Frequently Asked Questions
Please view our frequently asked questions. Click on the “Show Answer” text for the answer. If you do not find the information about our office that you are looking for, please contact us.
Access to Information FAQ
What kinds of information can I request from a provincial government institution or local authority?
You can request access to any records in the possession or under the control of a provincial government institution or local authority. Both The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) define a “record” as, “… a record of information in any form and includes information that is written, photographed, recorded or stored in any manner…” Although this list is non-exhaustive, a record can include emails, paper records, draft and final reports, handwritten meeting notes, information written on a sticky note, pictures, video and tape recordings … and the list goes on.
Someone has filed an access to information request with a government institution seeking information about a business that I own or operate. The government institution has refused to disclose the information, but the requester has filed a request for a review with the IPC. Do I have a right to participate in the review?
When your business is affected by a review conducted by the IPC, you have a right to participate in the review. Your business will receive a notice from this office asking you to indicate if you consent to the release of the information. If you do not consent to the release, you will be invited to provide a submission setting out your views as to whether the information should be released to the requester. For further information, see What to Expect During a Review with the IPC and A Guide to Submissions.
Who can make an access request to a provincial government institution or local authority?
Under The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) any person may make an access request. Those who make an access request under FOIP and LA FOIP are considered an applicant. The definition of applicant in both statutes does not restrict who can make a request – in other words it does not matter if you are a citizen of Saskatchewan, Canada, or another country, you can make a request for records in the possession or under the control of a provincial government institution or local authority.
Can a government institution release information about a private business to access to information requesters?
The government institution is obliged to release information in its possession or control under FOIP, including information about private businesses, unless the information is exempt from disclosure.
A record containing information about a private business may be exempt from disclosure if, for example, section 19(1) of FOIP applies.
If a government institution decides to release information about a private business and you disagree with the decision, within 20 days of receiving that decision, you can file a request for a review of the decision on behalf of the business with the IPC. For further information, see Guide to Requesting a Review from the IPC.
I want to obtain information about the latest public sector program, how do I make an access request? How long do I have to wait for the information?
Requests to provincial government institutions: send the request to the appropriate office in the ministry you are seeking information from. For a complete list of access and privacy officers for each provincial government institution please refer to Government Institution Contacts.
Requests to a local authority (i.e. Saskatchewan Health Authority, school divisions, cities, police services or towns): send the request to the head office of each public body so that the request can be forwarded to the appropriate team or individual. If you are still unsure of where to send your request, you may contact our office and we can point you in the right direction.
Requests to a trustee (i.e. doctor’s office, pharmacy, health clinic): send the request directly to the doctor’s office, pharmacy, or health clinic and address to the individual (typically the Dr., Pharmacist) who you believe has custody and/or control of the records.
It is recommended that an access request be completed on the prescribed form found here: Access to Information Request Forms.
Once the public body has received your request, it has 30 days to respond. If your request is for a large amount of records, or requires a substantial amount of time to process, the public body may extend your request an additional 30 days; you should be provided with notice from the public body of any extension of time needed.
For your information, access to information does not require the public body to answer questions or create new records that do not already exist at the time the access request is made.
For more information on how to submit a good Access to Information Request, please refer to the following:
I have verbally requested my medical records from my doctor; they have yet to provide them to me. What should I do?
You should make the same request in writing to your doctor’s office. Our office can only become involved when an access to information request has been made in writing. If you have submitted a written access to information request for your medical records to your doctor under The Health Information Protection Act (HIPA) and have not received a response within the legislated timeline of 30 days, you can request a review by our office. Please see here for an overview on the access to information and request for review process. Additionally, you may wish to review the following blog on what makes a good access request.
I am a small public body and I have received my first freedom of information request or privacy complaint ever! Where can I find help?
Receiving your first formal freedom of information request or privacy complaint can be overwhelming. Certainly, you may contact our office at 306-787-8350 or 1-877-748-2298 for assistance or by taking a look at some of our resources available in our Resource Directory.
