The Rules of Procedure

This document sets out the Rules of Procedure for reviews of complaints under section 49 of The Freedom of Information and Protection of Privacy Act (FOIP), section 38 of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), section 42 of The Health Information Protection Act (HIPA) and investigations under the Acts.

These procedures are established pursuant to section 45 of FOIP, which provides as follows:

General powers of commissioner
45 The commissioner may:

(d) determine the procedure to be followed in the exercise of the powers or performance of any duties of the commissioner pursuant to this Act; and

For a full copy of the Rules in one document, please click on the following link:   The Rules of Procedure

PART 1: Names and Definitions

What this Part is about: This Part contains definitions of words and phrases that appear in the rules.

Name
1-1 These rules may be cited as the Rules of Procedure.

Words in Acts or Regulations
1-2 Words used in these rules have the same meaning that they have under the Acts or Regulations and the following definitions are intended to clarify meanings of words as used in these rules.

Definitions
1-3 In these rules:

“access to information request” means a request for information under the Acts submitted to a public body either on paper or electronically;

“Acts” means The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA) and their regulations;

“affected individual” means a person identified as having personal information or personal health information inappropriately collected, used or disclosed in a privacy breach;

“applicant” means:
a) except in Parts 2 and 3, a person or organization who makes an access to information request or a request for correction or amendment;
b) in Part 2, a person or organization who requests a review pursuant to section 49 of FOIP or section 38 of LA FOIP; and
c) in Part 3, a person who requests a review pursuant to section 42 of HIPA.

“commissioner’s office” means a staff person employed by the commissioner and delegated to carry out certain duties of the commissioner;

“complainant” means an individual who has made a complaint alleging a privacy breach has occurred that involves the complainant’s personal information or personal health information under the Acts;

“days” means calendar days;

“FOIP” means The Freedom of Information and Protection of Privacy Act;

“HIPA” means The Health Information Protection Act;

“Investigation” means an investigation pursuant to sections 33 and 51 of FOIP, sections 32 and 40 of LA FOIP or section 52 of HIPA;

“LA FOIP” means The Local Authority Freedom of Information and Protection of Privacy Act;

“office” means the office of the Information and Privacy Commissioner located at 503-1801 Hamilton Street, Regina, Saskatchewan.

“public body” means a government institution, local authority or trustee involved in an investigation or a review;

“real risk of significant harm” may, among other things, include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

“record” means a record as defined in FOIP, LA FOIP or HIPA;

“representation” means the documents, other evidence and/or statements provided by a party to the commissioner’s office setting out its position with respect to a review or investigation and often referred to as a submission;

“request for correction” means a request by the individual for correction of his or her personal information or personal health information;

“request for review” means a request made pursuant to section 49 of FOIP, section 38 of LA FOIP or section 42 of HIPA;

“review” means a review pursuant to sections 49 to 55 of FOIP, sections 38 to 44 of LA FOIP or sections 42 to 48 of HIPA;

“section 7 response” means the letter, notice or email provided by the head of a public body pursuant to section 7 of FOIP or LA FOIP;

“section 36 response” means the letter, notice or email provided by the trustee pursuant to section 36 of HIPA;

“trustee” is a trustee, as defined by HIPA.

PART 2: Procedure on Reviews Under FOIP or LA FOIP

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require public bodies to follow when carrying out a request for a review under FOIP or LA FOIP.

Request for review
2-1 A request for a review may be made in the prescribed form and may be filed with the office by email, regular mail, fax or personal delivery.

Early resolution
2-2 Before commencing a review, the commissioner’s office may attempt to resolve the matter by entering into discussions with the applicant, public body and any third party.

Notice of review
2-3 After the commissioner’s office determines that a matter cannot be resolved and that a review will be undertaken of the head’s decision under FOIP or LA FOIP, the commissioner’s office will prepare a notice indicating that a review of the head’s decision will be undertaken. Notices will be forwarded electronically or by other means to the public body and the applicant.

Contents of notice of review
2-4(1) The notice of review will be prepared in accordance with FOIP or LA FOIP and may include a request for the following:

(a) records for which an exemption is claimed:
– an index of records;
– the records at issue provided to the applicant in the same unaltered form as provided to the applicant with the addition of a record number or page number;
– the records at issue responsive to the access to information request with no redactions and the record number or page number;
– a written representation (submission);
(b) a request that the public body immediately give notice of review to affected third parties pursuant to section 52 of FOIP or section 41 of LA FOIP;
(c) contact information for third parties affected by the review; and
(d) any other relevant information that the commissioner considers necessary for a full review.

(2) The notice of review will indicate that all of the items requested in the notice of review are to be provided within 14 days after receipt of the notice or any further time agreed to by the commissioner’s office.

