Access and Privacy Office

Access to Information - Protection of Privacy 

The Government of Alberta repealed the Alberta Freedom of Information and Protection of Privacy Act (the “FOIP Act”) effective June 11, 2025 and has replaced this Act with two pieces of legislation that will both facilitate access to information and also protect the privacy of individuals concerning Mount Royal University within the Province of Alberta.

The two new Acts consist of:

• The Alberta Access to Information Act (the “ATIA”) and
• The Alberta Protection of Privacy Act (the “POPA”)

A summary of the purpose and functionality of both Acts are provided below.

The Alberta Access to Information Act 

The ATIA (here) is intended to modernize access to information rules and processes in response to an ever increasing digital environment. This Act falls under the responsibility of the Ministry of Service Alberta and Red Tape Reduction.

The purposes of the ATIA are the following:

1. To allow any person a right of access to the records in the custody or under the control of the University subject to limited and specific exceptions as set out in the Act;
2. To allow individuals, subject to limited and specific exceptions as set out in this Act, a right of access to personal information about themselves that is held by the University, and;
3. To provide for independent reviews of decisions made by the University under this Act and the resolution of complaints under this Act (via the Office of the Information and Privacy Commissioner).

The Ministry of Service Alberta and Red Tape Reduction has provided additional information concerning the ATIA on their website (here).

The Alberta Protection of Privacy Act 

The POPA (here) is intended to modernize protection of privacy operational processes for the University in response to an ever increasing digital environment. This Act falls under the responsibility of the Ministry of Technology and Innovation.

The purposes of the POPA are the following:

1. To control the collection, use and disclosure of personal information by the University;
2. To allow individuals a right to request corrections to personal information about themselves that is held by the University;
3. To control the creation, use and disclosure of data derived from personal information and non-personal data by the University; and
4. To provide for independent reviews of decisions made by the University under this Act and the resolution of complaints under this Act (via the Office of the Information and Privacy Commissioner).

The Ministry of Technology and Innovation has provided additional information concerning the POPA on their website (here).

What are the key operational changes for Mount Royal University Departments?
While much of the POPA reflects the language of the FOIP Act, there are a few notable changes for University Departments to consider regarding how they manage personal information under the POPA:

• The requirements for Notification Statements required prior to collecting personal information directly from an individual has been revised.
  • The University is now required under the POPA to notify individuals if it intends to input the collected personal information into an automated system, (for example through AI software), in order to generate content, make decisions, recommendations or predictions.
  • The new template Notification Statements under the POPA are available here. Contact foip@mtroyal.ca if you require assistance with how to adopt these changes.

• The POPA has established further requirements related to Data Matching activities.
  • The POPA defines Data Matching as meaning Data derived from personal information that is “created” through the linking of personal information between 2 or more databases or other electronic sources of information.
  • The Access and Privacy Office is establishing further departmental resources to support compliance with these new requirements. These Department resources will gradually be made available on MyMRU Access and Privacy (Electronic Records) website here.

• The University's approach to complying with its obligations under the POPA will be formally documented into a Privacy Management Program. This will be established by June 2026.

• The University is required to complete a Privacy Impact Assessment when onboarding or changing certain systems which manage personal information.
  • Privacy Impact Assessments consist of a review of the way personal information will be collected, used and disclosed within a process or system. This review is conducted by the Information Management and Privacy Advisor.
  • More information about Privacy Impact Assessments, including how to ask for a Privacy Impact Assessment can be found here.

• The University is now required to notify, through its Access and Privacy Office, both the Office of the Information and Privacy Commissioner ("OIPC") and Minister of Technology and Innovation in the event of a privacy breach which presents a real risk of significant harm.
  • While the University's previous practice has been to notify the OIPC in such circumstances the University's Access and Privacy Office will be updating its formal processes to ensure alignment with the new requirement.
  • For more information about Privacy Breach reporting can be found here.