Policies & Guidelines

The FOIP Act (section 34) requires that Mount Royal University must do the following:

• Collect personal information directly from the individual the information is about (unless certain limited circumstances otherwise apply that permits the indirect collection of personal information from another third party under the FOIP Act)
• Use a FOIP Notification Statement to inform individuals of the following at the time of direct collection of the personal information:
  (a) The purpose, or reason, for which the information is collected and the uses that the University will make of the personal information.
  (b) The specific legal authority for the collection [typically under section 33(c)].
  (c) Contact information: the title, business address, business telephone number, business email, of a Mount Royal employee who can answer questions about the collection.

Notably, Service Alberta also states that a FOIP Notification Statement can be provided in many different ways prior to the collection of personal information such as through a:

• Printed form
• Brochure
• Pop-up window
• Post-secondary academic calendar
• Registrar web page (or other web page where a link resides to enter information)
• Sign displayed during filming
• Public announcement
• Telephone menu option

Finally, when collecting personal information the University may only collect personal information if that information relates directly to, and is necessary for, an operating program or activity of the University. Service Alberta uses the term "demonstrable need" for needing the personal information or in regards to having the authority of a public body to collect the personal information.

FOIP Notification Statement Example

The personal information that you provide to Mount Royal University is collected under the authority of the Post-Secondary Learning Act and the Freedom of Information and Protection of Privacy (FOIP) Act - section 33(c). The information will be used for the purpose of [blank].

Collected personal information is protected from unauthorized access, collection, use, and disclosure in accordance with the FOIP Act and can be reviewed upon request subject to the provisions under the Act.

Questions regarding the collection of personal information can be directed to:

Title - Department - Mount Royal University - 4825 Mount Royal Gate SW - Calgary AB - T3E 6K6 - Phone - Email - Website (if available)

Note: The following standardized forms are also located in the L:/foip folder in editable format.

• Consent for Disclosure of Personal Information
• Standard FOIP Notification Statement

• Testimonial and Model Release (University Advancement)
• Testimonial and Model Release (General)

Consent under FOIPThe FOIP Act outlines the rules (or provisions) on how a public body may collect, use, and disclose personal information.

Generally, a public body may use and disclose the personal information if it is for a consistent purpose with what has been described for individuals as provided in the original FOIP Notification Statement at the point of collection.

Signed consent is only one of the many other additional legal authorities that a public body may choose to rely on rather than consistent use/disclosure. Providing consent allows individuals to authorize public bodies to use or disclose personal information in a prescribed manner.

Consent is often relied upon in circumstances that involve third party disclosures including, employee references, student references, or when marketing requires that photographs to be posted in a public setting.

Notably, the University (despite consent) must still only collect personal information only if the information relates directly to and is necessary for an operating program or activity of the University.

Valid signed consent (in writing) must include the following based on the FOIP Regulation:

• If collecting personal information - a FOIP Notification Statement
• Identify the personal information at issue
• Specify to whom the personal information may be disclosed and how the personal information may be used
• It must be signed by the person who is giving consent. Notably, a Typed Name submitted by email is not considered a valid signature according to Service Alberta
• The individual providing the signature should be authenticated to ensure they are who they purport to be (check id, security question, login)
• There must be a "record of consent" to serve as a reference that consent was given
• The record of consent should be retained for a "minimum" of 1 year or longer if the use of personal information is required for a longer period of time

Valid consent (in writing) may also include the following:

• Indicate that consent is voluntary
• Outline that consent may be revoked, but identify, where possible any limitations, consequences, or implications that may result from the revocation
• Indicate the period of time during which the consent remains valid

FOIP Consent Example

I hereby consent and authorize that Mount Royal University may disclose my personal information listed as follows [list of personal information] to [organizations/persons] for the purpose of [blank].

I also acknowledge that my consent will be valid for a period of [1 year] after the date signed and that I can withdraw my consent at any time. I also recognize that by withdrawing my consent services provided by the University such as, [blank] will not be available to me.

Name: [blank] - Date: [blank] - Signature: [blank]

FOIP Notification Statement Example (if collecting personal information)

The personal information that you provide to Mount Royal University is collected under the authority of the Post-Secondary Learning Act and the Freedom of Information and Protection of Privacy (FOIP) Act - section 33(c). The information will be used for the purpose of [blank].

Collected personal information is protected from unauthorized access, collection, use, and disclosure in accordance with the FOIP Act and can be reviewed upon request subject to the provisions under the Act.

