The City is committed to protecting your personal information. The City's Protection of Privacy Administration Policy lays out the principles, responsibilities, and practices that guide how The City collects, manages, uses, and protects personal information, data derived from personal information, and non-personal data.

The Policy also includes a Privacy Incident Response Protocol (Appendix 1). This identifies roles, responsibilities, and specific steps that must be followed by employees in the event of a privacy incident.

Privacy Management Program review, assessment and update

This Privacy Management Program is reviewed, assessed, and updated from time to time, at least every two years. The Privacy Officer is responsible for this review. 

Who is responsible for privacy?

We all have an important role in upholding the privacy standards set out in the Protection of Privacy Administration Policy and its accompanying standards. The Policy outlines the general responsibilities by the different roles to ensure The City is compliant with POPA.

Public availability of the Privacy Management Program

The City makes this Privacy Management Program available to the public, as required by the Ministerial Regulation. 

Privacy Officer designation

The City has designated the Privacy Officer position to help ensure compliance with POPA.

• Position title: Privacy Officer
• Department: Law, Legislative Services & Security
• Contact: AccessandPrivacy@calgary.ca

The Privacy Officer is responsible for:

• Overseeing and coordinating The City’s compliance with POPA and this Privacy Management Program;
• Providing advice to business areas about privacy responsibilities, policies, and procedures;
• Reviewing and approving privacy impact assessments;
• Managing the privacy incident response process;
• Overseeing mandatory privacy awareness training;
• Acting as the main contact with the Privacy Commissioner; and
• Maintaining and regularly reviewing this Privacy Management Program.

Requests to correct personal information

If you believe personal information The City holds about you is incorrect, you can ask for it to be corrected by filling out the online form (CC982).

The City has a standard that explains how these requests are received and reviewed under section 7 of POPA.

Incident response

The City has policies and procedures in place to help staff respond to privacy incidents carefully and consistently, as required by section 10(2) of POPA. See page 13 of the Protection of Privacy Policy for further details.

Complaint response

If you have concerns about how The City collected, used, or shared your personal information, you can make a complaint to The City first. This is the first step before asking the Office of the Information and Privacy Commissioner of Alberta (the Commissioner) to review the matter.

To make a complaint, please contact us at AccessandPrivacy@calgary.ca.

We will acknowledge your complaint within two business days. We aim to review and respond within 30 business days of receiving your complaint.

If we are unable to resolve your complaint, we will let you know about your right to make a complaint to the Commissioner under section 38 of POPA.

You may also ask the Commissioner to review the matter if you believe your personal information was collected, used, or shared in a way that does not follow POPA.

Non-personal data

The City is developing documentation on how employees must create, use, and share non-personal data in line with POPA. We also provide guidance and tools to help staff follow these requirements and follow best practices when creating non-personal data.

Artificial intelligence, data derived from personal information, and data matching

The City's Proactive Monitoring and Safeguards for Information Systems document explains how employees must handle personal information used in artificial intelligence systems. Along with how data derived from personal information may be created, and how non-personal data may be created, in line with the POPA.

Automated systems using personal information

The City uses automated systems involving personal information in line with POPA. The Proactive Monitoring and Safeguards for Information Systems explains the safeguards in place to help protect personal information in these systems. Some technical and security details have been removed, as permitted under section 6(4) of the Ministerial Regulation, to help protect the information's security.

Information security classification system

The City maintains an information security classification system that applies to all personal information, data derived from personal information, and non-personal data in the custody or under the control of The City.

Written administrative, technical, and physical safeguards

The City's Proactive Monitoring and Safeguards for Information Systems explains the administrative, technical, and physical safeguards in place to help protect personal information, data derived from personal information, and non-personal data. Some technical and security details have been removed, as permitted under section 6(4) of the Ministerial Regulation, to help protect the security of the information.

As part of our commitment to secure The City’s technology environment and protect The City’s data and information, the Acceptable Use of City Technology Resources Policy outlines the expectations of using City technology resources.

Mandatory employee training

All City employees must complete privacy awareness training.

This training helps employees understand how to protect personal information and meet their responsibilities under POPA. It covers:

• An overview of POPA and what employees are required to do;
• The rules for collecting, using, sharing, and protecting personal information;
• The right to ask for a correction to personal information;
• How to identify and respond to privacy incidents; and
• The City’s privacy policy and the roles employees play in protecting personal information.

New employees complete this training by the end of their first calendar year. Employees complete refresher training every year. The training is offered online through the Corporate Learning & Development portal. Human Resources keeps the training records.

Privacy impact assessment process

The City's Privacy Compliance and Risk Assessment Standard explains when a privacy impact assessment is required and how employees must complete one under section 26(1) of POPA.

Consent policies and procedures

The City has a standard that requires employees to obtain verbal, written, or electronic consent before using or sharing personal information, in line with section 2 of the Protection of Privacy Regulation.

Proactive monitoring of information systems

The City proactively monitors information systems that hold personal information, data derived from personal information, and non-personal data. The Proactive Monitoring and Safeguards for Information Systems explains these monitoring activities and the safeguards in place to help protect this information. Some technical and security details have been removed, as permitted under section 6(4) of the Ministerial Regulation, to help protect the security of the information.