Privacy Management Program

Maintaining public trust is fundamental to the Calgary Police Service (CPS). We are committed to operating with transparency, complying with legal and regulatory requirements and managing information responsibly. Protecting the privacy and confidentiality of the information entrusted to us is a priority, and this responsibility is carried out through all aspects of our work. This is additionally reflected in our policies, procedures and practices related to secure data management.

The CPS’ Privacy Management Program outlines how the Service collects, uses, discloses, secures and stores personal information and the various programs and practices designed to maintain the confidentiality and security of that information.

Privacy Management Program

The CPS Privacy Management Program ensures that confidential information entrusted to the CPS remains secure. This program provides transparency and accountability to Calgarians and is pursuant to section 25(1) of the Protection of Privacy Act (POPA). It also establishes how the CPS protects and safeguards personal information.

The CPS is entrusted with large volumes of highly sensitive information related to public safety, law enforcement, emergency response and community services. Protecting this information is essential to maintain public trust and ensure the integrity of policing operations.

The program ensures compliance with the Access to Information Act (ATIA) and the POPA. It reinforces the CPS’ commitment to public safety while respecting the privacy rights of Calgarians. This is accomplished by safeguarding all personal information collected during investigations and community interactions, along with digital evidence and policing systems.

Privacy by Design principles are embedded into our privacy governance through daily operations, technology use, intelligence programs and investigative practices. Privacy considerations are integrated in all planning stages of projects and expectations are reinforced during recruitment and throughout members’ careers.

As the Privacy Management Program evolves and is reviewed within the CPS, updates and additions will be found on this page.

The periodic review process is intended to:

  • Confirm ongoing compliance with the POPA and applicable ministerial regulations
  • Assess the effectiveness and adequacy of privacy policies, procedures and controls
  • Identify gaps, emerging risks or areas for improvement
  • Ensure the Privacy Management Program reflects changes in programs, services, technologies and information practices

CPS Roles and Responsibilities

The CPS’ Access and Privacy Section is responsible for access requests, privacy impact assessments (PIAs), incident management, reviews, advice and education.

Access and Privacy Section Roles:

Privacy Officer: The delegated authority by the Head of the Public Body to ensure overall compliance with Privacy legislation. Director, Access and Privacy Section: Jill Merrett, access@calgarypolice.ca

  • The role of the Director is to champion and advocate for access and privacy internally and externally by managing, auditing and implementing the privacy management program.

Access to Information Coordinator: Director, Access and Privacy Section: Jill Merrett, access@calgarypolice.ca

  • The role of the Director is to oversee the request for access and request for correction process within the CPS and collaborate and respond to reviews and inquiries with the Office of the Information and Privacy Commissioner (OIPC).

All CPS employees

  • Every employee across the Service is required to ensure compliance with privacy legislation, policies, procedures and complete privacy training, report privacy incidents and submit PIAs for review. Doing so confirms their practices and actions have privacy in mind.

Legal frameworks, Polices and Procedures Related to Access and Privacy

  • Access to Information Act
  • Protection of Privacy Act
  • Police Act
  • Police Service Regulations
  • Criminal Code of Canada
  • Youth Criminal Justice Act
  • CPS’ policies and standard operating procedures 

Confidentiality and Access Controls

The CPS limits access to personal information on a strict need-to-know basis, ensuring employees can only view the minimum information required to perform their duties. All sworn and civilian members are made aware of their privacy obligations during the recruitment and probation process and are continually reminded throughout their careers of the importance and necessity of protecting personal information.

Access to sensitive systems is governed by role-based permissions, audits and additional safeguards, supported by established security measures and policies.

Oversight and Auditing

Effective privacy management requires strong governance mechanisms to ensure accountability, continuous improvements and timely response to privacy risks and incidents. The CPS is formalizing a structured approach to oversight, auditing and escalation to monitor compliance with applicable privacy laws, internal policies and contractual obligations

Part of the formalized structure is completing random audits of users of any CPS system. This Includes audits of team access and use of information to ensure they are accessing only the things they need to do their jobs. These will be conducted on a periodic basis to ensure all users are accessing what is required for their duties.

