Statement on proposed changes to Ontario’s FIPPA stemming from the production order issued by Ontario’s Information and Privacy Commissioner which was upheld by the Divisional Court.

New podcast episode out now Un-redacted, The Sask IPC Podcast | IPC

New Report Posted: Read Snooping in a Police Database for more information

Check out this new resource that explains the interaction between LA FOIP and The Municipalities Act in the province of Saskatchewan and as it pertains to personal information.

When AI Turns DarkWarning: this blog contains details about suicide. If you are struggling with your mental health, call 988 for 24/7 voice or text support or visit 988.ca

Privacy Commissioner finds that Canadians have a right to have information de-listed from online search engine results in limited circumstances.

Joint investigation of TikTok Pte. Ltd.

How systemic delays, a backlog of overdue requests, and process errors led to UBC having the lowest rate of compliance.

NEW Checklist for Healthcare Organizations Considering the use of an AI Scribe

File Path Frustrations

File Path Frustrations

Good records management assists in compliance with access and privacy obligations. It requires properly identifying and classifying records. For electronic records, files need a meaningful name and categorization. This all seems simple, but what if your system is working against this goal, and you cannot properly name your files?

We encountered this issue after switching to M365. We follow the Administrative Records Management System (ARMS) and the Operational Records System (ORS). Documents are managed using folders and subfolders in Windows file explorer unless they pertain to a case file, as those are stored in a separate system. Windows file explorer has a 255-character limit for file paths. I had never encountered the 255-character limit before. I was frustrated.

How can I manage our records if I cannot name them as I see fit? In some instances, the file path was too long and we could not open files. File explorer cut off file extensions, and neither I nor the system could tell what program opened the document. We tried to name something in a meaningful way and ran out of characters. We made our file names as short as possible as a band-aid solution, but this also made them harder to identify.

After several months of this struggle, we found a solution which reduces the risk of hitting the 255-character limit and I would like to share it. Hopefully a public body, local authority, or trustee will be saved from the 9-month headache I had.

Before we get going here is a typical file path you might see when following ARMS in Windows file explorer.

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name>\<Sub-Folder>\

This uses up about 97 characters, which will vary user to user.

So, what do you do? The answer is, the shorter the better at every step.

What your IT people can control:

  1. Make the username as short as possible – Existing users converting to M365 may end up with unwanted characters in their username. I was unable to find a way to get rid of these. On new installations the name can be exactly what you want it to be but ask your IT people to keep it short.
  2. Organization/Entity Name – If your organization has a shorthand name or acronym, ask your IT people to use that instead of the full name. OIPC vs “Office of the Saskatchewan Information and Privacy Commissioner” saves a bunch of characters.
  3. Site Naming – Do you need “Administration” or is “Admin” fine or HR instead of “Human Resources”?
  4. Folder syncing – You can configure M365 syncing to Windows file explorer to be manual or automatic. I learned that automatic syncing uses up precious characters. For instance, my file path when automatically syncing was C:\Users\<username>\<organization/entity name> \<site name> -Documents\General\<Folder Name>\

when I figured out the manual syncing quirk it became:

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name> which saves a handful of precious characters.

What you can (probably) control:

  1. Subfolders and Beyond Naming – Give your folders and subfolders the shortest usable name possible.
  2. Document Naming – If you followed steps one through 5, you will hopefully have more than enough characters to name your files.

Is it too late for me?

If this issue has been plaguing you and your system has already been configured, there is still hope. Steps 5 and 6 can be done at any time. Steps 1 through 4 may need to be done by your IT Department. You will likely need to re-sync your computer, which requires temporarily logging out of M365 and unlinking your OneDrive account from your computer.

Bonus tip 

Even after you have made your file path as short as possible, you might still forget where things should go. Windows file explorer, backed by M365, can quickly find file names and even document contents for things like .doc and .pdf files. As long as you know something about the document, whether it is the name, or some of the content, you should be able to easily search for and locate it. This may come in handy if you are a new FOIP coordinator responding to an access to information request but are not yet fully acquainted with the filing system.

