FOIPPA in Canada: A Plain-English Guide (and What It Means for You)

Canadian Internet Law

What “FOIPPA” Actually Means

FOIPPA-style laws cover a province’s public sector (ministries, agencies, municipalities, universities, school boards, hospitals and other public bodies). Each province names its law a little differently. For example, British Columbia often uses FIPPA/FOIPPA; Ontario uses FIPPA (and MFIPPA for municipalities); Manitoba uses FIPPA; Nova Scotia uses FOIPOP. Alberta modernized its framework in 2025—splitting the former FOIP Act into the Access to Information Act (ATIA) and the Protection of Privacy Act (POPA).

What FOIPPA-Style Laws Guarantees

  1. Access to records: You can request government records and your own personal information (with limited, listed exceptions). Public bodies have a duty to assist and respond on time.
  2. Privacy rules: Public bodies must follow rules for collecting, using, disclosing, retaining and safeguarding personal information—and document privacy decisions.
  3. Independent oversight: Provincial commissioners/ombuds investigate complaints and publish guidance.

B.C. Update: Data Residency Evolved

B.C. removed the old blanket residency rule in 2021. If sensitive personal information will be stored outside Canada, public bodies must complete a supplementary assessment in their PIA to evaluate risks and mitigations. The province provides step-by-step guidance on when and how to do this.

Alberta Update: FOIP → ATIA + POPA (2025)

On June 11, 2025, Alberta brought into force two new laws: the Access to Information Act (ATIA) for access rights and the Protection of Privacy Act (POPA) for privacy protections. These replace the former FOIP Act. If you operate in Alberta’s public sector—or supply services to it—expect contracts and policies to reference ATIA/POPA going forward.

FOIPPA vs. PIPEDA vs. Health Privacy (Quick Comparison)

FeatureFOIPPA-style (Public-sector)PIPEDA (Private-sector)PHIPA (Ontario health sector example)
Who it coversPublic bodies + service providers acting for themPrivate-sector orgs in commercial activityHealth information custodians + their agents
Core rightsAccess to government records; privacy protectionsAccess/correction of your personal information; consent rulesAccess/correction of personal health information; consent & limitations
Data residencyVaries by province (e.g., B.C. allows out-of-Canada storage with supplementary assessment)No Canada-only rule; must ensure “comparable protection” with service providersNo Canada-only rule; strong security/limitation requirements for PHI
OversightProvincial Information & Privacy CommissionersOffice of the Privacy Commissioner of CanadaInformation and Privacy Commissioner of Ontario (for PHIPA)

Simple Compliance Checklist (for Public Bodies & Vendors)

  1. Map your data: what personal information you hold, where it’s stored/processed, and who touches it.
  2. Minimize & secure: collect only what you need; restrict access; encrypt; log.
  3. Clarify roles: contracts must include FOIPPA-level safeguards (location, retention, breach notice).
  4. Document decisions: complete PIAs—especially for cloud/cross-border processing (B.C.: add the supplementary assessment when needed).
  5. Train your team: duty to assist, redaction, breach response, and record retention.

FAQ

1) Do FOIPPA-style laws apply to private companies?
Generally no. FOIPPA laws apply to public bodies. Private companies are usually under PIPEDA (plus sectoral laws like PHIPA). Private vendors serving public bodies still must meet FOIPPA-level contract terms.

2) Does FOIPPA force me to store data in Canada?
Not automatically; requirements vary by province. In B.C., storage outside Canada is allowed if you complete the required assessment and apply appropriate safeguards.

  1. British Columbia: FOIPPA manual & guidance; OIPC BC guidance and resources.
  2. Alberta: Access to Information Act (ATIA) and Protection of Privacy Act (POPA) hubs; OIPC of Alberta POPA page.
  3. Ontario: FIPPA manual; IPC Ontario guidance (FIPPA/MFIPPA & health privacy).
  4. Manitoba: FIPPA overview and Ombudsman guide.
  5. Nova Scotia: FOIPOP overview and the statute.
  6. Federal context: Summary of privacy laws in Canada (PIPEDA vs. provincial).

