Overview
Public bodies are required to establish and implement a Privacy Management Program (PMP) consisting of documented policies and procedures that promote the public body’s compliance with its duties under POPA.
Privacy Management Programs
A Privacy Management Program (PMP) is an evolving set of policies, procedures and tools developed by a public body to ensure that privacy is protected and that the public body’s internal policies and procedures align with POPA.
Any person may request a copy of a public body’s PMP. A public body must provide a copy or provide directions on where to access a copy of the PMP, within 30 business days of the request.
This provision is not yet in force. Public bodies have 1 year from the date of proclamation to implement a PMP and are not required to provide a person with a copy of their PMP.
Privacy impact assessments
POPA establishes that public bodies are required to prepare privacy impact assessments under prescribed circumstances.
Conducting privacy impact assessments is an exercise to assist public bodies in identifying and addressing privacy risks associated with the implementation of any new administrative practice, program, project or service, or when substantial changes are being made to an existing administrative practice, program, project or service.
Refer to the resources page for more information on privacy impact assessments.
Protection and security arrangements
All public bodies have a responsibility to handle and safeguard personal information, data derived from personal information, and non-personal data in accordance with POPA.
POPA requires public bodies to make reasonable security arrangements to protect the personal information, data derived from personal information and non-personal data. Reasonable security arrangements are administrative safeguards, physical safeguards and technical safeguards to protect personal information, data derived from personal information and non-personal data in the custody or under the control of a public body.
Privacy incident
A privacy incident occurs when personal information under the custody or control of a public body is lost, accessed or disclosed without authorization, and there is a real risk of significant harm (RROSH) to an individual as a result.
Privacy incidents may result in significant harm not only to individuals, but also to organizations and public bodies. Therefore, taking appropriate steps to contain an incident with an efficient and coordinated approach minimizes the harm that it may cause to all parties, especially individuals.
Refer to the resource page for more information on incident response and notifications.
Visit Report a privacy incident (public bodies) to learn more.