Act on your “Right to Know”

As taxpayers, it can feel like you write blank cheques to the public institutions that serve you. But Saskatchewan citizens represent more than a mere well-spring of funds; they bear the responsibility of holding public bodies to account.

To achieve this end, you might be interested to know:

  • why a particular contract was awarded by a ministry,
  • what factored into a new zoning decision in your town,
  • who has accessed your medical records, and more.

Saskatchewan citizens have a legislated right to know.

“Right to Know” Week is celebrated from September 22 to 28, 2025. Central to the celebration of citizens’ right to know are the following principles:

1. Access to information is a right of everyone.

In Saskatchewan, there are three Acts that govern access to information and privacy:

For copies of the prescribed forms, refer to OIPC’s How do I get access to information?

2. Access is the rule. Secrecy is the exception.

FOIP, LA FOIP, and HIPA provide for a public body to withhold information in limited and specific circumstances. A public body can refuse to disclose part (or all) of the information only if an Act provides for it in what is referred to as an “exemption.” Some exemptions are mandatory, which means that a public body must withhold that information, such as Cabinet confidences, third party business information, and personal information. Other exemptions are discretionary, which means that a public body may withhold that information, such as information related to law enforcement and investigations, advice from officials, and solicitor-client privilege.

3. The right applies to all public bodies.

In Saskatchewan, FOIP applies to provincial government institutions and LA FOIP applies to provincial local authorities only. OIPC has no authority over the federal government, unions, not-for-profit organizations, or the private sector, other than organizations that are health information “trustees.”

4. Making requests should be simple, speedy, and free.

FOIP, LA FOIP, and HIPA all require a public body to respond to an access to information request within 30 calendar days. If a public body is unable to fulfill the request within 30 calendar days, that public body is obligated to communicate its need of a time extension within those same 30 calendar days.

Although applications for access to information under FOIP are entirely free, there is a $20 application fee if making application under LA FOIP. It also merits mentioning that, under FOIP and LA FOIP, fees may be charged for search, preparation, and reproduction of records, though fees may be waived in certain circumstances. In the case of HIPA, a trustee also may charge a reasonable fee to recover costs in providing access to a record containing personal health information. For more information, check out OIPC’s Understanding Fees with Ease.

5. Officials have a duty to assist requesters.

Each public body has a duty to assist. This means that each public body and trustee must respond openly, accurately, and completely to requests and explain terminology, processes, actions, and decisions taken to fulfill an access request. For more information, see OIPC’s Understanding the Duty to Assist.

6. Refusals must be justified.

A public body is obligated to respond to the access to information request. If exemptions were applied to the information provided, the public body should tell the applicant, in writing, what specific exemptions applied to the information.

7. The public interest takes precedence over secrecy.

When considering whether it may withhold information, a public body needs to balance the right of access with denying it in order to protect other interests. It is of note, however, that FOIP, LA FOIP, and HIPA do not contain overarching “public interest overrides,” which would require that information be disclosed in all cases where the general public interest in disclosure outweighs the specific interest which is intended to be protected by the exemptions. The only exception to this is in the case of two exemptions in FOIP and LA FOIP, both of which address the treatment of third party business information and personal information.

8. Everyone has the right to appeal an adverse decision.

You can appeal a public body’s or trustee’s decision by requesting a review by OIPC. For more information, consider OIPC’s Guide to Requesting a Review from the OIPC. The FOIP “Request for Review Form” is available here, the LA FOIP “Request for Review Form” is available here, and the HIPA “Request for Review Form” is available here.

9. Public bodies should proactively publish core information.

Public bodies are strongly encouraged to enhance transparency and public participation by maximizing the ongoing proactive release of information to the public. In some cases, like with local authorities, other statutes like The Municipalities Act require that town councils, for example, make agendas and council meeting minutes publicly available.

10. The right to know should be guaranteed by an independent body.

That independent body, in Saskatchewan, is OIPC, which oversees FOIP, LA FOIP, and HIPA. OIPC is pleased to answer general and process related questions by phone at 306-787-8350 or via email at intake@oipc.sk.ca.