The Access and Privacy Branch of the Ministry of Justice can also help. The Access and Privacy Branch:
To find out more about the Access and Privacy Branch contact 306-787-5473 or email AccessPrivacyJustice@gov.sk.ca.
I am not satisfied with the response I received to my access to information request, can your office conduct a review and force the public body to release the records to me? How do I request a review by your office?
Our office has the power to review/investigate, comment and make recommendations, but we do not have order-making power and cannot force compliance with our recommendations.
In order to initiate a review we require:
• A copy of an access to information request, which was made using the prescribed form.
• A copy of the response (letter or email) from the public body, which states:
access had been denied, or
information does not exist.
• A completed request for review form, using the prescribed form.
If you have not received a response, you will need to provide evidence that it has been over 30 days since the access to information request was submitted to the public body or trustee and no response has been provided.
The completed forms can be emailed to our office at intake@oipc.sk.ca or mailed to:
Office of the Information and Privacy Commissioner of Saskatchewan
503-1801 Hamilton Street
Regina, SK S4P 4B4
Once we receive this information we will determine whether we have jurisdiction and advise you of whether there is anything further that we require.
After we have conducted a review and issued the report outlining our findings and recommendations, the decision of the public body to either comply or not comply with our recommendations, if you do not agree, can be appealed to the Court of Queen’s Bench. For more information on this process, please refer to our office’s resource guide to appealing the decision of a head.
I have requested access to the meeting minutes from the RM that should be available to the public pursuant to section 117 of The Municipalities Act but have not received access. What should I do?
You can call the Administrator and indicate you are asking for the Minutes under section 117 of The Municipalities Act. If that does not work, you can call Government Relations and indicate the Municipality is not complying with section 117. If that does not yield results, you can make an access request under LA FOIP requesting the Minutes. Be sure to be as clear as you can regarding the dates of the meeting Minutes that you want. The Municipality has 30 days to provide you with the Minutes. If they fail to do so, you can request a review by our office.
Remember Minutes of a particular meeting are usually not approved until the next meeting. The Minutes don’t become “Minutes” until they are approved.
Can I issue a fee estimate after initial 30 days?
Please refer to report 160-2020 where the Commissioner found that if the intention is to issue a fee estimate, it should be done within 30 days of receiving the access to information request. This only applies if the fee is over $100. There is no mechanism within the legislation that allows the issuance of a fee estimate beyond the first 30 days. Additionally, without a fee estimate, a public body would be unable to charge fees for search, preparation and reproduction of records.
Amendment/Right of Correction FAQ
I don’t like something that is written about me in my file, what do I need to know when requesting an amendment?
An individual can request that an amendment be made to his/her personal information or personal health information if there is an error or an omission. An error is a mistake or something is wrong or incorrect. An omission means that something is missing, left out or overlooked. Regarding a request for an amendment, an applicant must initially provide some argument to support the request for amendment. A request for correction must, at a minimum:
Identify the personal information/personal health information the applicant believes is in error. It must be the personal information/personal health information of the applicant and not of a third party.
The alleged error must be a factual error or omission.
The request must include some evidence to support the allegation of error or omission. Mere assertions will not suffice.
The proposed correction must be clearly stated and cannot be a substitution of opinion.
For further information regarding amendments and/or right of correction, please refer to section 40 of HIPA, section 31 of LA FOIP and section 32 of FOIP.
Protection of Privacy FAQ
I recently discovered a coworker has been viewing patient records without any need-to-know; who would I report this to?
If you suspect or have proof that a co-worker has been viewing patient records without a need-to-know, see what your internal policies and procedures say regarding reporting such incidents. If you are not sure, speak to your supervisor or Privacy Officer to learn the proper procedure. You may also wish to contact our office to request assistance on how to formally report an alleged breach of privacy and how our office can become involved. For more information on responding to privacy breaches, please refer to our Privacy Breach Guidelines for Trustees resource available on our website in the Resource Directory, under the Resource Tab.
I feel my privacy has been breached and I would like your office to look into it because I don't feel that the public body will thoroughly investigate the breach.
