When AI Turns DarkWarning: this blog contains details about suicide. If you are struggling with your mental health, call 988 for 24/7 voice or text support or visit 988.ca

Check out our latest blog on safeguarding your information during the holiday season

Privacy Commissioner finds that Canadians have a right to have information de-listed from online search engine results in limited circumstances.

Joint investigation of TikTok Pte. Ltd.

How systemic delays, a backlog of overdue requests, and process errors led to UBC having the lowest rate of compliance.

NEW Checklist for Healthcare Organizations Considering the use of an AI Scribe

Privacy Commissioner of Canada to investigate cybersecurity breach at WestJet

PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada

Sask. information and privacy commissioner brings a focus on cyber security, AI

Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

How do I Request a Correction of my Personal Information or an Amendment of my Personal Health Information?

How do I Request a Correction of my Personal Information or an Amendment of my Personal Health Information?

The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide individuals with a right of correction to their personal information. The Health Information Protection Act (HIPA) provides individuals with a right of amendment to their personal health information.

Our office has received calls and emails from individuals who, after accessing a record from a government institution, local authority or a trustee containing their personal information or personal health information, believe that it contains errors or omissions.

An error is mistaken or wrong information that doesn’t reflect the true state of something – it is an error to something factual.

An omission is information that is incomplete, missing or overlooked.

An opinion is not an error or omission if it accurately reflects the views of the individual who recorded the information at the time.

If you believe a record containing your personal information or your personal health information contains an error or omission, you can request a correction or amendment under FOIP, LA FOIP or HIPA. Such requests are made to the government institution or local authority (for personal information), or to the trustee (for personal health information) with possession/custody or control of the record.

Our office has prepared the following resource, Steps to Request a Correction of Personal Information or Amendment of Personal Health Information.  The resource outlines the steps that an individual can take to request a correction of their personal information or an amendment to their personal health information. It also includes information on the obligation of the government institution, local authority, or trustee, to respond to your request and what the possible outcomes are. As well as advising on what you can do if you are not satisfied with the response to your request for correction or amendment.

Steps to Request a Correction of PI or Amendment of PHI (Flipbook)

Steps to Request a Correction of Personal Information or Amendment of Personal Health Information (PDF)

Was this page helpful?

When AI Turns Dark

Warning: this blog contains details about suicide. If you are struggling with your mental health, call 988 for 24/7 voice or text support or visit 988.ca

Sewell Setzer III is a name you may not know. He was a Florida youth who took his life in February 2024 at age 16. Shortly after he turned 14, he became increasingly obsessed with a Character.AI chatbot he created, modeling it after a Game of Thrones character. His mother, Megan Garcia, stated in a lawsuit against Character.AI that the more time Setzer spent engaged with his chatbot, the more he withdrew from family and friends, and the more his schoolwork and self-esteem suffered.[1]

Garcia saved messages between her son and his chatbot that demonstrate the depth of the relationship that developed between the two. Just prior to his death, the chatbot asked Setzer if he had considered suicide. When Setzer responded that he wouldn’t want to die a painful death, the chatbot responded that it wasn’t a good enough reason to not want to go through with it. Garcia noted that not only did the chatbot continue a conversation about self-harm with her son, but it kept directing him; at no point did the chatbot suggest her son should seek help.

Character.AI describes itself as an “infinite playground for your imagination, creativity and exploration.”[2] It allows users to create custom chatbots using Artificial Intelligence (AI) that speak and act the way you want that you can interact with. Human-like responses are designed to be realistic, and to allow you to become involved in the character’s world. It’s an artificial relationship that may feel real to some. It did to Setzer.

The American Psychological Association (APA) suggests that youth are increasingly turning towards chatbots for friendship and emotional, educational and recreational support.[3]The APA cited research showing that as children develop, they seek reciprocal friendships to cope and build self-esteem. The positive reinforcement offered through friendships helps them to better understand their social environment and to build empathy. The more time youth spend interacting online, however, the more their social development may be negatively impacted, and the more they may experience depression and anxiety. Marginalized youth are especially vulnerable, with the online world easing their fear of social interaction. Such youth may turn to AI-powered chatbots to fill the need for social support, the concern being that they have not fully developed a sense of impulse control. In other words, they are highly impressionable and easily suggestible and may be left guided by the influence of AI, as Setzer was.