As part of “Right to Know” Week 2025, OIPC is hosting a free, public presentation called “Know Your Access to Information Rights” on Thursday, September 25 from 7pm-8:30pm at the Regent Place Library Branch in Regina, Saskatchewan. At the event, attendees will learn about their rights to access information held by public bodies and trustees in the province, how to exercise those rights, and how the OIPC serves citizens who are dissatisfied with the outcomes of their access requests. To attend, register at the link here or just drop in!

The term “show the receipts” has become a common colloquial expression. May this “Right to Know” Week 2025 remind you that you are entitled to ask for the receipts.

Influencing Source

“Right to Know.” Information Commissioner of Canada. https://www.oic-ci.gc.ca/en/right-know.

School is in Session

Are you:

  • New to the access and privacy field?
  • Working in access and privacy but looking for additional training?
  • Completing access and privacy tasks such as access to information requests or complaints into alleged breaches of privacy as a “side of the desk” job but have no real experience in it?

Navigating the access and privacy world can be challenging, particularly when there is a lack of training and educational resources provided, or you don’t know where to turn when you have questions. That’s why, with your help, we hope to continue to develop our education page on our website with a list of training resources that can help you gain a better understanding of the access to information and privacy breach complaint process.

In order to get this started, our office sent out a mass email to various organizations to collaborate on this education initiative. The response was extremely positive with some organizations offering links to their own access and privacy training modules or training they found to be particularly useful for their own organization. Even though there were several organizations that did not have anything to contribute, many of them were really excited about the prospect of coming back and accessing the list in the future. This just goes to show how valuable something like this is.

It is our hope that providing a list of additional training will assist those in the access and privacy field and help them better understand their obligations under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA).

To review the list of training and education material, please see our education page here. The information is posted under the heading External Educational Resources.

Please note that the Office of the Saskatchewan Information and Privacy Commissioner does not endorse any of the training listed on our website but rather aims at providing helpful solutions to those looking for additional training. If you know of any training that may be helpful for those working in this field, please feel free to email webmaster@oipc.sk.ca and we will review your submission for publication on our website.

AI and Children’s Privacy Podcast

In Commissioner Hession David’s first episode of Un-redacted, the Sask IPC Podcast, she discusses with Diane Aldridge, the Deputy Commissioner, an extremely important topic regarding children’s privacy and generative artificial intelligence (AI).

“The real concern in terms of children is that these models can be used to create the deep fakes that are becoming very common in the cyber world at present. This is where a person’s voice or persona can be poached from an available social media platform, and their voice can be re-created so they seem to say something that they never said in a situation that never was.”

Technology continues to evolve rapidly, so much so that it can be hard for adults to keep up and fully understand the risks, let alone children. You might be asking yourself, so how can I protect my children? I think we can all agree that supervision and monitoring goes a long way but there is more to it than that as “there are no AI specific controls or visibility options to oversee or control how your child interacts with Gemini or most chatbots so you need to have the direct conversation with your child about the need to keep personal information private.”

For more information on what exactly generative AI is, its history, and guidance on how you can take steps to protect your loved ones, listen to the full episode here.

If you have found this podcast helpful, let us know by clicking on the YES icon at the bottom of this blog or let us know on X or LinkedIn what topics you would like us to explore in the future. Thanks for listening!

“Bin” There, Shouldn’t Have Done That: When Medical Records End Up in the Wrong Bin

“Medical records found in Regina recycling bin” reads a CBC News headline from March 2011, where former Commissioner Dickson and members of our office were seen climbing into a paper recycling bin in Regina after personal health information was found inside. This case was, and still is, “the largest breach involving personal health information since The Health Information Protection Act (HIPA) was proclaimed on September 1, 2003” as stated by former Commissioner Dickson. Still, in October 2024, medical records were found blowing in the wind through an alley in Regina (Investigation Report 251-2024, 004-2025 – Elphinstone Medical Clinic).

While our office has only issued seven investigation reports involving personal health information being found in dumpsters or recycling bins[1], we have received at least 15 proactively reported breaches involving the same issue. This is likely only the tip of the iceberg in terms of the volume of personal health information that isn’t disposed of in a secure manner.

