Modernizing Alberta’s Personal Information Protection Act - Private sector organization representative survey

Specifically for private sector organization representatives to provide input on what should be considered when updating the Act.

Introduction

The Personal Information Protection Act (PIPA) is Alberta’s private sector privacy law, governing how provincially regulated organizations collect, use, and disclose personal information. “Organizations” include corporations, businesses, unincorporated associations, trade unions (as defined in the Labour Relations Code), partnerships (as defined in the Partnership Act), individuals acting in a commercial capacity (such as landlords), and, in certain circumstances, non-profit organizations. It does not include individuals acting in a personal or domestic capacity.

The Government of Alberta is exploring options to modernize PIPA to give Albertans stronger privacy rights, align with global standards, and support innovation while respecting the personal information of Albertans.

PIPA was introduced in 2004 and last significantly updated in 2010. Modernizing PIPA is important to ensure Alberta’s privacy protections remain strong, relevant, and responsive to rapid technological change and the realities of today’s digital world.

Your feedback is valuable and will:

  • Inform options for modernizing PIPA;
  • Help government understand concerns, priorities, and expectations regarding privacy; and
  • Ensure policies are practical and effective and support successful implementation.

The survey takes 15 to 20 minutes to complete and closes February 17, 2026.

Survey

Please do not submit responses that include personal information about other people.

Introduction

How would you rate your knowledge of privacy laws in Alberta?

For the following question, “employee” is based on PIPA’s definition under section 1(1)(e):

“employee” means an individual employed by an organization and includes an individual who performs a service for or in relation to or in connection with an organization

(i) as a partner or a director, officer or other office-holder of the organization,

(i.1) as an apprentice, volunteer, participant or student, or

(ii) under a contract or an agency relationship with the organization;

Which of the following best represents the size of your organization?
Select all privacy laws that your organization is subject to:
Alberta’s PIPA adequately protects personal information held by private organizations.

Rights of individuals

Automated systems are systems, software or processes that use computation to help make decisions, collect information or interact with individuals and communities.

Individuals should have transparency on the use of automated systems, such as artificial intelligence, by your organization.
Individuals should have the ability to challenge decisions about the use of automated systems by your organization.

The right to be forgotten is where individuals can ask organizations to remove their personal information when it is outdated, irrelevant, excessive or no longer necessary.

Implementing the right to be forgotten would create conflict with my organization’s existing legal obligations or regulatory requirements.
My organization currently has the technical capacity to fully delete or de-index personal data upon request.
Alberta organizations would benefit from the ability to obtain or transfer personal information from one organization to another, in an accessible format.

Privacy protections and safeguards

In Alberta, minors are individuals under the age of 18.

Personal information should be categorized and treated differently if the information pertains to highly sensitive personal information or minors’ personal information.
The current threshold for real risk of significant harm for breach reporting is easy to interpret and apply in practice.
PIPA is clear on what privacy policies and practices private sector organizations must have in place to be in compliance with the legislation.

Privacy Management Programs are a comprehensive framework to ensure personal information is managed in compliance with privacy laws and best practices. It includes policies and procedures, defined roles and responsibilities, and training and accountability measures.

Does your organization currently have a privacy management program in place?
Private sector organizations should be required to establish privacy management programs.

A privacy impact assessment (PIA) is a process that assists in identifying, assessing and mitigating privacy risks in projects or initiatives involving personal information.

Private sector organizations should be required to complete a privacy impact assessment when initiating projects and/or integrating new systems that involve personal information.
Having a sector-specific or risk-based threshold would help my organization comply with a requirement to complete privacy impact assessments.

“De-identified” data is where personal identifiers are removed, masked or modified but there is still a re-identification risk.

Innovation and value-added products include activities like product development or research and development.

“Anonymized” data is considered permanently transformed so that it is impossible to determine an individual’s identity.

Private organizations should be able to de-identify personal information within their control for innovation and value-added products.
Private organizations should be able to anonymize personal information within their control for innovation and value-added products.

A regulatory sandbox is a controlled environment that enables the innovative use of data and testing new business models under regulatory oversight. In a sandbox, private organizations can design and trial business solutions and assess real-world impacts of new products or services.

Alberta should establish a secure, limited access regulatory sandbox for private sector organizations to test scenarios under temporary, narrowly defined PIPA exemptions.
If regulatory sandboxes were available to Alberta organizations, how likely is your organization to participate?

Third-party service providers are organizations that directly or indirectly provide a service for or on behalf of another organization.

Alberta organizations should be required to include contractual provisions obligating a third-party service provider to comply with PIPA when handling personal information in its custody or under its control.

Administrative monetary penalties (AMPs) are regulator-imposed financial penalties designed to promote accountability, deter misconduct and ensure compliance.

PIPA should include authorities for the Commissioner to impose AMPs against an organization to deter non-compliance.

Conclusion