Questions regarding the collection of personal information can be directed to:

Title - Department - Mount Royal University - 4825 Mount Royal Gate SW - Calgary AB - T3E 6K6 - Phone - Email - Website (if available)

CASL - Canadian Anti-Spam LegislationConsent under the FOIP Act pertains to providing the legal authority for the University to use or disclose an individual's personal information (often to third parties). In contrast, consent under CASL applies to obtaining permission from individuals to send "Commercial Electronic Messages" (CEMs) to those individuals.

CASL is federal legislation that applies to (CEMs), which are defined as any "electronic messages" having regard to the content of the message, the hyperlinks in the message, that encourage participation in a "commercial activity" regardless of whether there is an expectation of profit.

A "commercial activity" is any particular transaction, act, or conduct or any regular course of conduct that is of "commercial character", whether or not the person who carries it out does so in the expectation of profit.

Notably, messages sent by a registered charity (such as the MRU Foundation) for the primary purpose of raising funds for that charity are not subject to this legislation. However, in order to fit this exemption, the sender must be a registered charity (the University and the Foundation are both registered charities) and the electronic message must be sent out for the primary purpose of raising funds.

In order to send a CEM:

• You must have consent of the individual before the message is sent.
• You must identify the sender and provide the sender's contact information. This contact information must be valid for a minimum of 60 days after the message has been sent.
• You must give the individual a way to "unsubscribe" from further messages. The mechanism must be valid for at least 60 days after the message is sent.

For more information - Go to the CASL webpage via MyMRU under the Employee Resources tab.

Frequently Asked Questions

FOIP notification statements
Public bodies and consent
FOIP and electronic consent
FOIP and oral consent
New use for personal information - consistent purpose
Using collected personal information for a new purpose
Collecting new personal information

FOIP notification statements

Q: When can a public body collect personal information?

A: A public body can collect personal information when it has the legal authority to do so under section 33 of the Alberta FOIP Act, which states that no personal information may be collected by or for a public body unless it is for one of the following requirements:

33(a) - the collection of that information is expressly authorized by an enactment of Alberta or Canada,

33(b) - the information is collected for the purposes of law enforcement,

33(c) - the information relates directly to and is necessary for an operating program or activity of the public body. (most common legal authority)

A public body cannot collect personal information unless it is authorized to do so under one of the sub-sections under section 33 above.

Generally, for the purposes of Mount Royal University, section 33(c) is the most common legal authority for the collection of personal information.

In short, under section 33(c) a public body can only collect personal information if it relates directly to, and is necessary for, an operating program or activity of the public body (unless circumstances indicate that sub-section (a) or (b) apply instead).

Note: Other organizations located in Alberta (that are not defined as public bodies under section 1 of the FOIP Act) must adhere to PIPA or the Personal Information Protection Act (Private Body Privacy Legislation).

PIPA (in contrast with FOIP) states that an organization cannot collect, use, or disclose personal information unless "consent" is obtained from that individual based on section 7 of that Act notwithstanding specific and limited circumstances such as if the information is required to respond to an emergency.

FOIP relies on legal authority under that Act to collect, use and disclose personal information. However, consent can grant the legal authority for the public body to use 39(1)(b) and disclose 40(1)(d) personal information in certain circumstances. Consent does not give the public body the authority to collect personal information.

Q: What is required of a public body before collecting personal information?

A: Section 34(1) of the FOIP Act provides that a public body must collect personal information directly from the individual the information is about notwithstanding limited exceptions provided in section 34(1).

For example, a public body may indirectly collect limited personal information under the Act if it is for the purpose of collecting a fine or a debt owed to the public body as in section 34(1)(h).

When a public body collects personal information directly from the individual the public body must inform the individual of the following regarding the collection in accordance with section 34(2):

34(2)(a) - the purpose for which the information is collected,

34(2)(b) - the specific legal authority for the collection, such as 33(c), and

34(2)(c) - Relevant contact information: Title, Business Address and Business telephone number of an employee of the public body who can answer the individual's questions about the collection.

This required notification under 34(2) is called a FOIP Notification Statement, which is the main tool used by public bodies to inform individuals why their personal information is being collected directly from them by a public body.

Notably, a Department may not necessarily require a FOIP Notification Statement if individuals the information is about have already been notified by the public body at an earlier point of collection.

For example, the Mount Royal University Registrar's Office FOIP Notification Statement promptly notifies students during the application process that collected information under the authority of 33(c) will be used for academic administration, for support services, and financial aid to provide a only few examples of purposes for the collection of personal information.

