Alberta - Data Protection Overview
1. Governing Texts
In Alberta, both private and public-sector organisations are subject to specific privacy statutes administered by a provincial independent body of the Legislative Assembly of Alberta ('the Legislative Assembly').
Below is an overview of Alberta's data protection landscape including the applicable law, its scope, existing regulatory authority, key definitions, available legal basis, principles, obligations on organisations, rights of individuals, and penalties for non-compliance.
The Office of the Information and Privacy Commissioner of Alberta ('OIPC') oversees four Alberta privacy statutes, including:
- the Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25 ('FOIP') and its associated regulations regulate and govern personal information held by public bodies and government institutions;
- the Personal Information Protection Act, SA 2003, c P-6.5 ('PIPA') and its associated regulations regulate and govern personal information held by private sector organisations;
- the Health Information Act, RSA 2000, c H-5 ('HIA') and its associated regulations regulate and govern health information in the custody and control of healthcare custodians;
- the Access to Motor Vehicle Information Regulation (Alberta Regulation 140/2003) ('AMVIR') (the OIPC has a role in reviewing the decisions of the Registrar of Motor Vehicle Services to grant access to personal driving and motor vehicle information); and
- Personal Information Protection Act Regulation (Alberta Regulation 366/2003) ('the Regulation').
The Office of the Privacy Commissioner of Canada ('OPC') administers two federal privacy statutes:
- the Privacy Act, RSC 1985, c P-21 ('the Federal Privacy Act'); and
- the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 ('PIPEDA').
PIPEDA does not apply to organisations that operate entirely within Alberta unless engaged in commercial activity that involves the flow of personal information across provincial or national borders. PIPEDA does apply to federal works, undertakings, or businesses operating in Alberta.
The Federal Privacy Act and its associated regulations apply to a person's right to access and rectify personal information held by the Government of Canada.
This summary will focus on the FOIP, PIPA, and the HIA, with a limited comment on the Federal Privacy Act and PIPEDA.
Both the OIPC and the OPC publish guidance materials on their websites to inform organisations and the public about their rights and responsibilities under Alberta's and Canada's privacy laws.
1.3. Case law
The OIPC issues and publishes a variety of decisions on its website. These decisions include formal binding orders, investigation reports, breach notification decisions, judicial reviews of OIPC orders, and external adjudication orders rendered pursuant to the FOIP and HIA.
These decisions are complemented by case law in order to provide direction to organisations and individuals with respect to privacy compliance requirements.
A recent notable Alberta decision regarding privacy law is the decision of the Alberta Court of King's Bench ('the Alberta King's Bench') in ES v Shillington, 2021 ABQB 739. This case recognised a new privacy tort: public disclosure of private facts. The Alberta King's Bench confirmed that this common law tort exists in Alberta, and the plaintiff was ultimately awarded CAD 155,000 (approx. €106,064) in damages.
In Shillington, the plaintiff and defendant were married for 11 years, over the course of which the plaintiff provided the defendant with explicit images of herself. Without the plaintiff's consent, the defendant went on to post these images on various pornography websites. The plaintiff brought an action against the defendant in response, which included an argument for the recognition of a tort for public disclosure of private information – a tort set out by the Ontario Court of Appeal in Jones v Tsige (2011 ONSC 1475) and officially recognised by Ontario Courts.
The Court set out four factors that a plaintiff must meet to establish such a tort in Alberta:
- the defendant publicised an aspect of the plaintiff's private life;
- the plaintiff did not consent to the publication;
- the matter publicised or its publication would be highly offensive to a reasonable person in the position of the plaintiff; and
- the publication was not of legitimate concern to the public.
The private information captured by this tort includes health records, financial records, sexual matters, and personal relationships. The Alberta King's Bench additionally held that if the information does not fall into one of the four categories, then the question to determine whether the information is private is: 'what would a reasonable person feel if they were placed in the same position as the claimant faced with the same publicity?'
The Shillington decision was upheld and the tort of public disclosure of private information was again recognised in LDS v SCA, 2021 ABQB 818, where the Alberta King's Bench dealt with the online distribution of sexually explicit photographs without consent. The Alberta King's Bench commented that online disclosure "is particularly insidious in that, the full impact of the online disclosure may never be known and may surface years in the future". The Court awarded CAD 130,000 (approx. €88,957) in general, aggravated, and punitive damages.