Beyond this, there are other troubling aspects of AI. AI allows disinformation to spread or be quickly disseminated. Deepfake videos, pictures and audio clips that appear real can fuel the spread of disinformation. They can also be used to cyberbully, as was the case for a high school student who was subjected to fake nudes of herself being distributed through social media.[4] Legal experts argue that such activity goes beyond cyberbullying and into sextortion, where attempts may be made to financially extort youth and their families to prevent faked content from being shared online. Youth subjected to this not only suffer embarrassment, but may also suffer depression and anxiety, or a growing sense of distrust of those around them. Because of the algorithms built into AI, youth can also be fed information that reinforces fringe or unacceptable views, thereby further pushing them to seek out those who agree with those views or that perpetuate biased thinking.[5] In so doing, they may develop a warped sense of reality or be led into dangerous or illegal activities.

Character.AI recently stated that it will ban anyone under the age of 18 from using its chatbots.[6] While it is a step forward, it leaves many questions unanswered, such as how companies will verify ages. Considering cases such as Setzer’s, Canada’s Artificial Intelligence Minister, Evan Solomon, stated publicly that an upcoming privacy bill could introduce age restrictions on access to chatbots. [7] Chatbots might seem to be imparting empathy or acting like friends to youth who use them, but what they lack is responsibility for what they say or how they engage, which is something the privacy bill seeks to change. An age restriction may not release companies from culpability, but it at least recognizes that those under the age of 18 may not, because of their lack of social development, be able to separate reality from fantasy.

In the meantime, it’s important for parents to help their kids use AI responsibly. The APA suggests the following:[8]

  1. Help your kids understand that AI responses are programmed, and that interactions and relationships with chatbots are not genuine. Help kids understand the difference between an artificially created relationship and a human one that has emotional depth.
  2. If your kids are using AI for health purposes, including for their mental health, or to seek health information on themselves, remind them that it is not a substitute for professional medical advice. Health advice or information should always be verified by a real, human professional.
  3. Review the privacy settings on the devices and apps your kids use. Know what data is collected or help your kids understand how their data is being collected and used.
  4. Tell your kids to question AI-generated content rather than accepting it as real. While AI can be a useful tool to aid learning, it should not replace traditional learning and research. Challenging AI can help build critical thinking skills.

Garcia channeled the grief over losing her son into warning others about the dangers of chatbots and AI. She wants parents to know and understand how sophisticated AI is, and how youth may not be able to distinguish AI from reality.[9] Youth may be manipulated or deceived into believing things that are not real or true. Undoubtedly, Garcia may wish she paid more attention to how deeply her son was being drawn into a relationship with a chatbot character that did not really exist, but that held a lot of emotional control over him. No parent would anticipate the outcome that Garcia experienced, but it serves as a cautionary story about the fast evolution of AI, and how crucial it is for parents to learn about the dark side of AI and how to help their kids navigate around it.

[1] Yang, A. “Mom who sued Character.AI over son’s suicide says the platform’s new teen policy comes ‘too late’.” 30, October 2025, https://www.nbcnews.com/tech/tech-news/characterai-bans-minors-response-megan-garcia-parent-suing-company-rcna240985. Accessed November 3, 2025.

[2] https://play.google.com/store/apps/details?id=ai.character.app&hl=en_CA. Accessed November 3, 2025.

[3] Andoh, E. “Many teens are turning to AI chatbots for friendship and emotional support.” 1, October 2025, https://www.apa.org/monitor/2025/10/technology-youth-friendships. Accessed November 3, 2025.

[4] Wong, J. “Amid rise in AI deepfakes, experts urge school curriculum updates for online behaviour.” 9, January 2025, https://www.cbc.ca/news/canada/education-curriculum-sexual-violence-deepfake-1.7073380. Accessed November 3, 2025.

[5] Marr, B. “7 Terrifying AI Risks That Could Change The World.” 18, August 2025, https://www.forbes.com/sites/bernardmarr/2025/08/18/7-terrifying-ai-risks-that-could-change-the-world/. Accessed November 3, 2025.

[6] Folk, Z. “Character.ai Will Ban Children From Speaking With Chatbots After Facing Regulatory Pressure And Lawsuits.” 2025 October, https://www.msn.com/en-us/money/companies/characterai-will-ban-children-from-speaking-with-chatbots-after-facing-regulatory-pressure-and-lawsuits/ar-AA1PrdiC?ocid=BingNewsVerp. Accessed November 4, 2025.

