When is a PIA required under POPA?
Under POPA, a Privacy Impact Assessment is required whenever a public body introduces or substantially changes an administrative practice, program, project, or service that involves the collection, use, or disclosure of personal information. This includes deploying new SaaS tools — if the tool processes personal information, a PIA is required. Some PIAs must also be submitted to the OIPC for review under Section 7 of the Ministerial Regulation, particularly when highly sensitive information is involved.
Does deploying a SaaS tool trigger a PIA?
Yes. If the SaaS tool collects, uses, or discloses personal information — which virtually all business software does — a PIA is required. This applies to tools like Microsoft 365, Slack, Zoom, Salesforce, Google Workspace, and any other cloud-based platform that processes employee, student, patient, or citizen data. The OIPC template explicitly includes a section on service providers (Section G) that requires jurisdictional analysis of each vendor.
What happens if I don't complete a PIA?
POPA requires PIAs in prescribed circumstances. Failure to complete one when required means the public body is not in compliance with the Act. The OIPC can request a copy of any PIA under Section 27(1)(j), and non-compliance can result in Commissioner orders. Alberta also introduced fines of up to $1 million for certain offences under POPA. Beyond penalties, operating without a PIA means your organization has not documented its privacy risks — a serious gap if a breach occurs.
Which PIAs need to be submitted to the OIPC?
Not all PIAs require submission. The Ministerial Regulation specifies when submission is mandatory — generally when a project involves highly sensitive information, data matching, or common or integrated programs across multiple public bodies. The OIPC provides a PIA Submission Assessment Tool to help determine if your PIA must be submitted.
How do I complete the mandatory PIA template?
The OIPC released a mandatory PIA template in March 2026. Any PIA submitted to the OIPC must use this template. The template has sections A through H, covering everything from organizational details to service provider jurisdictional analysis to cloud computing risks. Sections F, G, and H2 require jurisdictional research about your SaaS vendors — parent company, CLOUD Act exposure, data residency, and encryption.
Auto-fill the hardest sections of the template
Sections F, G, and H2 require jurisdictional research about your SaaS vendors. Our PIA Research Tool generates pre-written answers from a 753-tool database. Select your tools, get your answers. $199.
Frequently asked questions
Not directly. POPA applies to public bodies. Private sector organizations are governed by PIPA (Personal Information Protection Act). However, the OIPC has indicated that similar PIA templates will be released for PIPA once amendments are proclaimed.
POPA applies to new projects and substantial changes. However, if you've deployed SaaS tools without a PIA, best practice is to complete one retrospectively — especially if the tool processes highly sensitive information.
The jurisdictional research for Sections F, G, and H2 typically takes 20–40 hours per SaaS tool. Upper Harbour's PIA Research Tool generates these answers instantly from a 753-tool database.