What is a Privacy Management Program under POPA?

A Privacy Management Program (PMP) is a documented set of policies and procedures that promote a public body's compliance with POPA. Under Section 25(1), every Alberta public body must establish and implement a PMP. This requirement comes into effect on June 11, 2026 — one year after POPA's proclamation. The PMP must be made publicly available upon request.

What must a PMP include?

The Ministerial Regulation specifies requirements including: designating a privacy officer, establishing internal procedures for handling personal information, training employees on their obligations under POPA, documenting privacy risks and safeguards, and establishing processes for completing Privacy Impact Assessments. For public bodies handling high volumes of personal information or highly sensitive data, additional documented safeguards are required.

How do PIAs fit into the PMP?

PIAs are a core component of the PMP. The Ministerial Regulation requires public bodies that handle high volumes or highly sensitive personal information to establish an internal process for completing and submitting PIAs. Every time your organization deploys or substantially changes a SaaS tool that processes personal information, a PIA must be completed — and potentially submitted to the OIPC.

What is the penalty for not having a PMP by June 2026?

POPA introduced penalties of up to $1 million for certain offences. While the PMP requirement itself doesn't carry a specific fine, failure to have a PMP means your organization cannot demonstrate compliance with POPA — which exposes you to Commissioner orders and enforcement action if a privacy incident occurs. The PMP is the foundation that all other POPA obligations build on.

How should public bodies prepare now?

Start with your SaaS inventory. Identify every tool that processes personal information. Complete PIAs for each one — the OIPC template is now available. Designate a privacy officer. Document your safeguards. Build your breach notification procedures. The PMP is not a single document — it's an operating framework. PIAs for your SaaS tools are the most concrete, actionable place to start.

Start with your SaaS PIAs

PIAs are the most concrete component of your PMP. Select your SaaS tools — our PIA Research Tool generates the jurisdictional research for Sections F, G, and H2 of the mandatory OIPC template. $199.

Start PIA Research Tool →
Related guides

Alberta POPA overview → · CLOUD Act & Canadian data → · Data residency vs sovereignty → · PIA Research Tool →

Frequently asked questions

Does every public body need a PMP?

Yes. Every public body in Alberta — from large government departments to small municipalities — must establish a PMP by June 11, 2026.

Can I build a PMP without completing PIAs first?

Technically yes, but your PMP must include a process for completing PIAs. Starting with PIAs for your existing SaaS tools gives you concrete documentation to build your PMP around.

Where can I find the PMP requirements?

The requirements are set out in the Protection of Privacy (Ministerial) Regulation, Section 6. The OIPC is also developing a PMP guideline.

Sources: OIPC PIA resources · PIA template & guide · Upper Harbour classification methodology.