[7] Karadeglija, A. “Age restrictions for AI chatbots may be in new privacy bill, minister says.” 24, October 2025, https://globalnews.ca/news/11493930/ai-chatbots-age-restrictions-privacy-bill-solomon/. Accessed November 3, 2025.

[8] American Psychological Association. “Four ways parents can help teens use AI safely.” 3, June 2025, https://www.apa.org/topics/artificial-intelligence-machine-learning/tips-to-keep-teens-safe. Accessed November 3, 2025.

[9] Chow, A. “Megan Garcia, Activist against chatbot harms.”, 2025, https://time.com/collections/time100-ai-2025/7305805/megan-garcia/. Accessed November 3, 2025.

Was this page helpful?

Ho, Ho, Hold on a Minute… How to Safeguard Your Personal Information During the Holiday Shopping Season

As fall fades and winter draws closer, many of us are turning our attention to the upcoming holiday season and all the preparation that entails. A growing trend shows that Canadians will be spending more this holiday season and that most Canadian shoppers prefer to support local and Canadian businesses.

While the average holiday shopper is busy making their shopping lists and checking them twice, they might not realize that the hottest holiday trend is their personal information!

Any identifiable information you share with a retailer could potentially land in the wrong hands. Examples of this information may include your full name, home address, phone number and birth date. Once you have given your personal information, created a customer account or opted into a loyalty program, you may have unknowingly consented to share your personal information with data brokers[1] and other third parties.  Think about the consequences if the retailer is subject to a cyber breach.  That is the ultimate fear but we are seeing this occur on a frequent basis these days.

Consider these 3 ways to safeguard your personal information and become a conscious consumer before you hit the pavement this holiday shopping season:

  1. Be a Grinch – less is always better!

The best way to safeguard your personal information is not to share it in the first place if you don’t have to! Holiday shopping can be as easy as 1, 2, 3… choose the gift, pay for it at the till and collect your receipt! You do not need to share your name, address or financial information to make an in-store purchase. Christmas doesn’t have to “mean a little bit more” sharing of your information, so tighten up those privacy purse strings and be a Grinch!

  1. Dream of a “White Christmas” – paper is perfection!

Grab that lovely paper receipt and rest assured that your privacy has been protected! What about the oh-so-convenient e-receipt? It may not be as innocuous as you think. In 2023, the Office of the Privacy Commissioner of Canada completed an investigation into the disclosure of customer data collected by Home Depot of Canada Inc. to a third party (Facebook)[2]. In a subsequent press conference, the Privacy Commissioner of Canada, Philippe Dufresne, addressed the seemingly innocent choice between paper or e-receipt by stating:

Most customers likely understand that this [option] is for their benefit and convenience in this increasingly digital world. Canadians would likely not expect or accept that their personal information would be shared with a third party, like Facebook, simply because they opted for an email receipt.[3]

Consider going paper-all-the-way this holiday season!

  1. Take the “holiday road” when it comes to creating a customer account

Does one need to create a customer account full of personal and precious financial information just to buy Grandma a new scarf or to snag that new Lego set for your kids? Definitely not. The popular franchise Toys R Us Canada recently confirmed a privacy breach of its customer database during which vast amounts of customer information was breached by an unauthorized third party and posted on the dark web.

Carefully weigh the pros and cons when you consider creating a customer account. Can you adjust your privacy settings online once you’ve created that account? Have you read through the company’s privacy options? These are all great questions to consider. Check out a previous OIPC blog titled 5 Ways to Protect Your Privacy for more ways to protect your privacy in general.

Do you have young shoppers in your family who are ready to dive into the consumer landscape? Teach them “SANTA”, an easy acronym to help them safeguard their own personal information (and perhaps yours) during the holiday shopping season.

S – share like a Grinch!

A – always get a paper receipt

N – name and number? No thanks!

T – take only my hard cash!

A – ask why it is needed (if not satisfied, then don’t provide!)

Hopefully this blog helps you create a safe and fun holiday shopping experience for you and your family!

 

[1] Data brokers are companies whose primary business involves the trading and analysis of personal information. Specifically, data brokers are focused on the gathering and selling of consumer data for targeted marking purposes. OIPC Guide to FOIP, Ch 6 p. 357, also see Tracking the Surveillance and Information Practices of Data Brokers: A Report

[2] PIPEDA Findings #2023-001, January 26, 2023

[3] Statement by the Privacy Commissioner of Canada following an investigation into Home Depot of Canada Inc.’s compliance with PIPEDA, January 26, 2023

Was this page helpful?