Annual audits are currently underway of access by all users through Information Sharing Agreements (ISA), ensuring the right people have the right access to CPS systems. Detailed ISA agreements advise users of their responsibilities and the consequences for non-compliance.

Training and Awareness

All CPS employees are required to take mandatory training and then continue with ongoing training and education to ensure awareness and understanding of privacy obligations.

Training is regularly reviewed and updated to ensure the information learned is relevant and up to date. The CPS is currently in the process of updating training modules to incorporate new legislation.

Training and education includes, but is not limited to:

  • Training modules offered by the Chief Crowfoot Learning Centre
  • All new employees attend orientation where the introduction to privacy at the CPS is presented
  • All new recruits have a training module in their schedule
  • Area-specific training for teams to have a clear understanding of what they can and cannot do under privacy legislation
  • Topic-specific training and presentations to educate on systems and processes related to privacy
  • Implementing a culture of privacy through awareness and understanding of how it is applied every day in the workplace and the world
  • Regular follow-ups with individuals who have specific questions
  • Ongoing awareness campaigns

Privacy Impact Assessments

Privacy impact assessments (PIAs) are completed when new technology, initiatives, services or processes are implemented or if any significant changes are made to current practices. These include significant software updates, changing vendors and creating new systems or workflow processes. It also includes working with external partners and any sharing of information and data.

PIAs document the authority for the collection, use and disclosure of personal information. It identifies the privacy risks associated with a project and explains the mitigation measures to avoid any potentially identified risk. PIAs also govern how the information is used, retained, secured and accessed within the CPS.

CPS employees are required to engage with the Access and Privacy Section at the outset of a project to begin collaborative work throughout the review. The PIA documents all the policies, systems, processes and then tests them to ensure what is expected to happen actually happens. They are designed to work alongside and advise, adjust and review. Once the CPS is satisfied that all aspects have been covered, documented and reviewed for risk, it is submitted to the OIPC for review.

Most PIAs that the CPS is required to complete will be submitted to the OIPC for review. Once PIAs are accepted by the OIPC, summaries will be publicly shared on the CPS website and will be available free of charge.

Automation, Artificial Intelligence and Algorithmic Decision-making

Automated systems, artificial intelligence (AI) and algorithmic tools may be used to support decision-making, risk assessment prediction, organizational operations or recommendations involving personal information. The CPS is committed to ensure the use of such technologies is transparent, accountable, fair and compliant with the POPA.

When these systems are used, the CPS will ensure:

  • Transparency
  • Human oversight
  • Safeguards are in place
  • Bias and fairness monitoring
  • Risk assessment through PIAs

The AI Governance Committee within the CPS reviews all requests for the use of automated decision-making technology including technology that uses AI. All projects and requests must be made through this committee before any significant steps are taken towards the use of it. The role of the committee is to review requests and proposals and provide governance over the responsible use of AI within the Service.

With mandatory PIAs and new guidance from government and Privacy Commissioners, the CPS is continually reviewing its processes and systems in relation to procurement, security, access and responsible use in relation to artificial intelligence. The CPS will continue to monitor and review new information to ensure that the highest level of attention, review and implementation is done with the highest possible standards of privacy.

Privacy Complaints

The CPS maintains a formal, accessible and documented privacy complaint process pursuant to section 38(2) of the POPA to ensure privacy concerns are addressed fairly, consistently and in a timely manner.

To file a complaint or concern, email the CPS Privacy Officer at access@calgarypolice.ca.

The complaint process enables early resolution of identified concerns and issues and provides individuals with the ability to seek clarification and address their concerns prior to submitting a complaint to the OIPC. If concerns are not settled, individuals can contact the OIPC at their website here: https://oipc.ab.ca/

Request for Corrections

Requests to correct personal information are made in accordance with the ATIA and section 6 and section 7 of the POPA. Requests must be submitted to CPS’ Access and Privacy Section where they will be reviewed by the Access to Information Co-ordinator.

