Privacy Commissioner finds that Canadians have a right to have information de-listed from online search engine results in limited circumstances.

Joint investigation of TikTok Pte. Ltd.

How systemic delays, a backlog of overdue requests, and process errors led to UBC having the lowest rate of compliance.

NEW Checklist for Healthcare Organizations Considering the use of an AI Scribe

Privacy Commissioner of Canada to investigate cybersecurity breach at WestJet

PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada

Sask. information and privacy commissioner brings a focus on cyber security, AI

Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

Access to Information Act, Protection of Privacy Act implemented in Alberta

Commissioner Dufresne launches exploratory consultation on children’s privacy code

Health Care Personal Information Snooping: When Will People Learn?

Health Care Personal Information Snooping: When Will People Learn?

Those who wish to snoop into health care databases to get personal health information with respect to their friends, family, acquaintances or even strangers, should realize that they are violating the privacy legislation in Saskatchewan and the consequences will likely be significant.  We will review the basics of a unique snooping case in Saskatchewan where an employee snooped with what she thought was impunity.  In fact, an audit tracked her snooping, she was questioned by her employer on the breadth of her violation of The Health Information and Privacy Act (HIPA)[1] and ultimately, she chose to walk away from her employment.  We have named her in our public investigation report and we explain why it was not ultimately in the public interest to recommend a prosecution with the Minister of Justice. But as we say, the consequences of snooping can be highly significant to one’s career.

Ms. Fahmida Shipa was employed and held multiple roles within the Saskatchewan Health Authority (SHA) in the City of North Battleford from August 2023 to May of 2025.  During that time, three separate SHA audits revealed that she had snooped on an estimated 323 patient records for her own interest during the course of her employment.  She was suspended in April of 2025 when the audits revealed the snooping and she voluntarily resigned from her position on May 1, 2025.  The breach was investigated by this office and Ms. Shipa was provided with a notice that recognized her right to counsel and her right to silence.  She chose to respond to this office and give many reasons for why she snooped.  But none of her reasons fell within the only two viable reasons for accessing the personal health information of a resident of Saskatchewan:  (1) either the subject of the snoop has provided consent as per section 26(1) of HIPA; and/or (2) on a need to know basis as per section 23 of HIPA.[2]

One of the mystifying aspects of this investigation involved the extent to which this snooper had been educated and schooled on the privacy laws with respect to personal health information in this province by her employer.  The trustee in this matter provided excellent training for this employee which covered the following crucial areas:

  • The training described the access to information and privacy legislation in Saskatchewan, specifically The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP)[3] and HIPA.
  • The training emphasized the “need-to-know” principle, including a direct emphasis on the rejection by SHA of the “Circle of Care” model and inclusion of its “Need to Know versus Circle of Care” directive.[4]
  • The training specifically commented on snooping, gossiping, and the public discussion of personal health information, stating that the names of snoopers may be released to affected individuals.
  • The training imparted warnings about audits and the digital traces evident in SHA electronic systems.
  • The training discussed privacy breaches in the form of unauthorized collections and uses, notably drawing upon a wide array of examples of privacy breaches relevant to a health-care environment.
  • The training addressed how to respond to privacy breaches, with a focus on containment, notification, and prevention.
  • The training highlighted high-profile cases wherein snoopers working in health care environments have been named and prosecuted.

There was no excuse or reason that could justify the invasion of privacy into 323 records on the part of Ms. Shipa, especially when the SHA referenced her signed Pledge of Confidentiality from 2023 and 2024.  Even though section 64 of HIPA provides for the consent of the Attorney General of Saskatchewan for a prosecution for a snooping violation under HIPA, this office chose to not to pursue this final step with respect to this snooper.  Our office received no formal complaints as the result of this snooper’s activities, the trustee acted efficiently and expertly in its investigation of the breach and in its notification of affected individuals.  Ultimately, this would have been a costly prosecution and it was deemed that it would not be in the public interest, especially since the snooper had voluntarily resigned and put herself in a difficult position for future employment in the health industry in Saskatchewan in the future.  Here is some recommended further reading, including our Investigation Report on this incident:

SHA and Fahmida Shipa, Investigation Report 103-2025, 104, 2025

Ten Tips for Addressing Employee Snooping (Office of the Privacy Commissioner of Canada)

Detecting and Deterring Unauthorized Access to Personal Health Information (Information and Privacy Commissioner of Ontario)

[1] The Health Information Protection Act, SS 1990-91, c. H-0.021, as amended.

