FAQs for the public about the unauthorized distribution of the List of Electors

As stated in a news release by Elections Alberta and the Information and Privacy Commissioner (link above), the Election Act governs the content, distribution, protection, and authorized use of the provincial List of Electors. The Information and Privacy Commissioner does not have jurisdiction over the creation and distribution of the List of Electors by Elections Alberta or over those entitled to receive this list, such as registered political parties. This activity is governed by the Election Act.  Questions about whether your name is on this List or with whom the List is shared should be directed to Elections Alberta.

On May 6, 2026, the Information and Privacy Commissioner issued a Notice of Investigation to the Centurion Project Ltd. regarding her investigation under the Personal Information Protection Act (PIPA) into allegations that the Centurion Project Ltd. has collected, used and disclosed personal information derived from the Alberta List of Electors, which, if true, may be in violation of PIPA. More information about this investigation can be found in the news release issued on May 7, 2026, announcing this investigation to the public.

Under PIPA, an organization may only collect, use or disclose personal information if permitted by PIPA. For personal information that is in the custody or control of an organization, the organization is obligated to make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. “Organization” is defined in PIPA to include a corporation.

It is important for the public to know that privacy laws, such as PIPA, ensure an individual has control over their own personal information. PIPA facilitates this control using a two-pronged approach to collection, use and disclosure of personal information. An organization subject to PIPA may only collect, use or disclose personal information with consent (unless an exception to consent exists) and for a reasonable purpose. Any collection, use or disclosure of personal information that does not meet these two requirements is unauthorized and unlawful.

There seems to be confusion in the public domain about privacy laws. They are not about confidentiality; they are about the right of individuals to control their own personal information and retain the choice to decide which organization to do business with and which of their personal information the organization may collect, use or disclose. This is how control is generally exercised under PIPA.

Your personal information belongs to you. That’s true even when some of it is easy to find or already out in public. Being visible doesn’t make it free for the taking. In Alberta, organizations can only collect, use, or share your personal information when PIPA allows it, because the information is yours, not theirs.

The Information and Privacy Commissioner is an independent Officer of the Legislature and is mandated under PIPA to monitor compliance with this Act to ensure its purposes are achieved.

Under PIPA, the Commissioner has broad powers of investigation, including the authority to launch investigations into allegations of non-compliance by organizations.

When conducting an investigation, the Commissioner has all the powers, privileges and immunities of a commissioner under the Public Inquiries Act, and the powers set out in section 38 of PIPA, including the following:

(2)  The Commissioner may require any record to be produced to the Commissioner and may examine any information in a record, including personal information, whether or not the record is subject to this Act.

(3)  Notwithstanding any other enactment or any privilege of the law of evidence, an organization must produce to the Commissioner within 10 days any record or a copy of any record required under subsection (1) or (2).

(4)  If an organization is required to produce a record under subsection (1) or (2) and it is not reasonable to make a copy of the record, the organization may require the Commissioner to examine the original record at its site.

(5)  After completing a review or investigating a complaint, the Commissioner must return any record or any copy of any record produced.

(6)  The Commissioner may publish any finding or decision in a complete or an abridged form

Note that the authority under the Public Inquiries Act does not give the Commissioner the ability to conduct a public inquiry. Rather, this authority extends certain powers under that Act to the Commissioner, such as the power to compel witness testimony.

Section 36(1)(b) gives the Commissioner the power to order an organization to comply with PIPA on finding a violation of PIPA at the conclusion of an investigation. Orders of the Commissioner can be enforced by the Court.

Under section 37.1(1), the Commissioner has the power to require an organization to notify individuals affected by a breach of their personal information, where there is a real risk of significant harm to these individuals as a result of the breach.

