New Privacy Legislation - POPA & ATIA: A Governance and Compliance Perspective
Executive Summary
Alberta’s introduction of the Protection of Privacy Act (POPA) and Access to Information Act (ATIA) represents a structural shift in how public sector organizations must govern information. These Acts replace the longstanding Freedom of Information and Protection of Privacy Act (FOIP), introducing expanded scope, new obligations, and increased expectations for demonstrable compliance. This includes mandatory breach reporting requirements and clearer thresholds for when incidents must be escalated to the Office of the Information and Privacy Commissioner.
Across municipalities, post-secondary institutions, and broader public sector organizations, a consistent pattern is emerging: while awareness of legislative change is increasing, organizational readiness remains uneven and is often overestimated. Many organizations have initiated gap assessments or policy reviews; however, these efforts alone do not establish compliance.
The core issue is not awareness of requirements. It is the ability to translate those requirements into operational, enforceable, and auditable practices across governance, processes, people, and technology.
This paper presents the Tantus perspective that POPA and ATIA represent a governance and operational reset rather than a minor legislative update. Compliance requires coordinated capability across the organization, not documentation alone. The primary risk is not only regulatory penalty, but the lack of defensibility in audit, breach, access request, or investigation scenarios.
Many organizations remain underprepared for the level of coordination, technical enablement, and investment required. While legal and policy teams define obligations, IT, cybersecurity, records management, data governance, and business units are required to make those obligations operational in practice.
Privacy compliance is not a legal problem. It is an organizational capability problem.
Organizations that treat POPA and ATIA as a compliance exercise will struggle. Those that treat them as a governance capability will succeed.
Introduction
Public sector organizations in Alberta are entering a new phase of privacy and information access accountability. For decades, the Freedom of Information and Protection of Privacy Act provided the primary legislative framework for access to information and privacy protection. That framework has now been replaced by two separate pieces of legislation: POPA and ATIA.
This separation matters. It reflects a broader recognition that privacy governance and access to information are related, but distinct, disciplines. Privacy now requires deeper attention to how information is collected, used, disclosed, protected, transformed, retained, and governed. Access to information requires public bodies to maintain reliable, timely, and defensible processes for responding to requests.
For municipalities and post-secondary institutions, the change is especially significant. These organizations manage complex information environments that include resident records, employee information, operational data, student information, geospatial data, financial information, case management records, utility information, security logs, and increasingly, analytics and AI-enabled data products.
The practical implication is clear: POPA and ATIA cannot be addressed through legal interpretation alone. They require governance structures, operational processes, technical controls, workforce awareness, and evidence that the organization is managing privacy and access obligations in a deliberate and defensible way.
This paper is written for public sector executives, governance leaders, IT leaders, privacy professionals, cybersecurity leaders, records and information management teams, and business owners. Its purpose is to explain why POPA and ATIA should be treated as an enterprise governance priority, what readiness actually requires, and how organizations can begin moving from awareness to defensible compliance.
The Legislative Reset: From FOIP to POPA and ATIA
The Freedom of Information and Protection of Privacy Act (FOIP) was repealed in June 2025, at which time the POPA and ATIA dual framework came into effect. This transition is illustrated in Figure 1.
Figure 1: Shift from a single to a dual legislative framework
This transition is sometimes interpreted as a legislative update. In practice, it is more significant than that. It represents a restructuring of Alberta’s public sector privacy and access framework.
This legislative shift was driven by recognition that the previous FOIP framework did not adequately address the realities of modern data use. Public bodies now operate in environments where information is routinely aggregated, transformed, shared, and analyzed across systems, partners, and use cases. The growth of digital services, analytics, and increasingly AI-enabled data processing has increased both the value of data and the risk to individuals if it is misused or insufficiently protected.
POPA introduces a more explicit focus on protecting individuals in this context. It strengthens requirements around how personal information is handled, expands obligations to include derived and non-personal data, and establishes clearer expectations for accountability, documentation, and oversight. The intent is not only to regulate information, but to ensure that public bodies can demonstrate that they are managing data responsibly in an increasingly complex environment.