[2] Second, section 26(2) of HIPA lays out other reasons for accessing the personal health information of residents of Saskatchewan, such as for the purposes of de-identifying the data, but we have only listed the relevant sections in this blog that pertain to this snooper within the context of her employment.

[3] The Local Authority Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. L-27.1, as amended.

[4] See SHA resource Privacy Guidance Document: Need-to-Know vs Circle of Care.

Was this page helpful?

Surveillance in Personal Care Homes: A Case Study

We often get questions from those working in personal care homes and family members of residents about the use of hidden video surveillance. We thought we would share some of our thoughts on the issue as it relates to privacy concerns.

Imagine this scenario: Family members of Grandmother, an elderly woman with dementia, suspect that she is being mistreated or maybe even abused by staff in her personal care home. The family requires proof to move forward with their allegations and make changes in the care that is being provided. The family considers putting a hidden recording device in Jane’s room to monitor the actions of staff and to ensure the protection of their loved one.

Without a doubt, there are many parties that can have their privacy rights affected by this scenario.  We will discuss the case of each:

  • Grandmother;
  • The care home as a “trustee” under The Health Information Protection Act[1] (HIPA);
  • The staff that work at the care home;
  • Other residents who reside in the care home; and
  • The family member(s) responsible for the recording (Substitute Decision Maker).

Here are some privacy considerations to review:

The Personal Care Home/Trustee

Our office is cloaked with the mandate of administering HIPA in this province. HIPA is the privacy act that specifically applies in situations where personal health information is involved. However, the privacy rules and exemptions contained within HIPA only apply to a “trustee” and its staff. In this scenario, the personal care home is the trustee. Since Jane’s family is making the recording, HIPA would not apply to the trustee in this situation.  HIPA may apply to the trustee, however, if the family provides the video to the personal care home after filming.  This determination will be based on what use the trustee makes of the video.

Personal care homes do have a duty to protect the personal health information of their residents. In the interest of safeguarding the personal health information of all residents, personal care homes may consider developing policies and guidelines for families. But when it comes to secret video recording cameras the connection with a personal care home is remote when the camera is brought into the care home by a family member of a resident.

Grandmother

A recording device can only be used if Grandmother gives her consent.  In this case, Grandmother has dementia and cannot legally give consent. If she were able to give consent, she would likely be able to bring forward allegations on her own and the recording device would provide corroboration. Families need to know that if they have a loved one who is going to commence residency in a personal care home – it is crucial for the family and for Grandmother to pursue a legal substitute decision maker.  A substitution decision maker is a contractual relationship similar to a power of attorney and it gives the delegated person the authority to choose to put surveillance in her room. We urge the substitute decision maker to carefully consider their loved one’s wishes. For example, intimate care might be captured. Would Grandmother have accepted this intrusion – or is this perhaps an area where the greatest abuse can occur?  Substitution decision maker agreements must be formally entered into between two parties who both have capacity and within the confines of a legal agreement witnessed and supervised by a lawyer in the province of Saskatchewan.  We highly recommend the pursuit of this arrangement where there is an elderly loved one who must enter into care in a third-party environment.

The Roommate

If Grandmother has a roommate, substitute decision makers should ensure that the camera only captures their loved one’s personal space. The capture of any images of a roommate in this situation will violate the privacy considerations of the roommate unless written consent of the roommate is obtained.  Further, as we will discuss below, surveillance should not have an audio component.

Grandmother’s Substitute Decision Maker

There are some risks associated with surveillance that the substitute decision maker should weigh. There may be Criminal Code considerations and while we cannot give legal advice on this blog, we highly recommend that anyone who wishes to pursue this line of protection for a loved one engage the legal opinion of a lawyer who is experienced in criminal law.

