Do Alberta school boards need PIAs under POPA?
Yes. School boards, charter schools, colleges, and universities are all public bodies under POPA. Any SaaS tool that processes student, parent, or employee personal information requires a PIA. This includes learning management systems (LMS), student information systems (SIS), email and productivity suites, video conferencing tools, and any third-party educational technology platform.
Why is student data particularly sensitive under POPA?
The Ministerial Regulation deems personal information of minors to be highly sensitive. This has direct implications for school boards: (1) PIAs involving student data are more likely to require OIPC submission, (2) documented safeguards must be proportionate to the sensitivity, and (3) the jurisdictional analysis in Section G becomes critical — if student data is processed by a US-parented tool, that tool is subject to the CLOUD Act, and a foreign government could theoretically compel access to children's data.
What SaaS tools do schools typically need PIAs for?
Common educational SaaS tools requiring PIAs include: Google Workspace for Education (US-parented, CLOUD Act exposed), Microsoft 365 Education (US-parented, CLOUD Act exposed), Brightspace/D2L (Canadian — not CLOUD Act exposed), PowerSchool (US-parented, CLOUD Act exposed), Zoom (US-parented, CLOUD Act exposed), Canvas (US-parented, CLOUD Act exposed), and various assessment, attendance, and communication platforms. Each requires jurisdictional analysis in Section G of the OIPC template.
What about post-secondary institutions?
Universities and colleges face the same POPA requirements as school boards, often with more complex SaaS environments. Research institutions may also use specialized tools for data collection, analysis, and collaboration — each requiring PIA assessment. Post-secondary institutions often have dedicated privacy officers, but the volume of SaaS tools across departments, faculties, and research groups makes comprehensive PIA completion a significant undertaking.
How should education institutions prioritize their PIAs?
Start with the tools that process the most sensitive data: student information systems, learning management systems, and anything handling minor's personal information. Then move to widely-deployed tools like email and video conferencing. The OIPC will be most interested in PIAs involving highly sensitive information — which in education means student records, health information, and data about minors.
Auto-fill your education PIA template
Select Google Workspace, PowerSchool, Brightspace, and every other tool your institution uses. Our PIA Research Tool generates Sections F, G, and H2 of the mandatory OIPC template. $199.
Start PIA Research Tool →Alberta POPA overview → · CLOUD Act & Canadian data → · Data residency vs sovereignty → · PIA Research Tool →
Frequently asked questions
No. D2L (Desire2Learn) is a Canadian company headquartered in Kitchener, Ontario. It is not subject to the CLOUD Act. Your PIA for Brightspace would note this as a Canadian-controlled tool.
If the app collects personal information about students or parents — names, contact details, attendance, grades — yes, it requires a PIA under POPA.