Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

Access to Information Act, Protection of Privacy Act implemented in Alberta

Commissioner Dufresne launches exploratory consultation on children’s privacy code

Survey conducted by OPC found that most parents worry about their children’s online privacy

Information and Privacy Commissioner of Ontario and The French Language Services Commissioner discuss your rights of access to information and services in French June 4, 2025

Ontario IPC releases a new independent research report on emerging technology- Emerging Uses of Neurotechnology.

Privacy Commissioner of Canada and UK Information Commissioner’s Office issue a joint letter regarding 23andMe’s bankruptcy proceedings

Instagram still posing serious risks to children, campaigners say

English Information Commissioner issues statement on police use of facial recognition technology (FRT)

BC OIPC provides instruction to delete a user account and DNA on 23andMe

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach

Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach

The Office of the Information and Privacy Commissioner of Saskatchewan is investigating a cyberattack affecting eHealth and potentially health care information

The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of eHealth. eHealth is Saskatchewan’s main service provider of health information in the province.

The office is working closely with eHealth.

On January 10, 2020, eHealth reported a ransomware attack on their computer systems to the IPC. eHealth has confirmed publicly that it was subject to a ransomware attack.

The IPC investigation will, among other things, examine whether there was a breach of personal information or personal health information, and if so, the scope of the breach, the circumstances leading to it, and what, if any, measures eHealth could have taken to prevent and contain the breach. My office will also investigate ways eHealth can help ensure the future security of personal health information and avoid further attacks.

If anyone has any questions, they can contact eHealth at privacyandaccess@eHealthSask.ca  or you can Phone: 1-855-eHS-LINK (347-5465)

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing.  My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski, Q.C.
Information and Privacy Commissioner of Saskatchewan

Media contact: Kim Mignon-Stark, Executive Assistant

Office of the Information and Privacy Commissioner of Saskatchewan
kmignon-stark@oipc.sk.ca 306-798-0173

503 – 1801 Hamilton Street, Regina SK S4P 4B4
Telephone: 306-787-8350 / Toll Free Telephone (within Saskatchewan): 1-877-748-2298
Email: webmaster@oipc.sk.ca / Twitter: @SaskIPC

Statement from IPC on eHealth Potential Privacy Breach

Was this page helpful?

Statement from Office of the Information and Privacy Commissioner of Saskatchewan on LifeLabs Privacy Breach

The office of the Commissioner is investigating a cyberattack affecting health care information of millions of customers in Canada and approximately 93,000 residents in Saskatchewan

 Thursday, December 19, 2019 – The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs. The office is working closely with the Information and Privacy Commissioner of British Columbia and the Information and Privacy Commissioner of Ontario who are also undertaking investigations.

LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions – LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On December 13, 2019, LifeLabs reported a cyberattack on their computer systems to the IPC. On December 17, 2019, they confirmed they were the subject of an attack affecting the personal information of millions of customers, in Ontario, British Columbia and Saskatchewan. They told us that the affected systems contain information of approximately 15 million LifeLab customers across Canada, including name, address, email, customer logins and passwords, health card numbers, and lab tests.

The IPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it, and what, if any, measures LifeLabs could have taken to prevent and contain the breach. My office will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

If you have visited a LifeLabs for a test or received a test/service from LifeLabs Genetics and Rocky Mountain Analytical, then it is likely your information is in LifeLabs database.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing. My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski
Information and Privacy Commissioner of Saskatchewan

Media contact:
Office of the Information and Privacy Commissioner of Saskatchewan
Kim Mignon-Stark
kmignon-stark@oipc.sk.ca 306-798-0173

Download PDF

Was this page helpful?

Canada’s access to information and privacy guardians urge governments to modernize legislation to better protect Canadians

Information and Privacy Ombudspersons and Commissioners from across Canada are urging their governments to modernize access to information and privacy laws.

In a joint resolution, Canada’s access to information and privacy guardians note that along with its many benefits, the rapid advancement of technologies has had an impact on fundamental democratic principles and human rights, including access to information and privacy. They further point out that Canadians have growing concerns about the use and exploitation of their personal information by both government and private businesses.

“Most Canadian access and privacy laws have not been fundamentally changed since their passage, some more than 35 years ago,” the resolution says. “They have sadly fallen behind the laws of many other countries in the level of privacy protection provided to citizens.”