Below is an example of a FOIP Notification Statement that fulfills the requirements of section 34(2) of the Alberta FOIP Act.

FOIP Notification Statement

The personal information that you provide to Mount Royal University is collected under the authority of the Post-Secondary Learning Act and the Alberta Freedom of Information and Protection of Privacy (FOIP) Act - Section 33(c). The information will be used for the purpose of [blank] .
Collected personal information is protected from unauthorized access, collection, use, and disclosure in accordance with the FOIP Act and can be reviewed upon request subject to the provisions under the Act. Questions regarding the collection of personal information can be directed to: Title - Department - Mount Royal University - 4825 Mount Royal Gate SW - Calgary, AB - T3E 6K6 - Email - Website (if applicable)

Q: What can a public body use personal information for?

A: According to section 39(1) of the FOIP Act, a public body may use personal information only if the use meets one of the three requirements under sub-sections (a), (b), or (c), which are:

39(1)(a) - for the purpose for which the information was collected or compiled or for a use consistent with that purpose,

39(1)(b) - if the individual the information is about has identified the information and consented, in the prescribed manner, to the use, or

39(1)(c) - for a purpose for which that information may be disclosed to that public body under section 40, 42, or 43.

Additionally, section 39(4) states that a public body may use personal information only to the extent necessary to enable the public body to carry out its purpose in a reasonable manner.

For the use 39(1)(a) and disclosure 40(1)(c) of information to be deemed as consistent with the purpose for which it was collected for, the use or disclosure must:

41(a) - have a reasonable and direct connection to the original purpose for which the information was originally collected for and,

41(b) - it must be necessary for performing the statutory duties, or for an authorized program, of the public body.

For use that has legal authority under section 39(1)(c) of the Act, the public body is authorized (consent not required) to disclose limited/reasonable personal information to a Third Party only under the allowances or legal authority set out under section 40(1) of the Act. For example, a public body may use/disclose limited personal information to a law enforcement agency in accordance with 40(1)(q) of the Act.

Back to top

Public bodies and consent

Q: When should a public body use consent?

A: If a proposed use or disclosure of the personal information does not meet the criteria outlined in either:

39(1)(a) - in that the use or disclosure will be consistent with the purpose described in the FOIP notification statement at the point of collection or,

39(1)(c)- in that that the use or disclosure will follow the allowances to disclose to a Third Party prescribed in section 40 of the Act (Example: the public body needs to use/disclose to a Third Party outside of the allowances under section 40(1);

Then consent from the individual for use and disclosure should be sought at the point of collection in order to adhere to section 39(1)(b) of the Act instead. Section 39(1)(b) will be the legal authority to use identified personal information by a public body. Notably, section 40(1)(d) is the corresponding legal authority to disclose identified personal information based on the individual's consent.

REMEMBER: A public body only has the legal authority to collect personal information under section 33 of the FOIP Act. Put another way, obtaining consent does not give the public body the legal authority or right to collect personal information outside of what is required for the business activities or programs belonging to the public body.

Q: What are the common standards for public bodies that use consent?

A: According to the Government of Alberta - Service Alberta FOIP Bulletin No. 17 whether consent is given in writing, in electronic form or orally, there are certain requirements that are common to all three forms of consent:

• There must be a record of the consent over which the public body has control
• The identity of the person giving consent must be authenticated (Example: a signature)
• There must be a reliable link between the person giving the consent and the consent itself (Example: the text and the signature appear together on the form)

Q: How does a public body authenticate identity?

A: Based on the Government of Alberta - Service Alberta FOIP Bulletin No. 17, protecting privacy requires verifying or "authenticating" the identity of the individual giving consent.

Notably, if an individual contacts a public body by telephone or over the Internet, the level of assurance is lower. Assurance is increased if the office has processes in place to authenticate the individual's identity.

Authentication typically relies on one or more of the following:

• Something you know (Example: password, security question, PIN, mother's maiden name)
• Something you have (Example: smart card, key, hardware token)
• Something you are (Example: fingerprints, voice patterns)

The level of authentication should always be appropriate to the nature of the use or disclosure and the sensitivity of the personal information involved.

Q: What are the requirements for a public body to obtain consent (in writing)?

A: The written consent of an individual grants the legal authority for a public body to use or disclose an individual's personal information under section 39(1)(b) or 40(1)(d) of the FOIP Act.

