Protection of Privacy Act*

Full Title: Protection of Privacy Act*

Summary

  • Bill 33 creates a stand‑alone privacy law for Alberta’s public bodies. It sets rules for how government departments, agencies, schools, and other public bodies collect, use, share, and protect personal information.
  • It also sets limits on “data matching,” controls how “non‑personal data” (like anonymized or synthetic data) is created and shared, and strengthens the role of the Information and Privacy Commissioner.

Key changes

  • Applies to Alberta public bodies only; it does not cover private companies. Health information under the Health Information Act is excluded.
  • Limits collection to what is authorized, for law enforcement, or truly needed for a program; requires notice at collection, including if an automated system will help make decisions.
  • Bans the sale of personal information by public bodies.
  • Gives people the right to ask for corrections; sets timelines and requires annotations when opinions can’t be changed.
  • Requires breach notification to the affected person, the Commissioner, and the Minister when there is a real risk of significant harm.
  • Sets tight rules for data matching and “data derived from personal information”; generally bans disclosing that derived data.
  • Allows creation and sharing of “non‑personal data” with safeguards and anti‑reidentification rules.
  • Requires every public body to run a privacy management program and to do privacy impact assessments in set situations.
  • Increases oversight powers and penalties (up to $1,000,000 for organizations for certain offences).

What it means for you

  • Residents

    • Your personal information at Alberta public bodies can only be collected for clear, limited reasons. You must be told the purpose, the legal authority, who to contact with questions, and if an automated system will be used.
    • You can ask for errors to be corrected. If it’s an opinion, the record must be linked to your correction request. You should get a decision within 30 business days.
    • If a breach creates a real risk of significant harm, you will be notified without unreasonable delay.
    • Some older records in archives can be released after 25 years (with privacy limits) or 75 years.
  • Students and alumni

    • Post‑secondary schools may use alumni records for fundraising, but you can opt out at any time.
    • Schools may share student course evaluations to help students choose courses.
  • Families of deceased individuals

    • Some information may be shared with a surviving spouse, partner, or relatives if it is not an unreasonable invasion of privacy.
    • Archives may release older records after set time periods.
  • Researchers and organizations outside government

    • You may receive personal information for research only under strict conditions and written agreements (security, no further use without approval, and removal of identifiers).
    • You can receive non‑personal data (including synthetic data) for research, analysis, or program planning under agreements that ban re‑identification and require secure handling and timely destruction.
  • Public servants and public bodies

    • You must build a privacy management program (within one year) and follow prescribed safeguards and technical standards.
    • You must give proper collection notices, keep information accurate, and retain it at least one year when it informs a decision that directly affects a person.
    • You must report qualifying privacy breaches and keep a public directory of “personal information banks” your body holds.
    • Data matching is restricted to research/analysis and program purposes, with security controls; disclosure of derived data is mostly banned.
    • Non‑personal data can be created and shared, but re‑identification is prohibited and penalized.
    • Whistleblowers who report privacy violations to the Commissioner are protected from retaliation.
  • Minors and safety situations

    • Public bodies can disclose information to protect a minor’s health or safety or to avert imminent danger.

Expenses

No publicly available information.

Proponents' View

  • Modernizes Alberta’s privacy rules by separating “access to information” from “protection of privacy” and clarifying duties for public bodies.
  • Strengthens trust: bans selling personal information and requires timely breach notifications to affected people and the Commissioner.
  • Sets clear guardrails for data matching and anonymization, with higher penalties to deter misuse, including attempts to re‑identify data.
  • Promotes better public services and research by allowing controlled use of non‑personal data while protecting individuals.
  • Gives the Information and Privacy Commissioner stronger tools and enforceable orders to uphold privacy.

Opponents' View

  • Scope concerns: many records are excluded (courts, some legislative records, certain registries), and the law applies only to public bodies, not private companies.
  • Broad internal sharing: “consistent purpose,” “common or integrated programs,” and wide non‑personal data sharing among public bodies may expand government data use.
  • Heavy reliance on future regulations for key details (security standards, PIA triggers, non‑personal data types) creates uncertainty.
  • Re‑identification risks remain with anonymized or synthetic data, despite safeguards and penalties.
  • Administrative burden and costs for public bodies to build programs, do PIAs, maintain directories, and manage notices and breaches.
  • Limited individual remedies: no right to sue for damages; orders are final (with only judicial review), and timelines for reviews may feel long.

Timeline

  • Nov 6, 2024: First Reading
  • Nov 20, 2024: Second Reading
  • Nov 28, 2024: Second Reading
  • Dec 4, 2024: Committee of the Whole - Third Reading
  • Dec 5, 2024: Royal Assent