Our office is an office of last resort, meaning we would not normally become involved with a breach of privacy complaint until the public body and/or trustee under our jurisdiction (FOIP, LA FOIP, HIPA) first has the opportunity to investigate. If you feel your privacy has been breached (improperly collected, used or disclosed) you must first write to the public body and/or trustee you believe breached your privacy and request they complete an investigation into the matter. You need to be very specific with what you believe is a breach of your privacy so that they have enough information to conduct an adequate investigation (i.e. where the breach occurred, date, time, people involved, how the breach occurred). Our office suggests including as much detail as possible when making your complaint such as; whether personal information, personal health information or both have been compromised as well as whether you believe unlawful collection, use, or disclosure has occurred. Include evidence or proof you have that the breach occurred, keep a copy of the written complaint and forward your complaint to the applicable privacy officer.
Public bodies and/or trustees must comply with the access and privacy legislation to which they are subject. The public body and/or trustee will then have approximately 30 days to respond to you in writing. Once the internal investigation is complete, if you are not satisfied with the outcome of the investigation, or if you do not receive a response within 30 days, you may contact our office.
If you would like our office to look into a privacy matter, please include a copy of the written complaint you made to the public body and/or trustee, a copy of the response you received from the public body and/or trustee (if you received one) and our completed Alleged Breach of Privacy Reporting Form.
If the complaint is currently being investigated by a regulatory body (i.e. College of Physicians and Surgeons), our office may still proceed to open an investigation. If a complaint has not been filed with a regulatory body, you may wish to also contact them regarding your concerns.
I work in the public sector; why is my salary not considered my personal information?
When you work for a public body where your salary is paid with tax-payer dollars, there is a legal responsibility of the public body to make public expenditures more transparent. Under subsection 24(2)(a) of The Freedom of Information and Protection of Privacy Act (FOIP) and subsection 23(2)(a) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) “salary” of employees is not considered personal information. For more information on this topic, please refer to our blog “When Salary is Open to Public Scrutiny”.
I work in the public sector and there has been an access request for information which is contained in my work emails. Is it a breach of my privacy to release information from my email?
This is one of those questions that begins with, “that depends”. It depends on the email itself – was it sent from your work email? Who is the email to? What is the content of the email? Review Report 096-2015 and 097-2015 provides very good examples of how emails in possession of a public body are not the property of that public body.
Just because you are emailing your spouse or family members from your work email does not mean that those emails would be considered releasable. If it is an email from one coworker to another, discussing only their weekend plans, that email may not be considered releasable. If the content of emails constitutes work product, no privacy interests are engaged.
To protect yourself, send personal emails form your personal email account and work related emails from your work account. For more information please review our resource Best Practices for Managing the Use of Personal Email Accounts, Text Messaging and Other Instant Messaging Tools | IPC (oipc.sk.ca)
I am concerned that my family doctor breached my privacy. How do I make a complaint?
If you feel that your personal health information has been breached (improperly collected, used, disclosed or disposed of) by your doctor, first make your complaint in writing to your family doctor as he/she is most likely a trustee of your personal health information under The Health Information Protection Act. Be sure to outline the reason you believe your privacy was breached and include evidence or proof you have that the breach occurred. Keep a copy of the written complaint. You should allow the doctor around 30 days to respond to you.
If you do not receive a response or are not satisfied by the response you receive, forward your concern to the appropriate regulatory body and make a formal complaint using their processes. In the case of a family doctor, that would be The College of Physicians and Surgeons of Saskatchewan. Include, as background information, the original complaint and the response you received from your doctor.
If you are not satisfied with the response you receive from the College, you can then bring your complaint to our office. We will require the complaint to be in writing. We will also ask for the background information you have on the complaint, such as the original complaint made to the doctor and College and any responses you received back.
If you feel the breach was extremely egregious or harmful, you may wish to contact our office first at 306-787-8350 or 1-877-748-2298 to discuss.
I work in a special care home. I am worried about families of my patients secretly taping me at work. Are they allowed to do that?
The laws that this office oversees only apply to organizations and their employees, not individuals. This office does not have the power to force an individual to stop recording or to investigate after the fact.