Although Shillington and LDS dealt with personal relationships, the holdings can be applied to businesses and the information they collect regarding or belonging to clients and employees.
2. Scope of Application
The FOIP applies to public bodies. These are defined in Section 1 of the FOIP, and examples of 'public bodies' include Ministries, Crown Corporations, local public bodies, the Alberta Ombudsman, and the Public Interest Commissioner.
The HIA outlines the rules applicable to the collection, use, and disclosure of health information, and applies to custodians that have custody or control of health information. Custodians are defined in Section 1(f) of the HIA as including, inter alia, regional health authorities such as Alberta Health Services, provincial health boards such as the Health Quality Council of Alberta ('HQCA'), nursing homes, ambulance operators, community clinics, and regulated health professionals such as physicians, dentists, chiropractors, registered nurses, pharmacists, and midwives.
Pursuant to the HIA, custodians have custody of records when the records are in the possession of the custodian. If a custodian has the power to retrieve records that are not immediately in their custody, those records are still under the custodian's control.
PIPA applies to provincially regulated private sector organisations, including corporations, unincorporated associations, professional regulatory associations, trade unions, partnerships, private schools or colleges, and any individual acting in a commercial capacity.
PIPA applies in a limited way to certain prescribed non-profit organisations, but only to the extent that those non-profits are involved in commercial activities. PIPA has been deemed substantially similar to PIPEDA.
PIPEDA applies to federally regulated organisations, federal works, undertakings or businesses operating in Alberta, and organisations that operate entirely within Alberta when and to the extent they are engaged in commercial activity that involves the flow of personal information across provincial or national borders.
Section 3 of the Federal Privacy Act defines the federal government institutions to which it applies.
PIPA applies to personal information collected, used, and disclosed by provincially regulated private sector organisations within Alberta.
The FOIP and the HIA are limited to public bodies and custodians, respectively, as defined within those Acts. See the definitions of public bodies and custodians as outlined in the section on personal scope.
Personal information means information about an identifiable individual. This information may be factual or subjective, recorded or not, and includes without limitation age, name, identification numbers, ethnicity, social status, employee files, loan records, medical records, or evaluations (Section 1 of PIPA).
Personal information means recorded information about an identifiable individual. Some examples include ethnicity, age, sex, marital status, education, employment history, identifying numbers, address, personal opinions, or criminal history (Section 1 of the FOIP).
Health information is defined as one or both of the following: diagnostic, treatment and care information, and registration information. Diagnostic, treatment, and care information can mean information about, inter alia, the physical and mental health of an individual, a health service provided to an individual, or any information respecting a health services provider who provides a health service to that individual. Registration information generally includes information that is collected for the purpose of registering an individual for the provision of health services (Section 1(1)(k) of HIA).
Personal information means information about an identifiable individual that is recorded in any form. Examples include race, religion, age, marital status, medical history, criminal history, address, fingerprints, or opinions (Section 3 of the Federal Privacy Act).
3.1. Main regulator for data protection
The OIPC is an independent office of the Legislative Assembly tasked with overseeing the FOIP, PIPA, and the HIA. The OIPC's mandate includes ensuring public bodies, custodians, and private sector organisations uphold the access to information and privacy rights contained in the laws of Alberta.
The OPC was established in 1983 following the passing of the Federal Privacy Act. The mission of the OPC is to protect and promote privacy rights, and the mandate of the OPC is to oversee compliance with the Federal Privacy Act and PIPEDA. The OPC is independent of government and reports directly to the Parliament of Canada.
3.2. Main powers, duties and responsibilities
Apart from overseeing Alberta's access and privacy laws, the OIPC also advocates for the access to information and privacy rights of Albertans, and investigates matters relating to the application of the privacy legislation it oversees. The OIPC also resolves access to information and privacy complaints or disputes between individuals and public bodies, and provides fair, independent, and impartial reviews related to access to information requests, and complaints related to the collection, use, and disclosure of personal and health information. The OIPC has the power to decide questions of fact and law by conducting inquiries and issuing binding orders.