Canada’s Information Regulators call on their respective governments to promote a more robust information ecosystem

Gatineau, Québec, November 5, 2025 – In an era where false and misleading information can spread rapidly and influence public discourse, Canada’s Federal, Provincial, and Territorial Information Commissioners and Ombuds (FPT Information Regulators) are urging governments and public institutions to modernize access to information laws, proactively disclose records, and ensure the integrity of public information.

The FPT Information Regulators responsible for overseeing access to information adopted a joint resolution at their annual meeting in Banff, Alberta, earlier this fall titled “Trust, transparency, and democracy in an era of misinformation”. This resolution calls upon their respective governments to promote a more robust information ecosystem.

Misinformation thrives in environments where transparency is lacking. “By embracing transparency and proactively making accurate information available to the public, public institutions can play a crucial role in strengthening our collective information ecosystem, countering misinformation, enhancing trust, and preserving the integrity and resilience of democratic societies”, states the resolution.

Access to government-held information matters to Canadians. Whether it’s understanding how public health decisions are made, accessing environmental data, or verifying the facts behind government policies, reliable information empowers Canadians to make informed choices. When institutions are transparent and information is easy to access, citizens are better equipped to engage in public life, challenge misinformation, and hold decision-makers accountable. Transparency is key to a healthy democracy.

The resolution outlines specific recommendations, including:

  • Codifying a duty to document and setting minimum standards for proactive disclosure;
  • Ensuring public institutions have the resources to effectively run their access and transparency programs;
  • Supporting media and civil society in promoting the public’s right to know, and
  • Enhancing digital and media literacy and regulating online platforms for greater transparency.

The regulators also commit to improving their own transparency practices, collaborating with other oversight bodies, and reducing delays in access to information processes.

In recent years, related joint resolutions focused on restoring trust through access to government records (2023) and promoting transparency by default in public service delivery (2024).

Related documents:
Joint resolution: Trust, transparency, and democracy in an era of misinformation

News Release: Canada’s information and privacy regulators wrap up meeting that focused on critical access and privacy issues facing Canadians

For more information:

Julie Ursu
Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
jursu@oipc.sk.ca

 

Was this page helpful?

Work Product vs. Personal Information

Personal information is defined in section 24 of The Freedom of Information and Protection of Privacy Act (FOIP) and section 23 of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP).  An individual’s employment history is personal information.  However, it should be noted that if the individual’s employment status or business phone number is publicly available, for example posted on a website, then the information is no longer “personal” information and outside the protection of section 29 of FOIP or section 28 of LA FOIP.  Review Report 045-2025 is a perfect application of this principle.  In that case, the Ministry of Justice redacted the mobile phone numbers of several government employees.  These mobile numbers are not publicly available.  The names of the various lawyers in this Ministry and the main office number are posted on a public website.  Still the individual mobile numbers of the employees are treated as confidential by this Ministry.  Helpful guidance from the Saskatchewan King’s Bench allowed for a finding that these government phone numbers should continue to be withheld:

[50] Upon review, the redacted telephone numbers on the mobility bills on pages 1 to 18 are the mobility phone number of a Crown Prosecutor as well as another telephone number that is used to retrieve voicemails (voicemail number). These numbers are not publicly available. Similarly, the redacted portions on pages 19 to 54 appear to be telephone numbers used by Crown Prosecutors. I note, though, that these phone numbers are not listed publicly on the Government of Saskatchewan Directory. In Schiller v Saskatchewan (Education), 2025 SKKB 146, Mitchell J. found that business or personal contact information of public servants qualifies as personal information as defined by sections 24(1)(e) and (k) of FOIP. Government institutions are to only disclose business phone numbers if they are publicly available.15 In this case, the phone numbers that appear on pages 1 to 54 are not publicly available. As such, there will be a finding that Justice properly applied section 29(1) of FOIP to pages 1 to 54.

