Commissioner Dufresne launches exploratory consultation on children’s privacy code

Survey conducted by OPC found that most parents worry about their children’s online privacy

Information and Privacy Commissioner of Ontario and The French Language Services Commissioner discuss your rights of access to information and services in French June 4, 2025

Ontario IPC releases a new independent research report on emerging technology- Emerging Uses of Neurotechnology.

Privacy Commissioner of Canada and UK Information Commissioner’s Office issue a joint letter regarding 23andMe’s bankruptcy proceedings

Instagram still posing serious risks to children, campaigners say

English Information Commissioner issues statement on police use of facial recognition technology (FRT)

BC OIPC provides instruction to delete a user account and DNA on 23andMe

Alberta, update to access and privacy legislation, passed in December and in force this spring

Federal Privacy Commissioner launches new online privacy breach risk self-assessment tool

File Path Frustrations

File Path Frustrations

Good records management assists in compliance with access and privacy obligations. It requires properly identifying and classifying records. For electronic records, files need a meaningful name and categorization. This all seems simple, but what if your system is working against this goal, and you cannot properly name your files?

We encountered this issue after switching to M365. We follow the Administrative Records Management System (ARMS) and the Operational Records System (ORS). Documents are managed using folders and subfolders in Windows file explorer unless they pertain to a case file, as those are stored in a separate system. Windows file explorer has a 255-character limit for file paths. I had never encountered the 255-character limit before. I was frustrated.

How can I manage our records if I cannot name them as I see fit? In some instances, the file path was too long and we could not open files. File explorer cut off file extensions, and neither I nor the system could tell what program opened the document. We tried to name something in a meaningful way and ran out of characters. We made our file names as short as possible as a band-aid solution, but this also made them harder to identify.

After several months of this struggle, we found a solution which reduces the risk of hitting the 255-character limit and I would like to share it. Hopefully a public body, local authority, or trustee will be saved from the 9-month headache I had.

Before we get going here is a typical file path you might see when following ARMS in Windows file explorer.

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name>\<Sub-Folder>\

This uses up about 97 characters, which will vary user to user.

So, what do you do? The answer is, the shorter the better at every step.

What your IT people can control:

  1. Make the username as short as possible – Existing users converting to M365 may end up with unwanted characters in their username. I was unable to find a way to get rid of these. On new installations the name can be exactly what you want it to be but ask your IT people to keep it short.
  2. Organization/Entity Name – If your organization has a shorthand name or acronym, ask your IT people to use that instead of the full name. OIPC vs “Office of the Saskatchewan Information and Privacy Commissioner” saves a bunch of characters.
  3. Site Naming – Do you need “Administration” or is “Admin” fine or HR instead of “Human Resources”?
  4. Folder syncing – You can configure M365 syncing to Windows file explorer to be for manual or automatic. I learned that automatic syncing uses up precious characters. For instance, my file path when automatically syncing was C:\Users\<username>\<organization/entity name> \<site name> -Documents\General\<Folder Name>\

when I figured out the manual syncing quirk it became:

C:\Users\<username>\<organization/entity name> \<site name> – General\<Folder Name> which saves a handful of precious characters.

What you can (probably) control:

  1. Subfolders and Beyond Naming – Give your folders and subfolders the shortest usable name possible.
  2. Document Naming – If you followed steps one through 5, you will hopefully have more than enough characters to name your files.

Is it too late for me?

If this issue has been plaguing you and your system has already been configured, there is still hope. Steps 5 and 6 can be done at any time. Steps 1 through 4 may need to be done by your IT Department. You will likely need to re-sync your computer, which requires temporarily logging out of M365 and unlinking your OneDrive account from your computer.

Bonus tip 

Even after you have made your file path as short as possible, you might still forget where things should go. Windows file explorer, backed by M365, can quickly find file names and even document contents for things like .doc and .pdf files. As long as you know something about the document, whether it is the name, or some of the content, you should be able to easily search for and locate it. This may come in handy if you are a new FOIP coordinator responding to an access to information request but are not yet fully acquainted with the filing system.

As electronic records management becomes the norm, I hope this blog assists you in managing your records and meeting your access and privacy obligations by making it easier to search for, locate and access records.

Was this page helpful?