Under the previous model, FOIP addressed both access to information and privacy protection. Under the new model:
POPA governs privacy and data use by public bodies
ATIA governs access to information processes
Both Acts came into force on June 11, 2025
POPA introduces a requirement for public bodies to establish and maintain a Privacy Management Program (PMP), with a key compliance milestone by June 11, 2026
Technical controls are required to enforce PMP obligations. This includes capabilities such as:
Data classification
Access controls aligned to least privilege
Retention and disposal enforcement
Logging and monitoring
Data protection measures such as Data Loss Prevention (DLP)
This shift matters because it changes the expectations placed on public bodies. Organizations are no longer being asked simply to understand privacy obligations. They are expected to demonstrate that those obligations are embedded into governance, operations, and control environments.
Key changes include:
Mandatory Privacy Management Programs
Designated privacy accountability
Privacy Impact Assessment expectations
Breach management and notification obligations
Expanded treatment of derived and non-personal data
Stronger penalties and enforcement mechanisms
More explicit expectations for documented, demonstrable compliance
A significant shift under POPA is the introduction of a more explicit and enforceable penalty framework. Under the previous FOIP Act, enforcement was limited and fines were relatively low, with a maximum penalty of approximately $10,000 and minimal historical use of enforcement mechanisms.
POPA introduces substantially higher penalties and expands accountability to both organizations and individuals. For offences involving personal information, penalties can reach up to $125,000 for individuals and $750,000 for organizations. For data-related offences, including misuse of non-personal or derived data, penalties can reach up to $200,000 for individuals and $1 million for organizations. These changes are summarized in table 1, which contrasts the enforcement model under FOIP with the expanded penalty and accountability framework introduced under POPA.
Table 1: Evolution of Enforcement and Penalties from FOIP to POPA
This represents a material change in enforcement posture. The introduction of individual liability, combined with higher financial penalties, signals a shift toward greater accountability and deterrence. Public bodies and their employees are now expected not only to comply, but to demonstrate that reasonable and proportionate safeguards are in place and actively maintained. This shift reinforces that privacy compliance is no longer a low-risk administrative obligation. It carries tangible legal, financial, and reputational consequences.
The significance of the legislative reset is not limited to privacy teams. It affects organizational decision-making, data governance, IT system configuration, access controls, vendor management, breach response, records management, analytics, and staff behaviour.
From an individual perspective, these changes strengthen protections by addressing risks that were previously less visible. Even where direct identifiers are removed, individuals can still be affected by how their data is used, combined, or analyzed. POPA’s expanded scope reflects the reality that privacy risk is not limited to identifiable information, but extends to how data can influence decisions, outcomes, and potential harm at scale.
Privacy as a Governance Discipline
Privacy has historically been treated in many organizations as a legal, policy, or records management function. That framing is now too narrow.
Under POPA, privacy must be understood as a governance discipline that extends across multiple organizational functions. It intersects with data governance, cybersecurity, records and information management, risk management, procurement and vendor oversight, business process design, system configuration, workforce training, and incident response. This broader perspective is critical because privacy obligations cannot be fulfilled through policy statements alone. While policies may define what should happen, governance determines who is accountable, operational processes define how work is performed, and technology ultimately determines whether requirements can be consistently enforced in practice.
Data creates risk. Governance defines control. Technology enforces it.
Figure 2: Privacy as a Governance Discipline
This relationship is represented in Figure 2, which illustrates how data creates risk, governance defines control, and technology enables enforcement and evidence.
For example, an organization may have a policy stating that personal information should only be accessed by authorized users. That policy becomes meaningful only when:
Roles and responsibilities are defined
Access approvals are documented
System permissions are configured
Access is reviewed periodically
Monitoring or audit trails exist
Staff understand their responsibilities
Exceptions are escalated and resolved
This relationship between data, risk, and control is central to POPA readiness. As organizations generate, transform, link, analyze, retain, and disclose information, they must understand not only what data exists, but how risk changes throughout the data lifecycle. This lifecycle is illustrated in figure 3, which highlights how privacy obligations evolve as data is collected, used, shared, retained, and ultimately destroyed.
Figure 3: Data Lifecycle and Associated Privacy Obligations
The Misconception Problem: Compliance is Not Triggered by Attention
One of the most concerning misconceptions across parts of the public sector is the belief that compliance risk is low because an organization does not expect to be a focus of regulatory attention (unless they experience a breach).
This assumption is not defensible.
