Data Privacy, Security & Residency

Personal Information Protection Act

The Personal Information Protection Act (Alberta) (PIPA) governs and regulates the collection, use and disclosure of personal information by provincially-regulated private sector organizations, including:

• Corporations

• Unincorporated associations

• Professional regulatory associations

• Trade unions

• Partnerships

• Private schools or colleges

• Any individual acting in a commercial capacity

Related Resource(s):
A Guide for Businesses and Organizations on the Personal Information Protection Act (OIPC Alberta)

Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Federal law that governs how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada.

Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within Alberta, British Columbia or Quebec. Please refer to the Officer of the Privacy Commissioner of Canada Q&A document regarding PIPEDA and Provincial Privacy Laws for additional information.

AHS Policies

AHS has policies in place to ensure compliance with HIA as well as other legislation such as the Freedom of Information and Protection of Privacy Act (Alberta) (FOIP). The following policies may pertain to your innovation:

Collection, Access, Use, and Disclosure of Information Policy #1112

Privacy Impact Assessment Policy #1145

Privacy Impact Assessments

AHS departments are expected to ensure that any innovation or initiative is reviewed for risks and impacts to data privacy and security through a consultative process with the AHS Privacy Office. They help determine whether a privacy impact assessment (PIA) should be conducted. A PIA is a documented process to assist AHS in reviewing the impact new projects might have on individual privacy.

When is a PIA Required?

When identifiable health information is involved, a PIA is mandatory.

Under the Health Information Act 64(1): "Each custodian must prepare a PIA that describes how proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individuals who are the subject of the information."

As per the AHS Privacy Impact Assessment Policy #1145:

Do I need a PIA if I my innovation only uses personal information?

AHS is also governed by FOIP and whether you need a PIA will be determined by the AHS Privacy Office.

What kind of information do I need to provide for a PIA?

Please refer to the OIPC PIA Requirements Guide.

How long does the PIA process take?

Depending on volumes, and the completeness of the PIA submission, the PIA acceptance process could take up to 12 months.

Data Security

Personal Information

The Personal Information Protection Act (Alberta) (PIPA) governs and regulates the collection, use and disclosure of personal information by provincially-regulated private sector organizations. As an innovator, you are required to take reasonable security measures to protect personal information at all times.

Please refer to Organization Responsibilities for Protecting Personal Information for more information.

Health Information

As a custodian under the HIA, AHS has a duty to protect health information using administrative, technical and physical safeguards. Custodians are responsible for the actions of their affiliates, including information managers.

What is an information manager?

As per HIA section (66)(1):

If your innovation is an information manager, then an agreement between the custodian and the information manager must be in place. For more information about the Information Manager Agreement, please refer to section (7.2) of the Health Information Regulation.