Privacy and Transparency in the Digital Identity Ecosystem in Canada

The federal, provincial and territorial Information and Privacy Commissioners across Canada recognize the many potential benefits of a privacy-respecting and secure digital identity for use by Canadians. The development of which is part of a broader global trend intended to enable individuals, businesses and devices to securely and efficiently connect with one another.

To be trusted, digital identities must meet high standards of privacy, security, transparency and accountability; and must not come at the cost of fine-grained tracking and surveillance, increased risk of discrimination, heightened incidence of identity theft, fraud and other harms, or diminished roles for individual users.

In our office’s 2021-2022 Annual Report, Saskatchewan Information and Privacy Commissioner, Ron Kruzeniski, K.C., states

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

In order to address these potential risks, the federal, provincial and territorial Information and Privacy Commissioners are committed to working with one another, their respective governments and other relevant stakeholders to ensure the responsible design and implementation of a digital identity ecosystem in Canada.

In doing so, they commit to the following:

  • Continually monitor the development of digital identity initiatives.
  • Collaborate between our respective offices to strengthen our collective capacity and knowledge in this area.
  • Stand ready to engage with our respective governments to provide our views and advice on evolving digital ID programs and initiatives in a timely, constructive manner that is conducive to enhancing privacy protections and public trust in the adoption of digital identities.

Finally, the design and operation of privacy-respecting digital identities and a trustworthy digital identity ecosystem should meet various conditions and properties and should be integrated with a legislative framework applicable to the creation and management of digital identities. For more on the list of conditions, including ecosystem properties, role of individuals, governance and oversight, a link to the full resolution can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca

 

Was this page helpful?

Knowledge can be a Gateway to Truth and Reconciliation

Today is Canada’s National Day for Truth and Reconciliation. Page 12 of Honouring the Truth, Reconciling for the Future:  Summary of the Final Report of the Truth and Reconciliation Commission of Canada states, “Without truth, justice, and healing, there can be no genuine reconciliation. Reconciliation is not about “closing a sad chapter of Canada’s past,” but about opening new healing pathways of reconciliation that are forged in truth and justice.”

I reflect on this powerful statement and how it holds meaning with a recent Report I issued. The report involved a Metis individual who was seeking information about their deceased parent from the Ministry of Social Services. I was moved by this individual’s story. They advised that their parent passed away in 2015 and they were looking for answers to questions about their parent’s past and what happened when their parent was a child.

Upon requesting that my office review this matter, the individual so eloquently stated, “…upon discovery of mass graves at residential school across Canada and the public conversation this prompted regarding the actions of child welfare agencies more broadly, I felt strengthened to renew my search for answers.” They further stated, “…There is no Truth & Reconciliation without the truth. I submitted my request for information on September 30, 2021, the first National Day for Truth and Reconciliation. This was by no means a coincidence. I just finally want to know the truth around this matter because it affected my [Parent], me and our family.  Therefore, I feel it is our truth and story to understand….”

I feel this story is representative of the story of so many Indigenous peoples. Some of their truth can be found in the records that government holds. Government needs to demonstrate its commitment to truth and reconciliation by removing barriers to access this information. This can help pave the path forward.

 

Was this page helpful?

Canadian Information and Privacy Regulators Urge Governments, Health Sector Institutions and Health Providers to Strengthen Safeguards for Sharing Personal Health Information

In a joint resolution released today, Canada’s federal, provincial, and territorial information and privacy commissioners and ombudspersons are calling for a concerted effort across the healthcare sector to modernize and strengthen privacy protections for sharing personal health information.

Because of the pandemic, the shift to virtual care came quickly, maybe without enough time for a thorough examination of it; that shift in service model could adversely impact access and privacy rights. Despite advancements in the health sector, breaches continue to occur and the use of outdated and vulnerable technologies, such as faxes and unencrypted email not only impacts patient privacy but also the delivery of timely patient care.

This has spurred innovation and change in the delivery of services, including virtual health care visits and other forms of digital health communications.

Canada’s Information and Privacy Commissioners urge stakeholders to take the following action:

  • Develop a strategic plan to phase out the use of traditional fax and unencrypted email and ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians.
  • Promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks. For health sector institutions and providers, this may include the adoption of standards developed by organizations such as ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information.
  • Amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties, for health institutions and providers that willfully refuse to take reasonable measures necessary to protect personal health information as well as for individuals who unlawfully collect, use, or disclose personal health information.
  • Seek guidance to understand how to evaluate new digital health solutions and assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate citizens’ rights to access their own records of personal health information.
  • Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public.
  • Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services

If you have any questions or would like to request an interview with the Commissioner, please email or call our office at the contact below.