Section 7 of the Alberta FOIP Regulation, outlines that for a public body to obtain the legal authority to use or disclose personal information through consent from the individual the consent:

7(2)(a) - must meet the requirements of subsection 7(4)

7(2)(b) - must specify to whom the personal information may be disclosed and how the personal information may be used.

7(4) - must be signed by the person who is giving the consent.

Note: A signature is a form of authentication that lets a public body identify the person purporting to sign a document, shows the signatory's intent to be bound by the document and links the signatory with the text of the document - Government of Alberta - Service Alberta FOIP Bulletin No. 17

Additionally, the consent of an individual for a public body using or disclosing an individual's personal information under section 39(1)(b) or 40(1)(d) of the FOIP Act should ensure that:

39(1)(b) - the individual the information is about has identified the information and consented, in the prescribed manner, to the use, or

40(1)(d) - the individual the information is about has identified the information and consented, in the prescribed manner, to the disclosure

Notably, because the public body will be collecting personal information directly from the individual the public body must also inform the individual of the following regarding the collection in accordance with section 34(2):

34(2)(a) - the purpose for which the information is collected,

34(2)(b) - the specific legal authority for the collection, such as 33(c), and

34(2)(c) - Relevant contact information: Title, Business Address and Business telephone number of an employee of the public body who can answer the individual's questions about the collection.

Back to top

FOIP and electronic consent

Q: What are the requirements for a public body to obtain electronic consent?

A: The electronic consent of an individual grants the legal authority for a public body to use or disclose an individual's personal information under section 39(1)(b) or 40(1)(d) of the FOIP Act.

Electronic consent can take many forms, such as sending an e-mail, clicking on an icon or button on a website, or submitting a file on a computer disk. However, the consent will only be valid if it meets all of the requirements under section 7(5) of the Alberta FOIP Regulation.
- Government of Alberta - Service Alberta FOIP Bulletin No. 17

Section 7 of the Alberta FOIP Regulation, outlines that for a public body to obtain the legal authority to use or disclose personal information through consent from the individual the consent:

7(2)(a) - must meet the requirements of subsection (4) and (5)

7(2)(b) - must specify to whom the personal information may be disclosed and how the personal information may be used.

7(4) - must be signed by the person who is giving the consent.

Note: The Alberta FOIP Regulation section 7(1)(b) defines an electronic signature as electronic information that a person creates or adopts in order to sign a record and that is in, attached to or is associated with the record.

Additionally, consent in electronic form is valid if:

7(5)(a) - the head of the public body has established rules respecting the purposes for which consent in an electronic form is acceptable,

Section 7(5)(a) requires the public body to establish a policy or "rules" that set out the purposes for which it will accept electronic consent. A public body will need to examine their programs and services and determine how they use or disclose information, the sensitivity of the personal information involved, the parties to whom the information will be disclosed (Examples include, another public body, private organization, or another individual, and the associated risks for accepting electronic consent in those circumstances - Government of Alberta - Service Alberta FOIP Bulletin No. 17

7(5)(b) - the purpose for which the consent is given falls within one or more of the purposes set out in the rules mentioned in clause (a),

7(5)(c) - the public body has explicitly communicated that it will consent in an electronic form.

Express communication could include posting a notice on a website or publishing a statement in a program guide, brochure or newsletter.
- Government of Alberta - Service Alberta FOIP Bulletin No. 17

7(5)(d) - the consent in electronic form must be:

(i) accessible by the public body so that it is usable for subsequent reference,
(ii) capable of being retained by the public body, and
(iii) meets the information technology standards (if any) established by the public body,

7(5)(e) - the consent in electronic form includes the electronic signature of the person giving the consent,

7(5)(f) - the electronic signature

(i) Is reliable for the purposes of identifying the person giving consent, and
(ii) Meets the information technology standards and requirements as to the method of making the signature and as to the reliability of the signature, if any, established by the public body

7(5)(g) - the association of the electronic signature with the consent is reliable for the purpose for which consent is given.

Note #1: Alberta FOIP Regulation section 7(1)(b) defines an electronic signature as electronic information that a person creates or adopts in order to sign a record and that is in, attached to or is associated with the record .