Work product involves information prepared or collected by an individual or group of individuals as part of their assigned employment responsibilities/duties.  This body of work will usually involve an opinion with respect to an assigned research task.  Sometimes employees think that if they attended a work meeting and they took notes – those are their personal notes.  That is not the case.  Work product is any work that is performed within the context of an assignment given by an employer such as a government body or a local authority.  This does not automatically mean that the work product is immediately disclosable once an access to information request is filed. On the contrary, a head will then assess the work product and decide whether or not any of the exemptions in the statutes apply that will prohibit disclosure.  Still, it is important to understand the concept of “work product”.  One important feature of work product is an employee’s opinion about another employee.  That opinion is not the personal information of the person who gave the opinion – it is the personal information about the person for whom the opinion was given.  Section 24(1)(f) of FOIP and section 23(1)(f) of LA FOIP are the statutory authority for this exception.  The exception is so important that the drafters of the legislation went further to specifically indicate that personal information does not include information that discloses personal opinions or views with respect to another individual, see section 24(2)(c) of FOIP and section 23(2)(b) of LA FOIP.  Essentially, if you are preparing work product and in the course of this you express a view with respect to the ability or work of a fellow employee at a government institution or a local authority – that is not your personal information.  That is the personal information of the person about whom you evaluated and if they file an access request for this information – it is disclosable unless another exemption applies.

Was this page helpful?

Health Care Personal Information Snooping: When Will People Learn?

Those who wish to snoop into health care databases to get personal health information with respect to their friends, family, acquaintances or even strangers, should realize that they are violating the privacy legislation in Saskatchewan and the consequences will likely be significant.  We will review the basics of a unique snooping case in Saskatchewan where an employee snooped with what she thought was impunity.  In fact, an audit tracked her snooping, she was questioned by her employer on the breadth of her violation of The Health Information and Privacy Act (HIPA)[1] and ultimately, she chose to walk away from her employment.  We have named her in our public investigation report and we explain why it was not ultimately in the public interest to recommend a prosecution with the Minister of Justice. But as we say, the consequences of snooping can be highly significant to one’s career.

Ms. Fahmida Shipa was employed and held multiple roles within the Saskatchewan Health Authority (SHA) in the City of North Battleford from August 2023 to May of 2025.  During that time, three separate SHA audits revealed that she had snooped on an estimated 323 patient records for her own interest during the course of her employment.  She was suspended in April of 2025 when the audits revealed the snooping and she voluntarily resigned from her position on May 1, 2025.  The breach was investigated by this office and Ms. Shipa was provided with a notice that recognized her right to counsel and her right to silence.  She chose to respond to this office and give many reasons for why she snooped.  But none of her reasons fell within the only two viable reasons for accessing the personal health information of a resident of Saskatchewan:  (1) either the subject of the snoop has provided consent as per section 26(1) of HIPA; and/or (2) on a need to know basis as per section 23 of HIPA.[2]

One of the mystifying aspects of this investigation involved the extent to which this snooper had been educated and schooled on the privacy laws with respect to personal health information in this province by her employer.  The trustee in this matter provided excellent training for this employee which covered the following crucial areas:

  • The training described the access to information and privacy legislation in Saskatchewan, specifically The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP)[3] and HIPA.
  • The training emphasized the “need-to-know” principle, including a direct emphasis on the rejection by SHA of the “Circle of Care” model and inclusion of its “Need to Know versus Circle of Care” directive.[4]
  • The training specifically commented on snooping, gossiping, and the public discussion of personal health information, stating that the names of snoopers may be released to affected individuals.
  • The training imparted warnings about audits and the digital traces evident in SHA electronic systems.
  • The training discussed privacy breaches in the form of unauthorized collections and uses, notably drawing upon a wide array of examples of privacy breaches relevant to a health-care environment.
  • The training addressed how to respond to privacy breaches, with a focus on containment, notification, and prevention.
  • The training highlighted high-profile cases wherein snoopers working in health care environments have been named and prosecuted.

There was no excuse or reason that could justify the invasion of privacy into 323 records on the part of Ms. Shipa, especially when the SHA referenced her signed Pledge of Confidentiality from 2023 and 2024.  Even though section 64 of HIPA provides for the consent of the Attorney General of Saskatchewan for a prosecution for a snooping violation under HIPA, this office chose to not to pursue this final step with respect to this snooper.  Our office received no formal complaints as the result of this snooper’s activities, the trustee acted efficiently and expertly in its investigation of the breach and in its notification of affected individuals.  Ultimately, this would have been a costly prosecution and it was deemed that it would not be in the public interest, especially since the snooper had voluntarily resigned and put herself in a difficult position for future employment in the health industry in Saskatchewan in the future.  Here is some recommended further reading, including our Investigation Report on this incident:

SHA and Fahmida Shipa, Investigation Report 103-2025, 104, 2025

Ten Tips for Addressing Employee Snooping (Office of the Privacy Commissioner of Canada)

Detecting and Deterring Unauthorized Access to Personal Health Information (Information and Privacy Commissioner of Ontario)

[1] The Health Information Protection Act, SS 1990-91, c. H-0.021, as amended.

