The administrative program, project or service involves the collection, use and disclosure of personal information where the loss of, unauthorized access to or unauthorized disclosure of the personal information that will be collected, used or disclosed could result in a real risk of significant harm
- The practice, program, project or service:
- Will collect, use or disclose personal information considered to be of high sensitivity
- Will involve the personal information of a significant percentage of the population the municipality serves
- Will involve data matching between two or more public bodies
- Is part of a common or integrated program or service
- Involves the development or use of innovative technology
- Municipalities must give notification of privacy breaches where a real risk of significant harm occurs
- Restrictions are placed on data derived from personal information
- Non-personal data may only be disclosed for specific purposes and with safeguard conditions in place
- The OIPC is not required to proceed with investigations under certain circumstances
- Stronger penalties implemented for contravening the Act
Establishing and implementing a privacy management program
It is important that municipalities are aware of their responsibilities under the new privacy legislation. If not already in place, municipalities need to establish and implement a privacy management program to ensure compliance with their duties, as required by the POPA. A privacy management program requires having documented policies and procedures in place to promote the safe handling of personal information and non-personal data.
Section 6 of the Protection of Privacy (Ministerial) Regulation provides that privacy management programs must be compliant with section 25 of the POPA and include:
- The designation or identification of a privacy officer within the municipality who is responsible for ensuring the municipality’s compliance with the POPA
- Internal policies and procedures set in place to address the municipality’s duties under the POPA
- The establishment of a security classification system for personal information, data derived from personal information and non-personal data in the custody or under the control of the municipality
- Mandatory training for employees of municipalities to understand their obligations under POPA
- Timelines for periodic review, assessment and updates of the privacy management program
Further requirements must also be in place for municipalities that manage a high volume of personal information or highly sensitive personal information.
Our MLT Aikins Municipal team is equipped to assist municipalities to ensure they are in compliance with the new requirements under the ATIA and the POPA. If you have any questions regarding the changes to Alberta’s privacy legislation or are seeking assistance with developing a privacy management program, please reach out to a member of our team.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.
Share