Note #2: The definition makes it clear that the electronic signature does not have to resemble a handwritten signature. The electronic signature is simply required to be electronic information created or adopted by the signatory as their signature. However, it must also be reliable for verifying the signatory is who he or she purports to be.
- Government of Alberta - Service Alberta FOIP Bulletin No. 1

Additionally, the consent of an individual for a public body using or disclosing an individual's personal information under section 39(1)(b) or 40(1)(d) of the FOIP Act must ensure that:

39(1)(b) - the individual the information is about has identified the information and consented, in the prescribed manner, to the use, or

40(1)(d) - the individual the information is about has identified the information and consented, in the prescribed manner, to the disclosure

Notably, because the public body will be collecting personal information directly from the individual the public body must also inform the individual of the following regarding the collection in accordance with section 34(2):

34(2)(a) the purpose for which the information is collected,

34(2)(b) the specific legal authority for the collection, such as 33(c), and

34(2)(c) Relevant contact information: Title, Business Address and Business telephone number of an employee of the public body who can answer the individual's questions about the collection.

Back to top

FOIP and oral consent

Q: What are the requirements for a public body to obtain oral consent?

A: The oral consent of an individual grants the legal authority for a public body to use or disclose an individual's personal information under section 39(1)(b) or 40(1)(d) of the FOIP Act.

Oral consent provisions in the Alberta FOIP Regulations section 7(6) can be considered as encompassing consent given in speech, whether in person, by telephone or some other means of spoken communication.
- Government of Alberta - Service Alberta FOIP Bulletin No. 17
Section 7 of the Alberta FOIP Regulation, outlines that for a public body to obtain the legal authority to use or disclose personal information through obtaining oral consent the process:

7(2)(a) - must meet the requirements of subsection (4) [*consent in writing only] and (6)

7(2)(b) - must specify to whom the personal information may be disclosed and how the personal information may be used.

Additionally, oral consent is valid if:

7(6)(a) - the head of the public body has established rules respecting the purposes for which consent that is given orally is acceptable,

Section 7(6)(a) requires a public body to establish "rules" that define the purposes for which it will accept consent given orally. Oral consent must be appropriate for the purpose for which the public body is using or disclosing the personal information under Part 2 of the Act. Factors to be considered include the circumstances under which the information is to be use or disclosed, the nature of the personal information involved, the party to whom the information will be disclosed and the risks associated with permitting oral consent - Government of Alberta - Service Alberta FOIP Bulletin No. 17

7(6)(b) - the purpose for which the consent is given falls within one or more of the purposes set out in the rules mentioned in clause (a),
7(6)(c) - the public body has explicitly communicated that it will accept consent that is given orally,

Section 7(6)(c) requires the public body to expressly communicate to the public the purposes for which it will accept oral consent. For example, a public body could post a notice on a website or at its front counter, include a statement in a newsletter to its clients, or have the service representative at the call centre confirm that oral consent is acceptable for the caller's purpose.
-Government of Alberta - Service Alberta FOIP Bulletin No. 17

7(6)(d) - the record of consent:
(i) Is accessible by the public body so as to be usable for subsequent reference, and
(ii) Is capable of being retained by the public body,

Sections 7(6)(d)(i) and (ii) provide that oral consent will be valid only if a record can be made of the consent and the public body has access to and control over the record for future reference.
-Government of Alberta - Service Alberta FOIP Bulletin No. 17

7(6)(e) - the public body has authenticated the identity of the individual giving consent, and

Based on the Government of Alberta - Service Alberta FOIP Bulletin No. 17, protecting privacy requires verifying or "authenticating" the identity of the individual giving consent.

Notably, if an individual contacts a public body by telephone or over the Internet, the level of assurance is lower. Assurance is increased if the office has processes in place to authenticate the individual's identity.

Authentication typically relies on one or more of the following:

• Something you know (Example: password, security question, PIN, mother's maiden name)
• Something you have (Example: smart card, key, hardware token)
• Something you are (Example: fingerprints, voice patterns)

The level of authentication should always be appropriate to the nature of the use or disclosure and the sensitivity of the personal information involved.

7(6)(f) - the method of authentication is reliable for the purposes of verifying the identity of the individual and for associating the consent of the individual.

7(7) - For the purposes of subsection 6(d), a record of the consent must be:

(a) An audio recording of the consent created by or on behalf of the public body
(b) In the form of documentation of the consent created by an independent third party, or
(c) In the form of documentation of the consent created by the public body in accordance
with the rules established by the head of the public body.