In addition to enforcing PIPEDA and the Federal Privacy Act, the OPC provides advice and information for individuals regarding protecting their personal information. The OPC carries out its mandate and mission by investigating privacy complaints, conducting audits, pursuing court actions under PIPEDA and the Federal Privacy Act, publicly reporting on the personal information handling practices of public and private-sector organisations, supporting and publishing research into privacy issues, and promoting public awareness and understanding of privacy issues. Unlike the OIPC, the OPC does not have the authority to issue binding orders, but does issue non-binding recommendations and can enter into compliance agreements with organisations.
4. Key Definitions
Data controller: 'Data controller' is not a term explicitly defined under Alberta and Canadian privacy statutes. Instead, the FOIP refers to public bodies, the HIA refers to custodians, PIPA refers to private sector organisations, and the Federal Privacy Act refers to government institutions. See section on personal scope above for a further description of these terms.
Data processor: 'Data processor' is not a term explicitly defined under Alberta and Canadian privacy statutes. However, the HIA uses the term 'information manager' and provides custodians with the power to enter into an agreement with an information manager. An information manager is a person or body that processes, stores, retrieves, or disposes of health information in accordance with the regulations; that strips, encodes, or otherwise transforms individually identifying health information to create non-identifying health information; or that provides information management or information technology services in a manner that requires the use of health information.
Personal data: 'Personal information' is defined slightly differently under Alberta and federal Canadian privacy laws, but generally means information about an identifiable individual (in some statutes, specified as recorded information). Examples include race, ethnicity, age, sex, family status, criminal or employment history, address, telephone numbers, and opinions of the individual. See the section on territorial scope above for additional details on each statute.
Sensitive data: Alberta and federal Canadian privacy statutes do not generally differentiate between different levels of personal information. However, one of the factors to take into consideration when determining whether a breach of security safeguards creates a real risk of significant harm to the individual affected is the sensitivity of the personal information involved in the breach (Section 10.1(8) of PIPEDA). Moreover, while any type of information can be considered sensitive, medical records and income information are almost always considered to be sensitive (Section 10.1(8) of PIPEDA).
Health data: 'Health information' is defined in the HIA to include information with respect to the physical or mental health of an individual, information with respect to any health service provided to an individual, information regarding any donation of a body part or bodily substance, information that is collected while providing health services to an individual or incidentally to the provision of health services to an individual, a drug provided to an individual, a healthcare aid or device provided to an individual, amount of any benefit paid or payable in respect to a health service provided to an individual, and/or registration information (information that is collected for the purpose of registering an individual for the provision of health services).
Biometric data: Alberta and Canadian privacy statutes do not provide a specific definition of 'biometric data'. However, depending on the nature of such information, biometric data could be considered personal or health information.
Pseudonymisation: 'Pseudonymisation' is not defined in Alberta and Canadian privacy statutes; however, the OPC has previously found that where personal information is properly de-identified or anonymised, such that the information can no longer be used to identify an individual, the information will no longer be considered 'personal information' within the meaning of the applicable Act.
The HIA provides a definition for 'non-identifying' health information which means that the identity of the individual who is the subject of the information cannot be readily ascertained from the information. Non-identifying health information may generally be collected, used, and disclosed for any purpose.
5. Legal Bases
In general, Alberta and Canadian privacy statutes require organisations to obtain consent for the collection, use, and disclosure of personal information.
PIPA specifically requires organisations to inform individuals as to the purposes for which their personal information will be used. Consent is only valid in respect of the purposes the individual was informed about. Moreover, consent is not valid if an organisation attempts to obtain consent by providing false or misleading information regarding the collection, use, or disclosure of the information, or by using deceptive or misleading practices (Section 10 of PIPA). Additionally, an individual may withdraw or vary consent to the collection, use, or disclosure by giving reasonable notice (Section 9 of PIPA).
Similar consent requirements apply to custodians under the HIA, in that an individual may revoke their consent at any time (Section 34(2) of HIA).
Furthermore, no public body can use personal information under its control without consent, unless it is being used for the purpose for which it was obtained or for one of the enumerated exceptions set out in the FOIP (Section 39 of the FOIP).
This concept is generally not provided for in Alberta and Canadian privacy statutes. However, the consent requirement outlined in section on consent above can generally be fulfilled by either oral or written consent from the subject individual.