The Personal Care Home Worker

As discussed above, HIPA does not apply to a trustee in this fact situation and if a personal care home worker was upset with the recording – our office would not accept a complaint because HIPA does not apply.  Further, the personal care home is Grandmother’s dwelling and staff in a personal care home cannot expect to have any expectation of privacy when providing care to an individual. As long as the person who installed the camera could testify to the integrity of the workings of the camera and the authenticity of the recording after it was downloaded – the video would in all likelihood be admissible evidence in a court of law.  We reference:  R v Llanto, 2018 BCPC 102  which is a case out of British Columbia but a case where a hidden camera in the room of an elderly loved one provided evidence of elder abuse and assault.

[1] The Health Information Protection Act, SS 1999, c.H-0.021, as amended.

Was this page helpful?

5 Ways to Protect Your Privacy

Welcome to the Saskatchewan IPC’s blog! Here you’ll find tips, information, instruction, stories, and commentary on what’s going on in our office or in the access and privacy community at large. We also hope to invite guest bloggers to post their thoughts on here too.

So to kick off this blog, here are five ways to protect your privacy:

1. Limit what you post on social networking sites to minimize the likelihood of identity theft/fraud.

Any identifiable information about you could be used to commit identity theft or fraud. Posting your full name, full birth date or any other type of information may provide identity thieves with the information they need to commit identity theft or fraud.

2. Cross-shred or burn documents containing your personal information.

Similar to the above tip, you don’t want any of your personal information in the wrong hands because it can be used for identity theft or fraud.

3. Avoid using public Wi-Fi networks.

Information that you send or receive, such as your username and passwords for email and social networking accounts using public Wi-Fi networks could be intercepted by anyone else on the network.

4. Ask organizations the purpose behind their collection of your personal information.

Also ask how they protect your personal information. Provide only the personal information that is necessary. Once they have our personal information, you are trusting them to protect your information from identity thieves.

5. Use strong passwords.

There are many resources online on how to come up with a strong password, including this one here. Use different strong passwords for different accounts. This is so that if one account is compromised, not all of your accounts are compromised. If memorizing strong passwords become difficult, consider using a password manager that will help manage all your passwords.

Hopefully the above list will help you brainstorm other ways how you might be able to protect your privacy. Stay tuned for more blog entries!

Was this page helpful?

How to Conduct an Effective Search for Records

So you have received an access to information request and you know it is not going to be easy to locate responsive records. What do you do? Here are some tips for you.

First: You develop a search strategy and document everything. A search strategy could include:

  • Searching for records in multiple formats (i.e. electronic, paper, and other);
  • Identifying which departments or divisions should be included in the search;
  • If the original access request was broad or covers a wide open time period, determine how you will define the search parameters;
  • Identify who should search for the records;
    • Will you delegate others to do the search? If so, consider developing detailed directions that you can provide to staff to ensure the search is done the way you require it.
  • Determine if external agents, consultants or other contracted services have any records. If yes, determine if these records should be included (i.e. possession/control)

Second: You have now received a notification letter from our office requesting details of your search efforts. A review involving search efforts focuses on whether the search conducted was reasonable or not. If you have documented your efforts in detail, you are already prepared for our request. Generally, the details to our office could include:

  • For personal information requests – explain how the individual is involved with the public body (i.e. client, employee, former employee etc.) and why certain departments/divisions/branches were included in the search;
  • For general requests – tie the subject matter of the request to the departments/divisions/branches included in the search. In other words, explain why certain areas were searched and not others;
  • Identify the employee(s) involved in the search and explain how the employee(s) is “experienced in the subject matter”;
  • Explain how the records management system is organized (both paper & electronic) in the departments/divisions/branches included in the search:
    • Describe how records are classified within the records management system. For example, are the records classified by:
      • alphabet
      • year
      • function
      • subject
    • Consider providing a copy of your organizations record schedule and screen shots of the electronic directory (folders & subfolders).
    • If the record has been destroyed, provide copies of record schedules and/or destruction certificates;
    • Explain how you have considered records stored off-site.
    • Explain how records that may be in the possession of a third party but in the public body’s control have been searched such as a contractor or information service provider.
    • Explain how a search of mobile electronic devices was conducted (i.e. laptops, smart phones, cell phones, tablets).
  • Which folders within the records management system were searched and explain how these folders link back to the subject matter requested?
    • For electronic folders – indicate what key terms were used to search if applicable;
  • On what dates did each employee search?
  • How long did the search take for each employee?
  • What were the results of each employee’s search?
    • Consider having the employee that is searching provide an affidavit to support the position that no record exists or to support the details provided. For more on this, see the OIPC resource, Using Affidavits in a Review with the IPC available on our website.

