ClearBreach


May 2, 2026

AB PIPA | Legislation

Alberta POPA: Private Sector Implications

By Yong Du

Alberta's POPA applies to public bodies, not private businesses — but its requirements signal exactly where PIPA reform is heading.

What happened

The Government of Alberta has published an official implementation guide for the Protection of Privacy Act (POPA), which came into force on June 11, 2025. POPA replaced the privacy portion of Alberta's former Freedom of Information and Protection of Privacy Act (FOIP), consolidating public sector privacy obligations under a single statute. The June 11, 2026 deadline for public bodies to have a formal Privacy Management Program in place is now weeks away.

POPA applies to Alberta public bodies — government ministries, municipalities, school boards, universities, colleges, and other designated entities. It does not replace PIPA, which continues to govern private sector organizations in Alberta.


Who POPA applies to

POPA applies to Alberta public bodies as defined in the Act, including:

  • Government of Alberta ministries and departments
  • Municipalities and municipal agencies
  • School boards and school authorities
  • Post-secondary institutions (universities, colleges, technical institutes)
  • Health authorities and other designated health bodies
  • Other government agencies and boards designated under the Act

Private sector organizations — businesses, professional practices, non-profits engaged in commercial activity — are not subject to POPA. They remain governed by Alberta PIPA (Personal Information Protection Act, SA 2003 c P-6.5), administered by the same regulator: the OIPC Alberta.


What POPA requires

POPA codifies privacy obligations for public bodies across three main areas:

Privacy Management Programs — mandatory by June 11, 2026

Every public body subject to POPA must have a formal Privacy Management Program in place. The program must include a designated privacy officer accountable for compliance, written policies and procedures for the collection, use, and disclosure of personal information, employee privacy training, and documented procedures for managing privacy breaches. The OIPC Alberta has published a Privacy Management Program guide to support implementation.

Privacy Impact Assessments — mandatory template

POPA requires public bodies to conduct Privacy Impact Assessments before implementing new programs or systems involving personal information. The OIPC Alberta released a mandatory PIA template on March 26, 2026. As of May 1, 2026, the OIPC will not accept PIA submissions that do not use the new template. Organizations that submitted PIAs under the old FOIP framework must now use the POPA template.

Breach notification — RROSH threshold

POPA applies the same Real Risk of Significant Harm (RROSH) threshold for breach notification that governs private sector organizations under Alberta PIPA. Public bodies must notify the OIPC Alberta and affected individuals when a breach poses a real risk of significant harm. The obligation and threshold are consistent across both statutes.


POPA vs. Alberta PIPA — comparison

|                            | Alberta POPA                                                            | Alberta PIPA (current)                     |
|----------------------------|-------------------------------------------------------------------------|--------------------------------------------|
| Who it governs             | Public bodies (ministries, municipalities, school boards, universities) | Private sector organizations               |
| Administered by            | OIPC Alberta                                                            | OIPC Alberta                               |
| In force since             | June 11, 2025                                                           | February 1, 2004                           |
| Breach notification        | Mandatory when RROSH present                                            | Mandatory when RROSH present               |
| Privacy Management Program | Mandatory — deadline June 11, 2026                                      | Not yet mandatory — amendments forthcoming |
| Privacy Impact Assessments | Mandatory for new programs                                              | Best practice — not yet mandatory          |
| Regulator reporting        | OIPC Alberta                                                            | OIPC Alberta                               |

The breach notification obligations are substantively identical across both statutes — same RROSH threshold, same four factors, same regulator. The difference is on the proactive side: POPA mandates Privacy Management Programs and PIAs for public bodies now, while PIPA does not yet require them for private sector organizations.


Why private sector organizations need to pay attention

Private sector organizations have two direct reasons to follow POPA closely despite not being subject to it.

Serving public body clients. MSPs and service providers that handle personal information on behalf of municipalities, school boards, or other public bodies are working with clients who now face new statutory obligations. Your public sector clients need Privacy Management Programs, will be conducting PIAs, and must notify the OIPC Alberta under the same breach threshold you already know from PIPA. Understanding what they are now subject to is directly relevant to how you support them — and in some cases, your services are within the scope of their PIA obligations.

Where private sector obligations are heading. The OIPC Alberta has indicated that privacy management program resources are being developed for PIPA once upcoming amendments are proclaimed in force. POPA is not a separate direction — it is the same direction, applied first to the public sector. The accountability structures, Privacy Management Program requirements, and breach notification standard now codified for public bodies are the clearest signal available about what Alberta PIPA will require of private sector organizations when the amendments take effect.


What the PIPA amendments will bring

The PIPA amendments referenced by the OIPC Commissioner have not yet been proclaimed in force as of May 2026. No proclamation date has been announced. When they are proclaimed, private sector organizations in Alberta are expected to face obligations comparable to those now applying under POPA, including formal Privacy Management Program requirements and potentially mandatory PIAs for higher-risk programs.

Organizations should not wait for a proclamation date to begin building their privacy documentation. The gap between "amendments introduced" and "amendments in force" is typically short once proclamation is imminent. Organizations that have already designated a privacy officer, documented their privacy policies, and built their breach response procedures will have a straightforward path to compliance. Organizations that have done none of this will face a compressed implementation timeline.


What to do now

For private sector organizations subject to Alberta PIPA:

  • Designate a privacy officer if you have not already done so — PIPA already requires this under its accountability principle; POPA's Privacy Management Program requirements reinforce the expectation
  • Document your privacy policies and procedures — written policies covering collection, use, disclosure, retention, and disposal of personal information
  • Build your breach response procedure — documented steps for assessing RROSH, filing with the OIPC Alberta, and notifying affected individuals
  • Review your vendor contracts — if you hold personal information on behalf of clients, understand your contractual and regulatory obligations when a breach occurs
  • Monitor OIPC Alberta communications for the PIPA amendment proclamation date and any private sector Privacy Management Program guidance published alongside it

MSP implications

If you are an MSP or IT service provider with public body clients in Alberta, POPA's June 2026 deadline is immediately relevant to your client relationships.

Your public sector clients are now required to have Privacy Management Programs. If you manage their infrastructure, hold their data, or process personal information on their behalf, your services are likely within the scope of their privacy documentation obligations. Clients may request updated data processing agreements, privacy terms in your service contracts, or information about your own privacy practices as part of their compliance work.

For breaches involving public body client data, POPA applies the same RROSH threshold and OIPC Alberta notification obligations you already know from PIPA. The response process is substantively the same — the difference is which statute the public body client is reporting under.


For guidance on Alberta PIPA breach notification obligations that currently apply to private sector organizations, see Alberta PIPA Breach Notification Requirements.

ClearBreach covers privacy breach obligations under PIPEDA, Alberta PIPA, and BC PIPA for private sector organizations. POPA governs Alberta public bodies and is outside ClearBreach's direct assessment scope. Quebec Law 25 and Ontario PHIPA are also outside scope.

This article is educational and does not constitute legal advice. It is grounded in published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.