The Rules of Procedure

This document sets out the Rules of Procedure for reviews of complaints under section 49 of The Freedom of Information and Protection of Privacy Act (FOIP), section 38 of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), section 42 of The Health Information Protection Act (HIPA) and investigations under the Acts.

These procedures are established pursuant to section 45 of FOIP, which provides as follows:

General powers of commissioner
45 The commissioner may:

(d) determine the procedure to be followed in the exercise of the powers or
performance of any duties of the commissioner pursuant to this Act; and

For a full copy of the Rules in one document, please click on the following link:   The Rules of Procedure

For referencing specific Parts of the Rules, please click on the + sign to expand each Part below.

PART 1: Name and Definitions

What this Part is about: This Part contains definitions of words and phrases that appear in the rules.

1-1 Name
These rules may be cited as the Rules of Procedure.

1-2 Words in Acts or Regulations
Words used in these rules have the same meaning that they have under the Acts or Regulations and the following definitions are intended to clarify meanings of words as used in these rules.

1-3 Definitions
In these rules:

“access to information request” means a request for information under the Acts submitted to a public body either on paper or electronically;

“Acts” means The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act and The Health Information Protection Act and their regulations;

“affected individual” means a person identified as having personal information or personal health information, being inappropriately collected used or disclosed in a privacy breach;

“applicant” means:

  • except in Parts 2 and 3, a person or organization who makes an access to information request or a request for correction or amendment;
  • in Part 2, a person or organization who requests a review pursuant to section 49 of FOIP or section 38 of LA FOIP; and
  • in Part 3, a person who requests a review pursuant to section 42 of HIPA;

“commissioner’s office” means the office of the Information and Privacy Commissioner and includes a staff person employed by the commissioner delegated to carry out certain duties of the commissioner;

“complainant” means an individual who has made a complaint alleging a privacy breach has occurred that involves the complainant’s personal information or personal health information under the Acts;

“days” means calendar days;

“FOIP” means The Freedom of Information and Protection of Privacy Act;

“HIPA” means The Health Information Protection Act;

“Investigation” means an investigation pursuant to sections 33 and 51 of FOIP, sections 32 and 40 of LA FOIP or section 52 of HIPA;

“LA FOIP” means The Local Authority Freedom of Information and Protection of Privacy Act;

“public body” means a government institution, local authority or trustee involved in an investigation or a review;

“real risk of significant harm” may, among other things, include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

“record” means a record as defined in FOIP, LA FOIP or HIPA;

“representation” means the documents, other evidence and/statements or affidavits provided by a party to the commissioner’s office setting out its position with respect to a review or investigation and often referred to as a submission;

“request for correction” means a request by the individual for correction of his or her personal information or personal health information;

“request for review” means a request made pursuant to section 49 of FOIP, section 38 of LA FOIP or section 42 of HIPA;

“review” means a review pursuant to sections 49 to 55 of FOIP, sections 38 to 44 of LA FOIP or sections 42 to 48 of HIPA;

“section 7 response” means the letter, notice or email provided by the head of a public body pursuant to section 7 of FOIP/LA FOIP;

“section 36 response” means the letter, notice or email provided by the trustee pursuant to section 36 of HIPA;

“trustee” is a trustee, as defined by HIPA.

PART 2: Procedure on Reviews Under FOIP and LA FOIP

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require public bodies to follow when carrying out a request for a review under FOIP and LAFOIP.

2-1 Request for review
A request for a review may be made in the prescribed form and may be filed with the commissioner’s office by email, regular mail, fax or personal delivery.

2-2 Early resolution
Before commencing a review, the commissioner’s office may attempt to resolve the matter by entering into discussions with the applicant, public body and any third party.

2-3 Notice of review
After the commissioner’s office determines that a matter cannot be resolved and that a review will be undertaken of the head’s decision under FOIP/LA FOIP, the commissioner’s office will prepare a notice indicating that a review of the head’s decision will be undertaken. Notices will be forwarded electronically or by other means to the public body and the applicant.

2-4 Contents of notice of review
(1) The notice of review will be prepared in accordance with FOIP/ LA FOIP and may include a request for the following:

(a) records for which an exemption is claimed:

  • an index of records (see Form A);
  • the records at issue provided to the applicant in the same unaltered form as provided to the applicant with the addition of a record number or page number and if applicable a redaction or severance number, there is no need to provide the commissioner’s office with records released in full;
  • the records at issue responsive to the access to information request with no redactions and the record number or page number;
  • a written representation (submission);

(b) a request that the public body immediately give notice of review to affected third parties pursuant to section 52 of FOIP or section 41 of LA FOIP;

(c) contact information for third parties affected by the review; and

(d) any other relevant information that the commissioner considers necessary for a full review.

(2) The notice of review will indicate that all of the items requested in the notice of review are to be provided within 30 days after receipt of the notice or any further time directed by the commissioner’s office.

(3) The notice of review will indicate that the public body must in its representation, indicate all the exemptions the public body is relying upon. Discretionary exemptions, not included in a public body’s representation and raised later, may not be considered by the commissioner’s office.

2-5 Request to third parties
At the time of sending out the notice of review to the public body, the commissioner’s office will send a request to third parties, known to the commissioner’s office, indicating they have a right to make representations to the commissioner’s office.

2-6 Parties to a review
(1) The parties entitled to receive notice include the persons requesting a review and the public body to which the access to information request or request for correction was made.

(2) If during the review, the commissioner’s office determines there are other third parties, the commissioner’s office will provide a notice of review to those third parties and will invite those third parties to make a representation within 14 days after receipt of the notice or any further time directed by the commissioner’s office.

(3) From time to time, the commissioner’s office may identify a public body or other organization that may have an interest or concern regarding the records in question, and the commissioner’s office may request representations from any of those parties.

