What is Alberta's POPA and what just changed?
On March 26, 2026, the Office of the Information and Privacy Commissioner (OIPC) of Alberta released a mandatory Privacy Impact Assessment template and completion guide under the Protection of Privacy Act (POPA). Any Alberta public body submitting a PIA to the OIPC must now use this template. POPA replaced Alberta's previous FOIP Act in 2025.
Alberta is now the third province to formalize PIA requirements that directly affect how public bodies select and use SaaS tools — joining British Columbia (FIPPA) and Quebec (Law 25). The trend is clear: provincial regulators are increasingly demanding documented privacy assessments for cloud-based tools that process personal information.
Does POPA apply to my organization?
POPA applies to Alberta public bodies: provincial government ministries, municipalities, school boards, post-secondary institutions, health authorities, police services, and other bodies defined under the Act. If your organization is an Alberta public body and you use SaaS tools that collect, use, or disclose personal information, you are likely required to complete PIAs.
Private sector organizations in Alberta are governed by the Personal Information Protection Act (PIPA), not POPA. However, OIPC Commissioner Diane McLeod has indicated that similar PIA resources for PIPA will follow once amendments are proclaimed in force. Private sector organizations should be tracking this development.
Do Alberta public bodies need PIAs for SaaS tools?
Under POPA, a Privacy Impact Assessment is required for projects involving the collection, use, or disclosure of personal information. Deploying a new SaaS tool — or renewing an existing one — qualifies as a "project" if it processes personal information. Key requirements:
The OIPC's PIA template is mandatory for any PIA submitted to the Commissioner. The template and completion guide are available on the OIPC website. The completion guide aligns with the template question-by-question and provides additional context on what is expected.
What the PIA must address
The OIPC template requires public bodies to document the purpose and scope of the project, the types of personal information collected, how it flows through the system, who has access, and — critically for SaaS tools — where data is stored, who controls it, and what jurisdiction governs the company managing it.
For any US-parented SaaS tool, this means the PIA must address CLOUD Act exposure. Under the CLOUD Act, US authorities can compel a US-incorporated company to produce data regardless of where it is stored — including data hosted in Canadian data centres. A PIA that does not address this jurisdictional risk is incomplete.
Does the CLOUD Act affect Alberta POPA compliance?
Most SaaS tools used by Alberta public bodies are US-parented. Microsoft 365, Google Workspace, Salesforce, Zoom, Slack, Dropbox — all are US-incorporated and subject to the CLOUD Act. The Upper Harbour Sovereignty Index tracks 753 tools by parent jurisdiction, and approximately 67% are US-owned.
When completing a PIA under POPA, public bodies must evaluate the risks of cross-border data access. The CLOUD Act is the mechanism by which that access can occur — and it applies regardless of whether the public body has configured Canadian data residency. Data residency is not data sovereignty.
How does POPA compare to FIPPA and Law 25?
Three provinces now have formalized privacy assessment requirements that affect SaaS procurement and use:
| | Alberta (POPA) | BC (FIPPA) | Quebec (Law 25) |
|---|---|---|---|
| Assessment type | Privacy Impact Assessment | Privacy Impact Assessment | Transfer Impact Assessment |
| Mandatory template | Yes (OIPC) | No standard template | No standard template |
| Regulator submission | Required (some PIAs) | Not required | Not required |
| Applies to | Public bodies | Public bodies | All organizations |
| Penalties | Commissioner orders | Commissioner orders | $25M or 4% turnover |
Alberta's approach is the most demanding in the country. It is the only province that requires both a mandatory template and regulator submission. BC and Quebec require assessments but don't mandate a specific format, and neither requires filing with the commissioner. In Alberta, the OIPC will read your PIA. If the jurisdictional analysis is incomplete — if you haven't addressed CLOUD Act exposure for your US-parented tools — they will know.
This makes Alberta public bodies the highest compliance pain point in Canada for SaaS sovereignty right now. Every municipality, school board, health authority, and provincial body using Microsoft 365, Google Workspace, Zoom, or Salesforce needs to document the jurisdictional exposure of those tools in a mandatory format and submit it to a regulator who will review it.
What should Alberta public bodies do now?
1. Inventory your SaaS tools. Identify every tool your organization uses that collects, uses, or discloses personal information. This includes email (Microsoft 365, Google Workspace), CRM (Salesforce), file storage (Dropbox, OneDrive, SharePoint), video conferencing (Zoom, Teams), HR systems, finance tools, and any specialized applications.
2. Map each tool to its parent jurisdiction. For each tool, determine the parent company and its country of incorporation. A tool with a Canadian brand name may have a US parent — and that changes the jurisdictional analysis entirely. Upper Harbour's free exposure scan maps your entire stack in 10 minutes.
3. Complete PIAs using the OIPC template. For each tool that requires a PIA, complete the mandatory OIPC template. The jurisdictional analysis — particularly CLOUD Act exposure for US-parented tools — is the hardest part. Upper Harbour's PIA Research Tool generates pre-written answers for Sections F, G, and H2 from our 753-tool database — $199.
4. Document your risk assessment. Even for tools that don't require OIPC submission, maintaining a documented risk assessment demonstrates due diligence. If a privacy incident occurs, having a PIA on file shows your organization evaluated the risks before deploying the tool.
5. Review existing deployments. POPA applies to new projects, but public bodies should also review existing SaaS deployments. If you've been using a US-parented tool without a PIA, now is the time to complete one. The OIPC template provides the framework.
Auto-fill your OIPC PIA template
Select your SaaS tools from our 753-tool database. We generate pre-written answers for Sections F, G, and H2 of the mandatory OIPC template — ready to copy directly into your submission. Free exposure check, $199 for the full package.
What's coming next for Alberta privacy law?
The OIPC has indicated this is the first of three sets of PIA resources. Similar templates will be released for Alberta's health information law and private sector privacy law (PIPA) once amendments are proclaimed. Private sector organizations in Alberta should be preparing now — the framework is coming.
At the federal level, the proposed Consumer Privacy Protection Act (CPPA) would introduce similar requirements nationally if enacted. The direction across Canada is clear: privacy assessments for SaaS tools are becoming mandatory, not optional.