Ontario Proposing Legislation To Better Protect Children

Sophisticated Cyber attacks on BC

Microsoft to make security a top priority

Ontario introduces cybersecurity bill

Ontario IPC probes government use of non-government email accounts

Federal Privacy Commissioner launches breach reporting tool

Ontario IPC issues guidelines on third party procurement

Sask. Privacy Commissioner asks for authority to compel compliance

Resources - General/Non-Jurisdictional


If you can't help me, who can?

Our office is the oversight body for three Saskatchewan laws: The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act. If you do not have an access or privacy issue that falls under one of those three statutes, there are other oversight bodies available to assist with any other concerns you may be facing:

  • Saskatchewan Ombudsman: takes complaints about government services that include decisions/actions, failure to act and a delay in service.
  • The Provincial Auditor: provides independent assurance and advice on the Government’s management, governance, and effective use of public resources.
  • Health Professional Associations: if you have a concern about a regulated health professional you should contact the appropriate Health Professional Association to learn the appropriate steps for you to take to make a complaint.

I work for a privately owned business in Saskatchewan and my employer is refusing me access to my personnel file.

There is very limited access to information and privacy protection laws in Saskatchewan that extend to employees of private businesses owned and operated in Saskatchewan.

If you work for an employer of a privately owned business that is also listed as a trustee under The Health Information Protection Act (HIPA) your personal health information within your employee file would most likely be protected under HIPA. If you are an employee in federal works, undertakings or businesses in Saskatchewan you may be covered under the federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA). To learn more about the application of PIPEDA, read this Fact Sheet, found on the website of the Office of the Privacy Commissioner of Canada.

Unfortunately, these two laws would not apply to the majority of private sector employees. In order for access and privacy laws to apply to employees of the private sector in Saskatchewan, new legislation would need to be enacted to cover private sector employees, as has been done in B.C. and Alberta.

You may wish to contact the Human Resources area of your company to see if there are any written policies in place for access to your personnel or employee file. In addition, you can learn more about employee rights in Saskatchewan by clicking here.

Do the police fall under access and privacy legislation?

In 2017, amendments were made to The Local Authority Freedom of Information and Protection of Privacy Act. One of these amendments brought police services in Saskatchewan under this access and privacy legislation.  The amendments were in force on January 1, 2018.

If you would like information about how to access information or make a privacy complaint about a police service, it is no different than the process for any other local authorities.  Please click here for our resource on the access to information process and here for the privacy complaint process.

Please note, the RCMP is subject to the federal Access to Information Act and Privacy Act.  Please visit the RCMP’s Access to Information and Privacy Branch website to learn more.  The oversight bodies for the federal legislation are the Office of the Information Commissioner of Canada and the Office of the Privacy Commissioner of Canada.

I work with a private organization that is not engaged in commercial activity. As such, we are not covered by any federal privacy statutes or any of the statutes that the Saskatchewan Information and Privacy Commissioner oversees. What are some best practices to follow in relation to the collection, use and disclosure of member information?

Our office receives this question frequently when it comes time to establish member directories, emergency contact lists for parents, etc. The first step is to ensure the individuals who will be involved understand what information of theirs is being collected, why it is being collected, how it will be used/disclosed and how it will be protected. Examples of information include an individual’s name, telephone number, address and even photographs. Once they understand this, written consent should be obtained as to what information of theirs, if any, they are comfortable having disclosed. If an individual is a child, their parent or legal guardian can provide or decline consent on their behalf. Common methods of gathering consent include forms which update contact information that indicate what information may be disclosed, why it is being disclosed, where it will be disclosed and for how long and how it will be protected. Lastly, ensure that individuals are able to opt out of having their information disclosed, and ensure you have a person who is responsible for addressing privacy concerns and correcting/removing information.

Organizations should also try to follow the data minimization and need-to-know principles:

The need-to-know rule is that personal information and personal health information should only be available to those employees in an organization that have a legitimate need to know that information for the purpose of a program or activity of an organization.
The data minimization rule means that an organization should always collect, use and disclose the least amount of personal information or personal health information necessary for the purpose.

What does your office do and how can you help?

The Office of the Saskatchewan Information and Privacy Commissioner oversees three Saskatchewan statutes and their regulations. Those statutes are: The Freedom of Information and Protection of Privacy Act (FOIP) which applies to the provincial government’s ministries, crown corporations, commissions etc.; The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to cities, towns, libraries, the Saskatchewan Health Authority, municipal police services (such as the Regina Police Service) etc.; and The Health Information Protection Act (HIPA) applies to health information trustees such as the Saskatchewan Health Authority, doctors and certain areas of the provincial government.

The primary focus of these statutes is to afford individuals the right to access general information and their own personal information from government institutions and local authorities, and their own personal health information from government institutions and trustees. On the privacy side, all three acts establish an individual’s privacy rights related to the protection (collection, use, disclosure, safeguarding and destruction) of their personal information/personal health information by government institutions, local authorities, and health information trustees.

Our office cannot address concerns related to the following as we can only become involved in matters related to access to information and privacy under our jurisdiction:

• Conduct
• Ethics
• How policies and procedures are written
• Termination of employment
• Organizations covered under Federal legislation
• Private sector organizations

Where in the legislation can I find the retention schedules for our organization to follow regarding certain documents in our possession?

There is nothing specifically outlined in the legislation (FOIP, LA FOIP, HIPA) regarding the retention periods of certain documents for a public body to follow. It would be the responsibility of the public body to ensure that policies and procedures are created and safeguards are in place regarding the retention and destruction of documents.

It is possible that some public bodies under our jurisdiction are subject to The Archives and Public Records Management Act, which includes the Administrative Records Management System (ARMS) for administrative government records and the Operational Records System (ORS) for operational government records in regard to official government records. However, for transitory records, each public body generally adopts their own processes regarding retention while still adhering to the legislation they are subject to. You may find the links below from Sask Archives of more assistance regarding this as our office does not oversee this Act.

Records Classification and Retention Schedules | Provincial Archives of Saskatchewan (saskarchives.com)
Operational Records System (ORS) | Provincial Archives of Saskatchewan (saskarchives.com)