2-7 Index of records 
(1) The index of records provided by the public body shall include but is not limited to the following information:

  • a record number or page number and if applicable, redaction and severance numbers assigned by the public body;
  • a general description of the record such as a letter, email, memo, note, agreement indicating who it was from, who it was sent to and the date;
  • the number of pages in the record;
  • the section or subsection numbers of the exemptions claimed for that record; and
  • the status of the record, whether released to the applicant in part, full or withheld in full.

A sample of the index of records is contained in Form A.

(2) The commissioner’s office will provide a copy of the index of records to the applicant unless subsection 7(4) of FOIP/LA FOIP has been invoked or the commissioner’s office determines not to release the index of records.

2-8 Contents of a representation
(1) A representation should include but is not limited to the following:

For each exemption relied on or issue under review:

(a) refer to the exemptions that has been applied by section, subsection, clause and sub-clause;

(b) list the record number, page numbers and where applicable redaction or severance numbers that the exemption applies to (group pages if the records are similar);

(c) refer to the test from the IPC Guide to FOIP for that exemption;

(d) refer to the test from the IPC Guide to LA FOIP for that exemption;

(e) provide positions for each part of the test and link these to the information in the record;

(f) provide any further materials necessary to support its position (i.e. affidavits, cases, reports, contracts, screen shots); and

(g) provide reasons or justifications for the position taken by the public body regarding the issue in question including records do not exist, searches, possession or control, fees, waiver of fees, time extensions, transfers, manner of access or correction decisions.

(2) Applicants, third parties and public bodies are encouraged in their representation to follow the tests and principles set out in the IPC Guide to FOIP or IPC Guide to LA FOIP . In addition, cite relevant court cases and decisions from Saskatchewan or other commissioners or ombudsmen across Canada who are responsible for overseeing access and privacy legislation in other jurisdictions.

(3) A representation shall not be disclosed to another party unless the party submitting the representation agrees that the representation or a portion thereof can be shared with another party.

(4) In accordance with section 46 of FOIP, the commissioner may quote short passages from the representation in its final report.

2-9 Records
The records will be provided to the commissioner’s office either in electronic or paper form, with a document number, page number or if applicable, redactions or severance number that corresponds to the number given to that record in the index of records and a redaction or severance number for each line item severed with exemptions applied clearly noted. There is no need to provide the IPC with records released in full. If the record is illegible, the commissioner’s office will ask for a copy that is legible or for a transcript of that record.

2-10 Analysis of the information provided
After 30 days or any further time directed by the commissioner’s office, the commissioner’s office will continue its analysis of the information or materials provided to it. If any information, requested in the notice of review is missing or clarification is needed, the commissioner’s office will make one request for that information from the applicant, public body or third party and then continue with its analysis.

2-11 Additional information
(1) If the commissioner’s office determines it requires additional relevant information to do its analysis, it will request that information from the public body or any other organization it considers appropriate.

(2) In order to avoid delay, the commissioner’s office will request the information by a certain date and if information was not provided by that date or another date directed by the commissioner’s office, the commissioner’s office will proceed with its analysis.

2-12 A draft report
(1) After all information and material has been gathered and an analysis done, the commissioner’s office may prepare a draft report and send it to the public body and any other party the commissioner deems appropriate.

(2) The public body shall have seven days, unless the commissioner directs otherwise, to provide input regarding factual errors in the draft report.

(3) Additional arguments on the exemptions claimed in the representation will not be considered, unless the draft report has raised an approach or principle not contained in the notice of review, the IPC Guide to FOIP or IPC Guide to LA FOIP or unique circumstances exist as to why the additional arguments should be considered.

2-13 Final report 
(1) After the time set out in 2-12(2) expires, the commissioner’s office will proceed to prepare and issue the final report, including, if deemed necessary by the commissioner, any factual corrections or revisions to the recommendations.

(2) The final report will be sent to:

  • the applicant; the head and the head’s designate (if known) of the public body and the FOIP coordinator;
  • any affected third parties;
  • the Deputy Minister of Justice;
  • where the report discloses a possible offense, the Director of Public Prosecutions;
  • where the report involves a city, town, or village, the Deputy Minister of Government Relations and CEO of the Saskatchewan Urban Municipalities Association;
  • where the report involves a board or commission of a city, town or village, the Mayor of the city, town or village, the Deputy Minister of Government Relations and the Saskatchewan Urban Municipalities Association;
  • where a report involves the municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Association of Rural Municipalities;
  • where the report involves a board or commission of a rural municipality, the Reeve of the municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Rural Municipalities Association;
  • where the report involves information technology of the government of Saskatchewan, the Deputy Minister of Central Services;
  • where the report involves an affiliate or health care organization that provides services to the Saskatchewan Health Authority, the Deputy Minister of Health and the CEO of the Saskatchewan Health Authority;
  • where the report involves the managing or archiving of official records, the Provincial Archivist;
  • where the report involves a Board of Education, the Director of the Board of Education, the Deputy Minister of Education, and the Executive Director of the Saskatchewan School Boards Association;
  • where the report involves a University, College, Regional College or Saskatchewan Polytechnic, the Deputy Minister of Advanced Education;
  • where the report involves a professional, the CEO of the association to which the professional belongs;
  • where a report involves a police force, the Chair of the Board of Police Commissioners, the President of the Saskatchewan Association of Chiefs of Police and the Chair of the Saskatchewan Police Commission; and
  • any other public body, organization or person the commissioner’s office considers appropriate.

2-14 Report will be posted
Unless the commissioner directs otherwise, three to five days after the final report is sent to the parties, the report will be:

  • posted on the commissioner’s office’s website;
  • forwarded to CanLll;
  • forwarded to the Saskatchewan Legislative Library; and
  • forwarded to other commissioners or ombudsmen across Canada who are responsible for overseeing federal, provincial or territorial access or privacy legislation.

2-15 Public body to indicate decision
Pursuant to section 56 of FOIP and section 45 of LA FOIP, the head of the public body, within 30 days, shall indicate to the applicant and the commissioner’s office, their decision on the recommendations in the final report. If the head fails to advise the commissioner’s office within 30 days, the commissioner will consider that there is no response to the report and will so state in the commissioner’s Annual Report, in accordance with subsection 62(2) of FOIP and subsection 52(2) of LA FOIP.