Saskatchewan is not alone in this problem of improper disposal of personal health information. In November of 2024, the Ontario Information and Privacy Commissioner (ON IPC) issued PHIPA Decision 266 and classified it as a “case of note” on its website, where personal health information was found in a recycling bin, and developed key takeaways from this case. Further, a study conducted in Ontario in 2018 that assessed the presence of personal health information through a recycling audit of five hospitals in the Toronto area, found that all five hospitals had established policies for disposal of personal health information including secure shredding bins. Of the nearly 2700 documents found, 31% were classified as medium sensitivity (personal health information including diagnosis), and 39% were classified as high sensitivity (personal health information including a description of the patient’s medical condition). Of the types of documentation improperly discarded, clinical notes, summaries, and medical reports were the most frequent type of information (31%).

Many other jurisdictions across Canada have seen similar incidents of improper disposal of personal health information, some having made the news. Some examples of similar incidents are listed below.

As demonstrated, the issue of personal health information being improperly disposed of for a variety of reasons poses a challenge within Saskatchewan and across Canada. Trustees must ensure the security of records in their custody or control through the records’ entire lifecycle, including the destruction phase. When they fail, the result is a privacy breach.

A privacy breach may occur if the trustee’s employees do not securely dispose of personal health information, but in some cases, as seen in the Elphinstone Medical Clinic case (Investigation Report 251-2024, 004-2025), it can occur when the trustee’s cleaning company causes the breach instead. Section 2(1)(a)(i) of The Health Information Protection Regulations, 2023 (HIPA Regulations) defines an employee as “an individual who is employed by a trustee, including an individual retained under a contract to perform services for the trustee, but does not include a health professional who is retained under a contract.” It is also necessary for the trustee to establish if the party fits the definition of information management service provider, as this requires both parties to enter into a written agreement. In either case, the responsibility for these privacy breaches remains with the trustee, as PART III of HIPA outlines the duty of a trustee to protect personal health information, and sections 16 and 17 are particularly relevant in these scenarios regarding duty to protect and retention and destruction policies when it comes to personal health information.

Section 5 of HIPA Regulations was added in 2023. This section places the onus on a trustee to ensure that it provides orientation on HIPA to its employees and that they sign a pledge of confidentiality. Section 6 of HIPA Regulations is also new and requires trustees to have a written policy concerning the retention and destruction of personal health information.

For more guidance on this topic, below is a list of resources which have been authored by our office or by other individuals or organizations which may be beneficial:

[1] See Investigation Report 251-2024, 004-2025 (Elphinstone Medical Clinic), Investigation Report 158-2022 (Metis Addictions Council), Investigation Report 154-2022 (Dr. Malhotra), Investigation Report 107-2015 (Spruce Manor Special Care Home), Investigation Report H-2013-003 (Dr. Monea), Investigation Report H-2013-002 (Regina Qu’Appelle Regional Health Authority), Investigation Report H-2011-001 (Dr. Ooi).

Saskatchewan Information and Privacy Commissioner Tables 2024-2025 Annual Report

Saskatchewan Information and Privacy Commissioner, Grace Hession David, has tabled the Office of the Information and Privacy Commissioner’s (OIPC) 2024-2025 Annual Report with the Legislative Assembly.
The Commissioner discusses the rapidly developing consequences of technology and the impact this has in every area of life in the province.

“The people of Saskatchewan should be able to freely participate in the digital world and not worry about overreach with respect to the collection of personal information or the fact that their personal information will be ransomed and perhaps available on the Dark Web after a cyber breach.”

The team of dedicated professionals at the OIPC are committed to fighting for the access and privacy rights of Saskatchewan residents and will continue providing relevant, up-to-date information on access and privacy legislation made available to the public.
Commissioner Hession David outlined the top priorities of the office for the next five years. More information on these priorities can be found in the Annual Report.

• Continued accessibility to the public
• Prioritizing youth privacy
• Raising awareness around cyber security and cyber breaches
• Privacy concerns with Generative AI

The 2024-2025 Annual Report includes last year’s accomplishments, the strategic plan for 2025-2026, a thorough review of the statistics from the past year’s efforts, and a new section on appeals. The appeals section includes a review of four OIPC rulings by the King’s Bench, and one important appeal ruling from the Saskatchewan Court of Appeal.

The annual report can be viewed here.
A video containing the Commissioner’s comments on the Annual Report can be viewed here.

Media contact:
Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

How do I Request a Correction of my Personal Information or an Amendment of my Personal Health Information?