Compliance is not triggered by an audit, complaint, breach, access request, or investigation. Compliance is an ongoing obligation. Public bodies must be able to demonstrate that they have taken reasonable, structured, and proportionate steps to meet their obligations.
Organizations should assume that, at some point, they may need to demonstrate:
Who is accountable for privacy governance
What policies and procedures are in place
How staff are trained
How PIAs are triggered and completed
How breaches are assessed and escalated
How access requests are managed
How data matching and derived data activities are governed
How technical safeguards support legal and policy requirements
How decisions are documented
The absence of previous enforcement activity does not remove the obligation to comply. It also does not provide a defensible rationale for inaction.
Technology alone does not create compliance.
Alignment between governance, operational processes, and technical controls does.
The risk is not only that an organization may face penalties. The more immediate risk is that an organization may be unable to demonstrate reasonable due diligence when challenged.
These misconceptions are summarized in Table 2, which contrasts common assumptions with the operational reality required under POPA and ATIA.
Table 2: Perception vs Reality in Privacy Compliance
Scope Expansion: Beyond Personal Information
One of the most significant changes introduced by POPA is the expanded treatment of data beyond traditional personal information.
Under the previous FOIP-oriented mindset, many organizations focused primarily on identifiable personal information and records management. POPA requires a broader view. The new legislation introduces or emphasizes obligations connected to:
Personal information
Non-personal data derived from personal information
Data matching
Re-identification risk
Controls over creation, use, disclosure, and protection of this data
This is a major shift. Privacy is no longer limited to obvious identifiers such as name, address, date of birth, employee number, or account number. It extends into how information is transformed, analyzed, combined, de-identified, anonymized, and potentially re-identified. Figure 4 illustrates data transformation, which is a subset of the full data lifecycle referenced in Figure 3, demonstrating how obligations persist across collection, use, sharing, retention, and destruction.
Figure 4: Data Transformation Lifecycle
For municipalities and post-secondary institutions, this matters because many business activities rely on data use beyond individual records. Examples include:
Program analytics
Service demand forecasting
Geospatial analysis
Student success analysis
Resident service dashboards
Asset management planning
Community trend analysis
Data sharing with partners
Reporting and business intelligence
Even where identifiers are removed, obligations may remain. If data is derived from personal information, or if it can be linked, matched, or re-identified, governance and control expectations still apply.
Even data without identifiers can carry privacy obligations.
This expands the compliance conversation from “Where do we store personal information?” to “How does information move, change, combine, and create risk across the organization?”
Understanding this lifecycle is critical to POPA readiness. Privacy risk does not exist at a single point in time, but evolves as data moves through the organization, requiring controls and oversight at each stage.
ATIA: Access to Information as an Operational Discipline
While POPA has received significant attention because of privacy and penalty implications, ATIA also introduces important operational expectations.
ATIA replaces the access to information portion of FOIP and establishes the formal process for requesting access to records in the custody or control of public bodies [1]. This requires organizations to maintain reliable and timely processes for receiving, tracking, searching, reviewing, redacting, and responding to access requests.
For many organizations, this creates practical challenges. Access to information depends on the quality of underlying records and information management. If records are poorly classified, inconsistently stored, duplicated across systems, retained longer than required, or difficult to search, ATIA compliance becomes harder and more expensive.
ATIA therefore depends on several organizational capabilities:
Clear request intake processes
Searchable and well-managed records
Consistent redaction and review processes
Decision letter templates and approval workflows
Deadline tracking and escalation
Secure electronic disclosure methods
Training for staff who may hold responsive records
The operational risk is not only missing a statutory deadline. The broader risk is being unable to demonstrate that the organization made reasonable, complete, and well-documented efforts to respond appropriately.
ATIA reinforces the same central theme as POPA: information governance is no longer optional administrative hygiene. It is a compliance capability.
Why Many Organizations Remain Underprepared
Despite increasing awareness of POPA and ATIA, many organizations remain underprepared for full compliance. This is not because public bodies are ignoring the issue. In many cases, the problem is that they are underestimating the scale and nature of the work required.
Over-Reliance on Gap Assessments
Gap assessments are useful and often necessary. They help establish current state, identify priority risks, and build a roadmap. However, a gap assessment does not create compliance.