2-16 Appeal to court
Pursuant to section 57 of FOIP or section 46 of LA FOIP, the applicant or the third party has the right to appeal the decision of the head to the Court of Queen’s Bench and the applicant, third party, public body or local authority involved will be asked to advise the commissioner’s office of the appeal.

2-17 Commissioner’s office shall destroy the record
The commissioner’s office shall destroy the record which the public body has provided to the commissioner’s office, six months after the report was sent, unless:

(a) the commissioner’s office finds the matter has proceeded to the Court of Queen’s Bench, and in that case shall not destroy the record until the matter is no longer in the courts; or

(b) the commissioner’s office determines there are unique circumstances that justify the record being retained.

PART 3: Procedure on Reviews Under HIPA

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require trustees to follow when carrying out a request for a review under HIPA.

3-1 Request for review
A request for a review may be made and filed with the commissioner’s office by email, regular mail, fax or personal delivery.

3-2 Early resolution
Before commencing a review, the commissioner’s office may attempt to resolve the matter by entering into discussions with the applicant, trustee and any third party.

3-3 Notice of review
After the commissioner’s office determines that a matter cannot be resolved and that a review will be undertaken of the trustee’s decision under HIPA, the commissioner’s office will prepare a notice of review indicating that a review of the trustee’s decision will be undertaken. Notices will be forwarded electronically or by other means to the trustee and the applicant.

3-4 Contents of notice of review 
(1) The notice of review will be prepared in accordance with HIPA and may include a request for the following:

(a) For all records for which the trustee refuses to release:

  • an index of records (see Form A);
  • the records at issue provided to the applicant in the same unaltered form as provided to the applicant with the addition of a record number or page number and if applicable a redaction or severance number, there is no need to provide the IPC with records released in full;
  • the records at issue responsive to the access to information request with no redactions or severances and the record number or page number;
  • a written representation; and
  • any other relevant information that the commissioner considers necessary for a full review.

(2) The notice of review will indicate that all of the items requested in the notice are to be provided within 30 days after receipt of the notice of review or any further time directed by the commissioner’s office.

(3) The notice of review will indicate that the trustee must in its representation, indicate all the reasons the trustee is relying upon. Reasons, not included in a trustee’s representation and raised later, may not be considered by the commissioner’s office.

3-5 Request for representations
From time to time, the commissioner’s office may identify a public body or other organization that may have an interest or concern regarding the records or issues in question, and the commissioner’s office may request representations from any of those parties.

3-6 Index of records 
(1) The index of records provided by the trustee shall include the following information:

  • a record number or page number and if applicable, redaction and severance numbers assigned by the trustee;
  • a general description of the record such as a letter, email, memo, note, agreement indicating who it was from, who it was sent to and the date;
  • the number of pages in the record;
  • the section or subsection numbers of HIPA claimed to support withholding that record; and
  • the status of the record, whether released to the applicant in part, full or withheld in full.

A sample of the index of records is contained in Form A.

(2) The commissioner’s office will provide a copy of the index of records to the applicant unless the trustee provides strong reasons why the index of records should not be provided to the applicant and the commissioner’s office agrees with those reasons.

3-7 Contents of a representation
(1) A representation (should include but is not limited to the following:

For each reason given to withhold a record or issues under review:

(a) list the record number, page numbers and where applicable redaction or severance numbers where the trustee wishes to withhold certain information (group pages if the records are similar);

(b) refer to the test from the Guide to HIPA, where appropriate;

(c) provide positions for each reason to withhold and link the argument to the information in the record;

(d) provide any further materials necessary to support its position (i.e. affidavits, cases, reports, contracts, screen shots); and

(e) provide reasons or justifications for the position taken by the trustee regarding the issue in question under HIPA including searches, custody or control, fees, , time extensions, transfers or correction decisions.

(2) Applicants and trustees are encouraged in their representation to follow the tests and principles set out in the Guide to HIPA. In addition, cite relevant court cases and decisions of other commissioners or ombudsmen across Canada who are responsible for overseeing access and privacy legislation in other jurisdictions.

(3) A representation shall not be disclosed to another party unless the party submitting the representation agrees that the representation or a portion thereof can be shared with another party.

(4) In accordance with section 54 of HIPA, the commissioner may quote short passages from the representation in its final report.

3-8 Records
The records will be provided to the commissioner’s office either in electronic or paper form, with a document number, page number or if applicable, redactions or severance numbers that correspond to the number given to that record in the index of records. There is no need to provide the commissioner’s office with records released in full. If the record is illegible, the commissioner’s office will ask for a copy that is legible or for a transcript of that record.

3-9 Analysis of the information provided 
After 30 days or any further time directed by the commissioner’s office, the commissioner’s office will continue its analysis of the information or materials provided to it. If any information, requested in the notice of review is missing or clarification is needed, the commissioner’s office will make one request for that information from the applicant, trustee or other person and then continue with its analysis.

3-10 Additional information
(1) If the commissioner’s office determines it requires additional relevant information to do its analysis, it will request that information from the trustee or any other organization it considers appropriate.

(2) In order to avoid delay, the commissioner’s office will request the information by a certain date and if information was not provided by that date or another date directed by the commissioner’s office, the commissioner’s office will proceed with its analysis.

3-11 A draft report
(1) After all information and material has been gathered and an analysis done, the commissioner’s office may prepare a draft report and send it to the trustee and any other party the commissioner deems appropriate.

(2) The trustee shall have seven days, unless the commissioner directs otherwise, to provide input regarding factual errors in the draft report.

(3) Additional arguments not contained in the representation will not be considered, unless the draft report has raised an approach or principle not contained in the notice of review, the Guide to HIPA or unique circumstances exist as to why the additional arguments should be considered.

3-12 Final report
(1) After the time set out in 3-11(2) expires, the commissioner’s office will proceed to prepare and issue the final report, including, if deemed necessary by the commissioner, any factual corrections or revisions to the recommendations.