Each case will require different search strategies and details depending on the records requested. You do not have to address every bullet in your submission to our office. You want to tailor your response to fit the circumstances and records on a case-by-case basis. The more thorough and detailed the response is, the more likely our office will find the search was reasonable. For more information on how our office approaches search reviews, see our IPC Guide to FOIP, IPC Guide to LA FOIP and/or IPC Guide to HIPA.

Was this page helpful?

Canada’s information and privacy regulators wrap up meeting that focused on critical access and privacy issues facing Canadians

Topics included cyber security, artificial intelligence and the risks of storing health information outside Canada

BANFF, ALBERTA (October 10, 2025) – Federal, provincial, and territorial information and privacy commissioners and ombuds with responsibilities under access and privacy laws have concluded their annual meeting in Banff, Alberta. The two-day meeting, hosted by the Information and Privacy Commissioner of Alberta, included discussions on a broad range of privacy and access to information issues, with a strong focus on emerging issues related to new technologies, such as the use of artificial intelligence (AI), cybersecurity risks and the protection of online data.

Online harms and the information ecosystem

Emily Laidlaw, a Canada Research Chair in cybersecurity law and Associate Professor in the Faculty of Law at the University of Calgary, presented on online harms and the information ecosystem, with references to AI, protection of children, mis/disinformation, freedom of expression and human-centric cybersecurity.

Protecting health information: The use of servers outside Canada

Information and privacy regulators in Canada play a role in the protection of health information through ensuring compliance with health information laws and/or private sector laws. An emerging issue is the use of servers outside Canada to store the health data of Canadians. Michael Geist, Canada Research Chair in Internet and E-Commerce Law in the Faculty of Law at the University of Ottawa spoke to the meeting about the need to consider whether data localization should be regulated under privacy or other laws in Canada.

Cyber security challenges and opportunities for cooperative leadership

Cyber security is top of mind for privacy regulators as they continue to deal with massive data breaches caused by cyber security attacks. Daniel Couillard and Richard Larose, both with the Canadian Centre for Cyber Security (Cyber Centre), provided an overview of the roles and mandate of the Cyber Centre, Canada’s federal technical authority on cybersecurity. This included insights from their National Cyber Threat Assessment 2025-2026 and

a discussion of opportunities for mutual support.

The use of AI by administrative tribunals

Since their origins in the 19th century, the rationale for the use of administrative tribunals has been primarily to achieve more efficient and effective decision-making, which is a benefit that AI may provide. Paul Daly, Chair in Administrative Law and Governance at the University of Ottawa, shared his views on the use of AI by administrative tribunals, describing potential advantages and disadvantages, and outlining a possible path toward appropriate uses of AI by these tribunals.

AI: A role in the delivery of health care

The use of AI in health care is rapidly advancing across the country and around the world. An emerging application is the use of AI scribes to record and transcribe physician conversations with patients. Ross Mitchell, a Professor in the Department of Medicine and an Adjunct Professor in Computer Science at the University of Alberta, and a Fellow at the Alberta Machine Intelligence Institute, provided an overview to the meeting of deep learning and recent applications to health care, including the use of AI scribes and how to consider privacy rights in this context.

Legislative updates & court decisions

Meeting participants discussed recent developments and expected changes to access and privacy laws across Canada, as well as a number of recent key court decisions with implications for access and privacy. This provided insights and understanding regarding trends and opportunities for legislative modernization in the context of the evolving legal landscape.

“Our offices work collaboratively year-round on issues relating to privacy and access to information,” said Diane McLeod, Information and Privacy Commissioner of Alberta. “Our annual meeting offers the opportunity to spend time together in person to discuss emerging issues, share insights and experiences, and strengthen our joint commitment to protecting the access and privacy rights of all Canadians. The work of our offices is at the heart of some of the most critical issues facing individuals, communities, governments, organizations, businesses and society at large, many of which relate to the challenges of digital technology. Most of us live much of our lives online, and while this brings benefits, it also presents privacy risks. I am pleased that this year’s meeting provided the opportunity for key discussions that focused on protecting privacy and providing access in the context of our changing world.”

For more information:

Julie Ursu
Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
jursu@oipc.sk.ca

 

Was this page helpful?