A gap assessment:
Identifies issues
Prioritizes gaps
Provides recommendations
Supports planning
It does not:
Establish governance
Implement controls
Train staff
Configure systems
Resolve ownership
Organizations that stop at the assessment stage may have improved awareness, but not improved compliance capability.
Fragmented Accountability
Privacy, access, data governance, cybersecurity, records management, and business operations often sit in different parts of the organization. Each may own part of the problem, but no single function can solve it alone. Without clear governance and defined accountability, organizations frequently experience delayed decision-making, conflicting interpretations of requirements, inconsistent implementation across departments, unclear escalation paths, and gaps between policy intent and actual system behaviour.
Limited Technical Alignment
Legal and policy teams can define requirements, but IT is required to help enact them. This includes system configuration, identity and access management, logging, retention controls, data loss prevention, secure sharing, and monitoring.
Where technical controls are not aligned to privacy obligations, compliance becomes dependent on manual effort and user behaviour. That is rarely sustainable.
Underestimation of Effort
Many organizations underestimate the time required to move from awareness to defensible compliance. Developing a Privacy Management Program, establishing governance, aligning technical controls, updating procedures, training staff, and embedding change across departments is not a short-term exercise.
Data governance maturity determines privacy compliance success.
Organizations with weak data governance, unclear ownership, inconsistent classification, poor retention practices, and limited system visibility will find POPA and ATIA compliance significantly harder.
What Compliance Actually Requires
Compliance with POPA and ATIA requires coordinated capability across three domains: governance, operational processes, and technical controls.
Governance
Governance defines accountability, decision rights, and oversight across the organization.
This includes establishing a designated Privacy Officer, clearly defining roles and responsibilities, and implementing governance structures such as committees or working groups to support coordination and decision-making. Effective governance also requires defined escalation paths, formal decision-making structures, and a supporting policy and standards framework, along with regular reporting to leadership. Critically, governance must be integrated with cybersecurity, records management, data governance, and broader risk management functions.
Ultimately, governance answers the question: Who is accountable, and how are decisions made?
Operational Processes
Operational processes translate obligations into repeatable, day-to-day activities across the organization.
This includes establishing Privacy Impact Assessment (PIA) processes, breach response workflows, and formal access request procedures, alongside ongoing privacy training to build awareness and capability. Organizations must also implement structured breach reporting and escalation, govern data matching activities, and conduct vendor and third-party privacy reviews where applicable. Effective operations rely on consistent documentation and evidence management, supported by defined metrics and monitoring to track performance and compliance.
Effective operations address the question: How does the organization consistently do the right thing?
Technical Controls
Technical controls enable and enforce privacy and access requirements. This includes:
Data classification
Identity and access management
Retention and disposal controls
Logging and monitoring
Secure file sharing
Data loss prevention
Encryption
Backup and recovery controls
Endpoint and cloud configuration
eDiscovery and search capabilities
Technical controls answer the question: How are requirements enforced and evidenced in systems?
As illustrated in Figure 5, compliance is only defensible when governance, operational processes, and technical controls work together.
Figure 5: Three Pillar Model for Compliance
Organizational and Workforce Implications
POPA and ATIA introduce not only regulatory requirements, but also organizational capability requirements. This has direct workforce implications.
Privacy Literacy
Staff need to understand how privacy applies to their role. Training should not be limited to privacy officers or records teams. Employees who collect, use, disclose, store, transform, or share information must understand their responsibilities.
Privacy literacy and training must extend beyond specialized roles such as privacy officers or records teams. Employees who collect, use, or manage information need to understand how privacy applies to their daily responsibilities, including appropriate handling, breach recognition, and secure information sharing practices. Under POPA this is extended to include the use of classification labels.
Role Clarity and Cross-Functional Collaboration
Public sector organizations must define who owns different parts of privacy and access compliance across the whole of the organization to enable effective collaboration. Ambiguity creates risk. If everyone assumes another team owns the issue, critical work will not happen.
Privacy and access compliance require sustained collaboration. For example:
Legal may interpret the obligation
Records may define retention and access processes
IT may configure controls
Cybersecurity may monitor risks
Business units may own the data
Leadership must prioritize resources and resolve trade-offs
This requires a governance model that brings the right stakeholders together with clear authority and defined decision-making accountability.
Behavioural Change
Compliance ultimately depends on behaviour. Staff need to know what to do differently in their daily work.