The FOIP, PIPA, and the HIA all provide for several exceptions to the general rule against the disclosure of personal information without consent. A number of these exceptions relate to different legal obligations of the public body or custodian. Some examples include:
- complying with subpoenas and other court or government orders;
- disclosing, under a public requirement, personal information to appropriate authorities in matters of significant public interest;
- where the individual is a minor, seriously ill, or mentally incapacitated, and seeking consent is impossible or inappropriate; and
- in order to comply with an Act or regulation.
A public body may disclose personal information where the public interest in disclosure clearly outweighs any invasion of privacy that could result from disclosure (Section 32(1) of the FOIP).
A custodian is permitted to disclose health information without consent where the custodian believes on reasonable grounds that the disclosure will avoid or minimise danger to the health or safety of any person (Section 35(1)(m) of the HIA).
Moreover, PIPA sets out several circumstances in which disclosure of personal information is permitted without the consent of the individual to whom the information relates. One of these exceptions allows for the disclosure of information where the disclosure is due to an emergency that threatens the life, health, or security of an individual (Section 20 of PIPA).
See section on interests of the data subject.
Organisations may only collect personal information for reasonable purposes and may only collect information to the extent that it is reasonable for meeting the purposes for which the information is collected (Section 11 of PIPA).
Under the FOIP, a public body is permitted to disclose personal information for the purposes for which the information was obtained or compiled by the public body or for a use consistent with that purpose.
A custodian shall only collect health information that relates directly to and is necessary for the purpose for which it is being collected (Section 20 of the HIA).
A public body is permitted to collect and disclose personal information for the purpose of management, audit, and/or administration of personnel of the government institution (Sections 34(1) and 40(1) of the FOIP).
Schedule 1 of PIPEDA sets out ten principles that organisations subject to PIPEDA must follow for the protection of personal information:
- accountability;
- identifying purposes;
- consent;
- limiting collection;
- limiting use, disclosure, and retention;
- accuracy;
- safeguards;
- openness;
- individual access; and
- challenging compliance.
To comply with accountability requirements under PIPEDA, organisations are required to appoint an individual responsible for the organisation's compliance with PIPEDA and develop personal information policies and practices. Further, under the accountability principle, an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.
To comply with identifying purposes requirements under PIPEDA, organisations are to identify and document why personal information is needed and notify individuals of the purposes for collection. Under the consent principle, organisations are to obtain the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate. Under the limiting collection principle, organisations are not to collect personal information indiscriminately or deceive individuals about the reasons for collection.
To limit use, disclosure, and retention under PIPEDA, organisations are to only disclose personal information for the purpose for which it was collected (unless the individual consents), keep personal information for a reasonable time to allow the individual to access it but only if needed, and destroy information that is no longer required for an identified purpose or legal requirement. Under the accuracy principle, organisations are to minimise the possibility of using incorrect personal information. Under the safeguard principle, organisations are to protect personal information against loss or theft and safeguard it against unauthorised access or disclosure.
To ensure openness, organisations are to inform customers, clients, and employees of their policies for managing personal information and make these policies easy to understand in accordance with PIPEDA. Under the individual access principle, organisations are to allow individuals access to their personal information and correct or amend inaccuracies or deficiencies. Under the challenging compliance principle, organisations are to develop simple accessible complaint procedures, inform individuals of their avenues for recourse, and investigate all complaints received.
Alberta privacy statutes
Organisations may only collect personal information for reasonable purposes and may only collect information to the extent that it is reasonable for meeting the purposes for which the information is collected. Per Section 13 of PIPA, the organisation must notify the subject individual as to the purposes for which the information is collected (Section 11 of PIPA).
Public bodies may only collect information if the collection is expressly authorised by another federal or provincial law, for the purposes of law enforcement, or if the information is collected for a purpose that relates to an existing or proposed program or activity of the public body (Section 33 of the FOIP).
Custodians are required to only collect, use, or disclose health information that relates directly to and is necessary for the purpose for which it is being collected, used, or disclosed (Section 20 of the HIA).