(2) The final report will be sent to:

  • the applicant; the trustee and the trustee’s designate (if known);
  • the Deputy Minister of Justice;
  • where the report discloses a possible offense, the Director of Public Prosecutions;
  • the Deputy Minister of Health;
  • where the report involves information technology related to personal health information, the CEO of eHealth Saskatchewan and the CEO of the Saskatchewan Health Authority;
  • where the report involves an affiliate or health care organization that provides services to the Saskatchewan Health Authority, the CEO of the Saskatchewan Health Authority;
  • where the report involves the managing or archiving of official records, the provincial archivist;
  • where the report involves a health professional, the CEO of the association to which the health professional belongs; and
  • any other public body, organization or person the commissioner’s office considers appropriate.

3-13 Report will be posted 
Unless the commissioner directs otherwise, three to five days after the final report is sent to the parties, the report will be:

  • forwarded to CanLll;
  • forwarded to the Saskatchewan Legislative Library;
  • posted on the commissioner’s office website; and
  • forwarded to other commissioners or ombudsmen across Canada who are responsible for overseeing federal, provincial or territorial access or privacy legislation.

3-14 Trustee to indicate decision 
Pursuant to section 49 of HIPA, the trustee, within 30 days, shall indicate to the applicant and the commissioner’s office, the trustee’s decision on the recommendations in the final report. If the trustee fails to advise the commissioner’s office within 30 days, the commissioner will consider that there is no response to the report and will so state in the commissioner’s Annual Report, in accordance with subsection 60(2) of HIPA.

3-15 Appeal to court
Pursuant to section 50 of HIPA, the applicant has the right to appeal the decision of the head to the Court of Queen’s Bench and the applicant and trustee will be asked to advise the commissioner’s office of the appeal.

3-16 Commissioner’s office shall destroy the record
The commissioner’s office shall destroy the record which the trustee has provided to the commissioner’s office, six months after the report was sent, unless:

(a) the commissioner’s office finds the matter has proceeded to the Court of Queen’s Bench, and in that case shall not destroy the record until the matter is no longer in the courts; or

(b) the commissioner’s office determines there are unique circumstances that justify the record being retained.

PART 4: Procedure on Proactively Reported Privacy Breaches Under FOIP and LA FOIP

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require public bodies, Minister’s offices or Members of the Legislative Assembly’s (MLA) offices to follow when there is a proactively reported privacy.

4-1 Proactively reported privacy breaches 
(1) A public body, Minister’s office or MLA’s office can proactively report a privacy breach by completing the Proactively Reported Breach of Privacy Reporting Form, or an equivalent document and delivering it to the commissioner’s office by email, regular mail, fax or personal delivery.

(2) When a public body, Minister’s office or MLA’s office reports a privacy breach to the commissioner’s office under FOIP/LA FOIP, the commissioner’s office may proceed with an investigation of that privacy breach as outlined in this Part.

(3) When a public body, Minister’s office or MLA’s office proactively reports a privacy breach to the commissioner’s office, the commissioner’s office will open a case file.

4-2 Notice of investigation
When a public body, Minister’s office or MLA’s office proactively reports a privacy breach to the commissioner’s office, the commissioner’s office will prepare and send to the public body, Minister’s office or MLA’s office, a notice of investigation indicating that an investigation will be undertaken. The notice will also request a response within 30 days after receipt of the notice or any further time directed by the commissioner’s office.

4-3 When investigating a privacy breach 
When investigating a proactively reported privacy breach, the commissioner’s office will, among other things, review whether the public body, Minister’s office or MLA’s office issued a notice of a privacy breach under section 29.1 of FOIP or section 28.1 of LA FOIP to the affected individuals as soon as practical.

4-4 Steps taken by public body, minister’s office or MLA’s office
When the commissioner’s office investigates a proactively reported privacy breach, the commissioner’s office will analyze whether the public body, Minister’s office or MLA’s office appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contained the breach (as soon as possible),
  • Notified affected individuals (as soon as possible),
  • Investigated the breach, and
  • Prevented future breaches.

4-5 Privacy breach notification and questionnaire
When the commissioner’s office investigates a reported privacy breach, the commissioner’s office will review:

(a) the notice of privacy breach sent to affected individuals and consider whether it contains the following:

  • a description of what happened, including the date, time, location and who was involved;
  • how the breach was contained,
  • a detailed description of the personal information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the public body, Minister’s office or MLA’s office is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact  information  of  an  individual  within  the  public body, Minister’s office or MLA’s office who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the commissioner’s office;
  • the contact information of the commissioner’s office; and
  • where appropriate, recognition of the impact of the privacy breach on affected individuals and an apology; and

(b)  the Privacy Breach Investigation Questionnaire for public bodies and consider whether the public body has:

  • Contained the breach, (as soon as possible)
  • Notified affected individuals, (as soon as possible)
  • Investigated the breach, and
  • Prevented future breaches.

4-6 Closing of file or issuing a report
After investigating the proactively reported privacy breach and the actions taken by the public body, Minister’s office or MLA’s office:

(a) if the commissioner’s office is satisfied with the steps taken, the file will be closed without issuing a report.

(b) If the commissioner’s office is not satisfied with the steps taken, a person has filed a complaint with the commissioner’s office, a privacy breach is egregious, there is a systemic issue involved, there is significant educational value or where it involves a large number of affected individuals, the commissioner may direct that a report will be issued.

4-7 Issuing a report
If the commissioner’s office determines that a report will be issued, the process for issuing a report in Part 6 will be followed.

PART 5: Procedure on Proactively Reported Privacy Breaches Under HIPA

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require trustees to follow when there is a proactively reported privacy breach.

5-1 Proactively reported privacy breaches 
(1) A trustee can proactively report a privacy breach by completing the Proactively Reported Breach of Privacy Reporting Form or an equivalent document and delivering it to the commissioner’s office, by email, regular mail, fax or personal delivery or).