[2] Second, section 26(2) of HIPA lays out other reasons for accessing the personal health information of residents of Saskatchewan, such as for the purposes of de-identifying the data, but we have only listed the relevant sections in this blog that pertain to this snooper within the context of her employment.

[3] The Local Authority Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. L-27.1, as amended.

[4] See SHA resource Privacy Guidance Document: Need-to-Know vs Circle of Care.

Was this page helpful?

Surveillance in Personal Care Homes: A Case Study

We often get questions from those working in personal care homes and family members of residents about the use of hidden video surveillance. We thought we would share some of our thoughts on the issue as it relates to privacy concerns.

Imagine this scenario: Family members of Grandmother, an elderly woman with dementia, suspect that she is being mistreated or maybe even abused by staff in her personal care home. The family requires proof to move forward with their allegations and make changes in the care that is being provided. The family considers putting a hidden recording device in Jane’s room to monitor the actions of staff and to ensure the protection of their loved one.

Without a doubt, there are many parties that can have their privacy rights affected by this scenario.  We will discuss the case of each:

  • Grandmother;
  • The care home as a “trustee” under The Health Information Protection Act[1] (HIPA);
  • The staff that work at the care home;
  • Other residents who reside in the care home; and
  • The family member(s) responsible for the recording (Substitute Decision Maker).

Here are some privacy considerations to review:

The Personal Care Home/Trustee

Our office is cloaked with the mandate of administering HIPA in this province. HIPA is the privacy act that specifically applies in situations where personal health information is involved. However, the privacy rules and exemptions contained within HIPA only apply to a “trustee” and its staff. In this scenario, the personal care home is the trustee. Since Jane’s family is making the recording, HIPA would not apply to the trustee in this situation.  HIPA may apply to the trustee, however, if the family provides the video to the personal care home after filming.  This determination will be based on what use the trustee makes of the video.

Personal care homes do have a duty to protect the personal health information of their residents. In the interest of safeguarding the personal health information of all residents, personal care homes may consider developing policies and guidelines for families. But when it comes to secret video recording cameras the connection with a personal care home is remote when the camera is brought into the care home by a family member of a resident.

Grandmother

A recording device can only be used if Grandmother gives her consent.  In this case, Grandmother has dementia and cannot legally give consent. If she were able to give consent, she would likely be able to bring forward allegations on her own and the recording device would provide corroboration. Families need to know that if they have a loved one who is going to commence residency in a personal care home – it is crucial for the family and for Grandmother to pursue a legal substitute decision maker.  A substitution decision maker is a contractual relationship similar to a power of attorney and it gives the delegated person the authority to choose to put surveillance in her room. We urge the substitute decision maker to carefully consider their loved one’s wishes. For example, intimate care might be captured. Would Grandmother have accepted this intrusion – or is this perhaps an area where the greatest abuse can occur?  Substitution decision maker agreements must be formally entered into between two parties who both have capacity and within the confines of a legal agreement witnessed and supervised by a lawyer in the province of Saskatchewan.  We highly recommend the pursuit of this arrangement where there is an elderly loved one who must enter into care in a third-party environment.

The Roommate

If Grandmother has a roommate, substitute decision makers should ensure that the camera only captures their loved one’s personal space. The capture of any images of a roommate in this situation will violate the privacy considerations of the roommate unless written consent of the roommate is obtained.  Further, as we will discuss below, surveillance should not have an audio component.

Grandmother’s Substitute Decision Maker

There are some risks associated with surveillance that the substitute decision maker should weigh. There may be Criminal Code considerations and while we cannot give legal advice on this blog, we highly recommend that anyone who wishes to pursue this line of protection for a loved one engage the legal opinion of a lawyer who is experienced in criminal law.

