Alberta’s New Protection of Privacy Act (POPA): What It Means for Your Microsoft 365 Environment
- echotransformation
- Aug 6
Alberta’s public sector just got a major privacy upgrade.
As of June 11, 2025, the new Protection of Privacy Act (POPA) has officially replaced the privacy provisions of the FOIP Act. It’s a big step forward for how public bodies like municipalities, schools, and health organizations manage personal information.
If your team uses Microsoft 365 (Outlook, Teams, SharePoint), this isn’t just legal fine print. It’s a real operational shift that affects how you collect, store, share, and protect data every day.
Let’s break down what’s changed and what you need to do about it.
POPA Brings a New Era of Privacy Expectations
Here’s what POPA introduces:
Privacy by Design: Privacy must be considered from day one, not added later.
Automated Systems Disclosure: If your systems use AI or automated decision-making, you must inform users.
Mandatory Breach Notifications: If a breach could cause significant harm, you must notify the affected individuals.
Privacy Management Program: By June 2026, all public bodies must have formal, documented privacy programs.
Privacy Impact Assessments (PIAs): Required for all new programs or major changes.
Stronger Penalties: Fines can now reach $50,000 for non-compliance.
In short? Privacy isn’t a checkbox. It’s a built-in requirement, and one that needs proactive planning and execution.

What POPA Means for Microsoft 365
Microsoft 365 is packed with productivity features, but many of them collect or process personal data, often in ways that aren’t obvious to end users.
Here’s where to focus your attention:
Microsoft Teams
Meeting Recordings & Transcriptions
Recording a meeting? You're collecting personal data, including names, voices, video, and chat content.
Example: A school board records a parent consultation via Teams. The recording includes identifiable student information and personal commentary.
Solution:
Add a consent notice before recording begins, either in the calendar invite or the meeting chat.
Verbally remind participants at the start of the meeting.
Review your retention policies to ensure recordings are deleted when no longer needed.
Live Captions & AI Tools
Real-time captioning and translation use AI to process participants' spoken words and display them as text.
Example: A municipal committee enables live captions during public meetings, creating a real-time transcript of what participants say, including names, opinions, and context.
Solution:
Inform participants that AI features like live captions and translation are enabled.
Include a brief disclosure in your meeting invite or verbally at the start of the session.
Consider whether captions or transcripts are being stored and treat them as personal data if so.
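One way to put the recording and caption guidance above into tenant configuration is a dedicated Teams meeting policy. The script below is an added example, not code from the original post or from Echo Transformation; it assumes the Microsoft Teams PowerShell module is installed, that you hold a Teams administrator role, and that the policy name, the 60-day expiry and the user address are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): a Teams meeting policy that
# enforces recording consent, keeps AI transcripts off by default, and
# expires recordings automatically. Placeholder values are marked below.
Connect-MicrosoftTeams

$policyName = "POPA-PublicMeetings"   # placeholder policy name

# Create the policy only if it does not exist yet; later runs just update it.
if (-not (Get-CsTeamsMeetingPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsTeamsMeetingPolicy -Identity $policyName | Out-Null
}

# Splatting keeps each setting next to the reason it is there.
$settings = @{
    Identity                          = $policyName
    AllowCloudRecording               = $true
    ExplicitRecordingConsent          = "Enabled"               # participants must consent before their audio/video is captured
    AllowTranscription                = $false                  # no stored AI transcript unless a PIA approves it
    LiveCaptionsEnabledType           = "DisabledUserOverride"  # captions off by default; can be enabled after disclosure
    NewMeetingRecordingExpirationDays = 60                      # placeholder; align with your retention schedule
}
Set-CsTeamsMeetingPolicy @settings

# Assign the policy to staff who host public or parent-facing meetings (placeholder address).
Grant-CsTeamsMeetingPolicy -Identity "clerk@contoso.example" -PolicyName $policyName

# Confirm what was applied.
Get-CsTeamsMeetingPolicy -Identity $policyName |
    Select-Object Identity, ExplicitRecordingConsent, AllowTranscription, LiveCaptionsEnabledType, NewMeetingRecordingExpirationDays
```

The consent setting covers the "verbal reminder" step technically, since Teams will not capture a participant who has not agreed, but it does not replace the notice in the invite; the expiry setting is the retention control that makes the "delete when no longer needed" step happen without someone remembering to do it.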
Outlook
Suggested Replies & Insights
Features like Suggested Replies, Scheduling Insights, and Meeting Reminders are powered by AI and rely on behavioral data such as how often you email someone, meeting patterns, or your calendar availability.
Example: A government department uses Outlook across teams. Staff begin seeing automated email suggestions based on internal communication history and work habits.
Solution:
Update your organization's privacy notice to explain how Outlook processes behavioral data.
Let users know these features are AI-powered and may surface based on personal patterns.
Email Retention
Under POPA, organizations must avoid retaining personal information longer than necessary. Email can easily become a long-term repository for sensitive data if not managed intentionally.
Example: An educational institution stores staff and parent correspondence indefinitely in Outlook, including personal information about students and families.
Solution:
Set retention rules in Microsoft 365 to automatically delete or archive emails after a defined period.
Apply data classification labels where necessary to manage sensitive communications more carefully.
Regularly review retention settings to ensure compliance with data minimization principles.

SharePoint
Sensitive Information in Document Libraries
SharePoint libraries often store documents containing personal information, including forms, applications, or internal records. Without clear controls, this data can be accessed too broadly or stored in the wrong location.
Example: A municipality stores employee onboarding forms in a general-purpose SharePoint library with open access, exposing personal addresses and Social Insurance Numbers to unintended viewers.
Solution:
Apply sensitivity labels to flag and protect personal data.
Use permission controls to restrict access to only those who need it.
Store sensitive documents in designated libraries with clear security configurations.
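The permission and designated-library steps above can be checked and enforced from the SharePoint Online Management Shell. The script below is an added example, not code from the original post or from Echo Transformation; it assumes the SharePoint Online Management Shell is installed, that you hold a SharePoint administrator role, and that the tenant name "contoso", the site URL and the label GUID are placeholders.

```powershell
# Added example (not from the original post): lock down a designated HR library
# site and find other sites where sharing is still wide open. Placeholders below.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$hrSite = "https://contoso.sharepoint.com/sites/HR-Onboarding"   # placeholder site URL

# Record the current exposure before changing anything (useful evidence for the PIA).
Get-SPOSite -Identity $hrSite |
    Select-Object Url, SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Designated library: no external sharing, links go to named people only, view by default.
Set-SPOSite -Identity $hrSite `
    -SharingCapability Disabled `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View

# Optional: flag the site itself with a container sensitivity label (GUID is a placeholder).
# Set-SPOSite -Identity $hrSite -SensitivityLabel "00000000-0000-0000-0000-000000000000"

# Review: list every site that still allows "Anyone" links, the setting behind the
# open-access onboarding example, so each can be justified or tightened.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability
```

Site-level sharing settings are the outer boundary; library and item permissions inside the site still need to be reviewed, since a "Direct" link only helps if the people it is sent to are the ones who should see the file.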
Version History
SharePoint’s versioning feature tracks edits and stores previous document versions, which can sometimes retain outdated or incorrect personal information.
Example: An HR department edits a performance review document, but old versions still contain sensitive comments that should no longer be accessible.
Solution:
Regularly review and limit version history for sensitive libraries.
Configure version retention settings to avoid indefinite storage of personal data.
Include versioning practices in your Privacy Impact Assessments (PIAs).
Power Automate
Automated Flows & Decision-Making
Power Automate enables workflows that collect, process, and act on personal data, often without human intervention. These flows can analyze input, assign tasks, and send communications automatically.
Example: A resident submits a Microsoft Form to request a permit. A Power Automate flow reviews the form content, assigns it to a department based on keywords, and sends an automatic approval or rejection email, all without staff reviewing it first.
This kind of automated decision-making based on personal input may fall under POPA’s Automated Systems Disclosure requirement.
Solution:
Clearly disclose your use of automation either in your privacy notice or directly on the form or submission page.
Document any flows that handle personal information or make decisions without human input.
Avoid fully automated processing for high-impact decisions (like benefits, eligibility, or complaints) without a human review step.
Include Power Automate workflows in your Privacy Impact Assessments (PIAs) if they handle personal or sensitive data.
If a workflow gathers information and takes action without manual review, transparency is not optional; it’s both a legal and ethical requirement.
Admin & Compliance Center
The Microsoft 365 compliance tools give IT teams powerful ways to protect data, but under POPA they must be used with care and transparency.
Audit Logs
Audit logs track who accessed what and when, a key requirement for accountability.
Example: An IT administrator accesses files during a legal investigation. Without audit logs, there’s no way to confirm whether this access was appropriate or authorized.
Solution:
Turn on audit logging in Microsoft Purview.
Regularly review logs for suspicious or unauthorized access.
Include access logs in breach response plans.
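For the investigation scenario above, the question "was this administrator's access appropriate?" is answered from the unified audit log. The script below is an added example, not code from the original post or from Echo Transformation; it assumes the Exchange Online PowerShell module is installed, that you hold a role with audit-log search rights, and that the administrator address, the 30-day window and the output path are placeholders.

```powershell
# Added example (not from the original post): confirm unified audit logging is on,
# then extract one administrator's file activity for a review window. Placeholders below.
Connect-ExchangeOnline

# 1. Verify ingestion is enabled; this should return True. If it does not, there is
#    nothing to review, which is exactly the gap the example describes.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# 2. Pull SharePoint/OneDrive file operations for one account over the last 30 days.
$results = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds "it-admin@contoso.example" `
    -RecordType SharePointFileOperation `
    -Operations FileAccessed, FileDownloaded, FileDeleted `
    -ResultSize 5000

# 3. AuditData is a JSON string; unpack it and keep the fields an investigator asks for.
$report = $results | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        File      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# 4. Export for the case file, and summarise which files were touched most often.
$report | Export-Csv -Path ".\admin-file-access.csv" -NoTypeInformation
$report | Group-Object File | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

Searches that return exactly 5000 rows are almost certainly truncated; narrow the date range or use the `-SessionId`/`-SessionCommand` paging parameters of `Search-UnifiedAuditLog` for a complete export.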
Data Loss Prevention (DLP)
DLP policies prevent sensitive personal data from being shared inappropriately.
Example: A staff member attempts to email a spreadsheet containing health numbers to an external partner. The DLP policy blocks the message and alerts the privacy officer.
Solution:
Set DLP rules in Exchange, SharePoint, and Teams to detect and block protected data types (e.g., SINs, credit card numbers, bank account numbers).
Customize alerts to notify privacy teams of potential incidents.
Test your DLP policies to ensure they catch real-world risks.
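The health-number example above, generalized to the three identifier types the solution lists, can be built as one DLP policy with a single rule that blocks external sharing and reports to the privacy officer. The script below is an added example, not code from the original post or from Echo Transformation; it assumes Security & Compliance PowerShell (Connect-IPPSSession), that you hold a compliance administrator role, and that the policy and rule names, the privacy mailbox and the policy-tip text are placeholders. The three sensitive information type names are built-in Microsoft Purview types.

```powershell
# Added example (not from the original post): DLP policy for Canadian personal
# identifiers across Exchange, SharePoint, OneDrive and Teams. Placeholders below.
Connect-IPPSSession

$policy = "POPA-Personal-Identifiers"   # placeholder policy name

# Start in test mode so the "test your policies" step happens before anyone is blocked.
New-DlpCompliancePolicy -Name $policy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# One rule: a single SIN, card or bank account number shared outside the organisation
# is blocked, the sender sees a policy tip, and the privacy team gets an incident report.
New-DlpComplianceRule -Name "Block-external-SIN-financial" -Policy $policy `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Canada Social Insurance Number"; minCount = "1" },
        @{ Name = "Credit Card Number";             minCount = "1" },
        @{ Name = "Canada Bank Account Number";     minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains personal identifiers protected under POPA and cannot be shared externally." `
    -GenerateIncidentReport "privacy@contoso.example" `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity

# After reviewing the test-mode matches for false positives, switch to enforcement.
# Set-DlpCompliancePolicy -Identity $policy -Mode Enable

# Confirm the rule as stored.
Get-DlpComplianceRule -Policy $policy | Select-Object Name, AccessScope, BlockAccess, Mode
```

Test mode with notifications is the practical way to "test your DLP policies": users see the tip and the privacy team receives the reports, but nothing is blocked until the match volume and false positives have been reviewed and `-Mode Enable` is set.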
Retention & Deletion Policies
Retention policies control how long data is kept and when it is deleted, aligning with POPA’s requirement for data minimization.
Example: A municipality creates a policy to auto-delete draft files older than 90 days unless flagged for retention.
Solution:
Define how long you need to keep different types of content.
Apply retention labels and auto-deletion rules across M365.
Review and document your retention schedules to meet legal obligations.
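This section and the earlier Email Retention section describe the same mechanism applied to two workloads: a time-based deletion rule for mailboxes, a shorter one for draft files, and a label that exempts flagged items. The script below is an added example covering both, not code from the original post or from Echo Transformation; it assumes Security & Compliance PowerShell (Connect-IPPSSession), that you hold a compliance administrator role, and that the policy names, the site URL, the 7-year mailbox period and the 10-year keep period are placeholders that your records schedule replaces. The 90-day draft period is the one given in the example above.

```powershell
# Added example (not from the original post): retention policies for mailboxes and
# draft files, plus a "keep" label that overrides deletion. Placeholders below.
Connect-IPPSSession

# Mailbox correspondence: delete 7 years (2555 days, placeholder) after creation.
New-RetentionCompliancePolicy -Name "POPA-Mailbox-Correspondence" -ExchangeLocation All
New-RetentionComplianceRule -Name "Delete-mail-after-7y" -Policy "POPA-Mailbox-Correspondence" `
    -RetentionDuration 2555 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Draft files site (placeholder URL): delete 90 days after last modification.
New-RetentionCompliancePolicy -Name "POPA-Drafts-90d" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Drafts"
New-RetentionComplianceRule -Name "Delete-drafts-90d" -Policy "POPA-Drafts-90d" `
    -RetentionDuration 90 -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete

# "Flagged for retention": a label that keeps an item for 10 years (placeholder).
# In Purview, an explicit retention always wins over a deletion rule, so labelled
# drafts survive the 90-day policy.
New-ComplianceTag -Name "Keep-Official-Record" `
    -RetentionAction Keep -RetentionDuration 3650 -RetentionType CreationAgeInDays
New-RetentionCompliancePolicy -Name "POPA-Publish-Keep-Label" -ExchangeLocation All -SharePointLocation All
New-RetentionComplianceRule -Policy "POPA-Publish-Keep-Label" -PublishComplianceTag "Keep-Official-Record"

# Review and document: one table of every policy, its rule, period and action.
Get-RetentionCompliancePolicy | ForEach-Object {
    Get-RetentionComplianceRule -Policy $_.Name |
        Select-Object Policy, Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction
} | Format-Table -AutoSize
```

The final table is the artefact the "review and document your retention schedules" step asks for; exporting it on a schedule gives the privacy management program a dated record of what the tenant actually enforces.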
Why It Matters: POPA Isn’t Just About Legal Risk
Yes, there are fines. But the bigger risk is reputational and operational.
Without proper privacy practices:
Your staff may lose trust in the system
You may collect more data than needed, increasing exposure
You may not be ready to respond in the event of a breach
The good news? Microsoft 365 includes many of the tools you need; you just need to configure and manage them with intention.

What To Do Next
Getting POPA-ready doesn’t mean overhauling everything overnight. But it does require a clear plan.
Start here:
Update your privacy policy to reflect new disclosure and AI transparency requirements.
Train staff on how everyday Microsoft 365 actions may involve personal data.
Conduct a PIA before launching new features or tools.
Enable compliance features like DLP, audit logs, and sensitivity labels in your tenant.
Review Power Automate workflows for potential automation disclosures.
Echo Transformation Helps You Turn Compliance into Capability
At Echo Transformation, we help public sector teams align Microsoft 365 with real-world needs, including compliance with privacy laws like POPA.
Privacy doesn’t have to be overwhelming, and it shouldn’t slow down your team. With the right approach, it becomes part of a well-governed, high-performing digital workplace.
Need help navigating POPA in your Microsoft 365 environment?
Contact us today to book a privacy-readiness session.
Coming Next Week:
In next week’s ECHO session, we’ll explore how ATIA changes access and transparency requirements, and what it means for digital record-keeping in Microsoft 365.
Disclaimer:
This article is for informational purposes only and does not constitute legal advice. Organizations should consult their legal counsel to ensure compliance with POPA and other applicable legislation before making any decisions based on this content.