Feedback wanted: Alberta launches consultation on private‑sector privacy law

Feedback important to help shape effective privacy laws that protect personal information 'while supporting innovation and business,' says government

Alberta is launching a public consultation to modernise its private‑sector privacy law, a move that could lead to significant changes in how businesses handle personal information.

The province has opened an online survey to gather views from Albertans and private‑sector organisations on updating the Personal Information Protection Act (PIPA), which governs how private organisations collect, use, disclose and protect personal information.

The act has been in force since 2004 and has not been substantially updated since 2010, despite what the Alberta government describes as “significant changes in technology, data use and public expectations around privacy.”

Alberta’s government says modernising the act is “an important step in ensuring Albertans have the strongest privacy protections in today’s digital world,” and that updates will explore ways to strengthen privacy rights, align with global standards and support innovation, while ensuring personal information is respected and protected.

“Albertans expect the strongest privacy protections in the country, and we want to hear directly from them to help shape the updated Personal Information Protection Act,” said Nate Glubish, Minister of Technology and Innovation, in the government’s announcement. “This engagement process is extremely important to help shape modern, effective privacy laws that protect personal information while supporting innovation and business within our province.”

Consultation timelines and process

The Alberta government will run a public consultation from Feb. 2 to May 1. As part of that process, an online survey will be open from Feb. 2 to Feb. 17. Stakeholders can participate via this link.

Input from Albertans, subject‑matter experts, private organisations and the Office of the Information and Privacy Commissioner will be considered in developing potential amendments to the act and its regulation.

According to the Alberta government, it has been engaging with stakeholders on privacy legislation since 2021. The renewed engagement is intended to confirm priorities, assess impacts on organisations and ensure future changes reflect Albertans’ expectations and “today’s digital realities.”

Currently, public servants’ use of AI is “exposing governments to potential risks,” according to a previous report.

Employers' responsibilities under PIPA

Here are some of employers’ responsibilities under the PIPA:

| Responsibility under PIPA | Description |
| --- | --- |
| Federal vs provincial coverage | Federally regulated entities such as banks, airlines and telecommunications providers are generally governed instead by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), not Alberta’s PIPA. |
| Scope of information covered | PIPA covers “personal information” about identifiable individuals and, crucially for HR, “personal employee information” about prospective, current and former employees, volunteers, apprentices, co‑op students and contractors or agents. |
| “Reasonable person” standard | Collection, use, disclosure and protection of personal information must be what a reasonable person would consider appropriate in the circumstances. |
| Overall privacy governance | Organisations subject to PIPA must create and follow reasonable privacy policies; at a high level, employers must limit collection, use and disclosure to reasonable purposes, rely on consent in most cases, safeguard information, manage retention and destruction, and support access and correction rights. |
| Collection without consent (employee data) | PIPA generally relies on consent and restricts what can be collected and how, but allows employers to collect personal employee information without consent when it is solely to establish, manage or terminate employment or volunteer relationships, or to manage post‑employment relationships, provided the collection is reasonable. |
| Notice to current employees on collection | For current employees, employers must give reasonable notice before collecting personal employee information and explain why it is being collected—this is critical for everyday HR activities like monitoring, performance tracking and health‑related accommodations. |
| Limits on use of personal information | Employers must only use personal information for reasonable purposes, typically those identified at the time of collection or closely related ones; using data for new HR analytics or secondary purposes may require fresh consent or clear justification under PIPA. |
| Use/disclosure without consent (employment‑related) | Organisations can use or disclose personal employee information without consent for employment‑related and certain reference‑check purposes if the use or disclosure is reasonable, but must give current employees reasonable notice before disclosing their information and explain the purpose. |
| Safeguards, retention and destruction | Employers must implement administrative, technical and physical safeguards suitable to the sensitivity of personal information and retain it only as long as necessary to meet its purposes and legal or business requirements, then securely destroy or anonymise it. |
| Mandatory breach reporting | Amendments to PIPA introduced mandatory breach reporting: employers must report breaches posing a “real risk of significant harm” to the Information and Privacy Commissioner, who can require notification of affected individuals—this makes structured incident‑response procedures essential for HR. |
| Access and correction rights | Employers must handle access and correction requests within PIPA timelines, correcting inaccurate information where appropriate or annotating the record if they disagree, which directly affects how HR manages personnel files and investigation records. |
| Accountability, policies and training | Organisations are expected to designate someone accountable for PIPA compliance (often a privacy officer), implement written privacy and security policies, and train employees—particularly HR and front‑line managers—on these obligations. |
| Service providers and cross‑border transfers | When using service providers, especially those outside Canada, employers must manage privacy risks, ensure appropriate protections and notify individuals when their information will be transferred abroad, which is critical given HR’s reliance on outsourced and cloud‑based systems. |