(3) The notice of review will indicate that the public body must, in its representation, indicate all the exemptions the public body is relying upon. Discretionary exemptions, not included in a public body’s representation and raised later, may not be considered by the commissioner’s office.

Request to third parties
2-5 At the time of sending out the notice of review to the public body, the commissioner’s office will send a request to third parties, known to the office, indicating they have a right to make representations (submissions) to the commissioner’s office.

Parties to a review
2-6(1) The parties entitled to receive notice include the persons requesting a review and the public body to which the access to information request or request for correction was made.

(2) If during the review, the commissioner’s office determines there are other third parties, the commissioner’s office will provide a notice of review to those third parties and will invite those third parties to make a representation (submission) within 14 days after receipt of the notice or any further time agreed to by the commissioner’s office.

(3) From time to time, the commissioner’s office may identify a government institution, local authority, trustee or other organization that may have an interest or concern regarding the records in question, and the commissioner’s office may request representations from any of those parties.

Index of records
2-7(1) The index of records provided by the public body shall include but is not limited to the following information:

  • a record number or page number assigned by the public body;
  • a general description of the record such as a letter, email, memo, note, agreement indicating who it was from, who it was sent to and the date;
  • the number of pages in the record;
  • the section or subsection numbers of the exemptions claimed for that record; and
  • the status of the record, whether released to the applicant in part, full or withheld in full.

A sample of the index of records is contained in Form A.

(2) The commissioner’s office will provide a copy of the index of records to the applicant unless subsection 7(4) of FOIP or LA FOIP has been invoked or the commissioner’s office determines not to release the index of records.

Contents of a representation (submission)
2-8(1) A representation (submission) should include but is not limited to the following:

For each exemption relied on:

(a) refer to the exemption that has been applied by section, subsection, clause and sub-clause;
(b) list the record number, page numbers and where applicable paragraphs, sentences, lines or words that the exemption applies to (group pages if the records are similar);
(c) refer to the test from the IPC Guide to Exemptions for that exemption;
(d) provide positions for each part of the test and link these to the information in the record;
(e) provide any further materials necessary to support its position (i.e. affidavits, cases, reports, contracts, screen shots); and
(f) provide reasons or justifications for the position taken by the public body regarding the issue in question including searches, possession or control, paramountcy, fees, waiver of fees, time extensions, transfers or corrections.

(2) Applicants, third parties and public bodies are encouraged in their representation (submission) to follow the tests and principles set out in the IPC Guide to Exemptions. In addition, cite relevant court cases and decisions of other commissioners or ombudsmen across Canada who are responsible for overseeing access and/or privacy legislation in other jurisdictions.

(3) A representation (submission) shall not be disclosed to another party unless the party submitting the representation (submission) agrees that the representation (submission) or a portion thereof can be shared with another party.

(4) In accordance with section 46 of FOIP, the commissioner may quote short passages from the representation (submission) in its final report.

Records
2-9 The records will be provided to the commissioner’s office either in electronic or paper form, with a document number or page number that corresponds to the number given to that record in the index of records.

Analysis of the information provided
2-10 After 14 days or any further time agreed to by the commissioner’s office, the commissioner’s office will continue its analysis of the information or materials provided to it. If any information, requested in the notice of review, is missing or clarification is needed, the commissioner’s office will make one request for that information from the applicant, public body or third party and then continue with its analysis.

Additional information
2-11(1) If the commissioner’s office determines it requires additional relevant information to do its analysis, it will request that information from the public body or any other organization it considers appropriate.

(2) In order to avoid delay, the commissioner’s office will request the information by a certain date and if information was not provided by that date or another date agreed to by the commissioner’s office, the commissioner’s office will proceed with its analysis.

A draft report
2-12(1) After all information and material has been gathered and an analysis done, the commissioner’s office may prepare a draft report and send it to the public body and any other party the commissioner deems appropriate.

(2) The public body shall have seven days or any further time agreed to by the commissioner’s office, to provide input regarding factual errors in the draft report.

(3) Additional arguments on the exemptions claimed in the representation (submission) will not be considered, unless the draft report has raised an approach or principle not contained in the notice of review, the IPC Guide to Exemptions or unique circumstances exist as to why the additional arguments should be considered.

Final report
2-13(1) After the seven days or any further time agreed to by the commissioner’s office, the commissioner’s office will proceed to prepare and issue the final report, including, if deemed necessary by the commissioner, any factual corrections, public body comments, and revisions to the recommendations.