For section 7(7)(c) the head of the public body must establish rules on the purposes and circumstances in which the public body may document consent given orally. The head may also wish to establish rules regarding the method by which this documentation is to be made. For example, the public body may require employees receiving consent to make a contemporaneous written and signed entry in a log detailing the text of the consent, who gave the consent, how identity was verified and date/time the consent was given - Government of Alberta -Service Alberta FOIP Bulletin No.17

Notably, because the public body will be collecting personal information directly from the individual the public body must also inform the individual of the following regarding the collection in accordance with section 34(2):

34(2)(a) the purpose for which the information is collected,

34(2)(b) the specific legal authority for the collection, such as 33(c), and

34(2)(c) Relevant contact information: Title, Business Address and Business telephone number of an employee of the public body who can answer the individual's questions about the collection.

Back to top

New use for personal information - consistent purpose

If the public body encounters a new use for the personal information already collected, the public body is not required to notify the individual the information is about as long as the use remains consistent with the purpose outlined in the original issued FOIP Notification Statement 34(2) pursuant to section 39(1)(a) which states:

39(1)(a) A public body may use personal information only for the purpose for which the information was collected or compiled or for a use consistent with that purpose.

According to section 41 of the FOIP Act, a use 39(1)(a) or disclosure 40(1)(c) of personal information is consistent with the purpose for which the information was collected or compiled if the use or disclosure:

41(a) - has a reasonable and direct connection to that purpose, and

41(b) - is necessary for performing the statutory duties of, or for operating a legally authorized program of, the public body that uses or discloses the information.

REMEMBER: A public body only has the legal authority to collect personal information under section 33 of the FOIP Act. Put another way, a public body only has the legal authority to collect what is required for the business activities or programs belonging to the public body under section 33(c) of the FOIP Act.

Additionally, a public body is not required to supply a FOIP Notification Statement 34(2), if the use of the personal information falls under 39(1)(c), which requires that the information be disclosed by that public body under section 40, 42 (Disclosure for statistical purposes), and 43 (Disclosure of information in archives). Section 39(1)(c) of the Alberta FOIP Act states that:

39(1)(c) - A public body may use personal information only for a purpose for which that information may be disclosed by that public body under section 40, 42 or 43.

Back to top

Using collected personal information for a new purpose

If a public body needs to use or disclose collected personal information for a new purpose that is either:

• not consistent with the purpose the personal information was originally collected as described in the FOIP Notification Statement according to 39(1)(a) or
• not for a purpose for which that information may be disclosed to that public body under section 40, 42 or 43 according to section 39(1)(c).

Then the public body would need to obtain consent from the individual the information is about to obtain the legal authority to use 39(1)(b) or disclose 40(1)(d) the personal information under the FOIP Act.

The consent of an individual for a public body using or disclosing an individual's personal information under section 39(1)(b) or 40(1)(d) of the FOIP Act must ensure that:

39(1)(b) - the individual the information is about has identified the information and consented, in the prescribed manner, to the use, or

40(1)(d) - the individual the information is about has identified the information and consented, in the prescribed manner, to the disclosure

Notably, section 40 in Part 2 of the Alberta FOIP Act outlines the allowances or circumstances when a public body may disclose limited personal information.

Additionally, section 7 the Alberta FOIP Regulation outlines the requirements under the Act regarding obtaining consent from the individual the information is about prior to the use or disclosure of their personal information.

A detailed summary regarding the requirements regarding obtaining consent from an individual by a public body is provided on page 3 of this Guide.

REMEMBER: A public body only has the legal authority to collect personal information under section 33 of the FOIP Act. Put another way, obtaining consent does not give the public body the legal authority or right to collect personal information outside of what is required for the business activities or programs belonging to the public body.

Back to top

Collecting new personal information

If the public body requires new information to be collected from an individual (that is, above and beyond what information was originally collected) for the same purpose the public body must take the following steps in accordance with the Alberta FOIP Act.

1. Prior to collection, check that the public body has the legal authority to collect the new personal information under section 33 of the FOIP Act as:

33 No personal information may be collected by or for a public body unless:

33(a) - the collection of that information is expressly authorized by an enactment of Alberta or Canada,

33(b) - the information is collected for the purposes of law enforcement

33(c) - the information relates directly to and is necessary for an operating program or activity of the public body.

2. Create a New FOIP Notification Statement for the individuals the information is about in accordance with the requirements in section 34(2) of the Alberta FOIP Act for direct collection, which states the notification must include:

34(2)(a) - the purpose for which the information is collected,

34(2)(b) - the specific legal authority for the collection, such as 33(c), and

34(2)(c) - Relevant contact information: Title, Business Address and Business telephone number of an employee of the public body who can answer the individual's questions about the collection.

3. Identify the individuals involved and provide those effected with a new notice using appropriate distribution avenues, which may include by letter, in person, e-mail or by phone.

Back to top