Works Cited (MLA)

  1. Government of British Columbia. “Data Residency Changes.” Gov.bc.ca, 25 Nov. 2021. Accessed 12 Aug. 2025.
  2. Government of British Columbia. “Guidance on Disclosures Outside of Canada.” Gov.bc.ca, 13 Feb. 2025. Accessed 12 Aug. 2025.
  3. Office of the Information and Privacy Commissioner for British Columbia. “Guidance Documents.” OIPC.bc.ca, 2025. Accessed 12 Aug. 2025.
  4. Government of Alberta. “Access to Information Act (ATIA).” Alberta.ca, 11 June 2025. Accessed 12 Aug. 2025.
  5. Government of Alberta. “About the Protection of Privacy Act (POPA).” Alberta.ca, 11 June 2025. Accessed 12 Aug. 2025.
  6. Office of the Information and Privacy Commissioner of Alberta. “Protection of Privacy Act (POPA) Overview.” OIPC.ab.ca, 2025. Accessed 12 Aug. 2025.
  7. Government of Ontario. “Freedom of Information and Protection of Privacy Manual.” Ontario.ca, 9 Mar. 2023. Accessed 12 Aug. 2025.
  8. Information and Privacy Commissioner of Ontario. “All Guidance and Resources.” IPC.on.ca, 2025. Accessed 12 Aug. 2025.
  9. Manitoba Ombudsman. “Your Information Rights Under FIPPA.” Ombudsman.mb.ca, Mar. 2025. Accessed 12 Aug. 2025.
  10. Government of Nova Scotia. “Freedom of Information and Protection of Privacy (FOIPOP).” NovaScotia.ca, 2025. Accessed 12 Aug. 2025.
  11. Office of the Privacy Commissioner of Canada. “Summary of Privacy Laws in Canada.” Priv.gc.ca, 31 Jan. 2018. Accessed 12 Aug. 2025.
  12. Information and Privacy Commissioner of Ontario. “Health Privacy in Ontario (PHIPA).” IPC.on.ca, 2025. Accessed 12 Aug. 2025.

Need help applying this? Book a free 20-minute FOIPPA consult or grab the Vendor Go/No-Go Matrix to evaluate cloud tools for public-sector use.

  • BC Guidance on Disclosures Outside Canada: https://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/privacy/privacy-impact-assessments/guidance-on-disclosures-outside-of-canada
  • BC Data Residency Changes (2021): https://www2.gov.bc.ca/…/foippa_amendments_data_residency.pdf
  • OIPC BC Guidance: https://oipc.bc.ca/resources/guidance-documents/
  • Alberta ATIA: https://www.alberta.ca/access-to-information-act
  • Alberta POPA overview: https://www.alberta.ca/about-the-protection-of-privacy-act
  • OIPC AB POPA page: https://oipc.ab.ca/legislation/popa/
  • Ontario FIPPA Manual: https://www.ontario.ca/document/freedom-information-and-protection-privacy-manual
  • IPC Ontario Resources: https://www.ipc.on.ca/en/resources/guidance
  • Manitoba Ombudsman FIPPA Guide: https://www.ombudsman.mb.ca/documents_and_files/brochures-fact-sheets-and-guides.html
  • Nova Scotia FOIPOP overview: https://novascotia.ca/tran/hottopics/FOIPOP.asp
  • OPC Canada privacy laws summary: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/
  • Ontario PHIPA overview: https://www.ipc.on.ca/en/health-privacy-ontario
The diverse experience Sue Sutcliffe has gained as one of Canada’s digital marketing pioneers, will help your business or brand dominate the digital.
WORK WITH SUE
Twitter LinkedIn Instagram Contact Us
DOMINATE THE DIGITAL

BLOG

VIRTUAL EVENT

SOLUTIONS

SALES & MARKETING

TRAINING

BOOK A DISCOVERY CALL

1 (800) 579-9253