Under PIPA, in sections 59(1)(d), (e) and (f) it is an offence for a person, including an organization, to

(d)    obstruct the Commissioner or an authorized delegate of the Commissioner in the performance of the Commissioner’s duties, powers or functions under this Act, including but not limited to obstructing the Commissioner or authorized delegate by disposing of, altering, falsifying, concealing or destroying evidence relevant to an investigation or inquiry by the Commissioner;

(e)    make a false statement to the Commissioner or an authorized delegate of the Commissioner, or mislead or attempt to mislead the Commissioner or authorized delegate, in the course of the performance of the Commissioner’s duties, powers or functions under this Act;

(f)    fail to comply with an order made by the Commissioner under this Act.

The penalty for being found guilty of an offence under PIPA is up to $10,000 for an individual and up to $100,000 for an organization.

Section 60(1) of PIPA provides any individual who is affected by an order made by the Commissioner, which has become final as a result of there being no further right of appeal, with a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach by the organization of obligations under this Act or the regulations.

The Information and Privacy Commissioner does not have any involvement in the creation of the List of Electors and does not have access to the List of Electors. This is governed by the Election Act. Any questions about information contained in the List of Electors should be directed to Elections Alberta.

There are offences and penalties under Alberta’s access and privacy laws. For example, there have been several prosecutions pursued in the courts for violations of the Health Information Act.

However, the Commissioner does not have the ability to “charge” anyone with an offence or administer penalties under those laws. This is generally under the purview of Crown prosecutors and the courts, respectively.

An individual who believes their personal information has been collected, used or disclosed without authority by an organization under PIPA, may make a complaint to the Information and Privacy Commissioner.

That said, the Information and Privacy Commissioner has launched an investigation into these activities by the Centurion Project and may, at the conclusion of her investigation, issue a public investigation report about her findings and any recommendations. The Commissioner has the power to order compliance should she find non-compliance with PIPA.

Rather than making a complaint at this time, individuals may wish to hold off until the conclusion of this investigation.

The potential harms and steps to take to prevent those harms depend on individual circumstances.

For example, you may be an Albertan who does not mind that your name and mailing address is in the public domain. However, you may be employed in a sensitive occupation (such as law enforcement, or similarly exposed professions), be a victim of domestic violence, or belong to another vulnerable group, where the public disclosure of this information may present unique harms to you that may require unique steps to protect yourself.

If you are concerned about personal safety, you should consult resources available from your nearest law enforcement agency about personal safety, such as tips provided by the following agencies:

Alberta RCMP – Services and Information

Calgary Police Service – Crime Prevention

Edmonton Police Service – Personal Safety

In addition, all Albertans should remain vigilant about identity-related fraud; Elections Alberta provided some general advice in this news release UPDATE: Unauthorized Use of List of Electors – Elections Alberta, which is summarized below:

1. Be aware and vigilant. Watch for unexpected mail or missing statements, emails, or phone calls such as debt collection calls for unknown accounts.
2. Be skeptical of texts and emails claiming to help reclaim your information. Do not click links and go only to the official websites of entities you know. Legitimate organizations will not ask for sensitive information via email or text.
3. Consider setting up information monitoring through your internet web browser, antivirus protection, and financial institution.
4. If you think you are a victim of identity theft, you should make a report to the police immediately.

Lastly, you should be vigilant about online safety, including when it comes to information received by email, mail, phone or other means, as these kinds of breaches sometimes lead to personal information being used to manipulate your views or to deliver misinformation about certain events or activities.

Always check sources and avoid clicking on any links sent to you.

DO NOT provide any further personal information to an unknown person without verifying who is collecting this information.

Note that personal information that is accessible in the public domain can be combined with other publicly available information about individuals and be used to target individuals or groups for malicious purposes.

The Information and Privacy Commissioner does not have access to the information as citizen petitions are not within her mandate. This question can be posed to the Office of the Chief Electoral Officer.

Information concerning this question was posted in this message from the Chief Electoral Officer: Message to Albertans from the Chief Electoral Officer re: Unauthorized Use of List of Electors – Elections Alberta