Ontario IPC releases a new independent research report on emerging technology: Emerging Uses of Neurotechnology.

Privacy Commissioner of Canada and UK Information Commissioner’s Office issue a joint letter regarding 23andMe’s bankruptcy proceedings

Instagram still posing serious risks to children, campaigners say

English Information Commissioner issues statement on police use of facial recognition technology (FRT)

BC OIPC provides instruction to delete a user account and DNA on 23andMe

Alberta, update to access and privacy legislation, passed in December and in force this spring

Federal Privacy Commissioner launches new online privacy breach risk self-assessment tool

Law Society – Bite Size video – cloud computing guide

Ontario IPC commissions report on workplace surveillance technologies

Australian IPC releases new Privacy Basics e-Learning module

How do I Request a Correction of my Personal Information or an Amendment of my Personal Health Information?


The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) provide individuals with a right of correction to their personal information. The Health Information Protection Act (HIPA) provides individuals with a right of amendment to their personal health information.

Our office has received calls and emails from individuals who, after accessing a record from a government institution, local authority or a trustee containing their personal information or personal health information, believe that it contains errors or omissions.

An error is mistaken or wrong information that doesn’t reflect the true state of something – it is an error to something factual.

An omission is information that is incomplete, missing or overlooked.

An opinion is not an error or omission if it accurately reflects the views of the individual who recorded the information at the time.

If you believe a record containing your personal information or your personal health information contains an error or omission, you can request a correction or amendment under FOIP, LA FOIP or HIPA. Such requests are made to the government institution or local authority (for personal information), or to the trustee (for personal health information) with possession/custody or control of the record.

Our office has prepared the following resource, Steps to Request a Correction of Personal Information or Amendment of Personal Health Information. The resource outlines the steps that an individual can take to request a correction of their personal information or an amendment to their personal health information. It also includes information on the obligation of the government institution, local authority, or trustee to respond to your request and what the possible outcomes are, and it advises on what you can do if you are not satisfied with the response to your request for correction or amendment.

Steps to Request a Correction of PI or Amendment of PHI (Flipbook)

Steps to Request a Correction of Personal Information or Amendment of Personal Health Information (PDF)


Section 45 LA FOIP/Section 56 FOIP Decisions – Responses by the Head

When the Commissioner concludes a review or investigation, he or she may have recommendations for the head of the government institution or local authority involved. Recommendations may be, for example, to release records or to address procedural deficiencies. The Commissioner outlines such recommendations in a report that is normally made public.

The head of the government institution or local authority is then required to provide a written response to the applicant or complainant, to any affected third party, and to the Commissioner. The head’s response is to state if they intend to follow the Commissioner’s recommendation(s), or if there is any other decision they are making that they consider to be appropriate. This requirement is set out at section 45 of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) for local authorities, and at section 56 of The Freedom of Information and Protection of Privacy Act (FOIP) for government institutions. These responses are typically referred to as a “Section 45 LA FOIP/56 FOIP Decision.”

To help the head of a government institution or a local authority consider their obligation pursuant to section 45 of LA FOIP or section 56 of FOIP, the IPC has developed the following resources:

Each resource includes sample decision letters that a local authority or a government institution may want to use or modify when responding to applicants/complainants or third parties.

 


What Does it Mean if a Proactively Reported Privacy Breach is Informally Resolved?

Public bodies or trustees can proactively report a privacy breach to the IPC when they have a reasonable basis to suspect or confirm a privacy breach has occurred. While it is not required by law, the IPC encourages public bodies and trustees to proactively report to our office if there is a suspected or confirmed privacy breach. Public bodies and trustees wanting to proactively report a privacy breach can complete the Proactively Reported Breach of Privacy Form and submit it to the IPC, ideally within seven days of discovery of the breach. For more information on what happens when a public body or trustee proactively reports a privacy breach, please refer to the Rules of Procedure, as well as the IPC resources: Privacy Breach Guidelines for Government Institutions and Local Authorities or Privacy Breach Guidelines for Trustees.

