Protection of Privacy Act (POPA)
The Government of Alberta is separating the current FOIP Act into two acts: the Protection of Privacy Act (the “POPA”) and the Access to Information Act (the “ATIA”).
Key changes in the Protection of Privacy Act (POPA)
The POPA aims to modernize the rules for how public bodies can create and use personal information and data. Many of the details will be provided in regulations due June 2025. Key changes include:
- Requires public bodies to have documented privacy management programs (addressing “predictions,” “automated system,” “research and analysis” and other elements expected to be set out in regulations).
- Requires public bodies to conduct privacy impact assessments in prescribed circumstances.
- Imposes mandatory breach reporting where there is a real risk of significant harm (RROSH).
- Requires that, when personal information is collected, the notification statement advise whether the university intends to use the information in an automated system to generate content or to make decisions, recommendations or predictions (e.g. AI).
- Prohibits public bodies from data matching to produce derived personal information about an identifiable individual. Data matching will only be permitted for “research and analysis” and for “planning, administering, delivering, managing, monitoring or evaluating a program or service.”
- Establishes rules for the creation, disclosure and use of non-personal or de-identified data.
- Introduces the following significant penalties for “knowingly” misusing personal information (note the threshold under FOIP was “willfully”):
  - For breaches involving personal information, individuals may be fined up to $125,000, and organizations up to $750,000; and
  - For breaches involving non-personal information and data matching violations, individuals may be fined up to $200,000, and organizations up to $1 million.