(2) When a trustee reports a privacy breach to the commissioner’s office under HIPA, the commissioner’s office may proceed with an investigation of that privacy breach as outlined in this Part.

(3) When a trustee proactively reports a privacy breach to the commissioner’s office, the commissioner’s office will open a case file.

5-2 Notice of investigation
When a trustee proactively reports a privacy breach to the commissioner’s office, the commissioner’s office will prepare and send to the trustee, a notice of investigation indicating that an investigation will be undertaken. The notice will also request a response, including completed Privacy Breach Investigation Questionnaire within 30 days after receipt of the notice or any further time directed by the commissioner’s office.

5-3 When investigating a privacy breach 
When investigating a proactively reported privacy breach, the commissioner’s office will, among other things, review whether the trustee issued a notice of a privacy breach to affected individuals as soon as practical.

5-4 Steps taken by trustee
When the commissioner’s office investigates a proactively reported privacy breach, the commissioner’s office will analyze whether the trustee appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contained the breach (as soon as possible),
  • Notified affected individuals (as soon as possible),
  • Investigated the breach, and
  • Prevented future breaches.

5-5 Privacy breach notification and questionnaire
When the commissioner’s office investigates a reported privacy breach, the commissioner’s office will review:

(a) the notice of privacy breach sent to affected individuals and consider whether it contains the following:

  • a description of what happened;
  • a detailed description of the personal health information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the trustee is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact  information  of  an  individual  within  the  trustee who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the commissioner’s office;
  • the contact information of the commissioner’s office; and
  • where appropriate, recognition of the impacts of the privacy breach on affected individuals and an apology.

(b) the Privacy Breach Investigation Questionnaire and consider whether the trustee has:

  • Contained the breach (as soon as possible),
  • Notified affected individuals (as soon as possible),
  • Investigated the breach, and
  • Prevented future breaches.

5-6 Closing of file or issuing a report
After investigating the reported privacy breach and the actions taken by the trustee:

(a) if the commissioner’s office is satisfied with the steps taken, the file will be closed without issuing a report.

(b) if the commissioner’s office is not satisfied with the steps taken, a person has filed a complaint with the commissioner’s office, a privacy breach is egregious, there is a systemic issue involved, there is significant educational value or where it involves a large number of affected individuals, the commissioner may direct that a report will be issued.

5-7 Issuing a report
If the commissioner’s office determines that a report will be issued, the process for issuing a report in Part 7 will be followed.

PART 6: Procedure on Privacy Breach Investigations Under FOIP and LA FOIP

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require public bodies, Minister’s office or Members of the Legislative Assembly’s (MLA) office to follow when carrying out an investigation of a possible privacy breach.

6-1 Complaint of breach of privacy
(1) The commissioner’s office may become aware of a possible privacy breach in several different ways including:

  • an individual complaining to the commissioner’s office about a public body, Minister’s office or MLA’s office actions or practices.
  • a third party in possession of personal information notifying the commissioner’s office.
  • employees of a public body, Minister’s office or MLA’s office informing the commissioner’s office of inappropriate practices within the organization.
  • the commissioner’s office becoming aware of media reports of a potential privacy breach or inappropriate privacy practices

and upon becoming aware, the commissioner’s office may commence an investigation.

(2) A complainant can report a possible privacy breach by completing the Alleged Breach of Privacy Reporting form: for Affected Individuals/Complainants or an equivalent document and delivering it to the commissioner office by email, regular mail, fax or personal delivery.

(3) If a complainant has not yet given the public body, Minister’s office or MLA’s office an opportunity to respond to the matter, the commissioner’s office may refer the complainant to the public body, Minister’s office or MLA’s office before proceeding with an investigation.

6-2 Preliminary inquiries 
Before commencing an investigation, the commissioner’s office may make inquiries to determine whether there are grounds to investigate the possible privacy breach.

6-3 Notice of investigation
After the commissioner’s office determines that there are grounds to investigate, the commissioner’s office will prepare and send to the public body, Minister’s office or MLA’s office, complainant, and any other interested person, a notice of investigation indicating that an investigation will be undertaken.

6-4 Notice of investigation and questionnaire
(1) The notice of investigation will be prepared in accordance with FOIP/ LA FOIP and may include a request for the following:

(2) The notice of investigation will indicate that all of the items requested in the notice of investigation are to be provided within 30 days after receipt of the notice or any further time directed by the commissioner’s office.

6-5 Investigation of the alleged breach 
(1) The commissioner’s office will continue its investigation of the alleged breach. If any information is missing or clarification is needed, the commissioner’s office will make one request for that information from the public body, Minister’s office or MLA’s office and then continue with its investigation. The commissioner’s office will determine whether to request the missing information from the public body, Minister’s office or MLA’s office or another organization.

(2) In order to avoid delay, the commissioner’s office will request the information by a certain date and if information was not provided by that date or another date directed by the commissioner’s office, the commissioner’s office will proceed with its investigation.

(3) If, during the investigation, the commissioner’s office determines there are other interested persons, the commissioner’s office may provide a copy of the notice of investigation to those interested persons and may request those interested persons to provide information within 14 days after receipt of the notice or any further time directed by the commissioner’s office.

6-6 When investigating a complaint of a privacy breach 
When investigating a complaint of a possible privacy breach, the commissioner’s office will, among other things, review whether the public body, Minister’s office or MLA’s office ought to have issued a notification of breach.

6-7 Steps taken by public body, Minister’s office or MLA’s office
When the commissioner’s office determines that there has been a privacy breach, the commissioner’s office will analyze whether the public body, Minister’s office or MLA’s office appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contained the breach (as soon as possible),
  • Notified affected individuals (as soon as possible),
  • Investigated the breach, and
  • Prevented future breaches.

