Strathcona County Updates Privacy Policy Under New Alberta Laws

Strathcona County council has approved a new privacy and access policy as the municipality moves to comply with Alberta's updated access and privacy laws, marking a shift from a decades-old framework to a more detailed and prescriptive regime.

The change follows the repeal of the province's Freedom of Information and Protection of Privacy Act on June 11, 2025, when it was replaced by two statutes: the Access to Information Act and the Protection of Privacy Act.

During a presentation to council, John Anderson, the county's coordinator of access and privacy, said the transition has been eased by existing practices already in place. 'The county's existing privacy policy and existing privacy and access practices have streamlined the transition process, allowing the administration to focus on the new requirements,' he said.

Some of the changes are procedural, including a shift from calendar days to business days for processing access requests, as well as new powers for public bodies to manage overly broad or duplicative applications.

But the broader overhaul introduces more substantial requirements, including a mandatory privacy management program that all public bodies must have in place by June 11, 2026. 'The program is to consist of documented policies and procedures that promote the county's compliance with its duties under privacy legislation,' Anderson said.

The county's framework will be built on a council-approved policy, a directive issued by the chief administrative officer, and detailed internal procedures, alongside updated governance documents such as information security and information management directives.

Under the new legislation, public bodies must adopt a more formalized and proactive approach to privacy, including documenting processes, conducting privacy impact assessments where required, and embedding 'privacy by design' principles into programs and services.

The laws also introduce stronger safeguards, including mandatory breach notification where there is a real risk of harm, and a prohibition on selling personal information.

Council heard that some aspects of the legislation remain unsettled, particularly around the use of personal information in artificial intelligence or automated decision-making systems. 'For some of the more nuanced concepts, there is rationale for both broad and narrow interpretations,' Anderson said.

Current rules require public bodies to notify individuals if their personal information will be used in automated systems to generate decisions or predictions, but detailed guidance on implementation and oversight is still evolving.

Until further direction is clarified, county staff are required to consult information technology services before using personal information in automated systems.

Councillors voted unanimously to rescind the existing policy and adopt the new privacy and access policy.