Privacy Impact Assessments

Back in 2015, my office blogged about privacy impact assessments (PIA). It has been a while since then, so I thought I would highlight our PIA resources once again!

What is a privacy impact assessment (PIA)?

A PIA is a process that assists organizations in assessing whether a project, program, or process complies with the applicable access and privacy legislation. In Saskatchewan, government institutions are subject to The Freedom of Information and Protection of Privacy Act (FOIP), local authorities are subject to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and trustees are subject to The Health Information Protection Act (HIPA).

What is a privacy impact?

A “privacy impact” is when there are inadequate safeguards to protect personal information or personal health information, or FOIP/LA FOIP/HIPA does not authorize the collection, use, and/or disclosure of personal information or personal health information.

When does an organization engage the PIA process?

As projects are designed, developed, implemented, and carried out, privacy impacts may arise and will need to be addressed. Therefore, PIAs should be done at the outset and throughout projects. The PIA process is not a short exercise and it can require a lot of time and effort depending on the complexity of the project. Further, the PIA process is not a stand-alone, one-time exercise.

Who should be a part of the PIA process?

Although an organization’s Privacy Officer often takes the lead on conducting PIAs, employees and representatives from participating program areas, branches, divisions, business units, other institutions and third parties can expect to be involved in the PIA process. The PIA process can only be effective if it comprehensively reviews the project.

What should the organization do when it identifies a privacy impact?

When a privacy impact is identified, that is an opportunity for organizations to make adjustments to the project to ensure personal information or personal health information is protected to the greatest extent possible and to be in compliance with FOIP/LA FOIP/HIPA. For example, if the PIA reveals there is no legal authority for the collection, use, or disclosure of certain personal information or personal health information, then the organization should determine if such personal information or personal health information is required for the project. If not, then excluding such personal information or personal health information from the project will assist the organization in eliminating a privacy impact while still carrying forward with the project.

Where can I find more information?

Check out my office’s guidance documents on privacy impact assessments. My office offers both a PDF and Word version of this document. The Word version allows for organizations to fill in the PIA. Organizations should keep in mind that the guidance document is meant to be a guide. It is not a definitive method of conducting a PIA.

You can also check out Chapter 6 of my office’s Guide to FOIP and Guide to LA FOIP for more step-by-step information on how to conduct PIAs.

Can I get feedback on a PIA?

Yes. If your organization has completed a PIA and wants my office to review it and provide feedback, you may engage in my office’s consultation process. For more information about the consultation process, please check out my office’s Consultation Request Form.


Thieves Steal a Server From a Law Firm

I became aware of a case in Alberta, where thieves stole a computer from a law firm. Law firms hold a lot of information about their clients. Some of the information can be personal information and some can be personal health information, and the rest is usually viewed as highly confidential. Law firms, like any other organization, need to keep information as secure as possible. We don’t say, “if a breach occurs”, but say “when a breach occurs”. A law firm can do many things to reduce the risk of a breach, but how do they protect against a break-in and physical theft of their computers?

Well, it is difficult. Apart from the obvious (secure doors, an alarm system, and special security on the computer room door), it is hard to know what else they can do. There is one thing: they can consider storing all their client information in the cloud. That way, the information is not on site and not available to thieves. Of course, they, like any organization, need to do due diligence to ensure that the cloud service provider has a security system that is equal to or better than the one the law firm has right now.

Advice for all organizations – protecting personal information is important and you need to think about your physical security at your office; and consider the pros and cons of storing that information in the cloud.


Employers Hiring Persons of Indigenous Ancestry

I was asked about an employer’s ability to ask a candidate about their indigenous ancestry. This is a difficult question in light of media coverage of situations where claims of indigenous ancestry turned out not to be true. I first noted section 19 of the Saskatchewan Human Rights Code that prohibited asking questions about race. I was asked whether an employer could have a policy on this. Whether an employer has a policy on this issue or not is a decision of the employer and it is not for me to comment whether they should or should not have a policy.

Before deciding on a policy, an employer needs to determine whether they are going to develop an Employment Equity plan and seek approval from the Human Rights Commission or whether subsection 16(10) of the Saskatchewan Human Rights Code allows them to have preferential hiring on the basis of race. If an employer does not have an approved Employment Equity plan or is not an employer under subsection 16(10), I would assume asking about indigenous ancestry should not occur. If an employer has an approved Employment Equity plan with a target for hiring persons of indigenous ancestry or is an employer under subsection 16(10), then either as part of the plan, or part of a policy, the employer should outline the degree to which it will require supporting evidence of indigenous ancestry.

If an employer decides to have a policy, then I have some advice for that employer from a protection of privacy point of view.

First, if you are covered by privacy legislation provincially or federally, you can collect personal information with authority (legislated or consent), but it is best to determine ahead of time if it is necessary and declare the purpose for which you are collecting the information before collecting it. So, the first step in developing a policy is to indicate why you are requesting evidence of indigenous ancestry, which should be authorized by the Saskatchewan Human Rights Code.

Next you need to determine when the policy applies. If you are recruiting without giving a preference to a person of indigenous ancestry, the policy should not apply. If you are recruiting and giving a preference to a person of indigenous ancestry, then the policy should state that the policy applies. Put another way, if the job vacancy does not require or give preference to a person of indigenous ancestry, then one should not ask any question regarding ancestry.

If the job requires or gives preference to a person of indigenous ancestry, then the employer can determine to what extent they will verify the statement of that applicant that they are indigenous and should then put that in their policy. My suggestion is that the policy indicate that when a candidate declares they are of indigenous ancestry, the employer request they sign a consent which allows the employer to take certain steps to verify indigenous ancestry. Consents make it clear to the applicant that verification will occur, and the employer knows it can take the steps referred to in the consent to verify.

Finally, the policy should indicate what will be done with information collected to verify indigenous ancestry. For example, with criminal record checks, some policies indicate that all that has to occur is the proof is shown to an HR person and nothing has to be recorded. Alternatively, the employer might indicate that the documents showing indigenous ancestry be copied and placed on a confidential HR file. Again, from a privacy perspective, the data minimization principle should be followed.

If there is a need to maintain documentation, then the policy should indicate who has access to those records (i.e., restricted to those with a need-to-know) and when those records can be and should be destroyed. The document should only be destroyed in accordance with the organization’s retention policy.

To repeat, it is not my place to determine whether an employer has a policy on proving indigenous ancestry, but if an employer decides when giving preference to indigenous ancestry to have a policy, I would encourage them to consider the above in developing that policy.


Correction Request – What you Need to Know!

So, you are an individual who believes that a public body has an error/omission regarding your personal information/personal health information in a record – what do you do? Subsection 32(1) of The Freedom of Information and Protection of Privacy Act (FOIP), subsection 31(1) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and section 13 of The Health Information Protection Act (HIPA) provide an individual with the right of correction (FOIP and LA FOIP) or right to request amendment (HIPA).

The right of correction/amendment provides individuals a mechanism for requesting the correction of personal information/amendment to personal health information, about themselves when they believe that there is an error or omission in the information. If the public body declines to make the requested correction, it is required to make a notation in its records reflecting the correction that was requested but not made (Guide to FOIP, Chapter 6, Protection of Privacy, Updated 18 January 2023 (Guide to FOIP, Ch. 6), p. 290).

“Notation” is a note made on the individual’s record by the personal information/personal health information at issue or in an electronic record indicating that the individual has requested correction of the personal information/amendment of personal health information. A notation should also include the date, who requested the correction/amendment, what the requested correction/amendment was and a signature or name of the decision-maker (Guide to FOIP, Ch. 6, p. 292).

Please note that a request for correction/amendment from an individual must, at a minimum:

  • Identify the personal information/personal health information the individual believes is in error. That personal information/personal health information must be the personal information/personal health information of the individual and not of a third party.
  • The alleged error must be a factual error or omission.
  • The request must include some evidence to support the allegation of error or omission (e.g., documents to show correct birth date/medical condition). Mere assertions will not suffice.
  • The proposed correction must be clearly stated and cannot be a substitution of opinion.

(Guide to FOIP, Ch. 6, p. 292)

When our office receives a request for review regarding correction/amendment of personal information/personal health information, our office will rely on the evidence provided by the individual, but also request a submission from the public body or trustee before making a final determination.


The Role of an Intake Officer

When you contact the Saskatchewan Information and Privacy Commissioner’s office with a request for review, breach of privacy complaint, or a general inquiry, you will first be dealing with us, the Intake Officers.

Since the Intake Officer is generally your first point of contact with our office, I feel that it is important to spread the word on what we actually do. The three main areas that we deal with are:

  1. Requests for Review
  2. Breach of Privacy Complaints
  3. Summary Advice

For a request for review, we want to try to solve the dispute to avoid going to the review stage, if possible, as that can take a lot of time, energy and resources. Our role is to analyze all incoming requests to clearly identify and sort out reviewable issues. We will look to confirm items such as when and where an access request was made, and what the Applicant’s main concerns or goals are, so we may need to contact you to discuss. If we see an opportunity for early resolution, we will contact the public body or trustee where you made the access request and will attempt—to the best of our ability—to come to an “early resolution”; whether that be seeing if more information may be released to the applicant than what was previously released or discovering the reasons why nothing was released at all and share that detail with the applicant to see if it makes a difference. If we are unable to find resolution at the intake stage, we will proceed with the formal review. Once the formal notice of review is issued, our role as Intake Officer is complete and the file is assigned to an Analyst.

When it comes to a breach of privacy complaint, our goal is to determine jurisdiction and grounds which will involve gathering as much necessary information as possible before proceeding to a formal investigation. We begin by asking a few questions:

  • Has the complainant gone to the public body or trustee responsible for the breach to report it?
  • Has the breach been contained?
  • When did the breach occur? (We generally do not investigate a breach that is older than two years from the date of discovery)
  • If it is a proactively reported breach, have the affected individuals been notified?
  • Has an investigation and investigation report been completed by the public body or trustee?

It is important to note that we remain an unbiased neutral party in our reviews and privacy breach investigations—this doesn’t just go for Intake Officers, it goes for everyone in the office that you will deal with. We will, at no time, take sides. We go where the evidence takes us. The Intake Officer’s goal is to ensure we have the proper documentation and information required, and to streamline the process as much as we possibly can before having to get an Analyst, or possibly the Commissioner, involved.

Have an access to information inquiry, privacy related question, or would like general information about our office? Don’t be shy! Give us a call. These questions fall under the “summary advice” category of our position—and believe me, there is no such thing as a “stupid question”. We have heard it all. We can give general, non-binding advice to those seeking information regarding access requests and privacy breach complaints. We can also provide information about the role of our office, when we can become involved with an access to information concern or a privacy complaint, and what sort of findings and recommendations you may expect from our office. If your question is out of our jurisdiction or expertise, we are happy to point you in the right direction.

We understand that being involved in a review or breach investigation with our office may be overwhelming or stressful; therefore, we try our best to make the process as smooth as possible.


Managing Electronic Records

One of the many challenges an organization may face when transitioning from paper-based to electronic records is ensuring proper records management processes are in place. While paper records can be easily organized and stored while waiting for retention periods to be met, electronic records can take a bit more work.

Our office has succeeded in phasing out paper-based records and now deals strictly with electronic records. These documents are stored until they reach their retention period, at which time an electronic records disposal process is followed.

As saving large volumes of electronic records can easily become disorganized, they should be organized in accordance with the records management schedules that your organization follows to assist in easily locating all documents.

Our office follows the Administrative Records Management System (ARMS) and the Operational Records System (ORS). I am currently in the process of organizing our electronic records to be in accordance with ARMS and ORS and conducting electronic disposals. As the scope of this project is overwhelming, I decided the best course of action was to split this into two different phases: organizing the documents and completing an electronic disposal. I am currently finishing up phase 1 and hope to start phase 2 soon.

Phase 1:

Before a record can be disposed of, you need to know the retention period that it falls under. Our ARMS and ORS schedules lay out different record series (which are like categories of records), list examples of the types of documents that fit into the series and state what the retention period of each series is. When organizing these records, my first step was to determine whether the record was under ARMS or ORS to know which schedule to follow. I proceeded with creating a folder for each of the different record series under ARMS and went through each existing folder/document to determine which record series folder to move it to. To make it easier to locate information, I created some subfolders within the record series folders and moved related records into those folders. For records management retention purposes, I created fiscal year folders within each record series or subfolder and sorted all documents out by year. For records saved that have no real value and do not fall under a record series but might be good to keep for a short period of time, I created a transitory folder to move those documents to.

Here is an example of what the structure may look like when complete:

ARMS – Name of ARMS Record Series – Subfolder to sort related documents under a record series – year folder – individual documents

During phase 1 we did come across one issue with the length of file paths and have a blog titled File Path Frustrations that provides some helpful information.

Phase 2:

Once phase 1 is complete and the electronic records are organized, it will be easier for me to proceed with electronic disposals. Using our ARMS or ORS schedules, I will be able to see what the retention period for each records series is, go to that record series folder and see if there are any year folders with documents up for disposal. I will then need to go through each document a second time to ensure it was placed in the correct folder and then follow our disposal process. When I get started on this phase, I am hopeful the work from phase 1 assists in making this a smooth process.
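The phase 2 check can be sketched in code. The following is an added example, not part of the original blog or the office's own tooling: it takes document paths laid out as schedule/record series/subfolder/year folder/document and sorts them into retain, review for disposal, transitory, or misfiled. The series names, retention periods, the "2016-17" year-folder naming and the 31 March fiscal year end are all assumptions made for illustration.

```python
import re
from datetime import date
from pathlib import PurePosixPath

# Hypothetical retention periods (years after fiscal year end). Real values
# come from the organization's own ARMS and ORS schedules.
RETENTION_YEARS = {
    ("ARMS", "Series A"): 6,
    ("ARMS", "Series B"): 2,
    ("ORS", "Series C"): 10,
}
YEAR_FOLDER = re.compile(r"^(\d{4})-(\d{2})$")  # assumed naming, e.g. "2016-17"
FISCAL_YEAR_END = (3, 31)                        # assumed: fiscal year ends 31 March

# Constructed sample paths, relative to the records root.
SAMPLE_PATHS = [
    "ARMS/Series A/Invoices/2016-17/inv-001.pdf",
    "ARMS/Series A/Invoices/2021-22/inv-201.pdf",
    "ARMS/Series B/2022-23/memo.docx",
    "ORS/Series C/Case files/2016-17/file-12.pdf",
    "ARMS/Series A/Invoices/inv-loose.pdf",   # not inside a year folder
    "ARMS/Series Z/2019-20/x.pdf",            # series missing from the schedule
    "ARMS/Series B/2022-24/bad.docx",         # malformed year folder
    "Transitory/draft-notes.txt",
]


def fiscal_year_end(folder_name):
    """Return the closing date of a fiscal-year folder, or None if malformed."""
    m = YEAR_FOLDER.match(folder_name)
    if not m:
        return None
    start, end_suffix = int(m.group(1)), int(m.group(2))
    if (start + 1) % 100 != end_suffix:   # rejects e.g. "2022-24"
        return None
    return date(start + 1, *FISCAL_YEAR_END)


def classify(path, today):
    """Return (status, reason) for one document path."""
    parts = PurePosixPath(path).parts
    if parts and parts[0] == "Transitory":
        return "transitory", "short-lived record outside any series"
    if len(parts) < 4:
        return "misfiled", "expected schedule/series/[subfolder]/year/document"
    key = (parts[0], parts[1])
    if key not in RETENTION_YEARS:
        return "misfiled", "record series not in schedule"
    closed = fiscal_year_end(parts[-2])
    if closed is None:
        return "misfiled", "document is not inside a valid fiscal year folder"
    eligible = closed.replace(year=closed.year + RETENTION_YEARS[key])
    if today > eligible:
        # Only a candidate: each document still gets the second manual check.
        return "review for disposal", f"retention met on {eligible.isoformat()}"
    return "retain", f"retention runs until {eligible.isoformat()}"


def disposal_plan(paths, today):
    """Group paths by status so misfiled items are fixed before any disposal."""
    plan = {}
    for p in paths:
        status, _ = classify(p, today)
        plan.setdefault(status, []).append(p)
    return plan


if __name__ == "__main__":
    for status, items in disposal_plan(SAMPLE_PATHS, date(2025, 6, 1)).items():
        print(status)
        for item in items:
            print("  ", item, "-", classify(item, date(2025, 6, 1))[1])
```

The output is a review list only; nothing is deleted, which matches the second manual pass and the disposal process described above.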

Having all organizational information saved electronically is an exciting time and when properly managed, can make records management a very streamlined process. Hopefully this blog can assist some who are starting this process. Happy organizing!


Ontario – Using Faxes in Health Care

In Saskatchewan, my office has done numerous reports on misdirected faxes. See our blog Raising Awareness of the Facts about Fax.

The access and privacy commissioners across Canada have passed a resolution encouraging the discontinuance of fax machines in the health care sector. See the resolution. The Federal Privacy Commissioner has issued an updated guidance on faxing personal information.

The Ontario government has taken a step toward eliminating the fax machine in the health care sector. The Ontario Information and Privacy Commissioner issued its review of the high number of privacy breaches at St. Joseph’s Healthcare Hamilton due to misdirected faxes. In a blog for Privacy Day, the Ontario Commissioner Patricia Kosseim commented further regarding misdirected faxes in Ontario.

The Ontario government has announced that it would put in place a plan to support phasing out fax machines and that fax machines will be phased out over the next five years. For details see this CBC article.

I am hopeful that the progress in Ontario will help cause the health sector across Canada, and particularly in Saskatchewan, to accelerate plans to phase out faxes.


Live Streaming a Public Meeting

The Legislative Assembly broadcasts its proceedings over the internet. Each word spoken by an MLA is recorded and published in Hansard. Hansard is available to the public. Similarly, committees of the Legislative Assembly are public, sometimes broadcasted and recorded in Hansard. Both video and text are available on the Legislative Assembly website at (www.legassembly.sk.ca/). Committees can decide to go in-camera but motions and decisions are made in the public portion of the meeting.

All cities, towns and municipalities are required to have public meetings. Regina, Moose Jaw, and Saskatoon live stream their council meetings and Regina and Moose Jaw broadcast through the local cable company. The cities post their agenda and minutes on their website and allow access to archived council meetings. Saskatoon live streams some of its committee meetings. Of course, council or a committee can have an in-camera session, but motions are required to be passed in a public meeting. Other cities and towns post their agendas and minutes to their website.

School boards are also required to hold their meetings in public. The minutes of these meetings are available for inspection. The Regina Public School Board live streams its meetings, and its agendas and minutes are available on its website. Other school boards do post their agendas and minutes on their website.

All of the above leads to greater transparency of our elected officials. For those public bodies whose meetings are required to be public, I would encourage them to look at live streaming their Board or council meetings. Technology is now available that makes live streaming relatively easy and inexpensive. The geography of our province makes it beneficial to citizens when public bodies live stream their meetings. I would encourage those cities, towns, villages or school boards to develop policies and practices that would facilitate the live streaming of all of their public meetings.


The Legislation Act – Things to Know

I had formerly prepared a blog that discussed The Interpretation Act, 1995 and some things to look out for as it relates to FOIP and LA FOIP.  However, The Interpretation Act, 1995 was replaced in May 2019 by The Legislation Act (Legislation Act), so this blog has been updated to reflect those changes.

There are countless numbers of statutes in Saskatchewan governing everything from animal protection to workers compensation. But, the Legislation Act is a very unique statute that I would like to draw your attention to.   What makes the Legislation Act so special?  Well for one, it applies to every enactment in Saskatchewan (unless otherwise noted in the Legislation Act).  Secondly, the Legislation Act essentially guides us in how to interpret Saskatchewan statutes.

Let’s take a look at two areas where the Legislation Act guides us in interpreting Saskatchewan’s access and privacy laws – calculation of time and repealed statutes.

Calculation of Time

Subsections 7(2) of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide, “The head shall give written notice to the applicant within 30 days after the application is made…” [emphasis added]. Based on the Legislation Act, the following can be applied for calculating 30 days under FOIP and LA FOIP:

  • The first day the access request is received is excluded in the calculation of time [subsection 2-28(3) of the Legislation Act]
  • If the due date falls on a holiday, the time is extended to the next day that is not a holiday [subsection 2-28(5) of the Legislation Act]
  • If the due date falls on a weekend, the time is extended to the next day the office is open [subsection 2-28(6) of the Legislation Act]
  • As FOIP expresses the time in a number of days, this is interpreted as calendar days, not business days.

It’s important to note that the Legislation Act does not allow for additional time when it is your personal holiday, scheduled day off or if you were away from the office due to illness.
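The four rules above can be applied mechanically. The following is an added example, not code from the IPC or its guides: it computes the response due date for an access request and triages a constructed list of open requests. The function names, the sample holiday list, the request references and the five-day warning window are assumptions; a real holiday list has to come from the office's own calendar.

```python
from datetime import date, timedelta

RESPONSE_DAYS = 30  # "within 30 days after the application is made"

# Constructed sample holiday list (Good Friday and Victoria Day 2024).
SAMPLE_HOLIDAYS = frozenset({date(2024, 3, 29), date(2024, 5, 20)})

# Constructed sample log of open requests: (reference, date received).
SAMPLE_REQUESTS = [
    ("REQ-A", date(2024, 3, 4)),
    ("REQ-B", date(2024, 3, 7)),
    ("REQ-C", date(2024, 2, 28)),
    ("REQ-D", date(2024, 4, 18)),
]


def response_due_date(received, holidays=SAMPLE_HOLIDAYS, days=RESPONSE_DAYS):
    """Return (due_date, skipped_days) for a request received on `received`."""
    # The day of receipt is excluded, so day 1 is the day after receipt and
    # day 30 is received + 30 calendar days (not business days).
    due = received + timedelta(days=days)
    skipped = []
    # Extend past weekends and holidays to the next day the office is open.
    # Personal leave, days off and sick days never extend the deadline.
    while due.weekday() >= 5 or due in holidays:
        skipped.append(due)
        due += timedelta(days=1)
    return due, skipped


def triage(requests, today, holidays=SAMPLE_HOLIDAYS, warn_days=5):
    """Classify open requests as 'overdue', 'due soon' or 'on track'."""
    report = []
    for ref, received in requests:
        due, skipped = response_due_date(received, holidays)
        days_left = (due - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= warn_days:
            status = "due soon"
        else:
            status = "on track"
        report.append({
            "ref": ref,
            "received": received,
            "due": due,
            "extended": bool(skipped),  # True if a weekend/holiday moved the date
            "days_left": days_left,
            "status": status,
        })
    # Most urgent first.
    return sorted(report, key=lambda row: row["due"])


if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS, today=date(2024, 4, 2)):
        print(row["ref"], row["received"], "->", row["due"],
              row["status"], "(extended)" if row["extended"] else "")
```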

For more information on the calculation of time in FOIP and LA FOIP, please see Chapters 3: Access to Records of IPC Guide to FOIP and IPC Guide to LA FOIP.

Repealed Statutes

There are countless numbers of statutes referenced in FOIP, LA FOIP and The Health Information Protection Act (HIPA).  So, what happens when one of those laws is repealed and replaced by a new statute, but FOIP, LA FOIP or HIPA (or any other Saskatchewan statute for that matter) has not been amended to reflect the new statute?

Here is an example to help. In LA FOIP, subsection 2(f) outlines bodies that are local authorities, and therefore subject to LA FOIP.  Subsection 2(f)(vi) of LA FOIP includes a local authority as being, “… the board of a public library within the meaning of The Public Libraries Act, 1984.”  There is one problem – The Public Libraries Act, 1984 was repealed and replaced with The Public Libraries Act, 1996.

So does that mean library boards are caught in a loophole and not subject to LA FOIP?  Not the case.  Again, we turn to the Legislation Act to help us out.  Subsection 2-8(10) of the Legislation Act provides:

2-8(10) After an enactment is repealed and a new enactment is substituted for it, a reference in an unrepealed enactment to the former enactment is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment relating to the same subject-matter as the former enactment, but, if there are no provisions in the new enactment relating to the same subject-matter, the former enactment is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment.

Confused yet? A helpful way to work through this is by actually inserting the names of the statutes:

2-8(10) After an enactment is repealed [The Public Libraries Act, 1984] and a new enactment is substituted for it [The Public Libraries Act, 1996], a reference in an unrepealed enactment [The Local Authority Freedom of Information and Protection of Privacy Act] to the former enactment [The Public Libraries Act, 1984] is, with respect to any subsequent transaction, matter or thing, deemed to be a reference to the provisions of the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter as the former enactment [The Public Libraries Act, 1984], but, if there are no provisions in the new enactment [The Public Libraries Act, 1996] relating to the same subject-matter, the former enactment [The Public Libraries Act, 1984] is to be interpreted as being unrepealed insofar as is necessary to maintain or give effect to the unrepealed enactment [The Public Libraries Act, 1996].

For the purposes of LA FOIP, even though The Public Libraries Act, 1984 was repealed and replaced in 1996, the Legislation Act takes care of that gap and public libraries are still subject to the provisions of LA FOIP because of subsection 2-8(10) of the Legislation Act.


How to Complain (Effectively)

Before our office can investigate a privacy complaint, the concern needs to be raised in writing to the public body or health trustee that you believe breached your privacy.  A thoughtfully crafted complaint makes it easier for the health trustee or public body to work with you to find a solution to your concerns. It also makes it easier for our staff to understand the situation if you need to engage our office as a last resort.  Here are a few things to keep in mind:

Send it to the Right Place and the Right Person 

Your complaint should be addressed to the health trustee or public body that you believe breached your privacy.  If possible, try to send it directly to their Privacy Officer.  This might mean doing an internet search or making a telephone call to get the right contact information.  For a list of access and privacy contacts in the Government of Saskatchewan, please click here.

If you can’t find contact information for a Privacy Officer, you can direct your letter to the “head” of the public body or health trustee, as they are responsible for compliance with privacy laws. 

Be Specific and Include Evidence

Tell the public body or health trustee exactly what personal information or personal health information of yours has been breached, by whom, and when. Explain why you think the collection, use, or disclosure of your information was inappropriate, and what you would like to see happen to rectify the situation. If you have any evidence of the privacy breach, you can provide copies to substantiate your claims.

Be Clear that this is a Formal Complaint and Give a Timeline

It is not your responsibility to support your complaint with references to specific sections of the legislation – you certainly can, but you don’t have to.  That said, including a statement that you are making a formal privacy complaint under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), or The Health Information Protection Act (HIPA), and requesting a response within 30 days should make it clear to the public body or health trustee that your complaint requires a timely response that complies with the legislation.

Retain a Copy and Keep Track of the Date

If you ask our office to investigate a privacy concern because you are dissatisfied with the health trustee or public body’s response to your complaint, we will ask for a copy of the complaint you sent and proof of the date it was submitted.  If you submit your complaint as an email, request a read-receipt and hang onto a copy.  If you send it as a letter, we recommend using registered mail, and again, keep a copy for your records.

For more information about the complaint process, please visit our webpage How do I resolve a privacy complaint?

For more tips and a sample letter, the Office of the Privacy Commissioner of Canada has a helpful page – their office covers a different jurisdiction, but their process is similar.  Visit Tips for raising your privacy concern with a federal government institution.
