The OIPC has archived several resources. Please contact the OIPC if you are looking for a specific resource that has been archived.
This one-page tip sheet is based on the OIPC's Guidelines for Managing Emails. This guidance was issued to assist public bodies, health custodians and private sector organizations and their staff in understanding that emails are records and should be managed in accordance with records management principles and the requirements of Alberta’s access to information and privacy legislation. Published in March 2019.
This brochure summarizes Alberta's access to information laws. The online version is for viewing on screens. Updated in March 2021.
This brochure summarizes Alberta's access to information laws. Feel free to print for various meetings or events, or contact our office and we will provide you with printed copies. Updated in March 2021.
The OIPC developed these guidelines for an advance ruling under section 36(3) of PIPA. Updated in September 2017.
This advisory was developed to assist senior leaders and employees in all sectors who are regularly subject to phishing incidents, based on breach reports the OIPC receives. The advisory defines phishing, describes how phishing is executed, outlines what to watch for to prevent phishing incidents, gives examples of safeguards to help mitigate the risks of phishing, and provides an overview of what to do if and when a breach occurs. Published in May 2019.
This advisory was developed to assist public bodies, health custodians and private organizations with preventing and responding to ransomware cyberattacks. Published in March 2016.
This advisory was published in response to an increase in reported breaches involving cloud storage containers, or "web buckets", that are unintentionally exposed publicly online, typically through misconfigured properties or settings. The advisory is for organizations in the public, health and private sectors, and outlines what web buckets are, how web buckets are exposed, and privacy and security considerations for protecting personal or health information stored in web buckets. Published in October 2020.
This advisory is meant to assist school boards, private schools and their employees in identifying their authority to disclose a student’s participation in a GSA or other voluntary student organization, if considering doing so. The advisory also discusses student privacy rights, especially for mature minors, and outlines how they can exercise their rights if they feel a school has improperly disclosed their personal information. Published in June 2019. Updated in September 2019 to reflect the coming into force of the Education Act, which replaced the School Act.
The Commissioner has the power to authorize a public body, custodian or organization to disregard certain access requests or correction requests made to the public body, custodian or organization. The criteria for authorizing a public body, custodian or organization to disregard a request or requests are set out in section 55(1) of the Freedom of Information and Protection of Privacy Act (FOIP Act), section 87(1) of the Health Information Act (HIA), and section 37 of the Personal Information Protection Act (PIPA). Published in June 2017.
This guidance document, prepared jointly by the federal Office of the Privacy Commissioner and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia is specifically intended to help small- and medium-sized enterprises understand what their privacy responsibilities are and to offer some suggestions to address privacy considerations in the cloud. Published in June 2012.
As direct-to-consumer genetic tests become increasingly available, particularly over the Internet, it is important to understand their privacy risks. This document explains some of the key privacy risks associated with these tests, informs individuals of their rights and encourages them to ask themselves a series of questions before buying one online. (This document opens as an external link.) Updated in December 2017.
This guide outlines what is expected in a privacy management program in order to be accountable for the personal information in the custody or under the control of businesses and organizations. Published in April 2012.
This document provides a snapshot of the full guide, "Getting Accountability Right with a Privacy Management Program". It briefly outlines what is expected in a privacy management program in order to be accountable for the personal information in the custody or under the control of businesses and organizations. Published in April 2012.
This guide was developed to help businesses and organizations understand roles and responsibilities under PIPA during the collection, use, disclosure and safeguarding of personal information of clients and employees. Published in November 2008.
These guidelines were prepared to help licensees comply with PIPA and the Gaming and Liquor Act. The guidelines are an administrative tool intended to assist in understanding the legislation. Published in 2009.
The OIPC issued this high-level guidance document to assist public bodies, health custodians and private sector organizations and their staff in understanding that emails are records and should be managed in accordance with records management principles and the requirements of Alberta’s access to information and privacy legislation. Although the guidance provided in this document is directed at managing emails, the general principles may assist in managing records in other formats. Published in March 2019.
Building on previous publications examining the current state of consent, including challenges and potential solutions, this document sets out practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent. It was jointly issued by the OIPC, the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia. Published in May 2018.