(2) The final report will be sent to:

  • the applicant;
  • the head or the head’s designate (if known) of the public body and the FOIP coordinator;
  • any affected third parties;
  • the Deputy Minister of Justice;
  • where the report discloses a possible offense, the Director of Public Prosecutions;
  • where the report involves HIPA, the Deputy Minister of Health;
  • where the report involves a city, town, or village, the Deputy Minister of Government Relations and CEO of the Saskatchewan Urban Municipalities Association;
  • where the report involves a board or commission of a city, town or village, the Mayor of the city, town or village, the Deputy Minister of Government Relations and the Saskatchewan Urban Municipalities Association;
  • where a report involves the municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Association of Rural Municipalities;
  • where the report involves a board or commission of a municipality, the Reeve of the municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Rural Municipalities Association;
  • where the report involves information technology of the government of Saskatchewan, the Deputy Minister of Central Services;
  • where the report involves information technology related to personal health information, the President of eHealth Saskatchewan and the CEO of the Saskatchewan Health Authority;
  • where the report involves an affiliate or health care organization that provides services to the Saskatchewan Health Authority, the Deputy Minister of Health and the CEO of the Saskatchewan Health Authority;
  • where the report involves the managing or archiving of official records, the Provincial Archivist;
  • where the report involves a board of education, the Deputy Minister of Education, and the Executive Director of the Saskatchewan School Boards Association;
  • where the report involves a University, College, Regional College or Saskatchewan Polytechnic, the Deputy Minister of Advanced Education;
  • where the report involves a health professional, the CEO of the association to which the health professional belongs;
  • where a report involves a police force, the President of the Saskatchewan Association of Chiefs of Police; and
  • any other public body, organization or person the commissioner’s office considers appropriate.

Report will be posted
2-14 Unless the commissioner directs otherwise, three to five days after the final report is sent to the parties, the report will be:

  • posted on the commissioner’s office website;
  • forwarded to CanLII;
  • forwarded to the Saskatchewan Legislative Library; and
  • forwarded to other commissioners or ombudsmen across Canada who are responsible for overseeing federal, provincial and territorial access and/or privacy legislation.

Public body to indicate decision
2-15 Pursuant to section 56 of FOIP and section 45 of LA FOIP, the head of the public body, within 30 days, shall indicate to the applicant and the commissioner’s office, his or her decision on the recommendations in the final report. If the head fails to advise the commissioner’s office within 30 days, the commissioner will consider that there is no response to the report and will so state in the commissioner’s Annual Report, in accordance with subsection 62(2) of FOIP and section 52(2) of LA FOIP.

Appeal to court
2-16 Pursuant to section 57 of FOIP or section 46 of LA FOIP, the applicant or the third party has the right to appeal the decision of the head to the Court of Queen’s Bench and the applicant, third party, government institution or local authority involved will be asked to advise the commissioner’s office of the appeal.

Commissioner’s office shall destroy the record
2-17 The commissioner’s office shall destroy the record which the public body has provided to the commissioner’s office, six months after the report was sent, unless:

(a) the commissioner’s office finds the matter has proceeded to the Court of Queen’s Bench, and in that case shall not destroy the record until the matter is no longer in the courts; or
(b) the commissioner’s office determines there are unique circumstances that justify the record being retained.

PART 3: Procedure on Reviews Under HIPA

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require trustees to follow when carrying out a request for a review under HIPA.

Request for review
3-1 A request for a review may be made and filed with the office by email, regular mail, fax or personal delivery.

Early resolution
3-2 Before commencing a review, the commissioner’s office may attempt to resolve the matter by entering into discussions with the applicant, trustee and any third party.

Notice of review
3-3 After the commissioner’s office determines that a matter cannot be resolved and that a review will be undertaken of the trustee’s decision under HIPA, the commissioner’s office will prepare a notice of review indicating that a review of the trustee’s decision will be undertaken. Notices will be forwarded electronically or by other means to the trustee and the applicant.

Contents of notice of review
3-4(1) The notice of review will be prepared in accordance with HIPA and may include a request for the following:

For all other records that the trustee refuses to release:

  • an index of records;
  • the records at issue provided to the applicant in the same unaltered form as provided to the applicant with the addition of a record number or page number;
  • the records at issue responsive to the access to information request with no redactions and the record number or page number;
  • a written representation (submission); and
  • any other relevant information that the commissioner considers necessary for a full review.

(2) The notice of review will indicate that all of the items requested in the notice are to be provided within 14 days after receipt of the notice or any further time agreed to by the commissioner’s office.

(3) The notice of review will indicate that the trustee must, in its representation, indicate all the reasons the trustee is relying upon. Reasons, not included in a trustee’s representation and raised later, may not be considered by the commissioner’s office.

Request representations
3-5 From time to time, the commissioner’s office may identify a government institution, local authority, trustee or other organization that may have an interest or concern regarding the records or issues in question, and the commissioner’s office may request representations from any of those parties.

Index of records
3-6(1) The index of records provided by the trustee shall include the following information:

  • a record number or page number assigned by the trustee;
  • a general description of the record such as a letter, email, memo, note, agreement indicating who it was from, who it was sent to and the date;
  • the number of pages in the record;
  • the section or subsection numbers of HIPA claimed to support withholding that record; and
  • the status of the record, whether released to the applicant in part, full or withheld in full.