Act on your “Right to Know”

As taxpayers, it can feel like you write blank cheques to the public institutions that serve you. But Saskatchewan citizens represent more than a mere well-spring of funds; they bear the responsibility of holding public bodies to account.

To achieve this end, you might be interested to know:

  • why a particular contract was awarded by a ministry,
  • what factored into a new zoning decision in your town,
  • who has accessed your medical records, and more.

Saskatchewan citizens have a legislated right to know.

“Right to Know” Week is celebrated from September 22 to 28, 2025. Central to the celebration of citizens’ right to know are the following principles:

1. Access to information is a right of everyone.

In Saskatchewan, there are three Acts that govern access to information and privacy:

For copies of the prescribed forms, refer to OIPC’s How do I get access to information?

2. Access is the rule. Secrecy is the exception.

FOIP, LA FOIP, and HIPA provide for a public body to withhold information in limited and specific circumstances. A public body can refuse to disclose part of (or all) of the information only if an Act provides for it in what is referred to as an “exemption.” Some exemptions are mandatory, which means that a public body must withhold that information, such as Cabinet confidences, third party business information, and personal information. Other exemptions are discretionary, which means that a public body may withhold that information, such as information related to law enforcement and investigations, advice from officials, and solicitor-client privilege.

3. The right applies to all public bodies.

In Saskatchewan, FOIP applies to provincial government institutions and LA FOIP applies to provincial local authorities only. OIPC has no authority over the federal government, unions, not-for-profit organizations, or the private sector, other than organizations that are health information “trustees.”

4. Making requests should be simple, speedy, and free.

FOIP, LA FOIP, and HIPA all require a public body to respond to an access to information request within 30 calendar days. If a public body is unable to fulfill the request within 30 calendar days, that public body is obligated to communicate its need of a time extension within those same 30 calendar days.

Although applications for access to information under FOIP are entirely free, there is a $20 application fee if making application under LA FOIP. It also merits mentioning that, under FOIP and LA FOIP, fees may be charged for search, preparation, and reproduction of records, though fees may be waived in certain circumstances. In the case of HIPA, a trustee also may charge a reasonable fee to recover costs in providing access to a record containing personal health information. For more information, check out OIPC’s Understanding Fees with Ease.

5. Officials have a duty to assist requesters.

Each public body has a duty to assist. This means that each public body and trustee must respond openly, accurately, and completely to requests and explain terminology, processes, actions, and decisions taken to fulfill an access request. For more information, see OIPC’s Understanding the Duty to Assist.

6. Refusals must be justified.

A public body is obligated respond to the access to information request. If exemptions were applied to the information provided, the public body should tell the applicant, in writing, what specific exemptions applied to the information.

7. The public interest takes precedence over secrecy.

When considering whether it may withhold information, a public body needs to balance the right of access with denying it in order to protect other interests. It is of note, however, that FOIP, LA FOIP, and HIPA do not contain overarching “public interest overrides,” which would require that information be disclosed in all cases where the general public interest in disclosure outweighs the specific interest which is intended to be protected by the exemptions. The only exception to this is in the case of two exemptions in FOIP and LA FOIP, both which address the treatment of third party business information and personal information.

8. Everyone has the right to appeal an adverse decision.

Your right to appeal a public body’s or trustee’s decision is by requesting a review by OIPC. For more information, consider OIPC’s Guide to Requesting a Review from the OIPC. The FOIP “Request for Review Form” is available here, the LA FOIP “Request for Review Form” is available here, and the HIPA “Request for Review Form” is available here.

9. Public bodies should proactively publish core information.

Public bodies are strongly encouraged to enhance transparency and public participation by maximizing the ongoing proactive release of information to the public. In some cases, like with local authorities, other statutes like The Municipalities Act require that town councils, for example, make agendas and council meeting minutes publicly available.

10. The right to know should be guaranteed by an independent body.

That independent body, in Saskatchewan, is OIPC, which oversees FOIP, LA FOIP, and HIPA. OIPC is pleased to answer general and process related questions by phone at 306-787-8350 or via email at intake@oipc.sk.ca.