Some of the benefits of proactively reporting include:

  • May reduce the need for the IPC to issue a public investigation report on the matter, if the public body or trustee has appropriately responded to the breach, including taking the necessary steps to prevent future breaches.
  • Receive timely, expert advice from the IPC – the IPC can help guide the public body or trustee on what to consider, what questions to ask and what parts of the relevant legislation may be applicable. Depending on the legislation that the public body or trustee is subject to and the specific circumstances of the proactively reported privacy breach, the applicable parts of the legislation may vary. However, some examples may include:
    • provisions related to the definitions of personal information and personal health information.
    • provisions related to the collection, use and disclosure of personal information or personal health information.
    • provisions related to the duty to protect personal information or personal health information.
    • provisions related to the requirement to notify affected individuals where there is a real risk of significant harm.
  • When engaging with the media, the public body or trustee can advise the public that it is working with the IPC to address the matter.
  • Should affected individuals contact the IPC, we can advise the individuals that we are working with the public body or trustee to address the breach, which may prevent a formal complaint to the IPC. The IPC also redirects affected individuals back to the public body or trustee to address any questions they may have about the information involved and the steps a public body or trustee has taken to respond to the privacy breach.

After a public body or trustee proactively reports a privacy breach to the IPC, our office will notify the public body or trustee of our intention to undertake an investigation and request the public body or trustee complete the Privacy Breach Investigation Questionnaire and submit any other relevant supporting documentation by the deadlines outlined in our notice.

The IPC will review the Privacy Breach Investigation Questionnaire and any other supporting documentation and consider if the public body or trustee appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contained the breach (as soon as possible)
  • Notified affected individuals (as soon as possible)
  • Investigated the breach
  • Taken steps to prevent future breaches

The Rules of Procedure provides that after investigating the reported privacy breach and the actions taken by the trustee, the IPC will make a decision about how to resolve the file. The possible outcomes include:

  • If the IPC is satisfied with most or all of the steps taken, the file may be closed without the issuance of a public investigation report, and if applicable, with recommendations for the public body or trustee to consider implementing.
  • If the IPC is not satisfied with the steps taken, an affected individual has filed a complaint with the IPC, the privacy breach is egregious, there is a systemic issue involved, there is significant educational value or where it involves a large number of affected individuals, the commissioner may direct that a public investigation report be issued.

The IPC takes all privacy breaches seriously, as every breach comes with an associated risk to the affected individuals (such as identity theft, credit card fraud, humiliation, damage to reputation, etc.). Staff at the IPC attempt to reach early resolution for all files before a formal review or investigation is undertaken, and staff are encouraged to explore any opportunities to informally resolve all files. As noted earlier, one of the benefits of proactively reporting is that the IPC may not need to issue a public investigation report, provided the Commissioner is satisfied that the public body or trustee has appropriately responded to the breach and taken steps to prevent future breaches. When a proactively reported breach of privacy is informally resolved, this reflects the efforts of the public body or trustee to appropriately respond to the breach and take steps to prevent future breaches.


The Last Podcast

Well, all of a sudden, my term is just about up. It will end April 30, 2025. I thought it was time to talk about my 10 plus years as the Information and Privacy Commissioner. A thank you to staff past and present. Together we accomplished a lot, and I thought it was worth talking about.

For example, in the almost 11 years, we wrote, issued and posted over 1230 reports and were able to get those reports to public bodies and applicants within, on average, 105 days. We were also able to provide residents of Saskatchewan with advice 12,746 times and in the last year we provided that advice within 48 hours.

Our office also developed a Guide to FOIP and a Guide to LA FOIP, which gave public bodies and residents an idea of what we expected when we did a review or an investigation.

So, instead of asking questions in this last Podcast, Diane Aldridge, Deputy Commissioner, asked the questions and put me on the hot seat to give good answers. I hope I did, but I will let you be the judge. Please check out the last Podcast.