A sample of the index of records is contained in Form A.

(2) The commissioner’s office will provide a copy of the index of records to the applicant unless the trustee provides strong reasons why the index of records should not be provided to the applicant and the commissioner’s office agrees with those reasons.

Contents of a representation (submission)
3-7(1) A representation (submission) should include but is not limited to the following:

For each reason given to withhold a record:

(a) list the record number, page numbers and where applicable paragraphs, sentences, lines or words that the trustee wishes to withhold (group pages if the records are similar);
(b) refer to the test from the IPC Guide to HIPA, where appropriate;
(c) provide positions for each reason to withhold and link the argument to the information in the record;
(d) provide any further materials necessary to support its position (i.e. affidavits, cases, reports, contracts, screen shots); and
(e) provide reasons or justifications for the position taken by the trustee regarding the issue in question under HIPA including searches, custody or control, paramountcy, fees, waiver of fees, time extensions, transfers or corrections.

(2) Applicants and trustees are encouraged in their representation (submission) to follow the tests and principles set out in the IPC Guide to HIPA. In addition, cite relevant court cases and decisions of other commissioners or ombudsmen across Canada who are responsible for overseeing access and/or privacy legislation in other jurisdictions.

(3) A representation (submission) shall not be disclosed to another party unless the party submitting the representation (submission) agrees that the representation (submission) or a portion thereof can be shared with another party.

(4) In accordance with section 54 of HIPA, the commissioner may quote short passages from the representation (submission) in its final report.

Records
3-8 The records will be provided to the commissioner’s office either in electronic or paper form, with a document number or page number that corresponds to the number given to that record in the index of records.

Analysis of the information provided
3-9 After 14 days or any further time agreed to by the commissioner’s office, the commissioner’s office will continue its analysis of the information or materials provided to it. If any information, requested in the notice of review, is missing or clarification is needed, the commissioner’s office will make one request for that information from the applicant, trustee or other person and then continue with its analysis.

Additional information
3-10(1) If the commissioner’s office determines it requires additional relevant information to do its analysis, it will request that information from the trustee or any other organization it considers appropriate.

(2) In order to avoid delay, the commissioner’s office will request the information by a certain date and if information was not provided by that date or another date agreed to by the commissioner’s office, the commissioner’s office will proceed with its analysis.

A draft report
3-11(1) After all information and material has been gathered and an analysis done, the commissioner’s office may prepare a draft report and send it to the trustee and any other party the commissioner deems appropriate.

(2) The trustee shall have seven days or any further time agreed to by the commissioner’s office, to provide input regarding factual errors in the draft report.

(3) Additional arguments not contained in the representation (submission) will not be considered, unless the draft report has raised an approach or principle not contained in the notice of review, the IPC Guide to HIPA or unique circumstances exist as to why the additional arguments should be considered.

Final report
3-12(1) After the seven days or any further time agreed to by the commissioner’s office, the commissioner’s office will proceed to prepare and issue the final report, including, if deemed necessary by the commissioner, any factual corrections, trustee’s comments, and revisions to the recommendations.

(2) The final report will be sent to:

  • the applicant;
  • the trustee or the trustee’s designate (if known);
  • the Deputy Minister of Justice;
  • where the report discloses a possible offense, the Director of Public Prosecutions;
  • the Deputy Minister of Health;
  • where the report involves information technology related to personal health information, the President of eHealth Saskatchewan and the CEO of the Saskatchewan Health Authority;
  • where the report involves an affiliate or health care organization that provides services to the Saskatchewan Health Authority, the CEO of the Saskatchewan Health Authority;
  • where the report involves the managing or archiving of official records, the provincial archivist;
  • where the report involves a health professional, the CEO of the association to which the health professional belongs; and
  • any other public body, organization or person the commissioner’s office considers appropriate.

Report will be posted
3-13 Unless the commissioner directs otherwise, three to five days after the final report is sent to the parties, the report will be:

  • forwarded to CanLII;
  • forwarded to the Saskatchewan Legislative Library;
  • posted on the commissioner’s office website; and
  • forwarded to other commissioners or ombudsmen across Canada who are responsible for overseeing federal, provincial and territorial access and/or privacy legislation.

Trustee to indicate decision
3-14 Pursuant to section 49 of HIPA, the trustee, within 30 days, shall indicate to the applicant and the commissioner’s office, the trustee’s decision on the recommendations in the final report. If the trustee fails to advise the commissioner’s office within 30 days, the commissioner will consider that there is no response to the report and will so state in the commissioner’s Annual Report, in accordance with subsection 60(2) of HIPA.