6-8 Breach notification and questionnaire
When the commissioner’s office determines there has been a privacy breach, the commissioner’s office will, in addition to other things, review:

(a) the notice of breach sent to the complainant and affected individuals and determine whether it contains the following:

  • a description of what happened, including date, time location and individual involved;
  • a detailed description of the personal information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact information of an individual within the organization who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the commissioner’s office;
  • the contact information of the commissioner’s office; and
  • where appropriate, recognition of the impacts of the breach on affected individuals and an apology; and

(b) the Privacy Breach Investigation Questionnaire and consider whether the public body has:

  • Contained the breach (as soon as possible),
  • Notified affected individuals (as soon as possible),
  • Investigated the breach, and
  • Prevented future breaches.

6-9 A draft report 
(1) After all information and materials have been gathered and an analysis done, the commissioner’s office may prepare and send a draft report to the public body, Minister’s office or MLA’s office and any other party the commissioner deems appropriate.

(2) The public body, Minister’s office or MLA’s office, shall have seven days, unless the commissioner directs otherwise, to provide input regarding factual errors in the report.

6-10 Final report
(1) After the time set out in 6-9(2) expires, the commissioner’s office will proceed to prepare and issue the final report, including, if deemed necessary by the commissioner, any factual corrections or revisions to the recommendations.

(2) The final report will be sent to:

  • the complainant;
  • the head and the head’s designate of the public body and the FOIP coordinator or where appropriate the Minister’s office or the MLA’s office;
  • where the commissioner directs, the person or entity who is accused of the alleged breach;
  • the Deputy Minister of Justice;
  • where the report discloses a possible offense, the Director of Public Prosecutions;
  • where the report involves a city, town, or village, the Deputy Minister of Government Relations and the CEO of the Saskatchewan Urban Municipalities Association;
  • where the report involves a board or commission of a city, town or village, the Mayor of the city, town or village, the Deputy Minister of Government Relations and the CEO of the Saskatchewan Urban Municipalities Association;
  • where a report involves a municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Association of Rural Municipalities;
  • where the report involves a board or commission of a municipality, the Reeve of the municipality, the Deputy Minister of Government Relations and the Executive Director of the Saskatchewan Rural Municipalities Association;
  • where the report involves information technology of the government of Saskatchewan, the Deputy Minister of Central Services;
  • where the report involves an affiliate or health care organization that provides services to the Saskatchewan Health Authority, the Deputy Minister of Health and the CEO of the Saskatchewan Health Authority;
  • where the report involves the managing or archiving of official records, the provincial archivist;
  • where the report involves a board of education, the Director of the Board of Education the Deputy Minister of Education, and the Executive Director of the Saskatchewan School Boards Association;
  • where the report involves a University, College, Regional College or Saskatchewan Polytechnic, the Deputy Minister of Advanced Education;
  • where the report involves a professional, the CEO of the Association to which the professional belongs;
  • where a report involves a police force, the Chair of the Board of Police Commissioners, the President of the Saskatchewan Association of Chiefs of Police and the Chair of the Saskatchewan Police Commission; and
  • any other public body, Minister’s office or MLA’s office, organization or person the commissioner’s office considers appropriate.

(3) The commissioner will determine whether the name of the person committing the unauthorized breach will be named in the final report and will take in to consideration the following:

  • does the complainant or affected individual need to know in order to protect themselves or take precautionary measures;
  • is the personal information sensitive in nature;
  • was there malicious intent;
  • was the breach accidental;
  • was the unauthorized breach egregious;
  • is there a risk of harm or violence if the snooper’s name is included;
  • was there a breach of professional trust by the snooper; or
  • if it was a case of employee snooping, was the snooper a minor?

6-11 Report will be posted 
(1) Unless the commissioner directs otherwise, three to five days after the final report is sent to the parties, the report will be:

  • posted on the commissioner’s office website;
  • forwarded to CanLll;
  • forwarded to the Saskatchewan Legislative Library; and
  • forwarded to other commissioners or ombudsmen across Canada who are responsible for overseeing federal, provincial or territorial access or privacy legislation.

(2) Unless the commissioner directs otherwise, the final report posted to the commissioner’s office website or forwarded according to subsection (1), will be edited so that the name of the person committing the breach will be changed to initials or some other non-identifying method.

6-12 Head to indicate decision 
Pursuant to section 56 of FOIP or section 45 of LA FOIP, the head of the public body, Minister’s office or MLA’s office shall provide within 30 days to the complainant and the commissioner’s office, the decision on the recommendations in the report. If the head fails to advise the commissioner’s office within 30 days, the commissioner will consider that there is no response to the report and will so state in the commissioner’s Annual Report, in accordance with subsection 62(2) of FOIP or subsection 52(2) of LA FOIP.

6-13 Appeal to court
Pursuant to section 57 of FOIP or section 46 of LA FOIP, the complainant or individual has the right to appeal the decision of the head to the Court of Queen’s Bench and the complainant, or individual, government institution, local authority, Minister’s office or MLA’s office will be asked to advise the commissioner’s office of the appeal.

Part 7: Procedure on Privacy Breach Investigations Under HIPA

What this Part is about: This Part outlines the procedure that the commissioner’s office will follow and require trustees follow when carrying out an investigation of a possible privacy breach.

7-1 Complaint of breach of privacy
(1) The commissioner’s office may become aware of a possible privacy breach in several different ways including:

  • an individual complaining to the commissioner’s office about a trustee’s, actions or practices.
  • Another individual in possession of personal health information notifying the commissioner’s office.
  • employees of a trustee informing the commissioner’s office of inappropriate practices within the organization.
  • the commissioner’s office becoming aware of media reports of a potential privacy breach or inappropriate privacy practices,

and upon becoming aware, the commissioner’s office may commence an investigation.

(2) A complainant can report a possible privacy breach by completing the Alleged Breach of Privacy Reporting Form: for Affected Individuals/Complainants or an equivalent document and delivering it to the commissioner office by email, regular mail, fax or personal delivery.

(3) If a complainant has not yet given the trustee an opportunity to respond to the matter, the commissioner’s office may refer the complainant to the trustee before proceeding with an investigation.