Organisations must make a reasonable effort to ensure any personal information is accurate and complete to the extent that is reasonable (Section 33 of PIPA). Public bodies are required to ensure that personal information being used to decide matters that directly affect the individual is as accurate and complete as reasonably possible (Section 35 of the FOIP). A similar duty is imposed on custodians (Section 61 of HIA).
A public body is required, where reasonable, to collect information directly from the individuals to whom the information relates, unless the collection falls into one of the enumerated exceptions (Section 34 of the FOIP).
An organisation has a duty to assist applicants with every reasonable effort (Section 27 of PIPA).
Moreover, an organisation must protect the personal information that is under its custody or control by making reasonable security arrangements against risks such as unauthorised access, collection, use, disclosure, copying, modification, disposal, or destruction (Section 34 of PIPA).
Public bodies are required to protect personal information by making reasonable security arrangements against risks such as unauthorised access, collection, use, disclosure, or destruction (Section 38 of the FOIP).
Furthermore, custodians have a duty to collect, use, or disclose health information with the highest degree of anonymity possible. Custodians also have a duty to take reasonable steps to maintain administrative, technical, and physical safeguards to protect health information (Section 57 of the HIA).
7. Controller and Processor Obligations
Public bodies and custodians under the FOIP and the HIA, respectively, are generally not required to notify the OIPC about their data collection, use, or disclosure activities.
Under PIPA, organisations do not generally have a requirement to notify the OIPC about the collection, use, or disclosure of personal information. However, organisations are required to report to the OIPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm.
While PIPA does not prohibit the transfer of personal information outside of Canada, it does establish rules and principles that ensure organisations remain accountable for personal information when it has been transferred to a third party or to a location outside of Canada. Moreover, organisations that directly or indirectly transfer personal information to a service provider outside of Canada must notify the subject individual(s) (Section 13.1(2) of PIPA). Generally, the same applies to organisations subject to PIPEDA (Principle 4.1.3 of PIPEDA):
'An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party'.
The OPC has provided further guidance on the phrase 'comparable level of protection' stating that this requires an organisation to ensure that, 'the third-party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred'. This is in line with the Guidelines for Processing Personal Data Across Borders (27 January 2009) the OPC has released on the trans-border flow of data.
Processing is not explicitly defined in Alberta or federal privacy statutes. However, there exists a requirement under PIPEDA for organisations to maintain a record of every breach of security safeguards involving personal information under their control. Furthermore, organisations are required to document the purposes for which personal information is collected.
Custodians are required to submit a Privacy Impact Assessment ('PIA') for review by the OIPC before implementing any proposed new practice or system, or any changes to practices or systems relating to the collection, use, and disclosure of health information (Section 64 of the HIA). For further information on PIAs for the collection, use, and disclosure of health information, please see the OIPC's PIA guidance ('the PIA Guidance') and its PIA Requirements guidance. Furthermore, the OIPC provides a list of the accepted PIAs in each calendar year in the OIPC PIA Guidance and operates the PIA Registry, a comprehensive list of all submitted PIAs.
Public bodies and private sector organisations under the FOIP and PIPA, respectively, and federally regulated organisations under PIPEDA, are not mandated or required to submit Data Protection Impact Assessments. Federal public-sector institutions, however, are required to conduct PIAs pursuant to the Directive on PIA.
Organisations must designate one or more individuals to be responsible for ensuring that the organisation complies with PIPA (Section 5(3) of PIPA). Other individuals within the organisation may be delegated to act on behalf of the DPO as their representative (Part 2, Division 1, Section 5(4) of PIPA).
If an organisation has designated one or more offices within the organisation to handle subject access requests, the organisation must make public the address of that office and the methods by which that office can receive requests (Part 3, Sections 8(1) and (2) of the Regulation). Moreover, the OIPC recommends that the identity of the DPO be made clear to all staff within the organisation and that their contact information be available on the organisation's website (page 19 of A Guide for Business and Organisations on the Personal Information Protection Act ('the PIPA Guide')).
Similarly, for organisations subject to PIPEDA, an organisation is required to designate an individual or individuals who are accountable for the organisation's compliance with the privacy principles set out in PIPEDA. In addition, organisations must make available to individuals the name or title, and the address, of the person who is accountable for the organisation's policies and practices and to whom complaints or inquiries can be forwarded.