Appeal to court
3-15 Pursuant to section 50 of HIPA, the applicant has the right to appeal the decision of the head to the Court of Queen’s Bench and the applicant and trustee will be asked to advise the commissioner’s office of the appeal.

Commissioner’s office shall destroy the record
3-16 The commissioner’s office shall destroy the record which the trustee has provided to the commissioner’s office, six months after the report was sent, unless:

(a) the commissioner’s office finds the matter has proceeded to the Court of Queen’s Bench, and in that case shall not destroy the record until the matter is no longer in the courts; or
(b) the commissioner’s office determines there are unique circumstances that justify the record being retained.

PART 4: Procedure on Proactively Reported Privacy Breaches Under FOIP and LA FOIP

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require public bodies, Minister’s offices or Members of the Legislative Assembly’s (MLA) offices to follow when there is a proactively reported privacy breach.

Proactively reported privacy breaches
4-1(1) When a public body, Minister’s office or MLA’s office proactively reports a privacy breach to the commissioner’s office, the commissioner’s office will open a case file and provide a notice to the reporting party setting out its requirements. The notice will also request a response within 14 days after receipt of the notice or any further time agreed to by the commissioner’s office.

(2) A public body, Minister’s office or MLA’s office can proactively report a privacy breach to the commissioner’s office by either email, regular mail, fax or personal delivery.

(3) When a public body, Minister’s office or MLA’s office reports a privacy breach to the commissioner’s office under FOIP or LA FOIP, the commissioner’s office may proceed with an investigation of that privacy breach as outlined in this Part.

Notice of investigation
4-2 The commissioner’s office will prepare and send to the public body, Minister’s office or MLA’s office, a notice of investigation indicating that an investigation will be undertaken.

When investigating a privacy breach
4-3 When investigating a proactively reported privacy breach, the commissioner’s office will, among other things, review whether the public body, Minister’s office or MLA’s office issued a notification of a privacy breach under section 29.1 of FOIP or section 28.1 of LA FOIP and whether, under the circumstances, there was a real risk of significant harm.

Steps taken by public body, minister’s office or MLA’s office
4-4 When the commissioner’s office investigates a proactively reported privacy breach, the commissioner’s office will analyze whether the public body, Minister’s office or MLA’s office appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contain the breach,
  • Notify affected individuals,
  • Investigate the breach,
  • Prevent future breaches, and
  • Write a privacy breach report.

Contents of privacy breach notification
4-5 When the commissioner’s office investigates a reported privacy breach, the commissioner’s office will review the notice of privacy breach sent to affected individuals and consider whether it contains the following:

  • a description of what happened, including the date, time, location and who was involved;
  • how the breach was contained;
  • a detailed description of the personal information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact information of an individual within the organization who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the Office of the Saskatchewan Information and Privacy Commissioner;
  • the contact information of the Office of the Saskatchewan Information and Privacy Commissioner; and
  • where appropriate, recognition of the impacts of the privacy breach on affected individuals and an apology.

Closing of file or issuing a report
4-6 After investigating the proactively reported privacy breach and the actions taken by the public body, Minister’s office or MLA’s office:

(a) if the commissioner’s office is satisfied with the steps taken, the file will be closed without issuing a report;
(b) if the commissioner’s office is not satisfied with the steps taken, a person has filed a complaint with the commissioner’s office, a privacy breach is egregious, there is a systemic issue involved or where it involves a large number of affected individuals, the commissioner’s office may determine that a report will be issued.

Issuing a report
4-7 If the commissioner’s office determines that a report will be issued, the process for issuing a report in Part 6 will be followed.

 

PART 5: Procedure on Proactively Reported Privacy Breaches Under HIPA

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require trustees to follow when there is a proactively reported privacy breach.

Proactively reported privacy breaches
5-1(1) When a trustee proactively reports a privacy breach to the commissioner’s office, the commissioner’s office will open a case file and provide a notice to the reporting party, setting out its requirements. The notice will also request a response within 14 days after receipt of the notice or any further time agreed to by the commissioner’s office.

(2) A trustee can proactively report a privacy breach in writing to the commissioner’s office, by either email, regular mail, fax or personal delivery.

(3) When a trustee reports a privacy breach to the commissioner’s office under HIPA, the commissioner’s office may proceed with an investigation of that privacy breach as outlined in this Part.

Notice of investigation
5-2 The commissioner’s office will prepare and send to the trustee, a notice of investigation indicating that an investigation will be undertaken.

When investigating a privacy breach
5-3 When investigating a proactively reported privacy breach, the commissioner’s office will, among other things, review whether the trustee issued a notification of a privacy breach.

Steps taken by trustee
5-4 When the commissioner’s office investigates a proactively reported privacy breach, the commissioner’s office will analyze whether the trustee appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contain the breach,
  • Notify affected individuals,
  • Investigate the breach,
  • Prevent future breaches, and
  • Write a privacy breach report.