This includes recognizing when a Privacy Impact Assessment (PIA) may be required, escalating suspected privacy breaches, applying appropriate classification labels, avoiding unauthorized sharing, and following established retention rules. It also involves using approved systems when handling sensitive information and understanding when activities such as data matching or analytics introduce additional privacy risk.
Without meaningful behavioural change embedded across the organization, compliance remains theoretical rather than operational.
Federal Versus Provincial Privacy Context in Canada
Privacy and access-to-information obligations exist across all Canadian jurisdictions, but the legislative structure differs. Some provinces maintain a combined access and privacy statute, while others separate provincial, municipal, health, or private-sector obligations. Alberta’s POPA and ATIA are therefore best understood not as isolated reforms, but as part of a broader Canadian trend toward more explicit privacy accountability, stronger governance expectations, and more demonstrable compliance requirements.
Alberta Public Sector
POPA and ATIA apply to Alberta public bodies, including municipalities and post-secondary institutions. POPA governs privacy and data use, while ATIA governs access to information.
The key distinction is that POPA introduces a more operational and enforceable model for public bodies. It does not only focus on personal information in the traditional sense. It also addresses broader data lifecycle issues, including derived data, non-personal data, data matching, and re-identification risk.
Across Canada
The table below has been included as a high-level orientation only. It is a broad comparison of the equivalent public-sector Privacy and Access legislation across Canada. It does not compare detailed statutory obligations, sector-specific health privacy legislation, private-sector privacy legislation, or enforcement powers. Organizations should assess the legislation applicable to their jurisdiction, sector, and role.
Table 3: Canadian Privacy and Access Legislation Comparison
What Good Looks Like
“Good” does not mean perfect. It means structured, repeatable, proportionate, and defensible.
Organizations progressing toward compliance typically demonstrate the following characteristics. These are not isolated activities. They are interconnected elements of a broader capability that enables organizations to demonstrate that privacy risks are understood, managed, and controlled in a defensible way.
Clear Accountability
There is a designated Privacy Officer or equivalent accountable role. Responsibilities are documented and understood.
Integrated Governance
Privacy, records, IT, cybersecurity, data governance, legal, and business areas are connected through formal governance structures.
Operational Privacy Management Framework
The PMP is not a static document. It includes policies, procedures, training, safeguards, breach response, PIA processes, metrics, and ongoing monitoring.
Policy-to-Control Alignment
Policies are supported by technical controls where possible. For example:
Classification labels support information handling
Access controls enforce least privilege
Retention controls support disposal obligations
Logging supports investigation and auditability
DLP supports secure handling of sensitive information
Evidence and Defensibility
Organizations retain evidence of decisions, assessments, training, incidents, reviews, approvals, and remediation activity.
The goal is not to eliminate all privacy risk. The goal is to demonstrate that risk is understood, managed, documented, and governed.
A Practical Path Forward
Public sector organizations should approach POPA and ATIA readiness as a structured program rather than a series of disconnected activities. The initial focus should not be on achieving full compliance, but on establishing the governance, visibility, and direction required to move forward in a controlled and defensible way.
In the first 90 days, organizations should prioritize clear accountability and governance. This includes confirming or appointing a Privacy Officer, defining roles and responsibilities across privacy, IT, records management, and business units, and establishing a governance structure to support decision-making and escalation. Without this foundation, subsequent efforts are likely to become fragmented and difficult to sustain.
In parallel, organizations should begin developing the core components of a Privacy Management Program (PMP). This does not require a fully mature program at the outset, but it does require a structured approach to managing and evidencing privacy obligations. Early focus should include establishing Privacy Impact Assessment (PIA) triggers and workflows, as well as defining breach response processes that can be consistently applied.
A clear understanding of the current state is also critical. Organizations should assess existing policies, processes, and controls against POPA and ATIA requirements, with particular attention to high-risk data, systems, and business processes. This assessment should move beyond a checklist and instead identify where governance, operations, and technical controls are misaligned or absent.
These activities do not complete compliance, but they establish the foundation required to move from awareness to execution. They enable leadership to understand the scale of effort required, prioritize investment, and make informed decisions on sequencing and resourcing.