The Personal Care Home Worker

As discussed above, HIPA does not apply to a trustee in this fact situation and if a personal care home worker was upset with the recording – our office would not accept a complaint because HIPA does not apply.  Further, the personal care home is Grandmother’s dwelling and staff in a personal care home cannot expect to have any expectation of privacy when providing care to an individual. As long as the person who installed the camera could testify to the integrity of the workings of the camera and the authenticity of the recording after it was downloaded – the video would in all likelihood be admissible evidence in a court of law.  We reference:  R v Llanto, 2018 BCPC 102  which is a case out of British Columbia but a case where a hidden camera in the room of an elderly loved one provided evidence of elder abuse and assault.

[1] The Health Information Protection Act, SS 1999, c.H-0.021, as amended.

Was this page helpful?

5 Ways to Protect Your Privacy

Welcome to the Saskatchewan IPC’s blog! Here you’ll find tips, information, instruction, stories, and commentary on what’s going on in our office or in the access and privacy community at large. We also hope to invite guest bloggers to post their thoughts on here too.

So to kick off this blog, here are five ways to protect your privacy:

1. Limit what you post on social networking sites to minimize the likelihood of identity theft/fraud.

Any identifiable information about you could be used to commit identity theft or fraud. Posting your full name, full birth date or any other type of information may provide identity thieves with the information they need to commit identity theft or fraud.

2. Cross-shred or burn documents containing your personal information.

Similar to the above tip, you don’t want any of your personal information in the wrong hands because it can be used for identity theft or fraud.

3. Avoid using public Wi-Fi networks.

Information that you send or receive, such as your username and passwords for email and social networking accounts using public Wi-Fi networks could be intercepted by anyone else on the network.

4. Ask organizations the purpose behind their collection of your personal information.

Also ask how they protect your personal information. Provide only the personal information that is necessary. Once they have our personal information, you are trusting them to protect your information from identity thieves.

5. Use strong passwords.

There are many resources online on how to come up with a strong password, including this one here. Use different strong passwords for different accounts. This is so that if one account is compromised, not all of your accounts are compromised. If memorizing strong passwords become difficult, consider using a password manager that will help manage all your passwords.

Hopefully the above list will help you brainstorm other ways how you might be able to protect your privacy. Stay tuned for more blog entries!

Was this page helpful?

How to Conduct an Effective Search for Records

So you have received an access to information request and you know it is not going to be easy to locate responsive records. What do you do? Here are some tips for you.

First: You develop a search strategy and document everything. A search strategy could include:

  • Searching for records in multiple formats (i.e. electronic, paper, and other);
  • Identifying which departments or divisions should be included in the search;
  • If the original access request was broad or covers a wide open time period, determine how you will define the search parameters;
  • Identify who should search for the records;
    • Will you delegate others to do the search? If so, consider developing detailed directions that you can provide to staff to ensure the search is done the way you require it.
  • Determine if external agents, consultants or other contracted services have any records. If yes, determine if these records should be included (i.e. possession/control)

Second: You have now received a notification letter from our office requesting details of your search efforts. A review involving search efforts focuses on whether the search conducted was reasonable or not. If you have documented your efforts in detail, you are already prepared for our request. Generally, the details to our office could include:

  • For personal information requests – explain how the individual is involved with the public body (i.e. client, employee, former employee etc.) and why certain departments/divisions/branches were included in the search;
  • For general requests – tie the subject matter of the request to the departments/divisions/branches included in the search. In other words, explain why certain areas were searched and not others;
  • Identify the employee(s) involved in the search and explain how the employee(s) is “experienced in the subject matter”;
  • Explain how the records management system is organized (both paper & electronic) in the departments/divisions/branches included in the search:
    • Describe how records are classified within the records management system. For example, are the records classified by:
      • alphabet
      • year
      • function
      • subject
    • Consider providing a copy of your organizations record schedule and screen shots of the electronic directory (folders & subfolders).
    • If the record has been destroyed, provide copies of record schedules and/or destruction certificates;
    • Explain how you have considered records stored off-site.
    • Explain how records that may be in the possession of a third party but in the public body’s control have been searched such as a contractor or information service provider.
    • Explain how a search of mobile electronic devices was conducted (i.e. laptops, smart phones, cell phones, tablets).
  • Which folders within the records management system were searched and explain how these folders link back to the subject matter requested?
    • For electronic folders – indicate what key terms were used to search if applicable;
  • On what dates did each employee search?
  • How long did the search take for each employee?
  • What were the results of each employee’s search?
    • Consider having the employee that is searching provide an affidavit to support the position that no record exists or to support the details provided. For more on this, see the OIPC resource, Using Affidavits in a Review with the IPC available on our website.