Contents of privacy breach notification
5-5 When the commissioner’s office investigates a reported privacy breach, the commissioner’s office will review the notice of privacy breach sent to affected individuals and consider whether it contains the following:

  • a description of what happened;
  • a detailed description of the personal health information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact information of an individual within the organization who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the Office of the Saskatchewan Information and Privacy Commissioner;
  • the contact information of the Office of the Saskatchewan Information and Privacy Commissioner; and
  • where appropriate, recognition of the impacts of the privacy breach on affected individuals and an apology.

Closing of file or issuing a report
5-6 After investigating the reported privacy breach and the actions taken by the trustee:

(a) if the commissioner’s office is satisfied with the steps taken, the file will be closed without issuing a report.
(b) if the commissioner’s office is not satisfied with the steps taken, a person has filed a complaint with the commissioner’s office, a privacy breach is egregious, there is a systemic issue involved or where it involves a large number of affected individuals, the commissioner’s office may determine that a report will be issued.

Issuing a report
5-7 If the commissioner’s office determines that a report will be issued, the process for issuing a report in Part 7 will be followed.

PART 6: Procedure on Privacy Breach Investigations Under FOIP and LA FOIP

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require public bodies, Minister’s office or Members of the Legislative Assembly’s (MLA) office to follow when carrying out an investigation of a possible privacy breach.

Complaint of breach of privacy
6-1(1) The commissioner’s office may become aware of a possible privacy breach in several different ways including:

  • an individual complaining to the commissioner’s office about a public body, Minister’s office or MLA’s office actions or practices;
  • a third party in possession of personal information notifying the commissioner’s office;
  • employees of a public body, Minister’s office or MLA’s office informing the commissioner’s office of inappropriate practices within the organization;
  • the commissioner’s office becoming aware of media reports of a potential privacy breach or inappropriate privacy practices;

and upon becoming aware, the commissioner’s office may commence an investigation.

(2) If a complainant makes a complaint of a possible privacy breach, it must be made in writing and may be filed with the commissioner’s office by email, regular mail, fax or personal delivery.

(3) If a complainant has not yet given the public body, Minister’s office or MLA’s office an opportunity to respond to the matter, the commissioner’s office may refer the complainant to the public body, Minister’s office or MLA’s office before proceeding with an investigation.

Preliminary inquiries
6-2 Before commencing an investigation, the commissioner’s office may make inquiries to determine whether there are grounds to investigate the possible privacy breach.

Notice of investigation
6-3 After the commissioner’s office determines that there are grounds to investigate, the commissioner’s office will prepare and send to the public body, Minister’s office or MLA’s office, complainant, and any other interested person, a notice of investigation indicating that an investigation will be undertaken.

Contents of notice of investigation
6-4(1) The notice of investigation will be prepared in accordance with FOIP and LA FOIP and may include a request for the following:

  • the circumstances of the breach, including date, time, location and people involved;
  • steps taken to contain the breach;
  • steps taken to contain the breach (i.e. retrieve the data improperly disclosed);
  • the steps taken to notify affected individuals that their information was improperly collected, used or disclosed;
  • details of the investigations carried out to determine the root cause of the breach;
  • steps that will be taken to help prevent a similar breach from occurring in the future;
  • copies of all investigation reports completed by employees of the public body, Minister’s office or MLA’s office or done by independent investigators; and
  • any other relevant information that the commissioner considers necessary for a full investigation.

(2) The notice of investigation will indicate that all of the items requested in the notice of investigation are to be provided within 14 days after receipt of the notice or any further time agreed to by the commissioner’s office.

Investigation of the complaint and alleged breach
6-5(1) The commissioner’s office will continue its investigation of the complaint. If any information is missing or clarification is needed, the commissioner’s office will make one or more requests for that information from the public body, Minister’s office or MLA’s office and then continue with its investigation. The commissioner’s office will determine whether to request the missing information from the public body, Minister’s office or MLA’s office or another organization.

(2) In order to avoid delay, the commissioner’s office will request the information by a certain date and if information was not provided by that date or another date agreed to by the commissioner’s office, the commissioner’s office will proceed with its investigation.

(3) If, during the investigation, the commissioner’s office determines there are other interested persons, the commissioner’s office may provide a copy of the notice of investigation to those interested persons and may request those interested persons to provide information within 14 days after receipt of the notice or any further time agreed to by the commissioner’s office.

When investigating a complaint of a breach
6-6 When investigating a complaint of a possible privacy breach, the commissioner’s office will, among other things, review whether the public body, Minister’s office or MLA’s office ought to have issued a notification of breach and whether, under the circumstances, there was a real risk of significant harm.