Saskatchewan Business and Privacy (updated)

The Office of the Privacy Commissioner of Canada (OPC) has issued a guidance document entitled Privacy Guide for Businesses. You may ask, “Does it apply to businesses or organizations in Saskatchewan?” The answer is yes, it does. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal statute that applies to businesses in Saskatchewan. If you are in business in Saskatchewan, I recommend you read the Privacy Guide for Businesses.

First let me summarize the main issues from the guide:

  • PIPEDA sets out the ground rules for businesses in Saskatchewan.
  • The OPC oversees compliance with PIPEDA by conducting independent and impartial investigations and audits.
  • Businesses covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information.
  • People have the right to access their personal information held by a business. They also have the right to challenge its accuracy.
  • Personal information can only be used for the purposes for which it was collected.
  • Generally, personal information must be protected by appropriate safeguards.
  • PIPEDA applies to private-sector businesses across Canada and Saskatchewan that collect, use or disclose personal information in the course of a commercial activity.
  • The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
  • All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA.
  • Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
  • PIPEDA includes mandatory breach reporting requirements. Businesses must report to the OPC any breaches of security safeguards that pose a real risk of significant harm.
  • Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. The principles are:
    • Accountability
    • Identifying purposes
    • Consent
    • Limiting collection
    • Limiting use, disclosure and retention
    • Accuracy
    • Safeguards
    • Openness
    • Individual access
    • Challenging compliance

For more information on PIPEDA and Businesses, see the Privacy Guide for Businesses.

When the federal government makes changes (amendments), those changes will affect Saskatchewan businesses, whether Saskatchewan businesses like those changes or not. Alberta, British Columbia and Quebec have passed legislation provincially, which applies to businesses in their province and replaces the operation of PIPEDA to a certain extent.

I pose the question whether Saskatchewan should, like Alberta and British Columbia, develop its own legislation to ensure privacy protections are extended to all employees in Saskatchewan regardless of the type of employer they work for.


What Have We Done?

In a world where I am older than the official birth of the internet and technology moves faster than I can…it can be a challenge keeping up to date on emerging website trends. Anyone who works in this office knows that when we have an idea (or have an idea given to us) we make it happen! We love GOALS!

We know that keeping our website updated is key to staying current and providing a great user experience; something that is very important to us. Our main focus when making updates is to ensure our website is as accessible as possible making it fast, functional and visually appealing. As such, we have implemented the following new features:

  1. Title Text Over New Resources

On our main page under the heading New Resources, if you hover over the flipbooks, you will be able to see the title of the resource without zooming in or squinting, no need to grab those bi-focals.

  2. Was this Page Helpful Icons

We want to know what you find helpful on our website and areas we need to improve. Therefore, we added icons on our pages, so just click on the Yes or No and let us know whether you find the content useful, because your opinion is important to us and helps us serve you better.

  3. Google Translate

We have incorporated Google Translate on our site. To use this feature, click on the map icons in the top menu, a disclaimer will then appear that gives you information about this service. You will then need to click “ok” to proceed. Il n’y a pas de quoi.

  4. Dark Mode

We have added the ability to switch to dark mode on our website. You can do this by accessing dark mode in the settings of your browser or setting it on an OS level. Dark mode can help with eye strain and fatigue, limits blue light and can even improve focus and concentration allowing you more uninterrupted time to explore our website. 😊

Consistent improvement is something we strive for, and we would love your feedback. If there is something you find particularly helpful, you can’t seem to find something or there is a topic we haven’t covered or you would like us to explore further, let us know. You can message us on X, LinkedIn or email us at webmaster@oipc.sk.ca.

This photograph shows an employee asleep on the desk with two empty coffee cups beside her and an open laptop. It’s a stock image so the individuals should not be identified. It’s being used to give the impression of the work that goes into maintaining and updating a website. The caption reads "Me: the Website updates are done! Boss: The Website updates are NEVER done. Me: ...."

