Put Your House in Order: Preparing Public Bodies for a New Privacy Regime under POPA and ATIA
On June 11, 2025, the Protection of Privacy Act (“POPA”) and Access to Information Act (“ATIA”) came into force. Together, the Acts assume the personal information management functions previously governed by the Freedom of Information and Protection of Privacy Act (“FOIP”).
Our previous publication on January 9, 2025, anticipated some of the changes that could be expected with the passage of the two Acts. As these Acts are now in force, let’s take a look at some of the significant changes and what they will mean for public bodies.
Protection of Privacy Act (POPA)
- Artificial Intelligence (AI) and Automated Systems: POPA will require public bodies to explicitly notify users if collected personal information will be input into an “automated system to generate content or make decisions, recommendations or predictions.”[1] It is worth noting that this only applies to information collected after POPA was proclaimed.[2] Information collected prior to June 11, 2025, may still be used in artificial intelligence and automated systems without providing users with additional notice. Public bodies must, however, update their collection notices to reflect any future use of artificial intelligence and automated systems.
- Collection Notices: Collection notices must also be updated to indicate where users may direct questions regarding the collection of personal information by a particular public body.[3] This is in addition to the requirement that collection notices contain an explanation of the purpose and specific legal authority for the collection of personal information. This differs from FOIP, which did not require contact information to be provided contemporaneously with the collection of personal information.
- Non-personal data and “data matching”: POPA provides new directions regarding the creation, use, and disclosure of non-personal data by public bodies. POPA also provides new direction regarding “data matching”, which refers to data created by linking information from two or more information sources. This is particularly relevant in the case of public bodies working in tandem with other public bodies for the delivery of services.[4]
- Privacy Impact Assessments: POPA requires public bodies to prepare privacy impact assessments (PIAs) whenever there is an introduction of or substantial change to an administrative practice, program, project or service that will involve the collection, use, or disclosure of personal information. PIAs must identify several features regarding the collection, use, or disclosure of the personal information, including the purpose, legal authority, associated risks, and provided safeguards.
- Privacy Incident Notifications: FOIP provided public bodies with discretion as to whether to report privacy breaches. Under POPA, public bodies are required to report breaches in accordance with the assessment criteria contained in the regulations. The assessment criteria require considering the likelihood that the personal information in the breach will be misused, whether the breach was the result of malicious intent, the sensitivity of the impacted information, and other factors. In cases where a privacy breach creates a real risk of significant harm, public bodies are required to give notice of the breach to any affected individual(s), the Commissioner, and the Minister. Notices must take the specific form prescribed under POPA and the regulation.
- Privacy Management Programs: POPA requires public bodies to establish and implement privacy management programs (PMPs) within one year of the enactment of POPA, i.e., by June 11, 2026.[5] PMPs are defined under the Act as documented policies and procedures that promote the public body’s compliance with its duties under POPA. PMPs must be specific to the functions, operations, and capacity of the particular public body. All PMPs must, however, designate a privacy officer for the particular public body, outline procedures for responding to breaches, and establish a security classification system for personal information, among other requirements. PMPs must either be made publicly available or provided upon request.[6]
POPA brings with it several new requirements for public bodies respecting information management and privacy breach preparedness. These requirements will require updating collection notices, developing PIAs, and formulating sufficient PMPs prior to the June 11, 2026 deadline. Public bodies will also have to address privacy breach procedures, both with respect to reporting and the training of internal personnel.
Access to Information Act (ATIA)
ATIA places markedly more responsibility on individual public bodies than was previously the case under FOIP, particularly with respect to managing and responding to access to information requests.
Some of the more noteworthy changes include:
- Disregarding Requests: ATIA now provides public bodies with the authority to disregard access to information requests in certain circumstances, such as if the request is repetitious, abusive, or unreasonably interferes with the operations of the public body.[7] Public bodies must nevertheless inform applicants of their decision to disregard the request within 30 days of receiving the request.
- Duty to Assist: Public bodies are required under the ATIA to make every reasonable effort to assist individuals who make a formal access to information request. The duty to assist has been expanded from what was originally included in FOIP and includes clarifying a request, if necessary; adequately searching for records; and remaining responsive to the applicant. Public bodies must create and maintain accurate records documenting any decisions and actions related to fulfilling access to information requests.[8]
- Exceptions: The ATIA provides additional categories of exception in responding to access requests. These include exceptions related to workplace investigations, if their disclosure could be reasonably expected to interfere with the investigation or harm the parties involved, certain labour relations information, and information relied on during collective bargaining.
- Procedure: Applicants who disagree with the response of a public body must first submit the concern directly to the public body, along with supporting evidence as to why they believe additional records exist.
Public bodies must ensure that all access to information requests received after June 11, 2025, are dealt with in accordance with the ATIA, particularly as it relates to preparing responses and identifying potential exceptions to disclosure.
What’s Next?
Given that the Acts are now in force, public bodies will have to act quickly to bring themselves into compliance with their requirements. This is particularly true with respect to formulating sufficient PMPs within the one-year deadline, as well as adequately responding to access requests received after June 11, 2025, in compliance with the ATIA.
The Privacy team at McLennan Ross is prepared to assist public bodies with:
- Updating collection notices, including for the use of artificial intelligence and automated systems;
- Updating existing privacy policies and procedures to comply with the new legislation and associated regulations;
- Formulating Privacy Impact Assessments in response to new programs or services;
- Preparing guidance, recommendations, and Privacy Incident Notifications in response to information breaches;
- Developing public body-specific Privacy Management Programs, including helping to identify and train public body privacy officers;
- Responding to access to information requests, including advising about instances where public bodies may rightfully disregard requests that violate the ATIA;
- Preparing tailored training sessions to meet the individual needs of public bodies and their staff; and
- Representing public bodies in OIPC reviews, complaints, and inquiries.
[1] Protection of Privacy Act, SA 2024, c P-28.5 [“POPA”] at s 5(2)(d), https://canlii.ca/t/2krlv#sec5.
[2] Government of Alberta, Fact Sheet: Artificial Intelligence and Automated Systems, June 6, 2025.
[3] Government of Alberta, Fact Sheet: Collection Notice, June 9, 2025.
[4] Government of Alberta, Fact Sheet: Data Matching and Data Derived from Personal Information, June 9, 2025.
[5] Government of Alberta, Fact Sheet: Privacy Management Program, June 9, 2025.
[6] Government of Alberta, Getting to know the Protection of Privacy regulations, June 9, 2025.
[7] Access to Information Act, SA 2024, c A-1.4 [“ATIA”] at s 9, https://canlii.ca/t/2krlt#sec9.
[8] Government of Alberta, Fact Sheet: Duty to Assist, June 6, 2025.