Privacy Management Program

.

Effective June 11, 2025, the Alberta Protection of Privacy Act requires all public bodies to develop, and make available, a comprehensive Privacy Management Program (PMP).

Privacy Officer

AGLC has designated the Manager of Privacy, Records & Information Access as its Privacy Officer – tasked with the day-to-day administration of Alberta’s Access & Privacy Legislation, including education and assessing & mitigating potential risks.

AGLC has a comprehensive delegation matrix outlining our responsibilities under the Access to Information Act and the Protection of Privacy Act, identifying who within the organization is responsible for each decision or requirement.

To ensure organizational awareness and accountability, AGLC staff are required to complete AGLC’s Access & Privacy course through our internal Learning Management System. This course further expands on the responsibilities and requirements outlined in our corporate policies (found at Section 2 herein) including: 

• Responsibilities when responding to an Action Request
• Understanding what constitutes personal information
• Proper collection, use and disclosure of personal information
• Reasonable security measures and proper handling of information
• Identifying privacy breaches and how to report them.

Privacy Complaints

All complaints made to AGLC under section 38(2) of the Protection of Privacy Act will be forwarded to AGLC’s Privacy Officer. All reasonable attempts will be made to resolve the complaint to the complainant’s satisfaction.

In the event the complaint moves to review and/or inquiry with the Office of the Information and Privacy Commissioner, AGLC’s Privacy Officer will act as AGLC’s representative in resolving the matter. 

.

AGLC has comprehensive corporate policies and procedures detailing how we:

The following AGLC policies have been developed to outline our role and responsibilities under the Access to Information Act (ATIA) and the Protection of Privacy Act (POPA): 

AGLC IT Security Policies

If you have questions relating to any of these policies or procedures, please contact our Privacy, Records & Information Access team at privacy@aglc.ca for more information.

.

AGLC is committed to the protection of privacy and to ensuring privacy is built into our programs and systems “by design” by way of thorough Privacy Impact Assessments and Privacy Compliance reviews.

Privacy Impact Assessments

Section 26(1) of the Protection of Privacy Act states that AGLC must prepare a Privacy Impact Assessment that will identify risks associated with our collection, use and disclosure of personal information, develop mitigation strategies and safeguards respecting those risks, address how we will comply with our duties under POPA and must comply with the Protection of Privacy Regulation requirements. Under the Ministerial Regulation, all PIAs must: 

• Include a summary of the purpose of the collection, use or disclosure of personal information for the new, or substantial change to an existing, administrative practice, program, project or service.
• Identify the legal authorities for the collection, use or disclosure of personal information.
• Identity of any privacy risks and mitigation strategies respecting personal information.
• Identify or describe any administrative, physical and technical safeguards in place to protect personal information, including how the personal information will be securely transmitted, matched or linked by the public body, if applicable.
• Include a description of the accuracy, correction and retention procedures that will be implemented to ensure the personal information is accurate and complete, and
• Provide evidence of the establishment of a clear governance structure respecting the responsibilities and accountability of each public body if 2 or more public bodies are engaging in a common or integrated program or service or if a public body is collecting personal information from another public body under section 17(3) of the POPA for the purpose of carrying out data matching.

AGLC is required to submit PIAs to the OIPC for the following project types (NOTE: this relates to submission requirements only and does not impact the requirement to prepare the PIA. In any instance where AGLC is required to prepare a PIA but not required to submit it, the OIPC may request a copy for review): 

If there is a substantial change to an existing practice, program, project or service, and AGLC has previously completed a PIA for the practice, program or service – the existing PIA may be amended to account for the change by way of addendum.

Privacy Compliance Reviews

A Privacy Compliance Review is conducted in any area within AGLC that deals with Personal Information but did not recently undergo a Privacy Impact Assessment. These reviews ensure AGLC remains compliant and mitigates any risk.

AGLC has developed a process that includes a risk rating of each area based on the volume and type of personal information they are responsible for. PCRs are completed (where operationally feasible) in order from highest risk to lowest.

Where there are any areas of non-compliance, these are noted with the subject area and rectified as part of the process (prior to the completion of the final report). 

Records Management

An extension of our responsibilities under POPA and in accordance with the Records Management Regulation, AGLC must adhere to its approved retention schedules and data classification systems. Proper Records Management reduces risk and assists in ensuring records are protected, properly stored and retrievable.

Training

AGLC has created an Access & Privacy Training course covering the roles and responsibilities of its employees (and contractors). This is a required course for all employees with re-training required every 24 months.

AGLC’s Privacy Officer provides customized training sessions for all areas within AGLC on request (or as a result of recommendations stemming from our Privacy Compliance Reviews). These sessions focus on the specific area’s interactions with PI and covers job-specific, relevant examples to ensure complete understanding of our responsibilities.

