Records blowing in the wind – Saskatchewan needs a private-sector privacy law
Citizens in Regina had a difficult time navigating Victoria Avenue on Wednesday January 22, 2020. Boxes and papers that had spilled out of the back of a truck blocked the road. It was determined that the papers contained the personal information of citizens and that the owner of the papers was a private-sector business for which my office has no jurisdiction. The type of personal information involved included names, addresses, phone numbers, email addresses and financial transactions that individuals were involved in (e.g. payments received).
Unlike some other provinces in Canada, Saskatchewan does not have a private-sector privacy law. If it did, the Commissioner would have jurisdiction to investigate such a privacy breach. However, despite not having jurisdiction, my office still played an initial role in trying to determine where the records originated.
My office contacted the Office of the Privacy Commissioner of Canada to see if the federal Privacy Commissioner had jurisdiction. Federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), sets national standards for privacy practices in the private sector such as how private-sector businesses collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. It also applies to the personal information of employees of federally-regulated businesses such as banks, airlines and telecommunications companies.
The outcome of this privacy breach was that the federal office provided directions through our office to the City of Regina who had initially gathered records off the street. A local response by my office might have been more efficient. We are available to attend to the scene right away, respond to the media inquiries, be available to quickly interview witnesses, gather evidence and provide prompt guidance to both the City and the business that lost its records. In order for us to do that, we need a Saskatchewan private-sector privacy law similar to ones in British Columbia, Alberta and Quebec.
If this type of event occurs again in the future, some initial steps that can be taken are:
- Immediately secure the records – collect them and put them in a secure place (locked office or drawer);
- If it is possible to identify whom the records belong to, notify them; notify my office or the federal Privacy Commissioner’s office at 1-800-282-1376; and
- Keep the records securely stored, limit access and wait for further instructions from my office or the federal Privacy Commissioner’s office.