To learn more, a copy of the joint resolution and these initiatives can be found here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.sk.ca

Was this page helpful?

Absurd Results: Part II

In 2017, the Commissioner posted a blog entry about absurd results. He provided examples of absurd results that can be reached when interpreting and applying The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA). He emphasized that public bodies take a liberal approach to these three statutes and provide as much of the record(s) to applicants as is possible.

Since 2017, my office has dealt with more reviews that involve absurd results. Therefore, in this blog, I’m revisiting this topic once again.

When an individual submits an access request to a public body, that individual would be denied access to the personal information of others. In Saskatchewan, government institutions would deny access to third parties’ personal information pursuant to section 29(1) of FOIP. Local authorities would deny access to third parties’ personal information pursuant to section 28(1) of LA FOIP. That is, the application of section 29(1) of FOIP and section 28(1) of LA FOIP to third party personal information is meant to prevent the unauthorized disclosure of personal information, which is one of the purposes of FOIP and LA FOIP.

However, what happens when Person A provides information about other individuals to a public body? An example is when an individual provides a witness statement to a police service about a matter they had witnessed involving other individuals. If Person A submitted an access to information request to the police service for the witness statement containing other individuals’ information, would Person A be denied access to the witness statement?

An “absurd result” occurs when a public body applies an exemption to withhold records that contradicts the purpose of the legislation. Using the example described above, Person A originally supplied the third party personal information to the police service. it would be an “absurd result” to withhold the information from Person A pursuant to either section 29(1) of FOIP or section 28(1) of LA FOIP.

In my office’s Review Report 215-2020, the Commissioner discussed a matter where the local authority withheld portions of emails that the Applicant had originally supplied to the local authority. The Commissioner found it would be an absurd result to withhold portions of these emails from the Applicant even if the emails contained the personal information of third parties. The Commissioner recommended the release of the records in their entirety to the Applicant.

Also in Review Report 215-2020, the Commissioner cited a decision by the Office of the Ontario Information and Privacy Commissioner (ON IPC) that noted two other circumstances in which the ON IPC found the absurd result principle to have applied: 1) where the requester was present when the information was presented to the public body, and 2) where the information is clearly within the requester’s knowledge.

When determining if exemptions set out in Parts III and IV of FOIP and LA FOIP apply to a record, government institutions and local authorities should consider whether applying the exemption to a record would manifest in an absurd result. If so, then perhaps the government institution or local authority should consider releasing the record to the applicant.

Was this page helpful?

Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2021-2022 Annual Report: Time for a Digital ID, with the Legislative Assembly.

In his report, the Commissioner addresses the need for the development of a Digital ID for Saskatchewan residents, the move toward virtual health care, the systemic issue of misdirected faxes and recommendations for legislative change.

Digital ID

As several other Canadian provinces shift towards the use of a digital ID, it is the hope that Saskatchewan develops a digital ID that meets the needs of our province. Commissioner Kruzeniski states:

“I would hope the Government of Saskatchewan continues to consult, educate and explain the benefits of a digital ID for citizens of our province. My hope is that Saskatchewan develops a digital ID that meets our province’s needs, maximizes the benefits and minimizes the risks.”

Virtual Health Care

Virtual heath care has increased as a result of the Covid-19 pandemic and consideration is required to ensure that personal health information is adequately protected. Commissioner Kruzeniski outlines ten expectations that should be considered as these virtual care initiatives move forward.

Spotlight on Misdirected Faxes

Over the last decade, there has been concerns with misdirected faxes which continues to be a systemic issue impacting patient privacy and the delivery of patient care. Several recommendations have been made to collectively address this concern including the elimination of traditional fax machines.

Recommendations for Change

The Commissioner concluded by summarizing the recommendations for legislative change to amend The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act. The goal is that these recommendations will address the gaps and challenges with the legislation as we move from a paper-based society to a digital one.

The Commissioner’s 2021-2022 Annual Report which includes: accomplishments, goals for the future, a thorough statistical report and recommendations for the development of a digital ID, virtual care initiatives, handling of misdirected faxes and legislative change can be viewed here.

A video containing the Commissioner’s comments on the Annual Report can be viewed here.