As part of “Right to Know” Week 2025, OIPC is hosting a free, public presentation called “Know Your Access to Information Rights” on Thursday, September 25 from 7pm-8:30pm at the Regent Place Library Branch in Regina, Saskatchewan. At the event, attendees will learn about their rights to access information held by public bodies and trustees in the province, how to exercise those rights, and how the OIPC serves citizens who are dissatisfied with the outcomes of their access requests. To attend, register at the link here or just drop in!

The term “show the receipts” has become a common colloquial expression. May this “Right to Know” Week 2025 remind you that you are entitled to ask for the receipts.

Influencing Source

“Right to Know.” Information Commissioner of Canada. https://www.oic-ci.gc.ca/en/right-know.

Was this page helpful?

School is in Session

Are you:

  • New to the access and privacy field?
  • Working in access and privacy but looking for additional training?
  • Completing access and privacy tasks such as access to information requests or complaints into alleged breaches of privacy as a “side of the desk” job but have no real experience in it?

Navigating the access and privacy world can be challenging, particularly when there is a lack of training and educational resources provided, or you don’t know where to turn when you have questions. That’s why, with your help, we hope to continue to develop our education page on our website with a list of training resources that can help you gain a better understanding of the access to information and privacy breach complaint process.

In order to get this started, our office sent out a mass email to various organizations to collaborate on this education initiative. The response was extremely positive with some organizations offering links to their own access and privacy training modules or training they found to be particularly useful for their own organization. Even though there were several organizations that did not have anything to contribute, many of them were really excited about the prospect of coming back and accessing the list in the future. This just goes to show how valuable something like this is.

It is our hope that providing a list of additional training will assist those in the access and privacy field and help them better understand their obligations under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA).

To review the list of training and education material, please see our education page here. The information is posted under the heading External Educational Resources.

Please note that the Office of the Saskatchewan Information and Privacy Commissioner does not endorse any of the training listed on our website but rather aims at providing helpful solutions to those looking for additional training. If you know of any training that may be helpful for those working in this field, please feel free to email webmaster@oipc.sk.ca and we will review your submission for publication on our website.

Was this page helpful?

AI and Children’s Privacy Podcast

In Commissioner Hession David’s first episode of Un-redacted, the Sask IPC Podcast, she discusses with Diane Aldridge, the Deputy Commissioner, an extremely important topic regarding children’s privacy and generative artificial intelligence (AI).

“The real concern in terms of children is that these models can be used to create the deep fakes that are becoming very common in the cyber world at present. This is where a person’s voice or persona can be poached from an available social media platform, and their voice can be re-created so they seem to say something that they never said in a situation that never was.”

Technology continues to evolve rapidly, so much so that it can be hard for adults to keep up and fully understand the risks, let alone children. You might be asking yourself, so how can I protect my children? I think we can all agree that supervision and monitoring goes a long way but there is more to it than that as “there are no AI specific controls or visibility options to oversee or control how your child interacts with Gemini or most chatbots so you need to have the direct conversation with your child about the need to keep personal information private.”

For more information on what exactly generative AI is, its history, and guidance on how you can take steps to protect your loved ones, listen to the full episode here.

If you have found this podcast helpful, let us know by clicking on the YES icon at the bottom of this blog or let us know on X or LinkedIn what topics you would like us to explore in the future. Thanks for listening!

Was this page helpful?

“Bin” There, Shouldn’t Have Done That: When Medical Records End Up in the Wrong Bin

“Medical records found in Regina recycling bin” reads a CBC News headline from March 2011, where former Commissioner Dickson and members of our office were seen climbing into a paper recycling bin in Regina after personal health information was found inside. This case was, and still is, “the largest breach involving personal health information since The Health Information Protection Act (HIPA) was proclaimed on September 1, 2003” as stated by former Commissioner Dickson. Still, in October 2024, medical records were found blowing in the wind through an alley in Regina (Investigation Report 251-2024, 004-2025 – Elphinstone Medical Clinic).

While our office has only issued seven investigation reports involving personal health information being found in dumpsters or recycling bins[1], we have received at least 15 proactively reported breaches involving the same issue. This is likely only the tip of the iceberg in terms of the volume of personal health information that isn’t disposed of in a secure manner.