According to the PIPA Guide, the OIPC outlines that the DPO should:
- be the contact person(s) for answering questions about PIPA and taking access requests and complaints under PIPA; and
- develop and put into practice policies and procedures to protect personal information.
In addition, according to the Privacy Management Program – at a Glance Fact Sheet ('the PMP Fact Sheet'), the OIPC states that the DPO should also:
- ensure that the role and responsibilities for monitoring compliance are clearly identified and communicated throughout the organisation;
- be responsible for the development and implementation of the program controls and their ongoing assessment and revision; and
- develop an oversight and review plan on an annual basis that sets out how they will monitor and assess the effectiveness of the organisation's program controls.
The OIPC further details that the DPO would be responsible for the privacy management programme, which the OIPC recommends in order to comply with Part 2, Division 1, Section 5(3) of PIPA. According to the guide Getting Accountability Right with a Privacy Management Program ('the PMP Guide'), this involves:
- establishing and implementing programme controls;
- coordinating with other appropriate persons responsible for related disciplines and functions within the organisation;
- being responsible for the ongoing assessment and revision of programme controls;
- representing the organisation in the event of a complaint investigation by a privacy commissioner's office; and
- advocating privacy within the organisation itself.
Furthermore, the OIPC has stated that the DPO should develop an oversight and review plan annually that sets out how and when they will monitor and assess the organisation's privacy management programme's effectiveness. The plan should establish performance measures and include a schedule of when all policies and other programme controls will be reviewed (the PMP Guide, page 16).
Organisations subject to PIPA are not required to notify individuals by default if there is a breach, or instance of unauthorised access to or disclosure of personal information. However, organisations must provide notice to the OIPC if there is any breach of security safeguards involving personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss (Section 34.1 of PIPA). Moreover, in some cases the OIPC can require the organisation to notify individuals to whom there is a real risk of significant harm as a result of the breach (Section 37.1 of PIPA).
Furthermore, an individual has a right to be informed by an organisation of any breach of security safeguards involving the individual's personal information if it is reasonable to believe that the breach creates a real risk of significant harm to the individual (Section 10.1(3) of PIPEDA). In addition, organisations are required to report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach created a real risk of significant harm. Significant harm includes, 'bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property'.
The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual affected by the breach include the sensitivity of the personal information involved in the breach and the probability the personal information will be misused. The OPC has provided guidance on what constitutes 'real risk of significant harm'.
Under PIPA and PIPEDA, respectively, organisations are required to retain personal information only as long as necessary for the fulfillment of the purpose for which it was collected. No specific retention periods are included in the HIA, however, other Alberta legislation or requirements of professional colleges of regulated health professions may place retention requirements on health information.
An organisation is required to keep and maintain a record of every breach of security safeguards involving personal information under its control (Section 10.3(1) of PIPEDA).
Under the FOIP and the HIA (with minor variances), where an individual is less than 18 years of age, any right or power conferred on that individual is exercisable by their legal custodian, so long as the exercise of the right or power would not constitute an unreasonable invasion of the privacy of the individual. While these Acts do not generally differentiate between adults and children, for consent to be valid it must be meaningful and informed, which suggests that a child's consent may not be valid in every circumstance.
Similar to the Alberta statutes mentioned above, PIPEDA provides that consent for the collection, use, and disclosure of personal information must be meaningful and that user expectations should be taken into consideration in determining the proper form of consent. See the discussion above in the section on consent. Further to these requirements, the OPC has released guidance on the collection of personal information from children that recommends limiting, or avoiding altogether, the collection of personal information from children.
Generally, Alberta and Canadian federal privacy statutes do not differentiate between different types of personal information. However, as mentioned above in the section on key definitions, when assessing the real risk of significant harm under PIPEDA, the sensitivity of the information involved is one factor to consider.
See the discussion above in the section on data transfers.
8. Data Subject Rights
Under PIPEDA, individuals are entitled to be informed of the existence, collection, use, and disclosure of their personal information by an organisation upon request.
While the FOIP, PIPA, and the HIA do not contain a specific right to be informed, as noted above, in order to obtain valid consent under any of these Acts, the consent of the individual must be informed.
Under PIPA, PIPEDA, the HIA, and the FOIP, individuals are entitled to a right of access to their personal information (or in the case of the HIA, their health information).
