What ATIA and POPA Now Require
Alberta's Access to Information Act (ATIA) and Protection of Privacy Act (POPA) were modernized to require every public body — including municipalities of any size — to implement a formal Privacy Management Program. The compliance deadline was June 11, 2026.
A Privacy Management Program is not a single document. It is a documented, organization-wide system for managing personal information responsibly: who is responsible, what information you hold, how staff are trained, and what happens when something goes wrong. For most small and rural municipalities, building one from scratch is genuinely new work.
The legislation applies regardless of your municipality's size or staffing level. A village with one part-time administrator has the same legal obligation as a city of 50,000. The scale of your program should reflect the scale of your operations — but the program must exist.
48% of Canadian public servants already use AI tools on the job. Only 22% of organizations have a formal AI adoption policy. (KPMG Canada, 2025.) In most municipalities, your Privacy Management Program gap and your shadow AI problem are the same problem.
8 Things Your Municipality Must Have in Place
This is the practical checklist. Each item below is a required component of a compliant Privacy Management Program under ATIA and POPA. If any of these does not exist in your organization as a written, adopted document, you have a gap.
- Designated Privacy Officer
Formally designate a staff member as your Privacy Officer in writing — a council resolution or administrative order. This person receives access requests, manages breaches, and is accountable for the Privacy Management Program. The designation must be documented.
- Personal Information Inventory
Map every location where your municipality collects, uses, or discloses personal information — paper records, software systems, cloud services, and AI tools staff are using. Shadow AI tools belong in this inventory. If you do not know what you have, you cannot protect it.
- Plain-Language Privacy Policy
A written policy explaining what personal information you collect, why, how you protect it, and how individuals can access or correct their records. It must reference ATIA and POPA explicitly and be accessible to the public — posted on your website at minimum.
- AI Acceptable Use Policy
A formal policy governing staff use of AI tools: which tools are sanctioned, which are prohibited, what data may and may not be entered into AI systems, and the consequences of unauthorized use. This is the document that addresses shadow AI directly. Without it, you have no governance over what your staff are doing with ratepayer data right now.
- Breach Response Procedures
Written, step-by-step procedures for responding to a privacy breach: who is notified, in what timeframe, and what records are kept. POPA requires notification to the Privacy Commissioner and affected individuals for breaches that create a real risk of significant harm. You do not want to figure this out during an incident.
- Staff Training Records
Documented evidence that staff who handle personal information have received privacy and AI use training. Training records are a required component of the Privacy Management Program — not just a best practice. Keep records of who was trained, when, and on what content.
- Third-Party Vendor Agreements
Review every software contract, cloud service, and vendor relationship involving personal information. Data processing agreements must be in place. Flag any AI vendors — including Microsoft Copilot, Google Workspace AI, or third-party apps — processing citizen data without an executed agreement.
- Documented, Council-Adopted Program
Compile all of the above into a single Privacy Management Program document, dated and brought to council for adoption. Establish a review cycle — at minimum annually. The program is a living document: update it whenever your technology stack changes. The moment you deploy a new AI tool or cloud service, the program requires review.
Shadow AI Is Already in Your Municipality
Shadow AI is staff using AI tools — ChatGPT, Microsoft Copilot, Google Gemini, free tools on personal devices — without organizational authorization or governance. It is not hypothetical. KPMG Canada found that nearly half of Canadian public servants already use AI at work. The majority of municipalities have no policy governing this use.
When a staff member pastes a ratepayer complaint into ChatGPT to draft a response, or uses a free AI tool to summarize council meeting audio, that data has left your systems and entered a public AI platform's training pipeline. Whether that constitutes a POPA breach depends on context — but without a policy, you have no governance, no documentation, and no defence.
Your AI Acceptable Use Policy is the first control. Your staff training is the second. Neither can happen until someone in your organization has been designated to own the problem.
What the OIPC looks for: The Office of the Information and Privacy Commissioner of Alberta does not expect perfection. It expects demonstrated commitment to compliance — a designated officer, documented policies, evidence of staff training. Organizations with no program and no evidence of effort are in materially worse standing than those with an imperfect program actively being improved.
You're Not Compliant Today. What Now?
Start immediately. Not next month, not after budget season — this week. The OIPC focuses on meaningful compliance, not perfect timing. A municipality that can demonstrate active steps toward compliance within days of the deadline is in a fundamentally different position than one that has done nothing.
The minimum credible first step is designating a Privacy Officer and engaging a qualified consultant to begin the assessment. That combination — a named internal owner and documented external support — demonstrates organizational intent. It is the foundation everything else is built on.
For most small municipalities, a practical Privacy Management Program can be drafted and council-adopted in 30 to 60 days with qualified support. The window to be in an acceptable compliance posture before a complaint is filed is narrow. Start the clock now.
Common Questions from Municipal Administrators
Does this apply to our municipality? We're a small village with two staff.
Yes. The Privacy Management Program requirement applies to all public bodies in Alberta regardless of size. The scale of your program should reflect the scale of your operations, but the program must exist and be documented. A village with two staff has a smaller inventory and a simpler policy — but it needs both.
Can we use a template privacy policy we found online?
Templates are a starting point. Your Privacy Management Program must reflect your municipality's actual data practices — the systems you use, the data you collect, the AI tools currently in use. A policy that doesn't match your operations offers limited protection if a complaint is filed. Customization to your specific context is essential, and that customization requires someone who understands both your municipality and the legislation.
What is the difference between ATIA, POPA, and the Privacy Management Program requirement?
ATIA governs the public's right to access information held by public bodies. POPA governs how public bodies collect, use, and disclose personal information. Both were modernized to include the Privacy Management Program requirement — the obligation to have a systematic, documented approach to privacy governance, not just ad hoc responses to requests and complaints.
How long does it take to build a compliant Privacy Management Program?
For a small or rural municipality, 30 to 60 days with qualified support is realistic. The Spencer Morley Consulting Municipal AI Readiness Assessment produces a compliance roadmap in approximately two weeks, followed by policy drafting and council adoption. The primary variable is your council meeting schedule — not the complexity of the work.
Does our Privacy Management Program need to cover AI tools specifically?
Yes. The modernized ATIA and POPA were updated specifically to address the technological environment your staff are already operating in. An AI Acceptable Use Policy is not optional — it is the governance control that determines whether your staff's current AI use is authorized and documented, or unauthorized and exposed. If your Privacy Management Program does not address AI, it does not reflect your actual risk profile.
What about municipalities in other provinces?
Equivalent legislation applies across Canada. Ontario's MFIPPA, BC's FOIPPA, and Manitoba's FIPPA all have comparable privacy management obligations. The specific requirements and timelines differ by province, but the core need — a designated privacy officer, written policies, staff training, and breach procedures — is consistent. Spencer Morley Consulting serves municipalities across all Canadian provinces and territories.