Steps taken by public body, Minister’s office or MLA’s office
6-7 When the commissioner’s office determines that there has been a privacy breach, the commissioner’s office will analyze whether the public body, Minister’s office or MLA’s office appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contain the breach,
  • Notify affected individuals,
  • Investigate the breach,
  • Prevent future breaches, and
  • Write a privacy breach report.

Contents of breach notification
6-8 When the commissioner’s office determines there has been a privacy breach, the commissioner’s office will, in addition to other things, review the notice of breach sent to the complainant and affected individuals and determine whether it contains the following:

  • a description of what happened, including date, time, location and individual involved;
  • a detailed description of the personal information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact information of an individual within the organization who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the Office of the Saskatchewan Information and Privacy Commissioner;
  • the contact information of the Office of the Saskatchewan Information and Privacy Commissioner; and
  • where appropriate, recognition of the impacts of the breach on affected individuals and an apology.

A draft report
6-9(1) After all information and materials have been gathered and an analysis done, the commissioner’s office may prepare and send a draft report to the public body, Minister’s office or MLA’s office and any other party the commissioner deems appropriate.

(2) The public body, Minister’s office or MLA’s office shall have seven days or any further time agreed to by the commissioner’s office, to provide input regarding factual errors in the report unless the time is extended by the commissioner’s office.

Final report
6-10(1) After the seven days or any other further time agreed to by the commissioner’s office, the commissioner’s office will proceed to prepare and issue the final report, including, if deemed necessary by the commissioner, any factual corrections, the public body, Minister’s office or MLA’s office comments, and revisions to the recommendations.

(2) The final report will be sent to:

  • the complainant;
  • the head or the head’s designate (if known) of the public body and the FOIP coordinator or where appropriate the Minister’s office or the MLA’s office;
  • where the commissioner directs, the person or entity who is accused of the alleged breach;
  • the Deputy Minister of Justice;
  • where the report discloses a possible offense, the Director of Public Prosecutions;
  • where the report involves HIPA, the Deputy Minister of Health;
  • where the report involves a city, town, or village, the Deputy Minister of Government Relations and the CEO of the Saskatchewan Urban Municipalities Association;
  • where the report involves a board or commission of a city, town or village, the Mayor of the city, town or village, the Deputy Minister of Government Relations and the Saskatchewan Urban Municipalities Association;
  • where a report involves a municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Association of Rural Municipalities;
  • where the report involves a board or commission of a municipality, the Reeve of the municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Rural Municipalities Association;
  • where the report involves information technology of the government of Saskatchewan, the Deputy Minister of Central Services;
  • where the report involves information technology related to personal health information, the president of eHealth Saskatchewan and the CEO of the Saskatchewan Health Authority;
  • where the report involves an affiliate or health care organization that provides services to the Saskatchewan Health Authority, the Deputy Minister of Health and the CEO of the Saskatchewan Health Authority;
  • where the report involves the managing or archiving of official records, the provincial archivist;
  • where the report involves a board of education, the Deputy Minister of Education, and the Executive Director of the Saskatchewan School Boards Association;
  • where the report involves a University, College, Regional College or Saskatchewan Polytechnic, the Deputy Minister of Advanced Education;
  • where the report involves a health professional, the CEO of the association to which the health professional belongs;
  • where a report involves a police force, the President of the Saskatchewan Association of Chiefs of Police; and
  • any other public body, Minister’s office or MLA’s office, organization or person the commissioner’s office considers appropriate.

Report will be posted
6-11 Unless the commissioner directs otherwise, three to five days after the final report is sent to the parties, the report will be:

  • posted on the commissioner’s office web site;
  • forwarded to CanLII;
  • forwarded to the Saskatchewan Legislative Library; and
  • forwarded to other commissioners or ombudsman across Canada who are responsible for overseeing federal, provincial and territorial privacy legislation.

Head to indicate decision
6-12 Pursuant to section 56 of FOIP or section 45 of LA FOIP, the head of the public body, Minister’s office or MLA’s office shall provide within 30 days to the complainant and the commissioner’s office, the decision on the recommendations in the report. If the head fails to advise the commissioner’s office within 30 days, the commissioner will consider that there is no response to the report and will so state in the commissioner’s Annual Report, in accordance with subsection 62(2) of FOIP and subsection 52(2) of LA FOIP.

Appeal to court
6-13 Pursuant to section 57 of FOIP or section 46 of LA FOIP, the complainant or individual has the right to appeal the decision of the head to the Court of Queen’s Bench and the complainant, or individual, government institution, local authority, Minister’s office or MLA’s office will be asked to advise the commissioner’s office of the appeal.

PART 8: Information and Evidence

What this Part is about: This Part sets out some basic requirements for communicating with the commissioner’s office and the providing of information and evidence.

Commissioner’s office will communicate with the parties or interested persons
8-1 The commissioner’s office may communicate with the parties by mail, email, telephone or fax. Unless impractical, parties shall communicate personal information or personal health information by means of encrypted transmissions or other means where the information is protected.