While there have been legislative advances made in some Canadian jurisdictions, work is still required to ensure modern legislation is in place across the country in order to better protect Canadians.

The resolution notes that privacy and access to information are fundamental to self-determination, democracy and good government. It calls for:

  • a legislative framework to ensure the responsible development and use of artificial intelligence and machine learning technologies
  • all public and private sector entities engaged in handling personal information to be subject to privacy laws
  • Enforcement powers, such as legislating order-making powers and the power to impose penalties, fines or sanctions
  • the right of access should apply to all information held by public entities, regardless of format

Canada’s Information and Privacy Commissioners and Ombudspersons reaffirmed their commitment to collaborate, make recommendations to government, and to continue to study and make public how access and privacy laws impact all Canadians.

Related Documents

Joint statement – Modernizing Access and Privacy Laws

Was this page helpful?

Saskatchewan IPC Tables 2018-2019 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has submitted his office’s 2018-2019 Annual Report to the Legislative Assembly. In his Report, the Commissioner stated:

“The rest of this Report and the next five years of my term will really be focused on modernizing this legislation to take into account the database/internet world we now live in.”

In this year’s Report, he is calling for modernization of our access and privacy legislation to ensure new threats to privacy are sufficiently addressed and citizens are able to access public records with greater ease.  Some of those threats and process improvements identified in the Report are as follows:

  • Trustees to require express consent before using recording or video devices to collect personal health information;
  • Clarify that an access to information request may be made on the prescribed form, in writing or electronically;
  • Mandate trustees when using electronic means to collect, use or disclose personal health information to create, maintain and regularly audit records of user activity of those systems;
  • Explicitly state that access to manuals, policies, guidelines or procedures, if not on a government institution’s or local authority’s website, is provided free of charge;
  • Require all personal health information be stored in Canada;
  • Provide the ability of the Commissioner to comment on the privacy implications of new technology;
  • Include a section making access easier for those with disabilities; and
  • Streamline the fee structure and provide that no citizen pays if the costs are under $200.

Was this page helpful?

Opinions and Views about Opinions and Views

When it comes to figuring out whether opinions and views qualify as personal information under The Freedom of Information and Protection of Privacy Act (FOIP) or The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), it can get confusing!!

Subsections 24(1)(f) of FOIP/23(1)(f) of LA FOIP indicate that “the personal opinions or views of the individual except where they are about another individual” qualifies as personal information.

Subsections 24(1)(h) of FOIP/23(1)(h) of LA FOIP indicate that “the views or opinions of another individual with respect to the individual” qualifies as personal information.

Finally, subsections 24(2)(c) of FOIP/23(2)(b) of LA FOIP indicate that the personal opinions or views of an individual employed by a public body given in the course of employment, other than personal opinions or views with respect to another individual DOES NOT qualify as personal information.

So what is the FOIP universe trying to tell us about opinions and views?

First thing to know is that subsections 24(1)(f) of FOIP/23(1)(f) indicate that personal opinions or views of an individual are personal information.  The key is that the opinion or view has to be personal – in other words information that reveals something about the individual.

In contrast, opinions or views that are expressed in a professional context would be considered work product.    Work product which is information generated by or otherwise associated with an individual in the normal course of performing professional or employment responsibilities, whether in a public or private setting. Work product is not considered personal information.  This is supported by subsections 24(2)(c) of FOIP/23(2)(b) of LA FOIP.

Also, subsections 24(1)(f) of FOIP/23(1)(f) indicate that an individual’s personal opinion or view is their personal information except where the opinion or view are about another individual.  That is an excellent segue to subsections 24(1)(h) of FOIP/23(1)(h) of LA FOIP…

Subsections 24(1)(h) of FOIP/23(1)(h) of LA FOIP indicates that the views or opinions of another individual with respect to the individual is personal information. This means that an opinion or view about an individual is the personal information of the subject individual.

I hope at this point in my blog that you are not more confused than when you started.  It might be easier to classify opinions and views into three categories:

Professional Opinions

Example:  Sue works for the public body and it’s her job to provide advice and analysis on a proposed program.  Sue’s opinion is that the public body should fund the proposed program.