Nevertheless, if the special care home is a trustee for the purposes of The Health Information Protection Act, it does have a duty to protect the personal health information of those in its care. If family members are making recordings, it may compromise the privacy of its patients. First, discuss the issue with your supervisor who can determine whether the organization is a trustee and can do anything to safeguard personal health information. Also, see our blog Surveillance in Personal Care Homes: A Case Study.
We are wanting to install video surveillance at our organization. Are there any steps to take regarding the potential privacy implications of this?
Our office has a blog titled Privacy Concerns with Video Surveillance that contains helpful information to refer to when you are considering installing video surveillance.
Our organization has discovered a potential privacy breach. What should we do?
Our office has many resources that may contain helpful information for an organization regarding a potential privacy breach. We have a Privacy Breach Guidelines for Health Trustees resource and a Privacy Breach Guidelines for Government Institutions and Local Authorities resource that contain very helpful information around the steps to take when a breach has occurred. This includes containing the breach, notifying the affected individuals, investigating the breach and preventing future breaches. Another resource that our office has that may be helpful is our Guide to Creating an Internal Privacy Breach Investigation Report.
When a privacy breach occurs with a public body/trustee that our office has jurisdiction over, although it is not mandatory, our office encourages the public body/trustee to proactively report the privacy breach to us. Information on the advantages of proactively reporting a privacy breach, what the possible outcomes are and what to expect if our office becomes involved can be found on page 8 of our Privacy Breach Guidelines for Health Trustees resource and page 8 of our Privacy Breach Guidelines for Government Institutions and Local Authorities resource.
If it is determined that our office has jurisdiction over the organization and you decide to proactively report the potential privacy breach to us, you can fill out the Proactively Reported Breach of Privacy Reporting Form and submit it to our office via mail or send by email to intake@oipc.sk.ca.
Once our office receives the completed form we will be able to open an investigation file and will contact you for any additional information that we require.
General/Non-Jurisdictional FAQ
If you can't help me, who can?
Our office is the oversight body for three Saskatchewan laws: The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act. If you do not have an access or privacy issue that falls under one of those three statutes, there are other oversight bodies available to assist with any other concerns you may be facing:
- Saskatchewan Ombudsman: takes complaints about government services that include decisions/actions, failure to act and a delay in service.
- The Public Interest Disclosure Commissioner: deals with issues, receives disclosures and investigates matters surrounding complaints of wrongdoings made by public servants against his or her employer under The Public Interest Disclosure Act (PIDA).
- The Provincial Auditor: provides independent assurance and advice on the Government’s management, governance, and effective use of public resources.
- Office of the Privacy Commissioner of Canada: deals with privacy issues related to the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Office of the Information Commissioner of Canada: investigates complaints about federal institutions’ handling of access requests under the Access to Information Act.
- Health Professional Associations: if you have a concern about a regulated health professional you should contact the appropriate Health Professional Association to learn the appropriate steps for you to take to make a complaint.
I work for a privately owned business in Saskatchewan and my employer is refusing me access to my personnel file.
There is very limited access to information and privacy protection laws in Saskatchewan that extend to employees of private businesses owned and operated in Saskatchewan.
If you work for an employer of a privately owned business that is also listed as a trustee under The Health Information Protection Act (HIPA) your personal health information within your employee file would most likely be protected under HIPA. If you are an employee in federal works, undertakings or businesses in Saskatchewan you may be covered under the federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA). To learn more about the application of PIPEDA, read this Fact Sheet, found on the website of the Office of the Privacy Commissioner of Canada.
Unfortunately, these two laws would not apply to the majority of private sector employees. In order for access and privacy laws to apply to employees of the private sector in Saskatchewan, new legislation would need to be enacted to cover private sector employees, as has been done in B.C. and Alberta.
You may wish to contact the Human Resources area of your company to see if there are any written policies in place for access to your personnel or employee file. In addition, you can learn more about employee rights in Saskatchewan by clicking here.
Do the police fall under access and privacy legislation?