 


Templates for Section 7 Decisions

One of many steps in processing an access to information request is preparing the “section 7 decision.” Section 7 of FOIP and section 7 of LA FOIP require the government institution or local authority to give written notice to the individual who submitted the access to information request. This written notice is the “section 7 decision.” The section 7 decision informs the individual of whether the government institution or local authority is granting or refusing access to records.

My office has received many calls and emails from government institutions or local authorities requesting help on how to prepare section 7 decisions. Therefore, we have prepared templates that government institutions and local authorities can use to help prepare their section 7 decisions. Government institutions can access the templates here and local authorities can access the templates here.

Section 7 Response | IPC


AI’s Double-Edged Sword: Balancing Innovation and Privacy of Information

Canada enacted the first federal privacy protection in 1977 as part of Part IV of the Canadian Human Rights Act. The right to privacy was further supported in the enactment of the Canadian Charter of Rights and Freedoms in 1982 and when the federal Privacy Act and Access to Information Act were proclaimed in 1983. The first forms of Artificial Intelligence (AI) have been around for many decades; however, AI as we know it now only began to emerge more recently. With further developments continuing in AI, it is natural that people’s concerns about how their privacy will be affected have had to evolve as well. As technology continues to advance, so do the risks of improperly collecting, using and disclosing individuals’ personal information and/or personal health information (pi/phi).

What is AI?

Bill C-27 (not passed) – Subsection 39(2) defines AI as a “technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.”

The Department of National Defence and Canadian Armed Forces (DND/CAF) recognizes there is no single accepted definition of AI; however, it defines AI as “the capability of a computer to do things that are normally associated with human cognition, such as reasoning, learning, and self-improvement.”

AI and Privacy

As AI continues to transform industries and workflows worldwide, with some formal investigations underway, we are learning more about AI and its potential negative impacts on privacy. For instance, AI software may “scrape” pi/phi from websites without the requisite authority. The Privacy Commissioner of Canada (PCC) launched a joint investigation with three provincial Commissioners on OpenAI, which runs ChatGPT, to determine if their practices comply with Canadian privacy laws.

New Legislation

The Artificial Intelligence and Data Act (AIDA), as part of Bill C-27, is dead because Parliament has prorogued. Bill C-27 or AIDA itself will have to be reintroduced into the House of Commons. If Bill C-27 were to pass, AIDA would be one of the first national frameworks specific to the creation and use of Artificial Intelligence in Canada.

The PCC notes that, while privacy laws require modernization, the current laws apply regarding the misuse of pi/phi in the AI space. The PCC also notes that an organization or public body considering adopting AI tools in its work should complete a Privacy Impact Assessment (PIA) to determine if privacy rights are complied with in implementing new tools.

Even without specific legislation here in Saskatchewan governing AI, if a public body or trustee bound by FOIP, LA FOIP or HIPA uses AI in a way that creates a privacy breach, we could review or investigate the matter. More information as to who we have oversight on can be found in the Acts or on my office’s blog posts: “When We Cannot Help You | IPC” and “Why some reviews and investigations cannot pass go (updated) | IPC.”

Moving Forward

The risks of the misuse of AI and corresponding privacy implications have been raised by the PCC and several provincial privacy commissioners in Canada, including the Saskatchewan Information and Privacy Commissioner.

As a result, the Federal, Provincial and Territorial Information and Privacy Commissioners proposed 9 principles for the “development, provision, and use of generative AI systems” listed in the Principles for responsible, trustworthy and privacy-protective generative AI technologies document.

  1. Legal authority and consent: ensure there is consent for collection, use or disclosure and that it is as specific as possible.
  2. Appropriate purposes: collection, use and disclosure of pi/phi should only be for appropriate purposes.
  3. Necessity and proportionality: use of data to achieve intended purposes.
  4. Openness: open and transparent on the collection, use and disclosure of personal information and the potential privacy risks.
  5. Accountability: establish accountability for compliance with privacy legislation.
  6. Individual access: individuals have the right to access their personal information collected during use of an AI software.
  7. Limiting collection, use, and disclosure: limit to only what is needed to fulfill the explicitly specified, appropriate identified purpose.
  8. Accuracy: ensure personal information is as accurate, complete, and up to date as necessary for the purposes it is used.
  9. Develop safeguards: to protect personal information and mitigate potential privacy risks.

