Privacy Management Program Deadline Looms – Are You Ready?
The recent passage of the Protection of Privacy Act (“POPA”) has not only ushered in a new legislative framework for the collection and management of personal information, but has also come with concrete—and time-bound—compliance obligations for public bodies in 2026.
Our recent publications have discussed the general considerations for public bodies under POPA which, alongside the Access to Information Act, replaced the Freedom of Information Act and Protection of Privacy Act in June 2025.
One particularly noteworthy consideration under POPA is the requirement that public bodies have a fully implemented Privacy Management Program (“PMP”) in place within a year of the Act coming into force or, in other words, by June 11, 2026. And with that deadline rapidly approaching, many public bodies should already be planning—and in many cases acting—to meet the scope of the new statutory requirements.
To assist public bodies with preparing for compliance, we will be outlining what PMPs are and the practical steps public bodies can take between now and the June 11, 2026 deadline.
What is a Privacy Management Program?
Privacy Management Programs can be simply understood as the frameworks used by public bodies to ensure that they meet their privacy obligations under POPA. In particular, POPA explicitly requires public bodies to establish and maintain PMPs made up of documented policies, procedures, and practices that “promote the public body’s compliance with its duties under [the] Act.”[1]
Privacy Management Programs are not static policies. Rather, PMPs should be tailored to a public body’s particular needs and evolve to address emerging privacy concerns. Furthermore, well-structured PMPs can help streamline responses to privacy breaches—big or small—that invariably occur due to human error, as well as minimize or eliminate breaches associated with unclear roles or outdated processes.
Privacy Management Programs ultimately aim to promote accountability, mitigate risks, and enhance operations by integrating privacy policies into public bodies’ day-to-day operations. POPA also encourages transparency by empowering members of the public to request access to a public body’s PMP.[2] Aside from a few security-related exceptions, public bodies are required to comply with such requests.
PMP Building Blocks
Guidelines shared by the Government of Alberta and the Office of the Information and Privacy Commissioner of Alberta identify several common “building blocks” of statutorily-compliant PMPs.
Proportionality
POPA makes it clear that PMPs must be proportionate.[3] Smaller public bodies or those handling less sensitive information are not expected to have the same level of documentation as those that manage high volumes or highly-sensitive personal information. What qualifies as highly-sensitive information is defined in the POPA regulations, but generally includes personal information related to biometrics, financials, or vulnerable populations such as minors or seniors.[4] Public bodies handling highly sensitive information must ensure that their PMPs include additional documentation for their internal privacy management.
In any case, all public bodies—no matter the size—must ensure that their PMPs sufficiently contemplate foreseeable privacy risks and install reasonable safeguards.
Governance
Every public body must designate a privacy officer responsible for overseeing compliance. This role should be clearly defined, supported by appropriate authority and resources, and embedded into organizational decision-making. Senior leadership buy-in is critical; while privacy officers are often the main point of contact for privacy-related concerns, their role does not negate public bodies’ organizational accountability.
Larger public bodies may also need a dedicated privacy office to support the work of the privacy officer. Similar to the privacy officer, the role of the privacy office should be clearly defined and supported by adequate resources. Privacy office staff should have delegated responsibilities to monitor compliance and foster the integration of privacy management practices into all levels of the public body’s work.
Documented policies and procedures
A key feature of any good PMP is the explicit policies and procedures respecting the public body’s management of personal information. At a minimum, PMPs should contain written procedures covering:
- Collection, use, and disclosure of personal information
- Correction of personal information
- Retention and secure destruction of personal information
- Privacy complaints and incident responses
- Use of automated systems, artificial intelligence, and non-personal data
If, for example, a public body’s work involves the active collection of personal information, a compliant PMP should identify the particulars of the notices that must accompany any information collection activities.[5] This includes specifying the purpose for which the information is being collected, the legal authority for collection, the contact information for the public body’s privacy office or officer, and whether the information will be input into any automated systems, such as artificial intelligence.