7-2 Preliminary inquiries 
Before commencing an investigation, the commissioner’s office may make inquiries to determine whether there are grounds to investigate the possible privacy breach.

7-3 Notice of investigation
After the commissioner’s office determines that there are grounds to investigate, the commissioner’s office will prepare and send to the trustee, complainant, and any other interested person, a notice of investigation indicating that an investigation will be undertaken.

7-4 Notice of investigation and questionnaire
(1) The notice of investigation will be prepared in accordance with HIPA and may include a request for the following:

(2)  The notice of investigation will indicate that all of the items requested in the notice of investigation are to be provided within 30 days after receipt of the notice or any further time directed by the commissioner’s office.

7-5 Investigation of the complaint and alleged breach 
(1) The commissioner’s office will continue its investigation of the complaint. If any information is missing or clarification is needed, the commissioner’s office will make one request for that information from the trustee and then continue with its investigation. The commissioner’s office will determine whether to request the missing information from the trustee or another organization.

(2) In order to avoid delay, the commissioner’s office will request the information by a certain date and if information was not provided by that date or another date directed by the commissioner’s office, the commissioner’s office will proceed with its investigation.

(3) If, during the investigation, the commissioner’s office determines there are other interested persons, the commissioner’s office may provide a copy of the notice of investigation to those interested persons and may request those interested persons to provide information within 14 days after receipt of the notice or any further time directed by the commissioner’s office.

7-6 When investigating a complaint of a breach 
When investigating a complaint of a possible privacy breach, the commissioner’s office will, among other things, review whether the trustee ought to have issued a notification of breach.

7-7 Steps taken by trustee
When the commissioner’s office determines that there has been a privacy breach, the commissioner’s office will analyze whether the trustee appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contained the breach (as soon as possible),
  • Notified affected individuals (as soon as possible),
  • Investigated the breach, and
  • Prevented future breaches.

7-8 Breach notification and questionnaire
When the commissioner’s office determines there has been a privacy breach, the commissioner’s office will, in addition to other things, review:

(a) the notice of breach sent to the complainant and affected individuals and determine whether it contains the following:

  • a description of what happened;
  • a detailed description of the personal health information that was involved;
  • if known, a description of possible types of harm that may come to them as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact  information  of  an  individual  within  the  organization who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the office of the Saskatchewan Information and Privacy Commissioner;
  • the contact information of the office of the Saskatchewan Information and Privacy Commissioner; and
  • where appropriate, recognition of the impacts of the breach on affected individuals and an apology; and

(b) the Privacy Breach Investigation Questionnaire and consider whether the public body has:

  • Contained the breach (as soon as possible),
  • Notified affected individuals (as soon as possible),
  • Investigated the breach, and
  • Prevented future breaches.

7-9 A draft report 
(1) After all information and materials has been gathered and an analysis done, the commissioner’s office may prepare and send a draft report to the trustee and any other party the commissioner deems appropriate.

(2) The trustee shall have seven days, unless the commissioner directs otherwise, to provide input regarding factual errors in the report.

7-10 Final report 
(1) After the time set out in 7-9(2) expires, the commissioner’s office will proceed to prepare and issue the final report, including, if deemed necessary by the commissioner, any factual corrections or revisions to the recommendations.

(2) The final report will be sent to:

  • the applicant; the trustee and the trustee’s designate (if known);
  • the Deputy Minister of Justice;
  • where the report discloses a possible offense, the Director of Public Prosecutions;
  • the Deputy Minister of Health;
  • where the report involves information technology related to personal health information, the President of eHealth Saskatchewan and the CEO of the Saskatchewan Health Authority;
  • where the report involves an affiliate or health care organization that provides services to the Saskatchewan Health Authority, and the CEO of the Saskatchewan Health Authority;
  • where the report involves the managing or archiving of official records, the provincial archivist;
  • where the report involves a health professional, the CEO of the association to which the health professional belongs; and
  • any other public body, trustee, organization or person the commissioner’s office considers appropriate.

(3) The commissioner will determine whether the name of the person committing the unauthorized breach will be named in the final report and will take in to consideration the following:

  • does the complainant or affected individuals need to know in order to protect themselves or take precautionary measures;
  • is the personal information sensitive in nature;
  • was there malicious intent;
  • was the breach accidental;
  • was the unauthorized breach egregious;
  • is there a risk of harm or violence if the snooper’s name is included;
  • was there a breach of professional trust by the snooper; or
  • if it was a case of employee snooping, was the snooper a minor?

7-11 Report will be posted 
(1) Unless the commissioner directs otherwise, three to five days after the final report is sent to the parties, the report will be:

  • posted on the commissioner’s office web site;
  • forwarded to CanLll;
  • forwarded to the Saskatchewan Legislative Library; and
  • forwarded to other commissioners or ombudsmen across Canada who are responsible for overseeing federal, provincial or territorial access or privacy legislation.

(2) Unless the commissioner directs otherwise, the final report posted to the commissioner’s office website or forwarded according to subsection (1), will be edited so that the name of the person committing the breach will be changed to initials or some other non-identifying method.

7-12 Trustee to indicate decision 
Pursuant to section 49 of HIPA, the trustee shall indicate within 30 days to the complainant and the commissioner’s office, the decision on the recommendations in the report. If the trustee fails to advise the commissioner’s office within 30 days, the commissioner will consider that there is no response to the report and will so state in the commissioner’s Annual Report, in accordance with subsection 60(2) of HIPA.

7-13 Appeal to court
Pursuant to section 50 of HIPA, the complainant or individual has the right to appeal the decision of the head to the Court of Queen’s Bench and the complainant or individual and the trustee will be asked to advise the commissioner’s office of the appeal.

PART 8: Information and Evidence

What this Part is about: This Part sets out some basic requirements for communicating with the commissioner’s office and the providing of information and evidence.

8-1 Commissioner’s office will communicate with the parties or interested persons
The commissioner’s office may communicate with the parties by mail, email, telephone, Liquid Files, encrypted transmissions or fax. Unless impractical, parties shall communicate personal information or personal health information by means of encrypted transmissions or other means where the information is protected.