Is it personal information?  No!  This is not Sue’s personal information as it is her professional opinion, not a personal opinion.  It is work product.

Example:  The public body consults with PrivacyCo, a not for profit organization and a stakeholder, on the proposed program.  Jill, the Director of PrivacyCo volunteers a written submission expressing opinions about the program on behalf of the organization.

Is it personal information?  No. Jill provided the opinions in her professional capacity as Director of PrivacyCo.

Personal Opinions

Example: Bob is a concerned member of the public and Bob writes a letter to the local authority expressing his opinion that the proposed program is flawed.

Is it personal information?  Yes.  This is Bob’s personal information pursuant to subsections 24(1)(f) of FOIP/23(1)(f) of LA FOIP.  The opinion is not about another individual.  There was no indication that Bob gave this opinion in a professional context.

Opinions about another individual

Example:  Lisa is a professional employed by the local authority and is reviewing Marc’s file.  Lisa believes Marc is struggling and could benefit from the program.

Is it personal information?  Yes.  The opinion is about Marc.  This is the personal information of Marc.

Example:  Sue tells Lisa’s boss that Lisa is doing a great job managing the program.

Is it personal information?  Yes, it is the personal information of Lisa.

My professional opinion is that this topic can be confounding but I hope I have clarified it for you a little bit.

By the way, for more information about work product, read the following blog:  Work Product vs. Personal Information.

Was this page helpful?

Best practices when using USB drives

When thinking about this topic I decided to research how big of a USB drive I could actually purchase. I was surprised to see you can purchase one that stores 2 terabytes (TB) of data. Just think about that – something the size of a car key can 2 TB of data. With the ability to store that much data in a very small and portable way, it is important to be super vigilant when using memory sticks.

In January 2018, the IPC developed a resource – Helpful Tips: Mobile Device Security. This resource offers many tips and considerations that are helpful when using memory sticks, including administrative safeguards, technical safeguards and physical safeguards. However, here is a quick list of some things to keep in mind when using USB Drives:

  • Encryption/password protected devices: Only purchase USB drives that have encryption or password protection functionality.
  • Strong passwords: If you have a need to store personal information (pi), personal health information (phi) or other forms of sensitive or confidential information on a USB drive, be sure to have it locked by a strong password.
  • De-identify: When storing pi/phi on a USB, de-identify the information wherever possible.
  • Delete data: Immediately delete the data from the USB once it is no longer needed.
  • Unattended USBs: Do not leave USB’s in vehicles or unattended in public. If absolutely necessary, lock it in the trunk or glove box where it would be out of site. When not in use in your office, be sure to lock it up.
  • Access on a Need-to-Know Basis: When storing data on a device, access to that data should be on a need-to-know basis.
  • Lost or stolen USBs: Report lost or stolen USB’s immediately to your supervisor and the Privacy Officer.
  • Disposal: At the end of its lifecycle, be sure that all the data has been wiped from the USB. Once that is done, safely dispose of or destroy the USB before disposal.

For more applicable information on USB drive use, please see the following resources:

 

Was this page helpful?

Can Public Bodies be a Third Party?

As you probably know, section 19 of The Freedom of Information and Protection of Privacy Act (FOIP) and section 18 of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) are intended to protect the business interests of third parties and to ensure that public bodies are able to maintain the confidentiality necessary to effectively carry on business with the private sector.

A third party is defined separately in both FOIP and LA FOIP.

Subsection 2(1)(j) of FOIP provides a definition of third party as follows:

2(1) In this Act:

(j) “third party” means a person, including an unincorporated entity, other than an applicant or a government institution.

Subsection 2(k) of LA FOIP provides:

2 In this Act:

(k) “third party” means a person, including an unincorporated entity, other than an applicant or a local authority.

You will note that a government institution cannot be a third party for the purposes of FOIP and a local authority cannot be a third party for the purposes of LA FOIP.

So the question is: does this support a principle that a public body cannot qualify as third party for the purposes of access to information legislation?  In other words, can a local authority be a third party for the purposes of FOIP and visa-versa?

One hint of this principle is section 13 of both FOIP and LA FOIP. These sections allow both government institutions and local authorities to withhold records obtained from both government institutions and local authorities in some cases. Further, these sections do not contemplate a formal notification process.