PMPs must also specifically address the completion of privacy impact assessments and privacy incident notifications, both of which are new requirements under POPA. More information regarding the particulars of privacy impact assessments and privacy incident notifications can be found in our June 24, 2025 publication on the topic.
Most importantly, policies outlined in PMPs should be understandable to public body staff and aligned with actual operational practices, as well as statutory requirements.
Security safeguards
Under POPA, public bodies must make “reasonable security arrangements” to protect personal information.[6] This includes administrative, physical, and technical safeguards appropriate to the sensitivity of the information being managed. Furthermore, POPA regulations require public bodies to establish a security classification system to guide how different types of information are handled and protected.[7]
Training and awareness
Privacy training under POPA is mandatory, not optional.[8] Training should be ongoing and tailored to roles, with periodic refreshers provided as systems and risks evolve. Additionally, training is required not only for public body employees, but also for contractors, volunteers, and service providers involved in the management of personal information.
Ongoing review and improvement
PMPs must be regularly reviewed and updated. Privacy commissioner guidelines emphasize the importance of periodic and regularly-scheduled reviews of privacy management processes, accompanied by formal acknowledgement and training for public body employees.[9] As privacy risks evolve with the emergence of new programs, technologies, and service delivery models, so must PMPs.
Practical Steps Public Bodies Can Take Ahead of June 2026
With the June 11, 2026 deadline fast approaching, public bodies should focus on efficient and focused preparation. Practical steps that can be taken in the interim include the following:
Identify gaps – assess existing privacy policies, practices, and training against POPA requirements. This involves determining what processes and policies are already in place, those that need to be updated, and the elements that are missing altogether.
Confirm governance and accountability – ensure a privacy officer has been formally designated with defined roles, powers, and responsibilities. If privacy responsibilities are spread across multiple roles—such as within a privacy office—steps should be taken to document how those responsibilities fit together.
Inventory personal information repositories – understand what personal information is already in the control of your public body, as well as the existing collection practices. POPA notably provides different requirements for personal information collected after the Act came into force on June 11, 2025, particularly as it relates to the use of artificial intelligence.[10]
Develop and refine key policies – policy development should begin by focusing on high-risk areas such as breach responses, third-party service providers, and new technologies (including AI-enabled tools). Policies should take care to reflect the specific operations of a given public body.
Plan training early – building and delivering effective privacy training takes time. Consider developing training modules that can be adapted for different roles and reviewed periodically.
Document review cycles – clear review schedules demonstrate compliance with the expectation that PMPs remain current and effective.
Get in touch with our Privacy Practice Group
The new requirements under POPA are not just a compliance obligation, but an opportunity to reduce risk, improve operational clarity, and strengthen public confidence in the management of personal information. Public bodies that develop detailed PMPs now will be best positioned to meet their statutory obligations, both in advance of the June 11, 2026 deadline and beyond.
Our firm’s privacy group regularly assists public bodies with assessing current privacy practices, designing and implementing PMPs, and supporting privacy officers in their roles. If you have questions about POPA compliance or would like assistance developing or refining your Privacy Management Program ahead of the June 11, 2026 deadline, we would be pleased to help.
Our firm has also prepared a Privacy Management Readiness Package that can be adapted and modified by public bodies to create their own POPA-compliant PMPs. Please contact the authors for access or to learn more about how we can support your privacy readiness.
[1] Protection of Privacy Act, SA 2024, c P-28.5 [“POPA”], s 25(1).
[2] Government of Alberta, Getting to know the Protection of Privacy regulations, June 9, 2025.
[3] POPA at s 25(2)(a).
[4] Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025 [“Ministerial Regulation”], s 1.
[5] Government of Alberta, Fact Sheet: Collection Notice, June 9, 2025.
[6] Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025, s 3.
[7] Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025, s 2.
[8] Government of Alberta, Fact Sheet: Privacy Management Program, June 9, 2025.
[9] Office of the Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Alberta and British Columbia, Getting Accountability Right with a Privacy Management Program.
[10] Government of Alberta, Fact Sheet: Artificial Intelligence and Automated Systems, June 6, 2025.