 

Media contact:

Julie Ursu, Manager of Communication

Telephone: 306-798-2260

Email: jursu@oipc.csk.ca

Saskatchewan Information and Privacy Commissioner Tables 2021-2022 Annual Report

Was this page helpful?

But I’m the Applicant – how can my submission help?

So, you have requested a review of an access to information request under The Freedom of Information of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), or The Health Information Protection Act (HIPA). The IPC has opened the file and sent you an email notifying you of the review. However, in the notification email YOU have been invited to make a submission on the matters at hand. You might be thinking to yourself why would I prepare a submission?  I want to assure you that there is no onus on the applicant to make a submission – however, it can be helpful.

First of all, what is a submission?  In a nutshell, for an applicant, a submission gives you the ability to counter the position taken by the local authority, government institution or trustee if you disagree with the decision they made regarding your access to information request. The IPC has developed the resource A Guide to Submissions – Increasing your chances of success (Guide to Submissions -updated December 2022). This resource includes tips for applicants on how to create a submission. In this resource, the IPC has outlined what you may wish to prepare your submission on – depending upon the scope of the review. This includes:

  • An applicant disagrees with the exemption(s) claimed to the record.
  • An applicant is not satisfied that a reasonable fee was estimated.
  • An applicant believes that all or part of the fee should be waived.
  • A head (of the local authority or government institution) or trustee failed to respond to the access to information request within the required time.
  • An applicant requests a correction of personal information or personal health information and the correction is not made.
  • An applicant does not believe that a sufficient search was conducted.

When preparing a submission, if you have any evidence to support your arguments, that can be a great help for the IPC through a course of a review. For example, if the scope of the review includes your belief that an adequate search for records was not conducted and you have evidence of that, provide the evidence as an attachment with your submission. A situation where you may have evidence that an adequate search was not conducted is where you have been provided a copy of an email as part of the response, but the attachment to the email has not been included with the response.

The Guide to Submissions includes a template for an applicant they may wish to use for preparing a submission. However, you can also send your submission in the form of an email – it really doesn’t have to be fancy.

If you would like some additional guidance on what the IPC is looking for in your particular review, contact the analyst who has been assigned the file – you will find that information in the notification email advising you of the review or investigation. If you are not sure who the analyst is, please contact our general inquiry line at 306-787-8350.

 

Was this page helpful?

RIM Best Practices

Records and Information Management (RIM) practices are important for any organization. My office has developed a guide dealing with RIM. The guide contains many best practices that an organization can adopt.

The goal here is that an organization implement best practices which over time become every day practices. Check out the guide here. This guide is based on the Ontario resource Improving Access and Privacy with Records and Information Management.

Was this page helpful?

An activity booklet for kids

The Ontario Information and Privacy Commissioner released a privacy activity book, Privacy Pursuit! Games and Activities for Kids, to help kids better understand and protect their online privacy.

In the Commissioner’s blog she says:

This new activity booklet is designed to help kids learn more about online privacy through games like word searches, crossword puzzles, cryptograms, and word matches, among other fun activities. Through these exercises, kids will pick up some easy-to-understand tips that will help them watch out for scams, protect their privacy, and stay safe online. Some thought-provoking questions will also guide kids through a process of self-discovery by reflecting on what privacy means to them and how to respect the privacy of others through caring and empathy.

Check it out and see if it increases the awareness of your children regarding privacy.

 

Was this page helpful?

Saskatchewan Information and Privacy Commissioner Tables 2020-2021 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2020-2021 Annual Report: Change is in the Air, with the Legislative Assembly.

In his report, the Commissioner addresses the need to update Saskatchewan’s access and privacy legislation. The Freedom of Information and Protection of Privacy Act and The Local Authority Freedom of Information and Protection of Privacy Act were implemented in 1992 and 1993 respectively, at a time when paper records were the norm. Society has shifted. Technology and the digitization of information is now the rule. Kruzeniski stated:

“A vast amount of information about each of us is housed in databases, many of which are accessible by the internet. We look up information, we order things, and we pay bills and communicate with one another through the utilization of these databases and the internet. It is time that we modernize our access and privacy legislation to take this into account.”

The Commissioner concluded by summarizing the legislative changes that are happening in access and privacy jurisdictions across the country.

 

Media contact:
Kara Philip, Manager of Communication
Telephone: 306-798-2260
Email: kphilip@oipc.sk.ca

 

News Release for 2020-2021 Annual Report

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.