Recommendations:

  • Avoid using confidential data in AI software, including pi/phi.
  • Implement data masking techniques such as replacing names or redaction to reduce privacy risk.
  • Balance transparency of use with confidentiality of data and ensure controlled disclosure of information.
  • Review and update policies to re-evaluate AI data privacy policies as AI standards are updated.
  • Educate staff on the importance of data protection.
  • Monitor and audit AI systems for potential vulnerabilities.
  • Complete a PIA: My office has published a PIA Guidance Document which can support organizations in determining if AI has an impact on privacy.

AI can be a helpful tool to help automate the work that organizations and individuals do, but it does not come without risks. Anyone who plans to use AI tools in their work should review the recommendations from my office, and when in doubt, contact us.

Further Resources

The Artificial Intelligence and Data Act: Video

The Artificial Intelligence and Data Act (AIDA) – Companion document

The Law Society Issues “Guidelines for the Use of Generative AI in the Practice of Law” | IPC

References

A Regulatory Framework for AI: Recommendations for PIPEDA Reform – Office of the Privacy Commissioner of Canada

Principles for responsible, trustworthy and privacy-protective generative AI technologies – Office of the Privacy Commissioner of Canada

Government Bill (House of Commons) C-27 (44-1) – First Reading – Digital Charter Implementation Act, 2022 – Parliament of Canada

Exploring privacy issues in the age of AI | IBM

Legislative Summary of Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Statement on Generative AI – Office of the Privacy Commissioner of Canada

Protecting privacy in a digital age – Office of the Privacy Commissioner of Canada

A regulatory roadmap to AI and privacy | IAPP

 


Best Practices for Administrative Tribunals

The article, On the Road to Fairness: Redesigning Saskatchewan’s Administrative Tribunal System, discusses the role of administrative tribunals that help resolve disputes “between citizen and State.” Administrative tribunals “review a broad range of government decisions” and may play a regulatory or adjudicative function. In Saskatchewan, they serve as an extension “of the executive branch of government on matters that require independent decision-making free from political influence.” As part of the justice system, they are to be “fair and impartial.” Besides the Office of the Information and Privacy Commissioner, examples of administrative tribunals in Saskatchewan include:

Not all administrative tribunals post decisions online, nor may they be required to by law or otherwise. However, to demonstrate how “fair and impartial” they are, administrative tribunals may post their decisions online to inform citizens of the work they do. It also helps citizens better understand their rights. Given the Internet’s reach, it is a good way to achieve these goals. Administrative tribunals undoubtedly all deal with various types of personal information and personal health information. Some of it may be highly sensitive, or its disclosure could lead to risks to the individual, such as the risk of identity theft or risk to reputation.

The guide, Best Practices for Administrative Tribunals When Publishing Decisions, will help administrative tribunals consider how to best manage personal information and personal health information when posting decisions online. If possible, administrative tribunals should not post any personal information or personal health information online or should at least strive to post only what is necessary to meet their mandate or purpose. The goal should always be to protect individuals who are part of the decision from any harm associated with the disclosure of their personal information or personal health information.


“Top of Mind” Webinar

My office hosted a webinar on January 31, 2025. We called it “Top of Mind” Webinar. We had invited four Privacy Commissioners from across Canada to talk about what most concerned them when it came to data privacy, and we asked them to predict what would be the “big” privacy issues in 2025.

My office was pleased that 800 registered for the webinar. We recorded the webinar so those of you who could not join on the 31st can now view the webinar by accessing it on our webinars page under “Top of Mind” Data Privacy Webinar 2025 or on YouTube.

Reflecting back, the Commissioners from Canada, Ontario, Alberta and British Columbia gave us a great blueprint for the issues facing our country when it comes to data privacy.

 

 