A former Commissioner of this office promoted this principle. In Review Report F-2012-001/LA-2012-001, he found that FOIP and LA FOIP should be read together and as such a local authority could not be a third party for the purposes of FOIP and a government institution could not be a third party for the purposes of LA FOIP. This report cited various sources to support this view.

The current Commissioner recently released Review Report 080-2018. He also agrees with this principle. However, he was not persuaded that it is supported by the wording of the current legislation. He recommended that the Minister of Justice consider an amendment to the definition of third party in both FOIP and LA FOIP that excludes both government institutions and local authorities in both Acts.

So for now, at least, a government institution can treat a local authority as a third party for the purposes of an access to information request. Also, you guessed it, a local authority can treat a government institution as a third party for the purposes of an access to information request.

Party on!

Was this page helpful?

Search Checklist

One government institution that we work with often has developed a search checklist “Responsive Records Search Log”, which has really assisted them and my office knowing that a thorough search was made. I asked permission and permission was given to take their search checklist and modify it so that it might be applicable to any government institution or local authority.

I encourage Access and Privacy coordinators to take a look at the sample search checklist and decide whether such a search checklist would help in ensuring thorough searches. Certainly, one should feel free to adapt the search checklist to the circumstances in one’s organization.

The search checklist could be distributed by the Access and Privacy coordinator to those that he or she has identified as part of his or her search strategy. Along with the search checklist, the Access and Privacy coordinator should give the recipient a timeline to complete the search and indicate whether he or she is only seeking a representative sample for building a fee estimate or a full search for responsive records.

I believe the search checklist is helpful when multiple employees in an organization have to do searches. I believe it assists the Access and Privacy coordinator in determining whether the organization has done a thorough search.

Please take a look at the sample search checklist on our website here. Of course if you have any suggests to improve this search checklist, please email my office.

Was this page helpful?

News Release for Review Report 204-2018 Northern Village of Pinehouse

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski Q.C., has issued his Review Report 204-2018 involving the Northern Village of Pinehouse. Kruzeniski stated:

My office will have now issued 13 Review Reports between 2013 and 2018 involving the Village. 12 of these reports deal with section 7 responses not being provided, delays in providing it or responses being inadequate. In addition, the Village did not cooperate with requests by my office in 10 of these cases.

And he further stated:

My office is concerned that the Mayor and the Village Administrator are obstructing the application of LA FOIP and believe that no town or village should be able to flagrantly disregard or obstruct the operation of a provincial statute. … The Minister of Government Relations has the power to direct an inspection or inquiry. I am recommending that the Minister direct an inspection or inquiry into the Village’s obstruction of LA FOIP.

Was this page helpful?

Canada’s access to information and privacy guardians call for privacy regulation and oversight of political parties

In a joint resolution, Canada’s Information and Privacy Ombudspersons and Commissioners have called on governments to pass legislation requiring political parties to comply with globally recognized privacy principles, to provide Canadians with access to the personal information they hold about them, and to provide for independent oversight to verify and enforce privacy compliance.

Recent events have illuminated how political parties collect and use personal information to target individuals in specific and unique ways for political gain. Digital tools amass extensive amounts of personal information from diverse sources, frequently without the knowledge or consent of the individual.  These increasingly sophisticated big data practices raise new privacy and ethical concerns and the need for greater transparency is evident.

Further, Privacy Commissioner of Canada Daniel Therrien noted: “Recent investigations in various countries have revealed that political parties are gathering significant amounts of personal information on voters as they adopt new targeting techniques. Information about our political views is highly sensitive and it’s clearly unacceptable that federal and provincial political parties are not subject to privacy laws. The federal government’s response to public concern about how personal information is being used in the political process – Bill C-76 – adds nothing of substance in terms of privacy protection. It’s time to act to better protect the rights of Canadians.”

“Political parties access and use sensitive personal information of nearly all Canadians, but only in British Columbia are they subject to privacy legislation. These standards should be applied across the country so all Canadians have the same privacy protections,” says Michael McEvoy, Information and Privacy Commissioner for British Columbia.

The joint resolution, Securing Trust and Privacy in Canada’s Electoral Process, was agreed to at the annual meeting of federal, provincial, territorial Information and Privacy Ombudspersons and Commissioners. The full text is available on their respective websites.

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.