From a delivery perspective, this phase is a critical transition point. Organizations that take a structured approach combining governance design, practical assessment, and early program definition, are better positioned to move into implementation with clarity and momentum. This is also where targeted external support can add value, helping translate legislative requirements into a realistic, organization-specific program aligned across governance, operations, and technical capability.
Ultimately, the objective of the first 90 days is not to achieve compliance, but to establish a defensible and executable path toward it. Organizations that invest in this foundation early will be significantly better positioned to manage risk, demonstrate progress, and sustain compliance over time.
Synthesis: Privacy as an Organizational
A consistent conclusion emerges from POPA and ATIA readiness efforts: privacy must be treated as an organizational capability rather than a discrete function. It cannot be effectively addressed through legal interpretation, records management, or technical controls in isolation. Instead, it requires coordinated alignment across governance, operational processes, technology, and workforce behaviour.
Organizations that make meaningful progress are those that move beyond assessment and into structured implementation. They establish clear accountability, connect privacy with broader data governance and cybersecurity practices, and translate policy requirements into repeatable processes supported by appropriate technical controls. Just as importantly, they ensure that these controls are understood and applied in practice, supported by training, oversight, and evidence of decision-making.
In contrast, organizations that struggle tend to treat compliance as a documentation exercise or a one-time initiative. Without integrated governance, aligned technical controls, and sustained operational effort, privacy obligations remain theoretical and difficult to defend when challenged.
For this reason, POPA and ATIA readiness should be approached as an enterprise governance priority. Success depends not on the existence of policies, but on the ability to demonstrate consistent, defensible control over data across its lifecycle.
Tantus Perspective
Tantus works with municipalities, post-secondary institutions, and broader public sector organizations navigating overlapping pressures, including legislative change, cybersecurity risk, varying levels of data governance maturity, constrained resources, and increasing public expectations. Across these environments, a consistent pattern emerges: organizations generally understand legislative requirements in principle, but struggle to operationalize them in a way that is sustainable and defensible.
The challenge is rarely a lack of intent, but the difficulty of translating obligations into a practical program that aligns with the organization’s structure, systems, capacity, and risk environment. This requires coordinated progress across governance, operational processes, and technical enablement, rather than policy development or one-time assessments in isolation.
Organizations that make the most progress take a structured approach. They move beyond checklist-based assessments to establish clear accountability, align privacy with data governance and cybersecurity, and develop realistic, prioritized roadmaps. They also ensure that policy requirements are supported by technical controls and reinforced through training and change management to enable consistent adoption.
A gap assessment is a useful starting point, but it is not the destination. Organizations that remain at the assessment stage often struggle to demonstrate progress, while those that transition into implementation and sustained operation are better positioned to achieve defensible compliance.
The distinction between awareness and execution is where most organizations succeed or fail in achieving POPA and ATIA readiness.
The capabilities required to move from awareness to execution span governance, operational, and technical domains.
Tantus Support Capabilities
Tantus supports organizations in progressing from initial assessment to defensible POPA and ATIA compliance through a structured, left-to-right lifecycle approach:
Assess → Govern → Operationalize → Enforce → Demonstrate
This model integrates governance, operational processes, and technical controls to translate legislative requirements into sustainable organizational capability.
Tantus Services – Taking you from Assessment to Defensible Compliance
Tantus supports organizations in moving from awareness to execution. Establishing the governance, operational capability, and technical alignment required to achieve defensible POPA and ATIA compliance.
Conclusion
POPA and ATIA establish a new standard for privacy and information governance in Alberta, one that extends beyond policy awareness into demonstrable, organization-wide capability. For many public sector organizations, the challenge is no longer understanding the legislation but executing against it in a structured and sustainable way.
Compliance requires alignment across governance, operational processes, technology, and workforce behaviour, supported by clear accountability and sustained leadership attention. These elements must function together to ensure that privacy and access obligations are not only defined but consistently applied and enforced in practice.
This is achievable, but it is not optional. Organizations that begin early, take a structured approach, and focus on defensibility will be best positioned to meet regulatory expectations, respond effectively to scrutiny, and maintain public trust.
The key question for leaders is no longer whether POPA and ATIA matter. The question is whether their organization can demonstrate that privacy and access obligations are governed, operationalized, technically supported, and defensible across the full data lifecycle.
Can your organization demonstrate that privacy and access obligations are governed, operationalized, technically supported, and defensible across the full data lifecycle?