In partnership with the federal Office of the Privacy Commissioner and the Office of the Information and Privacy Commissioner of British Columbia, these guidelines were developed to address the issue of consent requirements under private sector privacy laws. Published in May 2014.
To help organizations achieve compliance with private sector privacy legislation, the offices of the federal, B.C. and Alberta privacy commissioners developed these guidelines. In a question and answer format, this document sets out the principles for evaluating the use of video surveillance and for ensuring that its impact on privacy is minimized. Published in March 2008.
When organizations search for information about an individual, the collection, use and disclosure of that personal information is subject to the privacy provisions of PIPA. This guide urges organizations to understand the legal implications of conducting a background check using social media. Published in December 2011.
This document provides practical guidance to the insurance industry regarding the collection, use, disclosure and retention of personal information related to usage-based insurance programs. See also Privacy Impact Assessment Guidelines for Insurers Looking to Implement Usage-Based Insurance Programs in Alberta. Published in March 2021.
These guidelines are meant to assist organizations in fulfilling obligations under the Personal Information Protection Act when disconnecting energy services. Published in November 2011.
This document outlines the procedures when a matter before the OIPC goes to inquiry. Published in May 2012, and updated in September 2020.
This document describes what respondents must do in preparing records at issue for an inquiry. Published in September 2020, and replaced "Adjudication Practice Note 1: Preparing Submissions, Records and Indexes for Inquiries".
This document outlines how to prepare submissions for an inquiry. There are also tips for providing evidence and arguments in a written submission. Published in September 2020, and replaced "Adjudication Practice Note 2: Evidence and Arguments for Inquiries".
In partnership with the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of British Columbia, these guidelines were published to address what organizations should consider when determining whether to implement BYOD. Published in August 2015.
In a June 2008 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada agreed to work together to implement public education activities meant to increase awareness among children and young people of the privacy risks inherent to their online activities.
In a February 2008 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada expressed concerns and called on governments to initiate certain actions regarding enhanced driver's licences.
In a January 2016 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada called on governments at all levels to respect and promote privacy and access to information rights and principles when embarking on information sharing initiatives.
In an October 2019 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada urged their governments to modernize access to information and privacy laws.
In an October 2013 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada urged their governments to modernize access to information and privacy laws.
In a September 2009 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada called on Ministries of Health to keep Commissioners and the public informed of their progress toward developing and implementing personal health records.
In a September 2018 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada urged their governments to require political parties to comply with globally recognized privacy principles.
In an October 2014 joint resolution, Information and Privacy Ombudspersons and Commissioners from across Canada urged their respective governments to review and modernize their information management frameworks.
Canada’s Information and Privacy regulators called on their respective governments to respect Canadians' quasi-constitutional rights to privacy and access to information. The regulators took note of the serious impact the COVID-19 pandemic has had on the right of access to information and privacy rights in Canada and called on governments to use the lessons learned during the pandemic to improve these rights.
The following page includes joint resolutions agreed upon by federal, provincial and territorial Information and Privacy Commissioners and Ombudspersons across Canada. The information is linked to the Office of the Privacy Commissioner of Canada's website. The page also includes a Memorandum of Understanding on privacy in the private sector between the Privacy Commissioner of Canada, and Information and Privacy Commissioners of Alberta and British Columbia.
This document outlines the four key steps in responding to privacy breaches for use by organizations, custodians or public bodies. The purpose is to provide guidance on how to manage a privacy breach. Updated in August 2018.
A lesson plan for teachers and students where students watch a short video that compares getting rid of personal information online to getting toothpaste back in a tube. After a short discussion of visual analogies like this work, students discuss the meaning of the video - that information online is permanent - through a series of short scenarios. Finally, students create a simple animation that illustrates these principles. Published in January 2019.
A lesson plan developed for teachers and students to introduce students to the privacy principles that inform private sector privacy laws in Canada relating to personal information collection online. They learn ways to find out what personal information may or has been collected by platforms that they use, how to limit data collection about themselves, and the various forms of recourse that are available to them if they feel an organization is not respecting their rights. Published in January 2019.