The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide individuals with a right of correction to their personal information. The Health Information Protection Act (HIPA) provides individuals with a right of amendment to their personal health information.

Our office has received calls and emails from individuals who, after accessing a record from a government institution, local authority or a trustee containing their personal information or personal health information, believe that it contains errors or omissions.

An error is mistaken or wrong information that doesn’t reflect the true state of something – it is an error to something factual.

An omission is information that is incomplete, missing or overlooked.

An opinion is not an error or omission if it accurately reflects the views of the individual who recorded the information at the time.

If you believe a record containing your personal information or your personal health information contains an error or omission, you can request a correction or amendment under FOIP, LA FOIP or HIPA. Such requests are made to the government institution or local authority (for personal information), or to the trustee (for personal health information) with possession/custody or control of the record.

Our office has prepared the following resource, Steps to Request a Correction of Personal Information or Amendment of Personal Health Information. The resource outlines the steps that an individual can take to request a correction of their personal information or an amendment to their personal health information. It also includes information on the obligation of the government institution, local authority, or trustee to respond to your request and what the possible outcomes are, as well as advice on what you can do if you are not satisfied with the response to your request for correction or amendment.

Steps to Request a Correction of PI or Amendment of PHI (Flipbook)

Steps to Request a Correction of Personal Information or Amendment of Personal Health Information (PDF)

What Does it Mean if a Proactively Reported Privacy Breach is Informally Resolved?

Public bodies or trustees can proactively report a privacy breach to the IPC when they have a reasonable basis to suspect or confirm a privacy breach has occurred. While not required by law, the IPC encourages public bodies and trustees to proactively report to our office if there is a suspected or confirmed privacy breach. Public bodies and trustees wanting to proactively report a privacy breach can complete the Proactively Reported Breach of Privacy Form and submit it to the IPC, ideally within seven days of discovery of the breach. For more information on what happens when a public body or trustee proactively reports a privacy breach, please refer to the Rules of Procedure, as well as the IPC resources: Privacy Breach Guidelines for Government Institutions and Local Authorities or Privacy Breach Guidelines for Trustees.

Some of the benefits of proactively reporting include:

  • May reduce the need for the IPC to issue a public investigation report on the matter, if the public body or trustee has appropriately responded to the breach, including taking the necessary steps to prevent future breaches.
  • Receive timely, expert advice from the IPC – the IPC can help guide the public body or trustee on what to consider, what questions to ask and what parts of the relevant legislation may be applicable. Depending on the legislation that the public body or trustee is subject to and the specific circumstances of the proactively reported privacy breach, the applicable parts of the legislation may vary. However, some examples may include:
    • provisions related to the definitions of personal information and personal health information.
    • provisions related to the collection, use and disclosure of personal information or personal health information.
    • provisions related to the duty to protect personal information or personal health information.
    • provisions related to the requirement to notify affected individuals where there is a real risk of significant harm.
  • When engaging with the media, the public body or trustee can advise the public that it is working with the IPC to address the matter.
  • Should affected individuals contact the IPC, we can advise the individuals that we are working with the public body or trustee to address the breach which may prevent a formal complaint to the IPC. The IPC also redirects affected individuals back to the public body or trustee to address any questions they may have about the information involved and the steps a public body or trustee has taken to respond to the privacy breach.

After a public body or trustee proactively reports a privacy breach to the IPC, our office will notify the public body or trustee of our intention to undertake an investigation and request the public body or trustee complete the Privacy Breach Investigation Questionnaire and submit any other relevant supporting documentation by the deadlines outlined in our notice.

The IPC will review the Privacy Breach Investigation Questionnaire and any other supporting documentation and consider if the public body or trustee appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contained the breach (as soon as possible)
  • Notified affected individuals (as soon as possible)
  • Investigated the breach
  • Taken steps to prevent future breaches

The Rules of Procedure provides that after investigating the reported privacy breach and the actions taken by the trustee, the IPC will make a decision about how to resolve the file. The possible outcomes include:

  • If the IPC is satisfied with most or all of the steps taken, the file may be closed without the issuance of a public investigation report, and if applicable, with recommendations for the public body or trustee to consider implementing.
  • If the IPC is not satisfied with the steps taken, an affected individual has filed a complaint with the IPC, the privacy breach is egregious, there is a systemic issue involved, there is significant educational value or where it involves a large number of affected individuals, the commissioner may direct that a public investigation report be issued.