Providing information in the form of an affidavit or declaration
8-2 Pursuant to section 54 of FOIP, section 43 of LA FOIP or section 46 of HIPA, the commissioner, where the circumstances warrant, can require the applicant, complainant, public body, third party or any other person to provide the information or documents in the form of an affidavit or declaration.

Refusal to provide information or documents
8-3 Pursuant to section 54 of FOIP, section 43 of LA FOIP, or section 46 of HIPA, where a person or organization refuses to provide information or documents, under oath or otherwise, the commissioner may issue a Notice to Produce Documents or summon a person to attend at the office and give evidence under oath or affirmation and produce documents related to the review or investigation.

Commissioner’s office will make inquiries
8-4 In any review or investigation, the commissioner’s office may ask for relevant information from any person or organization that the commissioner considers necessary for a full review or investigation.

PART 9: Solicitor-Client Privilege

What this Part is about: This Part sets out the procedure to be followed when a head claims solicitor-client privilege.

Claiming solicitor-client privilege
9-1(1) Where in a proceeding it is brought to the attention of the commissioner’s office that solicitor-client privilege will be claimed by the head over certain records, the commissioner’s office will request:

(a) an affidavit of records over which the solicitor-client privilege is claimed (Form B);
(b) a representation (submission) providing further information as to why solicitor-client privilege is claimed.

(2) The commissioner’s office will not release the affidavit of records over which solicitor-client privilege is claimed to the applicant, unless the party submitting the affidavit agrees that the affidavit or a portion thereof can be shared with the applicant (Form B).

(3) If the affidavit of records over which solicitor-client privilege is claimed does not have sufficient information for the commissioner’s office to conclude that exemption based on solicitor-client privilege is justified, the commissioner’s office will request further information by affidavit or otherwise until satisfied the exemption is justified.

PART 10: Application to Disregard an Access to Information Request or a Request for Correction Under FOIP or LA FOIP

What this Part is about: This Part sets out the procedure for a public body in applying to disregard an access to information request or a request for correction under FOIP or LA FOIP.

Head applies to disregard an access to information request or a request for correction
10-1(1) When a head applies to the commissioner’s office to disregard an access to information request or a request for correction pursuant to section 45.1 of FOIP or section 43.1 of LA FOIP, the head shall apply to the commissioner’s office and provide information outlined in section 9-2 as soon as reasonably practical but preferably within 10 days of receiving the request.

(2) Where the circumstances require, the commissioner’s office may request the head to provide the information by an affidavit or declaration.

Head to provide information
10-2 When a head of a public body applies to disregard an access to information request or a request for correction, the head will provide the following information:

  • a copy of the date stamped access to information request(s) or request(s) for correction that the public body wishes to disregard;
  • contact information for the applicant;
  • specific subsections relied on (subsection 45.1(2)(a), (b), or (c) of FOIP or 43.1(2)(a), (b), or (c) of LA FOIP);
  • reasons as to why the commissioner’s office should grant the application to disregard;
  • copies of previous access to information requests or requests for correction, if relevant;
  • copies of letters or emails between the person making the access to information request and the public body, if relevant;
  • copies of any other documents the head considers relevant; and
  • confirmation that the applicant was provided a copy of the application to disregard.

Head to provide copy
10-3 The head shall provide the application to disregard as outlined in section 9-2 to the applicant.

Parties to application to disregard
10-4(1) The parties to the application to disregard are the public body and the applicant.

(2) The commissioner’s office will not consider the application to disregard received by the commissioner’s office 30 days after the date of the access to information request or request for correction, unless the commissioner’s office is satisfied there are extraordinary circumstances as to why the application is late.

(3) The commissioner’s office will notify the applicant that the public body has applied to the commissioner to disregard the access to information request or the request for correction and the applicant may respond to the commissioner’s office within 10 days.

Commissioner’s office will make inquiries
10-5 In an application to disregard, the commissioner’s office will make inquiries of any person or organization it considers necessary to do a complete and accurate analysis.

Priority of application to disregard
10-6 The commissioner’s office will give applications to disregard, priority in the office and all efforts will be taken to make inquiries, do the analysis and provide a decision within 20 days.

Form of commissioner’s response
10-7(1) The commissioner will issue a decision with reasons for his decision and a statement as to whether the application to disregard has been granted or refused.

(2) The decision of the commissioner will be sent to the head of the public body and the applicant.

Decision will be posted
10-8 Within three to five days after the decision is sent, unless the commissioner directs otherwise, the decision will be:

  • posted on the commissioner’s office website;
  • forwarded to CanLII;
  • forwarded to the Saskatchewan Legislative Library; and
  • forwarded to the commissioners across Canada.

Form A: Index of Records

Form B: Affidavit of Records