
Demystifying the Right to Privacy

Privacy is a deeply personal concept, and it means something a bit different to everyone – so how does Saskatchewan’s privacy legislation protect your personal information and personal health information?

Saskatchewan’s public sector access and privacy laws, The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) govern how public bodies (government institutions and local authorities) interact with your personal information. Saskatchewan’s health sector privacy law, The Health Information Protection Act (HIPA), for the most part controls how certain health professionals (called trustees under HIPA) interact with your personal health information.

The protection of privacy under these Acts includes setting rules for the collection, use and disclosure of the personal information or personal health information in question, and whether the public body or trustee’s actions are allowable under their respective Act.

Collection is when an organization assembles or obtains information about an individual.

Use is when an organization uses the information internally – the information is still under the control of the organization.

Disclosure is when information is shared with a separate entity outside of the organization, so the information passes out of the possession and control of the organization.

In order to fulfill their roles, public bodies and trustees may need to collect, use and/or disclose information about you. The legislation protects your privacy by placing boundaries around when collection, use and disclosure are appropriate, and by establishing obligations for organizations. Some of these obligations include:

  • Collecting only as much of your information as is necessary to fulfill an authorized purpose (data minimization principle).
  • Where possible, collecting information directly from you.
  • Ensuring that the information they collect about you is as accurate and complete as possible.
  • Taking reasonable steps to safeguard the information under their control – this means having technical, physical or administrative safeguards in place to protect the information from unauthorized access, use, modification, etc.

If you feel that your personal information or personal health information has been collected, used or disclosed inappropriately by a public body or trustee in Saskatchewan, you have the right to make a complaint. The first step will be to make a written complaint to the organization that you feel breached your privacy – for more on this, please see our webpage How do I resolve a Complaint? and our previous blog post, How to Complain (Effectively). If you don’t receive a response from the organization, or if you are not satisfied with the response, you can make a complaint to our office.

Alternatively, when a breach occurs, you may receive notification from the public body or trustee. For more on this, please see our previous blog post What to do if you Receive a Privacy Breach Notification.

If you have questions about how your privacy is protected in Saskatchewan, you can contact our office for more information.


Confidentiality Clauses in Contracts (updated)

A lot of our work centers around a citizen wanting a contract that a ministry, city, town or municipality has entered into. The public body does not want to release it, for among other reasons, the contract has a confidentiality clause.

The Cities Act and The Municipalities Act specifically provide that a citizen can inspect a contract entered into. See Review Report 049-2021 at paragraph [89]. The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) both provide that a citizen has access to records unless a particular section exempts the public body from having to release some of the clauses. Section 19 of FOIP and section 18 of LA FOIP provide certain exemptions, but there is no exemption based solely on the parties wanting to keep the information confidential. A confidentiality clause in a contract might bind the parties, but the clause cannot override the law of the land.

Third parties and businesses need to know when they deal with public bodies supported by tax dollars that their contract will probably be released. No confidentiality clause, however well drafted, can override the law. See Review Report 205-2019, 255-2019 at paragraph [95].

Now, I have mentioned there are some exemptions. Section 19 allows trade secrets and financial, commercial or labour relations information to be withheld.

If an exemption applies, like trade secrets information, that information can be withheld but that does not justify withholding the entire contract. The public body might be entitled to sever the exempted information but would be obliged to disclose the rest.

So I hope over time businesses dealing with public bodies come to accept that being transparent in a democracy is important and their contracts will be available to be examined by citizens.


3 Minutes for a Search (updated)

As public bodies now do the majority of their communicating by email, access requests for records of emails have increased. I expect such requests will continue. If the access request is for recent records (emails), an employee can perform a search in Outlook (or another email program) and very quickly locate the emails related to the access request. If the request is for older emails that have been archived in the Outlook archive system, the search can still be done (it might take a little longer). If the access request is for emails that are no longer in the Outlook system, then the search might be more difficult depending on the technology used. Or, if the employee has left the organization and their emails have been stored outside the Outlook system, getting those emails could be difficult and time consuming. This can be hard work, or expensive if IT resources are required.

The best solution is that emails be reviewed regularly by each employee. The emails that are part of the official record get stored in an organized electronic filing system, such as a shared drive that is accessible to authorized employees or an electronic document records management system (EDRMS). I know employees don’t always do this, but they should. An alternative solution is that an organization acquires an email management system that stores all emails, old and new, for current and former employees.

Those are two solutions. There may be other solutions and I encourage organizations to determine what solution works for them.

In the meantime, access requests for emails will be made. Organizations need to decide on a search strategy for finding those emails and then decide whether they will charge a fee. If an organization charges a fee for those emails, it is necessary to figure out what is a reasonable fee. My office has developed rules of thumb for searches such as 5 minutes per file drawer or 1 minute to review 12 pages. We have developed another rule of thumb. We will accept that it takes 3 minutes for an employee to search their email Outlook account for each search parameter. Of course, a public body is free to perform its own test and determine the length of time it takes to perform a search of an employee’s email account and store the results.

Our hope is that this guideline will make it easier for public bodies to estimate a fee and easier for applicants to understand the fee being charged.

We think our 3 minutes is reasonable, but try it: search your email account and time how long it took your computer to deliver the search result, and then the time it took to move those results to a separate file or flash drive. As you are working on a fee estimate, you should review section 9 of FOIP and sections 6 and 7 of the FOIP Regulations, or section 9 of LA FOIP and sections 5 and 6 of the LA FOIP Regulations. For a report that analyzes a fee estimate, see Review Report 119-2023.


Collection/Disclosure; A Two-Step Analysis (updated)

When personal information or personal health information (information) is shared by one public body with another, the issue arises as to who has the authority to disclose and who has the authority to collect. Many collections of information happen when you or I visit a public body, apply for a service or benefit and fill out a form or answer questions orally. By giving the information to the public body, we are consenting to their collection of it. We have expectations that they will use it for the purpose collected, that they will protect it and not disclose it to others without consent unless legislative authority to disclose otherwise exists.

So, when it comes to the sharing of information by one public body with another, my office has to ask two questions: Does one body have the authority to collect? Does another body have the authority to disclose? For an authorized sharing to occur, the answer to both questions has to be yes. If one of the answers is no, then the sharing is unauthorized.

If the sharing will only occur once, then the public bodies are wise to record their understanding in emails, but probably don’t need a formal data sharing agreement.

If the data sharing will occur often, it is then best practice that the public bodies enter into a written data sharing agreement. That agreement should set out the legislative provisions that allow collection and disclosure and it should set out the obligations of the receiving public body regarding the safeguarding of that information and the rights of the sending public body to review and audit the actions of the receiving body.

The existence of a data sharing agreement itself does not authorize the sharing; it is the provisions in statutes or regulations, authorizing collection and disclosure that make the sharing authorized.

As a final note, any authorized sharing should be looked at with the data minimization principle in mind. The public body collecting the information should collect the least amount possible and the disclosing public body should disclose the least amount possible. Of course, there may have to be discussions between the two bodies to ensure that the least amount of information gets shared.

Another situation where the two-step analysis must be applied is when a public body has the power to investigate. Implied in the power to investigate is the authority to collect information. When an investigator approaches someone in another public body and asks for information, the other public body needs to decide whether they have the authority to disclose under The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act or The Health Information Protection Act (i.e., where the disclosure is permitted pursuant to another Act or Regulation). For general information or de-identified information, they can always disclose, as no privacy interests are engaged. For personal health information, they should attempt to determine whether the personal health information is reasonably necessary for the investigation. The data minimization principle always suggests that the least amount of information be disclosed. Collection and disclosure are like two sides of the same coin: you can’t have one without the other. It is always necessary to analyze the authority to collect and the authority to disclose before sharing the information in question.


Demystifying Access to Information Rights

What rights do members of the public have when it comes to access to information? The right to access information in government records is established at the federal and provincial level.

Federally, the Access to Information Act is overseen by the Information Commissioner of Canada. For more on this, please visit the Information Commissioner of Canada’s website. The provinces and territories also have access to information legislation. For more on this, check out the Summary of privacy laws in Canada on the Privacy Commissioner of Canada’s website. In Saskatchewan, we have three Acts that give you access to information rights: The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA).

In Saskatchewan, your access to information rights include:

A right of access to records

Under FOIP and LA FOIP, anyone has the right to request access to any record in the possession and control of a government institution or local authority. Information in the records of public bodies defaults to being accessible to the public. That said, the legislation also outlines some limited and specific exemptions to the right of access – these are situations when the head of a public body may or must withhold access to some or all of the information.

Under HIPA, an individual has the right to request access to their own personal health information under the custody or control of a trustee. HIPA does not provide a right of access to policy or process information in the holdings of trustees. Like FOIP and LA FOIP, the default is that you have a right to access your own personal health information – if the trustee withholds your personal health information, they must be able to justify their decision by pointing to specific sections of HIPA.

A right to request an amendment or correction to your own information

If, upon receiving access to your own information, you feel there is an error or omission in the records, all three acts give you the right to request correction or amendment. The right of correction only extends to factual information; generally, it does not apply to subjective opinions noted in the records.

A right to request a review from the IPC

If an individual is not satisfied with the public body or trustee’s response to their access request or request for correction within legislated timelines, they have a right to request that our office review the matter. The IPC will determine whether the public body/trustee responded to the request appropriately under the applicable legislation. If we find that they did not, we will, in most cases, issue a public report with recommendations based on our findings.

If you have questions about your access rights under the Saskatchewan legislation, contact our office – we would be happy to help!


Making a Privacy Complaint for Someone Else?

Often, our office is contacted by individuals who are concerned about the inappropriate disclosure of personal information that is not their own. If this is you, then perhaps you are attempting to complain on behalf of a loved one; or you’ve received the personal information of a stranger, and you’re willing to go out of your way to report the matter in hopes of having it rectified.

There are many reasons why our office may determine that it is unable to proceed with privacy concerns that individuals bring to our attention (see “Why some reviews and investigations cannot pass go” for some discussion of these reasons), but, in the aforementioned scenarios, the absence of the affected individual is an immediate obstacle.

That is because your privacy rights under the legislation that our office oversees (The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act, and The Health Information Protection Act) extend to the collection, use, and disclosure of your own personal information or personal health information by public bodies and health trustees. As a result, although you can still inquire regarding the process that an affected individual must follow in submitting a privacy complaint, you will probably not be in a position to actually submit a complaint on behalf of anyone else.

If you know someone whose privacy has been breached, you may be in a position to serve as a witness, but they will likely need to make their own complaint, first to the public body or health trustee, and only then, if they are unsatisfied with the response that they receive to that complaint, to our office.

Similarly, if you have received personal information that is not your own, you should first report it to the Privacy Officer of the public body or health trustee from which it originated and allow them an opportunity to rectify the situation before reporting it to the IPC.

That said, any right conferred by FOIP, LA FOIP, or HIPA can be exercised by a surrogate under specific conditions, usually explicit permission from the affected individual. If you wanted to submit a complaint on behalf of a child, for example, you may need to demonstrate through documentation that you are the child’s legal custodian (see FOIP section 59, LA FOIP section 49 and HIPA section 56). If an adult were to grant you permission to pursue a privacy complaint on their behalf, this permission would have to be in writing and very specific regarding the powers and scope that it conferred and the time at which it was intended to expire.

From time to time, the Commissioner does become aware of a breach that he chooses to research or investigate on his own initiative. However, these “own motion” investigations are rare and typically relate to breaches involving a large number of affected individuals and/or more expansive, serious, or recurring problems (e.g., misdirected faxes).

So, although you can be of assistance when you learn that someone else’s privacy has been breached, it is usually necessary for the affected individual to exercise their own rights.


A Near Attack

A few weeks into a new role, Jane received an interesting email supposedly from her “colleague” Stacy. Stacy welcomed Jane to the team and asked for some time in her day. There was, of course, a smart attempt to cover any tracks: a line saying Stacy was entering a meeting and would only be available to communicate via email.

As Jane pondered over the content of the email, other red flags became apparent. Although she in fact had a co-worker called Stacy, the email was sent from a sketchy address and was missing the signature usual for emails emanating from the office.

With each passing day, scammers develop ingenious ways to attack unsuspecting victims. Publicly accessible information from organizations’ websites and internet activity is unfortunately employed as a springboard for a malicious attack. The Canadian Centre for Cyber Security outlines different ways by which phishing could occur. These include:

  1. Spear phishing: A personalized attack which may contain specific details about a victim (as happened with Jane).
  2. Whaling: A personalized attack that targets a big “phish” such as the Chief Executive Officer because of their possible access to sensitive information.
  3. SMiShing: An attack using SMS (texts) where a scammer impersonates someone known by the victim or poses as the provider of a service used.
  4. Quishing: An attack involving Quick Response (QR) codes that re-directs victims to malicious websites when scanned.
  5. Vishing: “Voice phishing” which involves defrauding people through voice calls, enticing them through means which appear legitimate, to divulge sensitive information.

Phishing attacks typically result in identity theft, fraud, and the transmission of computer viruses. There have also been ransomware incidents where files have been encrypted, organizational data stolen and significant ransom payments demanded. In the case of Jane, she deleted the email and never responded to the sender’s request. This protected her account from being compromised and the entire organization from a potential security breach.

The onus is on organizations and individuals to protect personal information and personal health information (where applicable). Employees are generally advised, in the case of suspicious phone calls, not to divulge any personal or sensitive organizational information and to end the call immediately. They are also cautioned not to open any suspected phishing emails, but if they do, they should:

  • Not click any links or download any attachments in the email.
  • Not respond to the sender.
  • Swiftly report in accordance with their organization’s standard operational practices.
  • Delete immediately!

In the unfortunate event that a person falls victim to an attack, immediate steps to be taken include scanning devices for viruses and other malware, changing affected passwords, enabling multi-factor authentication across their devices and informing co-workers to contain the breach and prevent future attacks. Privacy awareness training and cybersecurity training are a good starting point in the fight against phishing attacks.
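As an added example (not from the IPC post, and not a tool the office provides), the following Python triage check looks for the red flags Jane noticed: a colleague’s name on an outside or lookalike address, a Reply-To that does not match the sender, the “in a meeting, email only” pretext, and a missing office signature. The organization domain, staff names, signature marker and both sample messages are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumed organisation details (constructed for this example, not real values).
ORG_DOMAIN = "example.org"
STAFF_DIRECTORY = {"Stacy Lee", "Jane Doe"}
SIGNATURE_MARKER = "Office of Example | 306-000-0000"

# Pretexts designed to stop the recipient from verifying by phone or in person.
PRETEXT_PATTERNS = [
    r"\bin a meeting\b",
    r"\bonly (?:available|reachable) (?:by|via|through) e-?mail\b",
    r"\b(?:can'?t|cannot) take (?:any )?calls\b",
]


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Check one plain-text RFC 5322 message for the red flags described in the post."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    body = msg.get_payload()  # plain-text samples only; no multipart handling here
    flags = []

    # 1. A known colleague's name shown on an address outside the organisation.
    if display_name in STAFF_DIRECTORY and from_domain != ORG_DOMAIN:
        flags.append(f"colleague name '{display_name}' on external address {from_addr}")

    # 2. Lookalike domain: reuses the organisation's main label but is not its domain.
    if from_domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in from_domain:
        flags.append(f"lookalike domain {from_domain}")

    # 3. Replies quietly routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append(f"Reply-To {reply_addr} does not match the From domain")

    # 4. Pretext that discourages checking with the real colleague out of band.
    found = [p for p in PRETEXT_PATTERNS if re.search(p, body, re.IGNORECASE)]
    if found:
        flags.append(f"{len(found)} 'email only' pretext phrase(s)")

    # 5. The office's standard signature block is missing.
    if SIGNATURE_MARKER not in body:
        flags.append("standard office signature missing")

    return {"flags": flags, "verdict": "suspicious" if len(flags) >= 2 else "ok"}


# Constructed sample resembling the message Jane received.
SUSPICIOUS_SAMPLE = """\
From: "Stacy Lee" <stacy.lee@example-org.com>
Reply-To: <stacy.lee.work@mailbox.example>
To: jane.doe@example.org
Subject: Welcome to the team!

Hi Jane, welcome aboard! Could I get 15 minutes of your time today?
I am in a meeting for the rest of the day and only available via email.
"""

# Constructed sample of a genuine internal welcome note.
LEGITIMATE_SAMPLE = """\
From: "Stacy Lee" <stacy.lee@example.org>
To: jane.doe@example.org
Subject: Welcome to the team!

Hi Jane, welcome aboard! Drop by my desk any time this week.

Stacy Lee
Office of Example | 306-000-0000
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        result = triage(sample)
        print(name, result["verdict"], *result["flags"], sep="\n  ")
```

The check is deliberately heuristic: a real mail gateway would also evaluate SPF/DKIM/DMARC results and sender history, which this example leaves out.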


Delegation of Powers and Duties Under LA FOIP

Frequently, my office is asked by municipalities on how to prepare a delegation instrument where the “head” of the municipality may delegate their powers and/or duties under LA FOIP to one or more employees. In many cases, it is the mayor or reeve who wishes to delegate their powers and duties under LA FOIP to the administrator.

Section 50 of LA FOIP provides that the head may delegate to one or more officers or employees of a local authority their powers or duty under LA FOIP:

50(1) A head may delegate to one or more officers or employees of the local authority a power granted to the head or a duty vested in the head.

(2) A delegation pursuant to subsection (1):

(a) is to be in writing; and

(b) may contain any limitations, restrictions, conditions or requirements that the head considers necessary.

To help with the task of preparing a delegation instrument, my office has prepared a delegation table that breaks down the powers and duties of a head under LA FOIP. Municipalities can fill out the delegation table according to which powers and/or duties the head wishes to delegate. The head must approve the delegation table in order for the delegation to be effective. The head does not need council approval to delegate powers and duties under LA FOIP.

Some important things about a delegation are as follows:

  • The delegation should identify the position, not the individual, to which the powers are delegated. When delegation is to the position, a new delegation is not required when a new appointee assumes the position.
  • It is important to review the delegation periodically for any changes that may be needed, especially if the local authority is restructured or a new head is elected.
  • Delegated authority empowers certain officials and employees to make decisions or act.
  • The person delegating the authority remains responsible and accountable for all actions and decisions made under that delegation.

For more information about LA FOIP and delegations, check out Chapter 2 of my office’s Guide to LA FOIP.


Saskatchewan Information and Privacy Commissioner Tables 2022-2023 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, K.C., has tabled his office’s 2022-2023 Annual Report: Data, with the Legislative Assembly.

In his report, the Commissioner focuses on data and the issues that arise as a result of the creation and/or assembling of data. Given the current technological state of the world, vast amounts of data can be found online. As a result, we need to be conscientious about providing as little information as possible and insisting that it only be used for its intended purpose.

“Each time we do a search on the internet, go to a website, log into an account, purchase something online, check our bank balance or post a blog or video, we create data and add to the content on the internet.”

With so much information about us available online, it is a pivotal time for privacy. It is imperative that we understand what we are consenting to, how our information will be used, to whom it will be disclosed and the potential risks involved.

We need to advocate for greater security; “it is not if a breach occurs, but when a breach occurs.” We need to ask ourselves if we are doing enough and need to get serious about employee training and increasing the security and protection of our databases. There is always more that can be done and being proactive is more important than ever.

The Commissioner’s 2022-2023 Annual Report, which includes accomplishments, goals for the future, a thorough statistical report and views on generating and safeguarding data, can be viewed here.

A video containing the Commissioner’s comments on the Annual Report can be viewed here.

Media contact:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca


Privacy Impact Assessments

Back in 2015, my office blogged about privacy impact assessments (PIAs). It has been a while since then, so I thought I would highlight our PIA resources once again!

What is a privacy impact assessment (PIA)?

A PIA is a process that assists organizations in assessing whether a project, program, or process complies with the applicable access and privacy legislation. In Saskatchewan, government institutions are subject to The Freedom of Information and Protection of Privacy Act (FOIP), local authorities are subject to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and trustees are subject to The Health Information Protection Act (HIPA).

What is a privacy impact?

A “privacy impact” is when there are inadequate safeguards to protect personal information or personal health information, or FOIP/LA FOIP/HIPA does not authorize the collection, use, and/or disclosure of personal information or personal health information.

When does an organization engage the PIA process?

As projects are designed, developed, implemented, and carried out, privacy impacts may arise and will need to be addressed. Therefore, PIAs should be done at the outset and throughout projects. The PIA process is not a short exercise and it can require a lot of time and effort depending on the complexity of the project. Further, the PIA process is not a stand-alone, one-time exercise.

Who should be a part of the PIA process?

Although an organization’s Privacy Officer often takes the lead on conducting PIAs, employees and representatives from the participating program areas, branches, divisions, business units, other institutions and third parties can expect to be involved in the PIA process. The PIA process can only be effective if it comprehensively reviews the project.

What should the organization do when it identifies a privacy impact?

When a privacy impact is identified, that is an opportunity for organizations to make adjustments to the project to ensure personal information or personal health information is protected to the greatest extent possible and to be in compliance with FOIP/LA FOIP/HIPA. For example, if the PIA reveals there is no legal authority for the collection, use, or disclosure of certain personal information or personal health information, then the organization should determine if such personal information or personal health information is required for the project. If not, then excluding such personal information or personal health information from the project will assist the organization in eliminating a privacy impact while still carrying forward with the project.

Where can I find more information?

Check out my office’s guidance documents on privacy impact assessments. My office offers both a PDF and Word version of this document. The Word version allows for organizations to fill in the PIA. Organizations should keep in mind that the guidance document is meant to be a guide. It is not a definitive method of conducting a PIA.

You can also check out Chapter 6 of my office’s Guide to FOIP and Guide to LA FOIP for more step-by-step information on how to conduct PIAs.

Can I get feedback on a PIA?

Yes. If your organization has completed a PIA and wants my office to review it and provide feedback, you may engage in my office’s consultation process. For more information about the consultation process, please check out my office’s Consultation Request Form.