As electronic records management becomes the norm, I hope this blog assists you in managing your records and meeting your access and privacy obligations by making it easier to search for, locate and access records.

Was this page helpful?

Managing Electronic Records

One of the many challenges an organization may face when transitioning from paper-based to electronic records is ensuring proper records management processes are in place. While paper records can be easily organized and stored while waiting for retention periods to be met, electronic records can take a bit more work.

Our office has succeeded in phasing out paper-based records and now deals strictly with electronic records. These documents are stored until they reach their retention period, at which time an electronic records disposal process is followed.

As saving large volumes of electronic records can easily become disorganized, they should be organized in accordance with the records management schedules that your organization follows to assist in easily locating all documents.

Our office follows the Administrative Records Management System (ARMS) and the Operational Records System (ORS). I have successfully completed organizing our electronic records to be in accordance with ARMS and ORS and continue to complete electronic disposals as needed. As the scope of this project was overwhelming, I decided the best course of action was to split it into two different phases: first, organizing all the electronic documents and then proceeding with completing electronic disposals.

Phase 1:

Before a record can be disposed of, you need to know the retention period that it falls under. Our ARMS and ORS schedules lay out different record series (which are like categories of records), list examples of the types of documents that fit into the series and state what the retention period of each series is. When organizing these records, my first step was to determine whether the record was under ARMS or ORS to know which schedule to follow. I proceeded with creating a folder for each of the different record series under ARMS and went through each existing folder/document to determine which record series folder to move it to. To make it easier to locate information, I created some subfolders within the record series folders and moved related records into those folders. For records management retention purposes, I created fiscal year folders within each record series or subfolder and sorted all documents out by year. For records saved that have no real value and do not fall under a record series but might be good to keep for a short period of time, I created a transitory folder to move those documents to.

Here is an example of what the structure may look like when complete:

ARMS – Name of ARMS Record Series – Subfolder to sort related documents under a record series – year folder – individual documents

During phase 1 we came across one issue with the length of file paths and have a blog titled File Path Frustrations that provides some helpful information.

Phase 2:

The completion of phase 1 made it a lot easier to proceed with electronic disposals as all our records were properly organized. Using our ARMS or ORS schedules, I was able to see what the retention period for each records series was, go to that record series folder and see if there were any year folders with documents up for disposal. I then went through each document a second time to ensure it was placed in the correct folder and followed our electronic disposal process. As our electronic disposals are now all pretty caught up, I will continue to follow this process each fiscal year for the newly eligible electronic records.

Having all organizational information saved electronically is an exciting time and when properly managed, can make records management a very streamlined process. Hopefully this blog can assist some who are starting this process. Happy organizing!

Was this page helpful?

Protecting your Personal Information in Today’s Consumer Landscape

In today’s fast-paced world, there is nothing better than the satisfying task of checking purchases off your never-ending to-do list. Who doesn’t love the delight of browsing for treasures and the weight of a shopping bag full of glorious, new purchases in their hand? A growing trend shows that most Canadian shoppers have returned to brick and mortar stores and are ready to support both local and Canadian businesses again.

While making budgets and planning out shopping excursions, the average consumer might not realize that their personal information is even more valuable to retailers than their cold, hard cash. Any identifiable information you share with a retailer could potentially land in the wrong hands. Examples of this information may include your full name, home address, phone number, and birth date. Once you have given your personal information, created a customer account or opted into a loyalty program, you may have unknowingly consented to share your personal information with data brokers[1] and other third parties. Think about the consequences if the retailer is subject to a cyber breach.  That is the ultimate fear, but we are seeing this occur on a frequent basis these days.

Consider these 3 ways to safeguard your personal information and become a conscious consumer:

  1. Less is always better

The best way to safeguard your personal information is not to share it in the first place if you don’t have to. Shopping can be as easy as 1, 2, 3… choose your item, pay for it at the till and collect your receipt. You do not need to share your name, address or financial information to make an in-store purchase. When making online purchases, carefully read the fine print before entering your personal information when completing your purchase.

  1. Paper is perfection

Grab that lovely paper receipt and rest assured that your privacy has been protected. What about the oh-so-convenient e-receipt? It may not be as innocuous as you think. In 2023, the Office of the Privacy Commissioner of Canada completed an investigation into the disclosure of customer data collected by Home Depot of Canada Inc. to a third party (Facebook)[2]. In a subsequent press conference, the Privacy Commissioner of Canada, Philippe Dufresne, addressed the seemingly innocent choice between paper or e-receipt by stating:

Most customers likely understand that this [option] is for their benefit and convenience in this increasingly digital world. Canadians would likely not expect or accept that their personal information would be shared with a third party, like Facebook, simply because they opted for an email receipt.[3]

When in doubt, take the paper receipt.

  1. Creating a customer account? Be cautious!

Does one need to create a customer account full of personal information just to buy a scarf or to snag that new Lego set for your kids? Definitely not. The popular franchise Toys R Us Canada recently confirmed a privacy breach of its customer database during which vast amounts of customer information was breached by an unauthorized third party and posted on the dark web.

Carefully weigh the pros and cons when you consider creating a customer account, whether that’s in person or online. Can you adjust your privacy settings once you’ve created that account? Have you read through the company’s privacy options? These are all great questions to consider. Check out a previous OIPC blog titled 5 Ways to Protect Your Privacy for more ways to protect your privacy in general.

Do you have young shoppers in your family who are ready to dive into the consumer landscape? Teach them “STOP”, an easy acronym to help them safeguard their own personal information (and perhaps yours) during the shopping process.

S – share nothing

T – take only my hard cash

O – opt out

P – paper receipt, please

Hopefully this blog helps you create a safe and fun shopping experience for you and your family.

[1] Data brokers are companies whose primary business involves the trading and analysis of personal information. Specifically, data brokers are focused on the gathering and selling of consumer data for targeted marking purposes. OIPC Guide to FOIP, Ch 6 p. 357, also see Tracking the Surveillance and Information Practices of Data Brokers: A Report

[2] PIPEDA Findings #2023-001, January 26, 2023

[3] Statement by the Privacy Commissioner of Canada following an investigation into Home Depot of Canada Inc.’s compliance with PIPEDA, January 26, 2023

Was this page helpful?

Snooping in a Police Database

OIPC recently issued Investigation Report 123-2025 into a case where Constable Clinton Duquette of the Regina Police Service (RPS) snooped into the personal information of six individuals over a period of three years.

The RPS is subject to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). Penalties for contravening LA FOIP include a fine of not more than $50,000, to imprisonment for not more than one year or to both.

There are several factors that must be considered when OIPC determines if it will recommend the matter be conveyed to the Attorney General of Saskatchewan for an opinion with respect to a prosecution under LA FOIP. The factors include (1) overall strength of the case; (2) public interest in a prosecution; (3) harm to the community as a result of the privacy breach; (4) number of complainants from the community; and (5) available litigation resources.

In Investigation Report 123-2025, OIPC determined that every factor listed above can be adequately addressed by the factual matrix of the case. As such, the Commissioner recommended that this matter be conveyed to the Attorney General of Saskatchewan for an opinion with respect to prosecution pursuant to section 56(2) of LA FOIP.

In October, OIPC issued Investigation Report 103-2025, 104-2025 into a case where a employee of the Saskatchewan Health Authority (SHA) snooped into the personal health information of 323 patients without legal authority. Employees of SHA must abide by The Health Information Protection Act (HIPA). Penalties for individuals contravening HIPA are the same as the penalties under LA FOIP. In that case, the Commissioner considered the factors but did not recommend that matter be referred to the Attorney General of Saskatchewan. However, the Commissioner decided to name the snooper in that case: Fahmida Shipa. For a more detailed explanation, you can read the blog Health Care Personal Information Snooping: When Will People Learn?

 

 

Was this page helpful?

Avoiding Abandoned Patient Records

After being with this office for more than 21 years, I had hoped that we had finished hearing about abandoned patient records. While there should never be a circumstance where patient records containing the personal health information of individuals are abandoned, such instances unfortunately continue to occur. There was a big push years ago to come up with strategies to address this problem, including the Ministry of Health (Ministry) establishing the Health Records Protection Working Group that released 11 recommendations. [1] Unfortunately, and shockingly, the problem persists.

Trustees have clear responsibilities to protect and appropriately collect, use and disclose personal health information under their custody or control, subsection 22(1) of The Health Information Protection Act (HIPA). That section of the Act clearly states that those duties continue to apply to a former trustee until they transfer custody and control of the personal health information to another trustee or to an information management service provider that is a designated archive. Various events including retirement, relocation, leaving the profession, termination of employment, bankruptcy, incapacity and death can result in situations where the obligations of the former trustee are legally mandated to continue until proper transfer of custody and control – but this is not always the case.

When the OIPC receives complaints regarding abandoned patient records, our primary concern is to ensure the records are secure while we investigate to determine where responsibility lies. In the event the responsible party is out of our reach, and depending on the circumstances, we may turn to the Ministry or other health stakeholders (e.g., appropriate health regulatory body or the Saskatchewan Health Authority) for assistance.

In a recent case involving abandoned personal care home records left behind at a spot that had been vacated, we worked with the Partnership, Privacy and Legislative Services branch of the Ministry. The personal care home in question, the former trustee, had ceased operating. Boxes of abandoned patient records were discovered after the home was closed. In this particular case, to ensure the protection, management and eventual disposal of the records of the patients of the former trustee, the Ministry requested a Minister’s Order under subsection 22(2) of HIPA to appoint a third party to act in the place of the former trustee. The Minister’s Order was required to legally transfer the personal health information in the records found on the premises to the third party or to an information management service provider that is a designed archive. The wording of section 22(2) of HIPA is as follows:

 22(2)  Where a former trustee fails to carry out the duties continued pursuant to subsection (1), the minister may appoint a person or body to act in place of the former trustee until custody and control of the personal health information is transferred to another trustee or to an information management service provider that is a designated archive.

Why do trustees abandon the health care records of the people who have placed their trust in them? There is no single answer to this problem. The best we can do is to focus on solutions.  Our primary goal should be to ensure that there are effective processes in place to prevent records from becoming abandoned. Such processes should include trustees and their staff being educated to have a clear understanding of their responsibilities and legal obligations as a trustee.  Trustees need to understand that those responsibilities do not end when they cease to be a trustee.

Having a succession plan in place in the event of unforeseen changes in circumstances also goes a long way in preventing abandoned patient records. That succession plan should clearly identify what will happen to personal health information of patients which will ensure ongoing security of those records and a process for patients to gain access to their records up until those records are up for destruction.

As noted as far back as 2017, our office has been providing the following guidance to those closing a practice, which is still relevant:

  1. If you have not done so already, create an inventory of all records (paper and digital) in your custody or control;
  2. If you do not have one, create a record retention/disposition schedule for all records;
  3. Custody or control of patient records must be clearly established before taking action;
  4. Before transferring patient records, enter into a written agreement with the successor trustee or IMSP (that is a designated archive, see HIPA Regs s. 4);
  5. Ensure that any multi-function devices that may contain personal health information are sufficiently wiped/erased or hard drives are destroyed;
  6. Provide advance, adequate notice (letters to patients, notice on doors, voicemail message and details in the newspaper and/or online) to patients and others to prevent personal health information from becoming misdirected;
  7. Securely transfer patient records; and
  8. Leave no records behind including securely destroying any records that are up for disposition.

If a member of a regulated profession, the trustee can also seek advice from its health professional body which also happens to be prescribed as designated archives in the HIPA Regs. Or, at any time, you may reach out to our office for further advice.

[1] Health Records Protection Report April 2014, Report of Saskatchewan’s Records Protection Working Group to the Deputy Minister of Health

 

Was this page helpful?

Explaining Cookies in the Internet Age

The other night I overheard my daughter say, “I don’t know what cookies are. I just accept them whenever they come up.” This got me to thinking. I, too, blindly accept the offer of cookies (real or digital) without giving it a second thought. But what are we really doing when we just accept cookies to get the pop-up to go away?

Before we go into the science of cookies – we first have to know what they are. Cookies are a small text file that is passed from a website to your computer. This is often done without your knowledge or consent. The cookie is used to save information about your interaction with the website. Cookies prevent you from having to re-enter your information over and over again.[1] Cookies are like digital post-it notes to make your web experience much more personalized and efficient.

This can be super convenient because no one wants to enter their username, password, location or language preference each time they open a website on a browser. Who else fills up their online shopping cart, finds a little restraint, closes the site and then returns to said website finding their cart full and ready to hit purchase?

Just like real cookies – some are good and some are bad. “Good” cookies allow a website to function smoothly. “Bad” cookies can track your information across multiple sites.  They do this to build a profile of your habits and interests with the distinct purpose of directing advertising your way. This is referred to as a third-party cookie. As noted in one resource available on the Office of the Privacy Commissioner of Canada’s website:

“When an advertisement is on a web page supplied by a first party, the advertising content and a cookie are passed from the advertising company (the third party) to the end user’s (your) computer. Later, when you revisit that same first-party website, or another site that uses the same advertising company, the third-party cookie can be retrieved by the advertising company. If the cookie contains a unique identifier, then information about your visits to different websites can be linked together.”[2]

Information tracking for “behavioural advertising” is usually done covertly. This raises concerns about privacy because if we don’t know we are being tracked we lose control of our personal information.[3]

Web browsers provide some tools to control cookies. Be sure to check your browser and make sure the default setting isn’t to store all cookies indefinitely. You can set your browser to block cookies, but many websites insist users accept cookies to use their service. Blocking cookies can affect your overall user experience by making things tedious and repetitive.[4]

As with the case of real cookies, restraint must be practiced by carefully accepting only the ones we want or need.  Blindly accepting cookies permits companies to obtain a great deal of information about us. To better navigate which cookies should be accepted and how to protect yourself, check out the blog, What to Know about Internet Cookies posted on the Government of Canada website. And remember: Be careful which cookies you accept; it could affect more than your waistline.

[1] Web tracking with cookies, Office of the Privacy Commissioner of Canda, November 23, 2025, https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/cookies/02_05_d_49/.

[2] Web tracking with cookies, Office of the Privacy Commissioner of Canada, November 23, 2025, https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/cookies/02_05_d_49/.

[3] Frequently asked questions about online behavioral advertising, Office of the Privacy Commissioner of Canada, November 25, 2025, https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/02_05_d_52_ba_01/.

[4] Frequently asked questions about cookies, Office of the Privacy Commissioner of Canada, November 25, 2025, https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/cookies/frequently-asked-questions-about-cookies/.

 

Was this page helpful?

Canada’s privacy regulators call for strong protection of children’s privacy in the development and use of educational technologies

As Canada marks National Child Day, privacy authorities from across the country have issued a joint resolution to help ensure that privacy rights and the best interests of children are paramount in the development, procurement, and deployment of educational technologies (EdTech). The resolution, was unanimously adopted at the annual meeting of Canada’s information and privacy regulators in Banff, Alberta, on October 8, 2025, hosted by the Information and Privacy Commissioner of Alberta.

Educational technologies have become deeply embedded in the way that education is delivered. They are now a central feature of Canadian classrooms particularly since their adoption increased exponentially during the COVID-19 pandemic.

EdTech includes technologies that support curriculum delivery, content engagement, attendance, and testing and assessment of students in elementary, secondary and post-secondary institutions.

However, they can also introduce new risks to privacy — especially for children and young people who have no choice but to use educational platforms that collect and use their personal information in the classroom. Such risks include significant data breaches, student profiling, biometric surveillance, and manipulative design.

The joint resolution affirms that the right to education and the right to privacy are fundamental and interdependent rights. It calls on governments to assume their responsibility for ensuring student privacy when assessing or authorizing EdTech; education institutions to protect privacy throughout the procurement process; and vendors, to design privacy protective tools that take the best interests of children into account.

Taking children’s best interests into account when procuring, designing or implementing EdTech means, among other things:

  • Embedding privacy by design into products and services;
  • Following data-minimization principles;
  • Ensuring that safeguards are proportionate to the sensitivity of collected information;
  • Avoiding design practices that would influence, manipulate or coerce users into making decisions that go against their privacy interests;
  • Building in appropriate access controls and encryption;
  • Establishing privacy settings to their most protective level by default;
  • Prioritizing privacy protection when selecting educational technologies; and
  • Funding and implementing digital education and privacy training and digital literacy skill development.

Quick facts

  • Canada’s privacy authorities include federal, provincial and territorial information and privacy commissioners and ombuds responsible for privacy law oversight.
  • National Child Day is celebrated in Canada and many countries around the world on November 20 to acknowledge the importance of children’s rights. It commemorates the day in 1989 when children’s human rights were recognized in the United Nations Convention on the Rights of the Child.

 Related links

Media contact

Julie Ursu
Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
jursu@oipc.sk.ca

Was this page helpful?

How do I Request a Correction of my Personal Information or an Amendment of my Personal Health Information?

The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide individuals with a right of correction to their personal information. The Health Information Protection Act (HIPA) provides individuals with a right of amendment to their personal health information.

Our office has received calls and emails from individuals who, after accessing a record from a government institution, local authority or a trustee containing their personal information or personal health information, believe that it contains errors or omissions.

An error is mistaken or wrong information that doesn’t reflect the true state of something – it is an error to something factual.

An omission is information that is incomplete, missing or overlooked.

An opinion is not an error or omission if it accurately reflects the views of the individual who recorded the information at the time.

If you believe a record containing your personal information or your personal health information contains an error or omission, you can request a correction or amendment under FOIP, LA FOIP or HIPA. Such requests are made to the government institution or local authority (for personal information), or to the trustee (for personal health information) with possession/custody or control of the record.

Our office has prepared the following resource, Steps to Request a Correction of Personal Information or Amendment of Personal Health Information.  The resource outlines the steps that an individual can take to request a correction of their personal information or an amendment to their personal health information. It also includes information on the obligation of the government institution, local authority, or trustee, to respond to your request and what the possible outcomes are. As well as advising on what you can do if you are not satisfied with the response to your request for correction or amendment.

Steps to Request a Correction of PI or Amendment of PHI (Flipbook)

Steps to Request a Correction of Personal Information or Amendment of Personal Health Information (PDF)

Was this page helpful?

When AI Turns Dark

Warning: this blog contains details about suicide. If you are struggling with your mental health, call 988 for 24/7 voice or text support or visit 988.ca

Sewell Setzer III is a name you may not know. He was a Florida youth who took his life in February 2024 at age 16. Shortly after he turned 14, he became increasingly obsessed with a Character.AI chatbot he created, modeling it after a Game of Thrones character. His mother, Megan Garcia, stated in a lawsuit against Character.AI that the more time Setzer spent engaged with his chatbot, the more he withdrew from family and friends, and the more his schoolwork and self-esteem suffered.[1]

Garcia saved messages between her son and his chatbot that demonstrate the depth of the relationship that developed between the two. Just prior to his death, the chatbot asked Setzer if he had considered suicide. When Setzer responded that he wouldn’t want to die a painful death, the chatbot responded that it wasn’t a good enough reason to not want to go through with it. Garcia noted that not only did the chatbot continue a conversation about self-harm with her son, but it kept directing him; at no point did the chatbot suggest her son should seek help.

Character.AI describes itself as an “infinite playground for your imagination, creativity and exploration.”[2] It allows users to create custom chatbots using Artificial Intelligence (AI) that speak and act the way you want that you can interact with. Human-like responses are designed to be realistic, and to allow you to become involved in the character’s world. It’s an artificial relationship that may feel real to some. It did to Setzer.

The American Psychological Association (APA) suggests that youth are increasingly turning towards chatbots for friendship and emotional, educational and recreational support.[3]The APA cited research showing that as children develop, they seek reciprocal friendships to cope and build self-esteem. The positive reinforcement offered through friendships helps them to better understand their social environment and to build empathy. The more time youth spend interacting online, however, the more their social development may be negatively impacted, and the more they may experience depression and anxiety. Marginalized youth are especially vulnerable, with the online world easing their fear of social interaction. Such youth may turn to AI-powered chatbots to fill the need for social support, the concern being that they have not fully developed a sense of impulse control. In other words, they are highly impressionable and easily suggestible and may be left guided by the influence of AI, as Setzer was.

Beyond this, there are other troubling aspects of AI. AI allows disinformation to spread or be quickly disseminated. Deepfake videos, pictures and audio clips that appear real can fuel the spread of disinformation. They can also be used to cyberbully, as was the case for a high school student who was subjected to fake nudes of herself being distributed through social media.[4] Legal experts argue that such activity goes beyond cyberbullying and into sextortion, where attempts may be made to financially extort youth and their families to prevent faked content from being shared online. Youth subjected to this not only suffer embarrassment, but may also suffer depression and anxiety, or a growing sense of distrust of those around them. Because of the algorithms built into AI, youth can also be fed information that reinforces fringe or unacceptable views, thereby further pushing them to seek out those who agree with those views or that perpetuate biased thinking.[5] In so doing, they may develop a warped sense of reality or be led into dangerous or illegal activities.

Character.AI recently stated that it will ban anyone under the age of 18 from using its chatbots.[6] While it is a step forward, it leaves many questions unanswered, such as how companies will verify ages. Considering cases such as Setzer’s, Canada’s Artificial Intelligence Minister, Evan Solomon, stated publicly that an upcoming privacy bill could introduce age restrictions on access to chatbots. [7] Chatbots might seem to be imparting empathy or acting like friends to youth who use them, but what they lack is responsibility for what they say or how they engage, which is something the privacy bill seeks to change. An age restriction may not release companies from culpability, but it at least recognizes that those under the age of 18 may not, because of their lack of social development, be able to separate reality from fantasy.

In the meantime, it’s important for parents to help their kids use AI responsibly. The APA suggests the following:[8]

  1. Help your kids understand that AI responses are programmed, and that interactions and relationships with chatbots are not genuine. Help kids understand the difference between an artificially created relationship and a human one that has emotional depth.
  2. If your kids are using AI for health purposes, including for their mental health, or to seek health information on themselves, remind them that it is not a substitute for professional medical advice. Health advice or information should always be verified by a real, human professional.
  3. Review the privacy settings on the devices and apps your kids use. Know what data is collected or help your kids understand how their data is being collected and used.
  4. Tell your kids to question AI-generated content rather than accepting it as real. While AI can be a useful tool to aid learning, it should not replace traditional learning and research. Challenging AI can help build critical thinking skills.

Garcia channeled the grief over losing her son into warning others about the dangers of chatbots and AI. She wants parents to know and understand how sophisticated AI is, and how youth may not be able to distinguish AI from reality.[9] Youth may be manipulated or deceived into believing things that are not real or true. Undoubtedly, Garcia may wish she paid more attention to how deeply her son was being drawn into a relationship with a chatbot character that did not really exist, but that held a lot of emotional control over him. No parent would anticipate the outcome that Garcia experienced, but it serves as a cautionary story about the fast evolution of AI, and how crucial it is for parents to learn about the dark side of AI and how to help their kids navigate around it.

[1] Yang, A. “Mom who sued Character.AI over son’s suicide says the platform’s new teen policy comes ‘too late’.” 30, October 2025, https://www.nbcnews.com/tech/tech-news/characterai-bans-minors-response-megan-garcia-parent-suing-company-rcna240985. Accessed November 3, 2025.

[2] https://play.google.com/store/apps/details?id=ai.character.app&hl=en_CA. Accessed November 3, 2025.

[3] Andoh, E. “Many teens are turning to AI chatbots for friendship and emotional support.” 1, October 2025, https://www.apa.org/monitor/2025/10/technology-youth-friendships. Accessed November 3, 2025.

[4] Wong, J. “Amid rise in AI deepfakes, experts urge school curriculum updates for online behaviour.” 9, January 2025, https://www.cbc.ca/news/canada/education-curriculum-sexual-violence-deepfake-1.7073380. Accessed November 3, 2025.

[5] Marr, B. “7 Terrifying AI Risks That Could Change The World.” 18, August 2025, https://www.forbes.com/sites/bernardmarr/2025/08/18/7-terrifying-ai-risks-that-could-change-the-world/. Accessed November 3, 2025.

[6] Folk, Z. “Character.ai Will Ban Children From Speaking With Chatbots After Facing Regulatory Pressure And Lawsuits.” 2025 October, https://www.msn.com/en-us/money/companies/characterai-will-ban-children-from-speaking-with-chatbots-after-facing-regulatory-pressure-and-lawsuits/ar-AA1PrdiC?ocid=BingNewsVerp. Accessed November 4, 2025.

[7] Karadeglija, A. “Age restrictions for AI chatbots may be in new privacy bill, minister says.” 24, October 2025, https://globalnews.ca/news/11493930/ai-chatbots-age-restrictions-privacy-bill-solomon/. Accessed November 3, 2025.

[8] American Psychological Association. “Four ways parents can help teens use AI safely.” 3, June 2025, https://www.apa.org/topics/artificial-intelligence-machine-learning/tips-to-keep-teens-safe. Accessed November 3, 2025.

[9] Chow, A. “Megan Garcia, Activist against chatbot harms.”, 2025, https://time.com/collections/time100-ai-2025/7305805/megan-garcia/. Accessed November 3, 2025.

Was this page helpful?

Canada’s Information Regulators call on their respective governments to promote a more robust information ecosystem

Gatineau, Québec, November 5, 2025 – In an era where false and misleading information can spread rapidly and influence public discourse, Canada’s Federal, Provincial, and Territorial Information Commissioners and Ombuds (FPT Information Regulators) are urging governments and public institutions to modernize access to information laws, proactively disclose records, and ensure the integrity of public information.

The FPT Information Regulators responsible for overseeing access to information adopted a joint resolution at their annual meeting in Banff, Alberta, earlier this fall titled “Trust, transparency, and democracy in an era of misinformation”. This resolution calls upon their respective governments to promote a more robust information ecosystem.

Misinformation thrives in environments where transparency is lacking. “By embracing transparency and proactively making accurate information available to the public, public institutions can play a crucial role in strengthening our collective information ecosystem, countering misinformation, enhancing trust, and preserving the integrity and resilience of democratic societies”, states the resolution.

Access to government-held information matters to Canadians. Whether it’s understanding how public health decisions are made, accessing environmental data, or verifying the facts behind government policies, reliable information empowers Canadians to make informed choices. When institutions are transparent and information is easy to access, citizens are better equipped to engage in public life, challenge misinformation, and hold decision-makers accountable. Transparency is key to a healthy democracy.

The resolution outlines specific recommendations, including:

  • Codifying a duty to document and setting minimum standards for proactive disclosure;
  • Ensuring public institutions have the resources to effectively run their access and transparency programs;
  • Supporting media and civil society in promoting the public’s right to know, and
  • Enhancing digital and media literacy and regulating online platforms for greater transparency.

The regulators also commit to improving their own transparency practices, collaborating with other oversight bodies, and reducing delays in access to information processes.

In recent years, related joint resolutions focused on restoring trust through access to government records (2023) and promoting transparency by default in public service delivery (2024).

Related documents:
Joint resolution: Trust, transparency, and democracy in an era of misinformation

News Release: Canada’s information and privacy regulators wrap up meeting that focused on critical access and privacy issues facing Canadians

For more information:

Julie Ursu
Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
jursu@oipc.sk.ca

 

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.