The IPC takes all privacy breaches seriously, as every breach comes with an associated risk to the affected individuals (such as identity theft, credit card fraud, humiliation, damage to reputation, etc.). Staff at the IPC make efforts to attempt to reach early resolution for all files before a formal review or investigation is undertaken and staff are encouraged to explore any opportunities to informally resolve all files. As noted earlier, one of the benefits of proactively reporting is that the IPC may not need to issue a public investigation report, provided the Commissioner is satisfied that the public body or trustee has appropriately responded to the breach and taken steps to prevent future breaches. When a proactively reported breach of privacy is informally resolved, this reflects the efforts of the public body or trustee to appropriately respond to the breach and take steps to prevent future breaches.

Saskatchewan Business and Privacy (updated)

The Office of the Privacy Commissioner of Canada (OPC) has issued a guidance document entitled Privacy Guide for Businesses. You may ask, “Does it apply to businesses or organizations in Saskatchewan?” The answer is yes, it does. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Saskatchewan. If you are in business in Saskatchewan, I recommend you read the Privacy Guide for Businesses.

First let me summarize the main issues from the guide:

  • PIPEDA sets out the ground rules for businesses in Saskatchewan.
  • The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and audits.
  • Businesses covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information.
  • People have the right to access their personal information held by a business. They also have the right to challenge its accuracy.
  • Personal information can only be used for the purposes for which it was collected.
  • Generally, personal information must be protected by appropriate safeguards.
  • PIPEDA applies to private-sector businesses across Canada and Saskatchewan that collect, use or disclose personal information in the course of a commercial activity.
  • The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
  • All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA.
  • Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
  • PIPEDA includes mandatory breach reporting requirements. Businesses must report to the OPC any breaches of security safeguards that pose a real risk of significant harm.
  • Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. The principles are:
    • Accountability
    • Identifying purposes
    • Consent
    • Limiting collection
    • Limiting use, disclosure and retention
    • Accuracy
    • Safeguards
    • Openness
    • Individual access
    • Challenging compliance

For more information on PIPEDA and Businesses, see the Privacy Guide for Businesses.

When the federal government makes changes (amendments), those changes will affect Saskatchewan businesses, whether Saskatchewan businesses like those changes or not. Alberta, British Columbia and Quebec have passed legislation provincially, which applies to businesses in their province and replaces the operation of PIPEDA to a certain extent.

I pose the question whether Saskatchewan should, like Alberta and British Columbia, develop its own legislation to ensure privacy protections are extended to all employees in Saskatchewan regardless of the type of employer they work for.

Templates for Section 7 Decisions

One of many steps in processing an access to information request is preparing the “section 7 decision.” Section 7 of FOIP and section 7 of LA FOIP require the government institution or local authority to give written notice to the individual who submitted the access to information request. This written notice is the “section 7 decision.” The section 7 decision informs the individual of whether the government institution or local authority is granting or refusing access to records.

My office has received many calls and emails from government institutions or local authorities requesting help on how to prepare section 7 decisions. Therefore, we have prepared templates that government institutions and local authorities can use to help prepare their section 7 decisions. Government institutions can access the templates here and local authorities can access the templates here.

AI’s Double-Edged Sword: Balancing Innovation and Privacy of Information

Canada enacted the first federal privacy protection in 1977 as part of Part IV of the Canadian Human Rights Act. The right to privacy was further supported in the enactment of the Canadian Charter of Rights and Freedoms in 1982 and when the federal Privacy Act and Access to Information Act were proclaimed in 1983. The first forms of Artificial Intelligence (AI) have been around for many decades; however, AI as we know it now only began to emerge more recently. With further developments continuing in AI, it is natural that people’s concerns about how their privacy will be affected have had to evolve as well. As technology continues to advance, so do the risks of improperly collecting, using and disclosing individuals’ personal information and/or personal health information (pi/phi).

What is AI?

Bill C-27 (not passed) – Subsection 39(2) defines AI as a “technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.”

The Department of National Defence and Canadian Armed Forces (DND/CAF) recognizes there is no single accepted definition of AI; however, it defines AI as “the capability of a computer to do things that are normally associated with human cognition, such as reasoning, learning, and self-improvement.”