AGLC provides tools, templates and training resources for employees. 

Annual Self-Assessment

For any program area that has participated in a PIA, an annual self-assessment form must be completed for any period between the completion of the PIA and the next regularly scheduled PCR.

These assessments help the Access & Privacy team identify any changes to processes or forms to ensure continued compliance. 

Personal Information Banks (PIBS)

AGLC maintains a listing of all databases that contain personal information, detailing the use of the information and the specific legal authority relied on for the collection and or use of the information. This listing is updated annually and published on AGLC’s website.

Additionally, AGLC has implemented its Master Data Management System to assess and update data quality and consistently perform quality assurance checks on information contained in our various systems. 

Tracking

AGLC’s Access & Privacy Team monitors Information Sharing, Non-Personal Data creation and other legislative requirements using interactive tracking sheets. Various policies and procedures require staff to input the data required for these monitoring activities to ensure continued compliance.

Security

AGLC deploys a range of administrative, technical and physical safeguards to protect information in its custody. AGLC IT Security regularly conducts Security Threat and Risk Assessments and sets minimum requirements for any contractors acting on our behalf (SOCII certification, PEN testing, etc.)

See Section 2: Corporate Policies for additional information on safeguards, auditing, logging and monitoring practices.

.

AGLC has a corporate Policy dedicated to AI (Section 17.8 Artificial Intelligence) and developed an Artificial Intelligence Steering Committee dedicated to responsible AI integration.

The steering committee evaluates potential AI applications, establishes ethical frameworks, and ensures alignment with strategic Objectives. AGLC’s Privacy Officer is a standing member of this committee to ensure privacy compliance is taken into consideration with all applications.

AGLC Corporate policy Section 19.3 – Data Matching and Non-Personal Data outlines requirements for the creation, use and disclosure of non-personal data and AGLC’s use of data matching practices.

AGLC has created standards and procedures for the creation, oversight, auditing and validation of non-personal data. These standards and processes can be reviewed here. 

Data Matching

AGLC’s Master Data Management (MDM) program provides AGLC the ability to ensure accuracy of its data as required by section 6(a) of POPA.

Select program data is cross referenced across AGLC programs and services to identify duplication, errors and omissions to ensure all personal information in our custody and control is accurate and complete. 
 

.

The Access to Information Act and the Protection of Privacy Act of Alberta contain instances where consent may be obtained for the use and/or disclosure of personal information collected by AGLC.

Under Alberta access and privacy legislation, an individual may: 

Additionally, an authorized representative of a third-party may consent to the disclosure of third-party business information (ATIA s. 19(3)(a)). 

Despite anything to the contrary, a consent under section 12(1)(b) or 13(1)(c) of the Act is no longer valid if an individual provides notice to AGLC that the individual withdraws their consent.

When obtaining consent for these purposes, the consent must be meaningful and must be recorded and retained with the appropriate file. Consent is considered “meaningful” when the individual fully understands what they are agreeing to and what AGLC is doing with their information.

Consent may be obtained in writing, electronically, or verbally, following the requirements outlined in AGLC approved consent processes.

In all instances where consent is obtained, the consent must be:

.

A privacy related incident or "breach" occurs when there is a loss of or unauthorized access or disclosure of personal information.

The most common privacy breach occurs when information is lost, stolen or mistakenly disclosed (example: a computer or USB is stolen or lost; personal information is mistakenly emailed to the wrong person; a computer system is hacked; etc.).

Any actual or attempted incident involving the loss of or unauthorized access or disclosure of personal information must be reported to AGLC’s Privacy Officer.

In accordance with section 10(2) of the Protection of Privacy Act, where an incident occurs and there exists a real risk of significant harm (RROSH), AGLC will notify: 

Any notice provided will comply with section 4 of the Protection of Privacy Regulations.

AGLC regularly conducts internal table-top exercises at various levels of the organization to evaluate incident response protocols.

Assessment of RROSH

The RROSH assessment is a reasonable person test. This means what a reasonable person would think is appropriate in the situation, i.e. where a reasonable person would consider that there exists a RROSH to an individual as a result of the loss, unauthorized access to or unauthorized disclosure of personal information.

Sections 4(1) and (2) of the M-Regulation sets out criteria for assessing RROSH.  

In addition to the Corporate Policy relating to Privacy Breaches detailed under section 2 herein, AGLC has developed tools to assist in responding to a security incident or “breach.” 

Where an IT Security Incident involves Personal Information AGLC’s Privacy Incident procedure and its IT Security Incident Management & Response Plan will be executed simultaneously. 

.

AGLC’s Privacy Management Program will be reviewed annually.

At minimum, the following will be considered during a review of AGLC’s Privacy Management Program: