Alberta
Alberta's Personal Information Protection Act (PIPA)
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
Alberta's Personal Information Protection Act (PIPA) is the province's general private-sector privacy law. Enacted as S.A. 2003, c. P-6.5 and in force since January 1, 2004, it has been declared substantially similar to the federal PIPEDA, which means it governs private-sector handling of personal information that takes place within Alberta. You can read the full statute from the Alberta King's Printer: Personal Information Protection Act (S.A. 2003, c. P-6.5).
What Alberta PIPA covers
PIPA sets out how Alberta organizations may collect, use, and disclose personal information — generally requiring consent, limiting collection to what is reasonable for the identified purposes, requiring reasonable safeguards, and giving individuals the right to access and correct their own information. In structure it tracks the same fair-information ideas as PIPEDA's ten principles, so an organization with a sound PIPEDA program is most of the way to PIPA compliance for its Alberta activity — but the details and the enforcement differ.
Employee personal information: a key difference from PIPEDA
One of PIPA's most practically important features is that it expressly governs personal employee information. The Act sets rules for how an employer may collect, use, and disclose information about its employees — including provisions that allow certain handling without consent where it is reasonable for managing the employment relationship, provided the employee is given notice. PIPEDA only reaches employee data in federally regulated workplaces, so for most Alberta employers PIPA, not PIPEDA, is the law that governs the employee file.
Mandatory breach notification — Alberta got there first
Alberta was the first province in Canada to require private-sector breach notification, well ahead of PIPEDA's federal regime. Under PIPA, an organization must notify the Office of the Information and Privacy Commissioner of Alberta of an incident involving a real risk of significant harm to an individual, and the Commissioner may then require the organization to notify the affected individuals. Because the trigger, the timing, and the body you report to differ from the federal rule, organizations that touch Alberta data should read this alongside our guide to PIPEDA breach reporting and treat the two as separate obligations.
How PIPA and PIPEDA fit together
PIPA governs activity that stays inside Alberta; PIPEDA continues to govern personal information that crosses a provincial or national border in the course of commercial activity, as well as federally regulated works and undertakings operating in the province. In practice many Alberta organizations are accountable under both at once, depending on where the data goes. If you are not sure which applies to a given flow, start with federal vs provincial: which privacy law applies?, and see how Alberta compares with British Columbia's PIPA and Quebec's Law 25. The full map lives on the privacy-law hub.
Who enforces it
The Office of the Information and Privacy Commissioner of Alberta administers PIPA. The Commissioner investigates complaints, receives breach reports, holds inquiries, and can issue binding orders — a stronger enforcement posture than PIPEDA's federal complaint-and-recommendation model. When an Alberta buyer sends you a privacy questionnaire, it will often be testing both your PIPA and PIPEDA posture at once; our Canadian privacy questionnaire guide shows how to answer.
Common questions.
What is the difference between Alberta PIPA and PIPEDA?
Both govern how private-sector organizations handle personal information, and the federal government has declared Alberta's PIPA substantially similar to PIPEDA. The practical difference is jurisdictional: Alberta PIPA applies to personal information handled by organizations in the course of activity that stays within Alberta, while PIPEDA continues to apply to personal information that crosses a provincial or national border in the course of commercial activity, and to federally regulated works. An Alberta organization that sells across Canada is therefore usually answering to both — PIPA for its provincial activity, PIPEDA for the flows that leave the province.
Does Alberta PIPA require breach notification?
Yes. Alberta was the first Canadian jurisdiction to mandate private-sector breach notification, years before PIPEDA's federal rule. Under PIPA, an organization must notify the Office of the Information and Privacy Commissioner of Alberta of an incident involving a real risk of significant harm to an individual, and the Commissioner can require the organization to notify affected individuals. Because the trigger and the destination differ from PIPEDA's, organizations operating in Alberta need to understand both regimes.
Does Alberta PIPA cover employee personal information?
Yes — and this is a notable difference from PIPEDA. Alberta PIPA expressly addresses 'personal employee information' and sets out rules for collecting, using, and disclosing it, including situations where an organization may do so without consent for purposes reasonably required to manage the employment relationship, with notice. PIPEDA, by contrast, only reaches employee information in federally regulated workplaces. For most Alberta employers, PIPA is the law that governs their handling of staff data.
Who enforces Alberta PIPA?
The Office of the Information and Privacy Commissioner of Alberta (OIPC) oversees PIPA. The Commissioner investigates complaints, receives breach reports, conducts inquiries, and can issue binding orders requiring an organization to stop a practice or to perform a duty under the Act. That order-making power is a meaningful contrast with PIPEDA's federal model, where the Privacy Commissioner of Canada issues findings and recommendations and contested matters proceed to the Federal Court.