Each case will require different search strategies and details depending on the records requested. You do not have to address every bullet in your submission to our office. You want to tailor your response to fit the circumstances and records on a case-by-case basis. The more thorough and detailed the response is, the more likely our office will find the search was reasonable. For more information on how our office approaches search reviews, see our IPC Guide to FOIP, IPC Guide to LA FOIP and/or IPC Guide to HIPA.

Was this page helpful?

Canada’s information and privacy regulators wrap up meeting that focused on critical access and privacy issues facing Canadians

Topics included cyber security, artificial intelligence and the risks of storing health information outside Canada

BANFF, ALBERTA (October 10, 2025) – Federal, provincial, and territorial information and privacy commissioners and ombuds with responsibilities under access and privacy laws have concluded their annual meeting in Banff, Alberta. The two-day meeting, hosted by the Information and Privacy Commissioner of Alberta, included discussions on a broad range of privacy and access to information issues, with a strong focus on emerging issues related to new technologies, such as the use of artificial intelligence (AI), cybersecurity risks and the protection of online data.

Online harms and the information ecosystem

Emily Laidlaw, a Canada Research Chair in cybersecurity law and Associate Professor in the Faculty of Law at the University of Calgary, presented on online harms and the information ecosystem, with references to AI, protection of children, mis/disinformation, freedom of expression and human-centric cybersecurity.

Protecting health information: The use of servers outside Canada

Information and privacy regulators in Canada play a role in the protection of health information through ensuring compliance with health information laws and/or private sector laws. An emerging issue is the use of servers outside Canada to store the health data of Canadians. Michael Geist, Canada Research Chair in Internet and E-Commerce Law in the Faculty of Law at the University of Ottawa spoke to the meeting about the need to consider whether data localization should be regulated under privacy or other laws in Canada.

Cyber security challenges and opportunities for cooperative leadership

Cyber security is top of mind for privacy regulators as they continue to deal with massive data breaches caused by cyber security attacks. Daniel Couillard and Richard Larose, both with the Canadian Centre for Cyber Security (Cyber Centre), provided an overview of the roles and mandate of the Cyber Centre, Canada’s federal technical authority on cybersecurity. This included insights from their National Cyber Threat Assessment 2025-2026 and

a discussion of opportunities for mutual support.

The use of AI by administrative tribunals

Since their origins in the 19th century, the rationale for the use of administrative tribunals has been primarily to achieve more efficient and effective decision-making, which is a benefit that AI may provide. Paul Daly, Chair in Administrative Law and Governance at the University of Ottawa, shared his views on the use of AI by administrative tribunals, describing potential advantages and disadvantages, and outlining a possible path toward appropriate uses of AI by these tribunals.

AI: A role in the delivery of health care

The use of AI in health care is rapidly advancing across the country and around the world. An emerging application is the use of AI scribes to record and transcribe physician conversations with patients. Ross Mitchell, a Professor in the Department of Medicine and an Adjunct Professor in Computer Science at the University of Alberta, and a Fellow at the Alberta Machine Intelligence Institute, provided an overview to the meeting of deep learning and recent applications to health care, including the use of AI scribes and how to consider privacy rights in this context.

Legislative updates & court decisions

Meeting participants discussed recent developments and expected changes to access and privacy laws across Canada, as well as a number of recent key court decisions with implications for access and privacy. This provided insights and understanding regarding trends and opportunities for legislative modernization in the context of the evolving legal landscape.

“Our offices work collaboratively year-round on issues relating to privacy and access to information,” said Diane McLeod, Information and Privacy Commissioner of Alberta. “Our annual meeting offers the opportunity to spend time together in person to discuss emerging issues, share insights and experiences, and strengthen our joint commitment to protecting the access and privacy rights of all Canadians. The work of our offices is at the heart of some of the most critical issues facing individuals, communities, governments, organizations, businesses and society at large, many of which relate to the challenges of digital technology. Most of us live much of our lives online, and while this brings benefits, it also presents privacy risks. I am pleased that this year’s meeting provided the opportunity for key discussions that focused on protecting privacy and providing access in the context of our changing world.”

For more information:

Julie Ursu
Manager of Communication
Office of the Saskatchewan Information and Privacy Commissioner
jursu@oipc.sk.ca

 

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.