In 2017, amendments were made to The Local Authority Freedom of Information and Protection of Privacy Act. One of these amendments brought police services in Saskatchewan under this access and privacy legislation. The amendments were in force on January 1, 2018.
If you would like information about how to access information or make a privacy complaint about a police service, it is no different than the process for any other local authorities. Please click here for our resource on the access to information process and here for the privacy complaint process.
Please note, the RCMP is subject to the federal Access to Information Act and Privacy Act. Please visit the RCMP’s Access to Information and Privacy Branch website to learn more. The oversight bodies for the federal legislation are the Office of the Information Commissioner of Canada and the Office of the Privacy Commissioner of Canada.
I work with a private organization that is not engaged in commercial activity. As such, we are not covered by any federal privacy statutes or any of the statutes that the Saskatchewan Information and Privacy Commissioner oversees. What are some best practices to follow in relation to the collection, use and disclosure of member information?
Our office receives this question frequently when it comes time to establish member directories, emergency contact lists for parents, etc. The first step is to ensure the individuals who will be involved understand what information of theirs is being collected, why it is being collected, how it will be used/disclosed and how it will be protected. Examples of information include an individual’s name, telephone number, address and even photographs. Once they understand this, written consent should be obtained as to what information of theirs, if any, they are comfortable having disclosed. If an individual is a child, their parent or legal guardian can provide or decline consent on their behalf. Common methods of gathering consent include forms which update contact information that indicate what information may be disclosed, why it is being disclosed, where it will be disclosed and for how long and how it will be protected. Lastly, ensure that individuals are able to opt out of having their information disclosed, and ensure you have a person who is responsible for addressing privacy concerns and correcting/removing information.
Organizations should also try to follow the data minimization and need-to-know principles:
The need-to-know rule is that personal information and personal health information should only be available to those employees in an organization that have a legitimate need to know that information for the purpose of a program or activity of an organization.
The data minimization rule means that an organization should always collect, use and disclose the least amount of personal information or personal health information necessary for the purpose.
What does your office do and how can you help?
The Office of the Saskatchewan Information and Privacy Commissioner oversees three Saskatchewan statutes and their regulations. Those statutes are: The Freedom of Information and Protection of Privacy Act (FOIP) which applies to the provincial government’s ministries, crown corporations, commissions etc.; The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to cities, towns, libraries, the Saskatchewan Health Authority, municipal police services (such as the Regina Police Service) etc.; and The Health Information Protection Act (HIPA) applies to health information trustees such as the Saskatchewan Health Authority, doctors and certain areas of the provincial government.
The primary focus of these statutes is to afford individuals the right to access general information and their own personal information from government institutions and local authorities, and their own personal health information from government institutions and trustees. On the privacy side, all three acts establish an individual’s privacy rights related to the protection (collection, use, disclosure, safeguarding and destruction) of their personal information/personal health information by government institutions, local authorities, and health information trustees.
Our office cannot address concerns related to the following as we can only become involved in matters related to access to information and privacy under our jurisdiction:
• Conduct
• Ethics
• How policies and procedures are written
• Termination of employment
• Organizations covered under Federal legislation
• Private sector organizations
Where in the legislation can I find the retention schedules for our organization to follow regarding certain documents in our possession?
There is nothing specifically outlined in the legislation (FOIP, LA FOIP, HIPA) regarding the retention periods of certain documents for a public body to follow. It would be the responsibility of the public body to ensure that policies and procedures are created and safeguards are in place regarding the retention and destruction of documents.
It is possible that some public bodies under our jurisdiction are subject to The Archives and Public Records Management Act, which includes the Administrative Records Management System (ARMS) for administrative government records and the Operational Records System (ORS) for operational government records in regard to official government records. However, for transitory records, each public body generally adopts their own processes regarding retention while still adhering to the legislation they are subject to. You may find the links below from Sask Archives of more assistance regarding this as our office does not oversee this Act.
Records Classification and Retention Schedules | Provincial Archives of Saskatchewan (saskarchives.com)
Operational Records System (ORS) | Provincial Archives of Saskatchewan (saskarchives.com)