If you believe your personal information is incorrect, please contact access@calgarypolice.ca and we will provide you with the form to complete. You may also send an email to the above email address outlining the following: 

  • Your contact information
  • A copy of your identification and verified identification (“selfie” with your ID)
  • The record that contains the incorrect information along with the proof that shows that the information is incorrect. For example, your name is spelled wrong and you provide your driver’s licence with the correct spelling

Incident Management

Privacy incidents involve the unauthorized access, collection, use and/or disclosure of personal information.

When an incident occurs, it is mandatory to be reported to the Access and Privacy Section to be investigated. Depending on the nature of the incident other areas of the Service may be engaged to address the incident.

After every incident, a privacy review is completed to ensure that the Service has implemented best practices and make any adjustments if needed.

The ramifications of a privacy incident can be severe, as it can lead to the erosion of trust in the public body, emotional distress, reputational harm, financial loss and/or identity theft.

All privacy incidents will be reviewed and assessed for real risk of significant harm (RROSH) in accordance with section 4(1) of the Protection of Privacy (Ministerial) Regulation. If a review identifies that RROSH exists then the affected individuals, OIPC and Minister will be notified.

In some cases, the CPS will pursue charges against individuals who breach personal information under section 60(1) of the POPA. Charges can amount to individual fines up to $125,000 per instance and for organizations upwards of $1 million.

Personal Information Banks

The CPS maintains a comprehensive personal information inventory in accordance with section 57 of the POPA to identify, document and understand the personal information held within the Service.

The CPS will be undertaking a Service-wide review of the current list and update it as needed. Once the personal information inventory review is complete, it will support the creation and maintenance of a publicly accessible directory of our personal information banks (PIBs).

PIBS are formal descriptions of personal information in the custody and/or control of the CPS. PIBs explain what personal information is being collected, how it is used and under what legal authority. The existence of PIBs ensure transparency, accountability and easy access for individuals who want to know what personal information the public body holds about them. It is important to note that a PIB does not provide direct access to individual records, they simply describe the existence and purpose of each information bank.

Research at CPS

The CPS supports collaboration with post-secondary institutions, government bodies and accredited researchers to responsibly share data and support evidence-based analysis. This process is outlined in section 15 of the POPA.

The Research Advisory Committee was developed to objectively review research proposals and provide written recommendations to the Chief of Police about which research initiatives the CPS should support or participate in.

Researchers are required to submit proposals along with an ethics review and can find those requirements here 

Records Management

Information within the CPS must be created, maintained, used and decommissioned in a way that supports privacy and accountability. The CPS maintains a structured lifecycle for all records to ensure they are protected throughout their retention period. In accordance with section 2 of the Protection of Privacy (Ministerial) Regulation, a security classification system is required. CPS has implemented the ISC classification system that identifies the following areas of classification:

Unclassified – If compromised will not result in harm to individuals, government, private sector and any financial loss will be insignificant.

Protected A– Sensitive information; if compromised may cause harm to an individual or organization.

Protected B – Personal and or sensitive information; if compromised may cause serious injury to an individual or organization or may negatively impact public trust and credibility.

Protected C – Extremely sensitive and/or restricted information; if compromised may cause grievous bodily harm or jeopardize public safety

Key practices include:

  • Classification of all records – Security Classification System (Protected A, B, C)
  • A retention schedule that specifies how long a record is kept for and the proper and secure destruction of records when they have reached their lifecycle
  • Access and disclosure controls to limit who requires the information to perform an authorized duty
  • Secure storage and safeguards – using administrative, technical and physical safeguards to protect personal information
  • Regular review of access and security controls

Accountability and Reporting

To promote transparency and accountability, the CPS is committed to regularly reporting on its performance through clearly defined metrics. These metrics help demonstrate how effectively the Service is meeting strategic priorities and serving the community. This ongoing reporting process supports informed decision-making and reinforces public trust by making performance data accessible and understandable.