Quick reference
| I want to… | What I do |
|---|---|
| Understand how the Division handles privacy | Read this guide |
| See what kinds of personal information the Division holds | See Personal Information Banks, or visit https://governance.grasslands.ab.ca/pib-directory |
| See or correct my own personal information, or make a complaint | See Your rights |
| Request a copy of this Privacy Management Program | See How to request a copy of this program |
| Know who to contact about privacy | See Who handles privacy at the Division |
Legislative framework
The Division's Privacy Management Program is established under and brings into practice:
- Protection of Privacy Act (POPA), SA 2024, c P-28.5
- Access to Information Act (ATIA), SA 2024, c A-1.4
- Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025 ("M-Reg 143/2025")
- Protection of Privacy Regulation, Alta Reg 132/2025 ("Reg 132/2025")
- Education Act, SA 2012, c E-0.3
About personal information
What is personal information? Personal information is recorded information about an identifiable individual, for example, a person's name, address, contact details, date of birth, financial information, employment records, opinions about the individual, and any other information that can be used to identify a person.
Our commitment. The Division's privacy principles, set out in Policy 311, are the foundation of how we handle personal information:
| Principle | What it means |
|---|---|
| Collection limitation | We only collect personal information when the law allows it or when it's directly necessary for a Division program or activity. |
| Purpose specification | We identify why we're collecting personal information at or before the time we collect it. |
| Consent | We collect personal information directly from the individual wherever possible, with appropriate notice and consent where required. |
| Use limitation | We only use personal information for the purpose it was collected for, or a consistent purpose, unless we have consent or the law says otherwise. |
| Disclosure limitation | We only share personal information as POPA allows or with the individual's consent. |
| No sale of personal information | We don't sell personal information or use it for marketing or advertising. Full stop. |
| Accuracy | We keep personal information as accurate, complete, and current as it needs to be for the purposes we're using it. |
| Safeguards | We protect personal information with reasonable security measures appropriate to how sensitive it is. |
| Transparency | We're open about our policies and practices for managing personal information. |
| Individual access | People have the right to see the personal information we hold about them and to request corrections. |
| Accountability | We're accountable for all personal information in our custody or control. |
A note on what's not in this document. Some technical security measures aren't published, because describing them publicly would make our systems easier to attack. The detailed configurations and operational procedures that implement some of these sensitive controls are documented in restricted Working Instructions which the Division does not make public, as allowed by section 6(4) of M-Reg 143/2025.
Your rights
You have these rights about personal information the Division holds about you:
Access. You can request to see the personal information the Division holds about you. Direct your request to the Access and Privacy Coordinator at privacy@grasslands.ab.ca. The Division's full process for handling these requests is set out in A.P. 324 – Access to Information.
Correction. If you believe personal information about you is inaccurate or incomplete, you can request a correction (POPA s.7). Direct your request to the Access and Privacy Coordinator at the same address. The Division's full process is set out in A.P. 323 – Privacy Management.
Complaint. If you have a concern about how the Division has collected, used, or disclosed your personal information, you can make a complaint. Start by contacting the Access and Privacy Coordinator, who will investigate and respond. If you're not satisfied with the Division's response, you can take your complaint to the Office of the Information and Privacy Commissioner of Alberta at oipc.ab.ca (POPA s.38(2)).
Request a copy of this program. Anyone can request a copy of the Division's Privacy Management Program. See "How to request a copy of this program" below.
Who handles privacy at the Division
The Superintendent is the head of the public body under POPA and has ultimate responsibility for the Division's compliance with POPA and ATIA. The Superintendent may, and does delegate operational privacy responsibilities to the Access and Privacy Coordinator under CG-003 – Delegation of Authority Under POPA.
The Access and Privacy Coordinator (currently assigned to the Associate Superintendent Business Services) is the Division's privacy officer, the Privacy Officer designation recorded in CG-004 – Statutory Designations. This is the role you contact about privacy inquiries, complaints, correction requests, PMP requests, and access to information requests. The Access and Privacy Coordinator oversees the program, maintains the Personal Information Banks directory, coordinates privacy impact assessments.
The Director of Technology handles the technical side of privacy controls, including the privacy training platform, privacy impact assessment facilitation, and coordination between privacy and security governance.
System Owners are responsible for the privacy obligations tied to the systems they own including identifying Personal Information Banks, supporting privacy impact assessments, and following the Division's data handling rules.
Site Coordinators support privacy compliance at each school, including monitoring privacy training completion and handling initial privacy breach reporting.
For complete role definitions and detailed responsibilities, see A.P. 323 – Privacy Management.
Personal Information Banks
The Division maintains a directory of all Personal Information Banks (PIBs) in its custody or control, as required under section 57 of POPA. A PIB is a collection of personal information that's organized or retrievable by an individual's name or identifying number. The directory is published at:
https://governance.grasslands.ab.ca/pib-directory
For each Personal Information Bank, the directory lists the types of personal information held, the categories of individuals, the purpose of collection, the legal authority, and the System Owner.
For questions about any Personal Information Bank, or to request access to or correction of your personal information, contact the Access and Privacy Coordinator at privacy@grasslands.ab.ca.
How to request a copy of this program
Anyone can request a copy of the Division's Privacy Management Program. The Division will provide a copy, or directions to where you can find one, within 30 business days of receiving the request (POPA s.25(3)).