Organisations subject to PIPA or PIPEDA are expected to allow individuals to challenge the accuracy and completeness of their personal information and have it amended as appropriate.
Public bodies are required to provide individuals with a right of correction; whereby, individuals who are given access to a record that contains personal information about themselves are entitled to request the correction of the personal information in the record they believe contains an error or omission (Section 36 of the FOIP).
Individuals have the right to an amendment or correction to their health information (Section 13 of HIA).
While PIPA and PIPEDA afford individuals the right to withdraw consent and challenge the accuracy, completeness, and currency of their personal data, they do not grant a specific right to require organisations to erase or delete their personal information.
Other Alberta privacy statutes also do not provide a right of erasure or deletion to individuals.
PIPA, PIPEDA, the FOIP, and the HIA do not provide a right to object or opt out of processing. However, the HIA and PIPEDA specifically provide that an individual may withdraw their consent to the processing at any time.
Alberta and Canadian federal privacy statutes do not provide for a right of data portability.
Alberta and Canadian federal privacy statutes do not provide for a right to not be subject to automated decision making.
Additional rights under Alberta and Canadian federal privacy statutes include an individual's right to make a complaint to the relevant data protection authority. In the case of the FOIP, PIPA, and the HIA, the relevant authority is the OIPC, while under PIPEDA it is the OPC.
Individuals have the right to be informed by an organisation of any breach of security safeguards involving the individual's personal information if it is reasonable to believe that the breach creates a real risk of significant harm to the individual (Section 10.1(3) of PIPEDA). See section on breach notification, above for further details on these rights and reporting requirements.
Every person who wilfully collects, uses, or discloses personal information in contravention of the Act or its associated regulations is guilty of an offence and liable to a fine of not more than CAD 10,000 (approx. €6,840). A number of more specific offences are provided for in the Act (Section 92 of the FOIP).
Every person who knowingly contravenes any provision of HIA or its associated regulations is guilty of an offence and liable to a fine of not more than CAD 200,000 (approx. €136,800), and in the case of a corporation to a fine of not more than CAD 1 million (approx. €684,000) (Section 107 of the HIA). There are several other offences outlined in Section 107 of the Act that carry the same maximum penalty set out above.
Organisations and individuals that contravene various sections of the Act are liable, in the case of an individual, to a fine of not more than CAD 10,000 (approx. €6,840), or in the case of an organisation, to a fine of not more than CAD 100,000 (approx. €68,400) (Section 59 of PIPA). No person is liable to prosecution for an offence by reason only of complying with a requirement of the OIPC under PIPA. In addition, neither an organisation nor an individual will be guilty of an offence under PIPA if it is established (to the satisfaction of the court) that they acted reasonably in the circumstances.
Organisations that knowingly contravene certain sections (a failure to retain personal information long enough for individuals to access and correct it, a failure to report security breaches, a failure to maintain records of security breaches, and disciplining or disadvantaging whistleblowers) or obstruct the OPC's investigation of a complaint are guilty of a summary conviction offence and liable to a fine of up to CAD 10,000 (approx. €6,840) or an indictable offence and liable to a fine of up to CAD 10,000 (approx. €6,840) (Section 28 of PIPEDA).
It is an offence under the Federal Privacy Act to obstruct the OPC in their performance of duties and functions under the Act, and each person who commits this offence is liable on summary conviction to a fine of up to CAD 1,000 (approx. €684).
In addition to the possibility that an individual, organisation, or public body may receive a fine or penalty under Alberta or Canadian federal privacy statutes, the Competition Bureau of Canada ('the Bureau') has recently exercised its powers under its own governing legislation to penalise a social media company for making false or misleading claims to the public about the privacy of individuals' personal information. As a result of its findings, the social media company and the Bureau entered a consent agreement requiring the company to pay a CAD 9 million (approx. €6.15 million) penalty, plus an additional CAD 500,000 (approx. €342,000) for the costs of the investigation.
Generally, the main consequence of non-compliance with the privacy legislation in Alberta is reputational damage, although there is also the potential for litigation exposure including the risk of individual lawsuits and class actions, as well as unionised employees taking action to access remedies available under the applicable collective bargaining agreement and labour legislation.