AI and Privacy

As AI continues to transform industries and workflows worldwide, with some formal investigations underway, we are learning more about AI and its potential negative impacts on privacy. For instance, AI software may “scrape” pi/phi from websites without the requisite authority. The Privacy Commissioner of Canada (PCC) launched a joint investigation with three provincial Commissioners on OpenAI, which runs ChatGPT, to determine if their practices comply with Canadian privacy laws.

New Legislation

The Artificial Intelligence and Data Act (AIDA) as part of Bill C-27 is dead because parliament has prorogued. Bill C-27 or AIDA itself will have to be reintroduced into the House of Commons. If Bill C-27 were to pass, AIDA would be one of the first national frameworks specific to the creation and use of Artificial Intelligence in Canada.

The PCC notes that, while privacy laws require modernization, the current laws apply regarding the misuse of pi/phi in the AI space. The PCC also notes that if an organization or public body is considering adopting AI tools in its work, it should complete a Privacy Impact Assessment (PIA) to determine if privacy rights are complied with in implementing new tools.

Even without specific legislation here in Saskatchewan governing AI, if a public body or trustee bound by FOIP, LA FOIP or HIPA uses AI in a way that creates a privacy breach, we could review or investigate the matter. More information about who we have oversight over can be found in the Acts or in my office’s blog posts: “When We Cannot Help You | IPC” and “Why some reviews and investigations cannot pass go (updated) | IPC.”

Moving Forward

The risks of the misuse of AI and corresponding privacy implications have been raised by the PCC and several provincial privacy commissioners in Canada, including the Saskatchewan Information and Privacy Commissioner.

As a result, the Federal, Provincial and Territorial Information and Privacy Commissioners proposed 9 principles for the “development, provision, and use of generative AI systems,” listed in the Principles for responsible, trustworthy and privacy-protective generative AI technologies document:

  1. Legal authority and consent: ensure there is consent for collection, use or disclosure and that it is as specific as possible.
  2. Appropriate purposes: collection, use and disclosure of pi/phi should only be for appropriate purposes.
  3. Necessity and proportionality: use of data to achieve intended purposes.
  4. Openness: be open and transparent about the collection, use and disclosure of personal information and the potential privacy risks.
  5. Accountability: establish accountability for compliance with privacy legislation.
  6. Individual access: individuals have the right to access their personal information collected during use of an AI software.
  7. Limiting collection, use, and disclosure: limit to only what is needed to fulfill the explicitly specified, appropriate identified purpose.
  8. Accuracy: ensure personal information is as accurate, complete, and up to date as necessary for the purposes it is used.
  9. Develop safeguards: to protect personal information and mitigate potential privacy risks.

Recommendations:

  • Avoid using confidential data in AI software, including pi/phi.
  • Implement data masking techniques such as replacing names or redaction to reduce privacy risk.
  • Balance transparency of use with confidentiality of data and ensure controlled disclosure of information.
  • Review and update AI data privacy policies as AI standards are updated.
  • Educate staff on the importance of data protection.
  • Monitor and audit AI systems for potential vulnerabilities.
  • Complete a PIA: My office has published a PIA Guidance Document which can support organizations in determining if AI has an impact on privacy.

AI can be a helpful tool for automating the work that organizations and individuals do, but it does not come without risks. Anyone who plans to use AI tools in their work should review the recommendations from my office, and when in doubt, contact us.

Further Resources

The Artificial Intelligence and Data Act: Video

The Artificial Intelligence and Data Act (AIDA) – Companion document

References

A Regulatory Framework for AI: Recommendations for PIPEDA Reform – Office of the Privacy Commissioner of Canada

Principles for responsible, trustworthy and privacy-protective generative AI technologies – Office of the Privacy Commissioner of Canada

Government Bill (House of Commons) C-27 (44-1) – First Reading – Digital Charter Implementation Act, 2022 – Parliament of Canada

Exploring privacy issues in the age of AI | IBM

Legislative Summary of Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Statement on Generative AI – Office of the Privacy Commissioner of Canada

Protecting privacy in a digital age – Office of the Privacy Commissioner of Canada

A regulatory roadmap to AI and privacy | IAPP

 