Saskatchewan is not alone in this problem of improper disposal of personal health information. In November of 2024, the Ontario Information and Privacy Commissioner (ON IPC) issued PHIPA Decision 266 and classified it as a “case of note” on its website, where personal health information was found in a recycling bin, and developed key takeaways from this case. Further, a study conducted in Ontario in 2018 that assessed the presence of personal health information through a recycling audit of five hospitals in the Toronto area, found that all five hospitals had established policies for disposal of personal health information including secure shredding bins. Of the nearly 2700 documents found, 31% were classified as medium sensitivity (personal health information including diagnosis), and 39% were classified as high sensitivity (personal health information including a description of the patient’s medical condition). Of the types of documentation improperly discarded, clinical notes, summaries, and medical reports were the most frequent type of information (31%).

Many other jurisdictions across Canada have seen similar incidents of improper disposal of personal health information  some having made the news. Some examples of similar incidents are listed below.

As demonstrated, the issue of personal health information being improperly disposed of for a variety of reasons poses a challenge within Saskatchewan and across Canada. Trustees must ensure the security of records in their custody or control through the records entire lifecycle, including the destruction phase. When they fail, the result is a privacy breach.

A privacy breach may occur if the trustee’s employees do not securely dispose of personal health information, but in some cases, particularly seen in the Elphinstone Medical Clinic case (Investigation Report 251-2024, 004-2025), can occur when its cleaning company caused the breach instead. Section 2(1)(a)(i) of the The Health Information Protection Regulations, 2023 (HIPA Regulations) defines an employee as “an individual who is employed by a trustee, including an individual retained under a contract to perform services for the trustee, but does not include a health professional who is retained under a contract.” It is also necessary for the trustee to establish if the party fits the definition of information management service provider as requires both parties to enter into a written agreement. In either case, the responsibility for these privacy breaches remains with the trustee as PART III of HIPA outlines the duty of a trustee to protect personal health information, and sections 16 and 17 are particularly relevant in these scenarios regarding duty to protect and retention and destruction policies when it comes to personal health information.

Section 5 of HIPA Regulations was added in 2023. This section places the onus on a trustee to ensure that the trustee provides orientation on HIPA to its employees and sign a pledge of confidentiality. Section 6 of HIPA Regulations is also new and requires trustees to have a written policy concerning the retention and destruction of personal health information.

For more guidance on this topic, below is a list of resources which have been authored by our office or by other individuals or organizations which may be beneficial:

[1] See Investigation Report 251-2024, 004-2025 (Elphinstone Medical Clinic), Investigation Report 158-2022 (Metis Addictions Council), Investigation Report 154-2022 (Dr. Malhotra), Investigation Report 107-2015 (Spruce Manor Special Care Home), Investigation Report H-2013-003 (Dr. Monea), Investigation Report H-2013-002 (Regina Qu’Appelle Regional Health Authority), Investigation Report H-2011-001 (Dr. Ooi).

Was this page helpful?

Saskatchewan Information and Privacy Commissioner Tables 2024-2025 Annual Report

Saskatchewan Information and Privacy Commissioner, Grace Hession David, has tabled the Office of the Information and Privacy Commissioner’s (OIPC) 2024-2025 Annual Report with the Legislative Assembly.
The Commissioner discusses the rapidly developing consequences of technology and the impact this has in every area of life in the province.

“The people of Saskatchewan should be able to freely participate in the digital world and not worry about overreach with respect to the collection of personal information or the fact that their personal information will be ransomed and perhaps available on the Dark Web after a cyber breach.”

The team of dedicated professionals at the OIPC are committed to fighting for the access and privacy rights of Saskatchewan residents and will continue providing relevant, up-to-date information on access and privacy legislation made available to the public.
Commissioner Hession David outlined the top priorities of the office for the next five years. More information on these priorities can be found in the Annual Report.

• Continued accessibility to the public
• Prioritizing youth privacy
• Raising awareness around cyber security and cyber breaches
• Privacy concerns with Generative AI

The 2024-2025 Annual Report includes: last years’ accomplishments, the strategic plan for 2025-2026, a thorough review of the statistics from the past year’s efforts, and a new section on appeals. The appeals section includes a review of four OIPC rulings by the Kings Bench, and one important appeal ruling from the Saskatchewan Court of Appeal.

The annual report can be viewed here.
A video containing the Commissioner’s comments on the Annual Report can be viewed here.

Media contact:
Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.