Three ways to make a request:
- Email the Access and Privacy Coordinator at privacy@grasslands.ab.ca
- Send a written request to the Division office
- Visit https://governance.grasslands.ab.ca/view/CG-002 for online materials
The Division may withhold technical security information from the package, as section 6(4) of M-Reg 143/2025 allows.
Keeping this program current
The Division reviews the Privacy Management Program comprehensively at least once every three years (M-Reg 143/2025 s.6(1)(e)). Individual policies and procedures within the program are reviewed annually, or earlier if triggered by changes to legislation, OIPC guidance, complaints, incidents, or governance structure. Reviews coordinate with the governance document review schedule in IM-019 (section 6).
If something in this guide is out of date or unclear, contact the Access and Privacy Coordinator.
Implementing our legal obligations
The tables below map each requirement under M-Reg 143/2025, Reg 132/2025, and POPA to the Division document(s) that satisfy it.
Core requirements, All public bodies (M-Reg 143/2025 s.6(1))
| M-Reg ref | Requirement | Division instrument(s) |
|---|---|---|
| s.6(1)(a) | Designation or identification of a privacy officer | Policy 311 (designates the Associate Superintendent Business Services as Access and Privacy Coordinator) |
| s.6(1)(b)(i)(A) | Internal policies and procedures, responding to requests for correction of personal information (POPA s.7) | A.P. 323 §3 |
| s.6(1)(b)(i)(B) | Internal policies and procedures, responding to privacy incidents (POPA s.10(2)) | A.P. 321; A.P. 323; IM-022 |
| s.6(1)(b)(i)(C) | Internal policies and procedures, responding to privacy complaints (POPA s.38(2)) | A.P. 323 §2 |
| s.6(1)(b)(ii) | Internal policies and procedures, creation, use, and disclosure of non-personal data | A.P. 323 §6 |
| s.6(1)(b)(iii) | Internal policies and procedures, how automated systems will use personal information, including security and technical safeguards | A.P. 312 §4; A.P. 323 §6 |
| s.6(1)(c) | Security classification system for personal information, data derived from personal information, and non-personal data | A.P. 313 |
| s.6(1)(d) | Mandatory training for employees, with specified retraining intervals | A.P. 323 §1; IM-020 |
| s.6(1)(e) | Timelines for periodic review, assessment, and update of the PMP | CG-002 ("Keeping this program current"); IM-019 (section 6) |
Enhanced requirements, High volume or highly sensitive personal information (M-Reg 143/2025 s.6(2))
The Division collects personal information about minors, which is highly sensitive personal information under section 1 of M-Reg 143/2025. The Division therefore meets the enhanced requirements under s.6(2) in addition to the core requirements above.
| M-Reg ref | Requirement | Division instrument(s) |
|---|---|---|
| s.6(2)(a)(i) | Roles, responsibilities, and accountabilities of employees in relation to obligations under POPA | Policy 311; CG-003; A.P. 323 (Responsibilities) |
| s.6(2)(a)(ii) | Process for completing and submitting privacy impact assessments | A.P. 323 §9; A.P. 312 §4; IM-008 |
| s.6(2)(a)(iii) | Proactive monitoring of information systems holding personal information, derived data, or non-personal data | A.P. 326 §3; IM-014 |
| s.6(2)(a)(iv) | Policies and procedures for oral, electronic, and written consent | A.P. 323 §5; Reg 132/2025 s.2 |
| s.6(2)(a)(v) | Policies for the use of personal information in artificial intelligence systems, the creation of data derived from personal information, and the creation of non-personal data | A.P. 312 §4; A.P. 323 §6 |
| s.6(2)(b) | Written administrative, technical, and physical safeguards for personal information, data derived from personal information, and non-personal data | A.P. 313; A.P. 320; A.P. 326; FM-001; Policy 310 |
Public availability of the PMP (M-Reg 143/2025 s.6(3) and (4); POPA s.25(3))
| Statute / regulation | Requirement | Division instrument(s) |
|---|---|---|
| POPA s.25(3) | PMP availability to any person on request, within 30 business days | CG-002 ("How to request a copy of this program") |
| M-Reg 143/2025 s.6(3) | Process for making the PMP available, or publication of the PMP on the public body's website | CG-002; https://governance.grasslands.ab.ca/view/CG-002 |
| M-Reg 143/2025 s.6(4) | Authority to withhold technical/security information that could compromise security | CG-002; restricted Working Instructions in the IM- series |
Other supporting POPA requirements addressed by the Division's PMP
| Statute / regulation | Requirement | Division instrument(s) |
|---|---|---|
| POPA s.10 | Duty to protect personal information; breach notification on real risk of significant harm | A.P. 321; A.P. 323; IM-022 |
| POPA s.57 | Personal Information Banks directory | A.P. 323 §7; https://governance.grasslands.ab.ca/pib-directory |
| POPA Part 3 | Data matching and creation of non-personal data | A.P. 323 §6 |
| M-Reg 143/2025 s.4 | Real risk of significant harm determination | A.P. 321; IM-022 |
| M-Reg 143/2025 s.3(2) | Human oversight, auditing, and validation processes for systems creating data derived from personal information or non-personal data | A.P. 312 §4; A.P. 323 §6 |
| Reg 132/2025 s.1 | Definitions of administrative, physical, and technical safeguards | A.P. 313; A.P. 320; A.P. 326 |
Document history
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | Director of Technology | Initial release; establishes PMP framework per POPA s.25 and M-Reg 143/2025 s.6 |