A lesson plan for teachers and students to introduce students to the idea that privacy is a fundamental human rights and that their personal information is valuable. The lesson focuses on the "economics" of personal information and that most "free" apps and online services make some or all of their revenue by collecting, and in some cases reselling, users' personal information. Students will watch a video that illustrates the idea that they they may be paying with their privacy and then discuss some of the ramifications of this. They will learn about tools and techniques for minimizing the personal information they should share and create a public service announcement that helps them and their peers "know the deal" about the value of privacy. Published in January 2019.
The OIPC has received questions from organizations in all sectors about how to manage records or personal information when transitioning staff to work from home. To assist, the OIPC provided some points to consider. Published in April 2020.
The OIPC developed this document to respond to some of the most frequently asked questions received from minor sports associations. Updated in December 2015.
These guidelines were prepared to provide practical guidance to motor vehicle dealership owners and employees regarding the collection, use, disclosure and retention of personal information related to test drives. Published in April 2015.
This document is to help organizations understand their obligations when notifying individuals affected by a privacy breach. Updated in August 2018.
Under PIPA, the Commissioner is required to establish an expedited process for determining whether to require an organization to notify individuals affected by a privacy breach when a real risk of significant harm to an individual is obvious and immediate. This document sets out that process. Updated in August 2018.
The OIPC has received several questions from organizations and individuals about keeping a customer list or contact log during the COVID-19 pandemic, particularly in retail locations and at restaurants. This advisory provides considerations to ensure that organizations comply with Alberta’s Personal Information Protection Act when making and keeping lists of customers and their contact information.
As more individuals receive COVID-19 vaccinations, some organizations may be considering asking customers to provide proof of vaccination in order to receive discounts, access goods or services, or enter a store. This advisory provides guidance for organizations subject to PIPA that are considering asking for or requiring proof of vaccination from customers for these or similar purposes.
Verifying identity to prevent credit card fraud in the retail sector is a practice that has been endorsed not only by credit card companies and payment card processors, but also privacy commissioners. This fact sheet provides perspective on balancing privacy rights with the collection of personal information by organizations. Published in September 2007.
This fact sheet provides seven points for organizations to remember when handling personal information. Updated in January 2018.
This document outlines six principles to consider when planning for an information sharing initiative. The principles are transparency, legal authority, privacy impact assessments, access and correction, accountability and oversight. It also provides links to related documents. Published in June 2017.
The OIPC developed a frequently asked questions document based on issues between landlords and tenants under the Personal Information Protection Act. Published in March 2007.
This document was prepared by the OIPC to provide privacy impact assessment (PIA) drafting guidance to insurers who may decide to prepare and submit a PIA to the OIPC ahead of offering usage-based insurance (UBI) in the province of Alberta. Published in January 2016.
This guidance is meant to help public bodies, health custodians and private sector organizations know how personal or health information may be shared during a pandemic or emergency situation. Privacy laws are not a barrier to appropriate information sharing in these circumstances. Updated in March 2020.
This brochure summarizes Alberta's privacy laws. Updated in March 2021.
This brochure summarizes Alberta's privacy laws. Feel free to print for various meetings or events, or contact our office and we will provide you with printed copies. Updated in March 2021.
This practice note was developed for the OIPC's reviews and inquiries in which a respondent (public body, organization or custodian) to an access request has claimed solicitor-client privilege or litigation privilege. Published in December 2016.
This document is designed to assist organizations and custodians in meeting legislated requirements when reporting a privacy breach to the Commissioner. Public bodies are encouraged to use this document when reporting a breach to the Commissioner. Published in August 2018.
The purpose of this document is to provide parties with a summary of the procedures under which reviews and investigations are conducted by the OIPC and the anticipated date for completion of the reviews and investigations.
This report was submitted to the Standing Committee on Alberta's Economic Future which was tasked with a review of the Personal Information Protection Act in 2015-16. The submission included 10 recommendations. Published in February 2016.
Public bodies and organizations are required under law to take reasonable steps to safeguard the personal information in their custody or control from such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. This tool is designed to help public bodies and organizations determine how well they are protecting personal information. Updated in October 2020.
This guidance was developed jointly by the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia to draw attention to key privacy considerations when designing and developing mobile apps. Published in October 2012.
This advisory provides ten steps for implementing PIPA, Alberta's private sector privacy law, in organizations. Updated in January 2018.
Copyright 2022 OIPC. All rights reserved.