8-2 Providing information in the form of an affidavit or declaration
(1) Pursuant to section 54 of FOIP, section 43 of LA FOIP or section 46 of HIPA, the commissioner where the circumstances warrant, can require the applicant, complainant, public body, trustee, third party or any other person to provide the information or documents in the form of an affidavit or declaration.

(2) An affidavit or declaration should particularly be used where the issue involves adequate search, custody or control, solicitor client or litigation privilege or other evidence to support the public bodies’ or trustee’s position.

8-3 Refusal to provide information or documents 
Pursuant to section 54 of FOIP, section 43 of LA FOIP, or section 46 of HIPA, where a person or organization refuses to provide information or documents, under oath or otherwise, the commissioner may issue a Notice to Produce Documents or summon a person to attend at the commissioner’s office and give evidence under oath or affirmation and produce documents related to the review or investigation.

8-4 Commissioner’s office will make inquiries 
In any review or investigation, the commissioner’s office may ask for relevant information from any person or organization that the commissioner considers necessary for a full review or investigation.

8-5 Party requesting oral representations
(1) Pursuant to section 53 of FOIP, section 42 of LA FOIP, or section 45 of HIPA, a party may choose to provide the commissioner with written representations, affidavits or other documents.

(2) Prior to receiving the draft of a report, a party may request a hearing to make oral representations in a course of a review or investigation.

(3) All written or oral representations shall be dealt with by the commissioner pursuant to the confidentiality provisions under section 46 of FOIP, section 48 of LA FOIP, or section 54 of HIPA.

PART 9: Solicitor-Client or Litigation Privilege

What this Part is about: This Part sets out the procedure to be followed when a head claims solicitor-client privilege or litigation privilege.

9-1 Claiming solicitor-client or litigation privilege 
(1) Where solicitor-client privilege or litigation privilege is being claimed as an exemption by the head or delegate, the commissioner’s office will request the head or delegate to provide a copy of the records, a redacted copy of the records or an affidavit of records over which solicitor-client or litigation privilege is claimed setting out the elements requested in Form B.

(2) Where the commissioner’s office has reasonable basis for seeking clarifying information on the face of the affidavit itself, it will informally request such clarifying information, which the government institution may voluntarily provide without jeopardizing the privilege claimed.

(3) If the affidavit of records over which solicitor-client privilege or litigation privilege is claimed does not establish a prima facie case for solicitor-client privilege or litigation privilege, and the commissioner has a reasonable basis for questioning the content of the affidavit, the commissioner may, exercising his formal powers, and only as necessary, request additional background information by affidavit or otherwise.

(4) In rare cases, where the prima facie case for privilege is still not established, despite the informal and / or formal requests for additional information by the commissioner’s office, and only as absolutely necessary, will the commissioner order production of the records over which privilege is claimed in order to verify the claim in accordance with his statutory powers.

(5) The commissioner’s office will not release any record, partial record, or affidavit of records over which solicitor-client privilege or litigation privilege is claimed to the applicant, unless the head or delegate submitting the affidavit agrees that the record or affidavit, or a portion thereof, can be shared with the applicant.

PART 10: Application to Disregard an Access to Information Request or a Request for Correction Under FOIP and LA FOIP

What this Part is about: This Part sets out the procedure for a public body in applying to disregard an access to information request or a request for correction under FOIP and LA FOIP.

10-1 Head applies to disregard an access to information request or a request for correction 
(1) When a head applies to the commissioner’s office to disregard an access to information request or a request for correction pursuant to section 45.1 of FOIP or section 43.1 of LA FOIP, the head shall apply to the commissioner’s office and provide information outlined in section 10-2 as soon as reasonably practical but preferably within 10 days of receiving the request.

(2) Where the circumstances require, the commissioner’s office may request the head to provide the information by an affidavit or declaration.

10-2 Head to provide information 
When a head of a public body applies to disregard an access to information request or a request for correction, the head will provide the following information:

  • a copy of the date stamped access to information request(s) or request(s) for correction that the public body wishes to disregard;
  • contact information for the applicant;
  • specific subsections relied on (subsection 45.1(2)(a), (b), or (c) of FOIP or 43.1(2)(a), (b), or (c) of LA FOIP);
  • reasons as to why the commissioner’s office should grant the application to disregard;
  • copies of previous access to information requests or requests for correction, if relevant;
  • copies of letters or emails between the person making the access to information request and the public body, if relevant;
  • copies of any other documents the head considers relevant; and
  • confirmation that the applicant was provided a copy of the application to disregard.

10-3 Head to provide copy
The head shall provide the application to disregard as outlined in section 10-2 to the applicant.

10-4 Parties to application to disregard
(1) The parties to the application to disregard are the public body and the applicant.

(2) The commissioner’s office will not consider the application to disregard received by the commissioner’s office 30 days after the date of the access to information request or request for correction, unless the commissioner’s office is satisfied there are extraordinary circumstances as to why the application is late.

(3) The commissioner’s office will notify the applicant that the public body has applied to the commissioner to disregard the access to information request or the request for correction and the applicant may respond to the commissioner’s office within 10 days.

10-5 Commissioner’s office will make inquiries
In an application to disregard, the commissioner’s office will make inquiries of any person or organization it considers necessary to do a complete and accurate analysis.

10-6 Priority of application to disregard
The commissioner’s office will give applications to disregard priority in the office and all efforts will be taken to make inquiries, do the analysis and provide a decision within 20 days.

10-7 Form of commissioner’s response
(1) The commissioner will issue a report with the decision with reasons for the decision and a statement as to whether the application to disregard has been granted or refused.

(2) The report with the decision of the commissioner will be sent to the head of the public body and the applicant.

10-8 Decision will be posted 
Unless the commissioner directs otherwise, in three to five days after the decision is sent to the parties, the decision will be:

  • posted on the commissioner’s office website;
  • forwarded to CanLll;
  • forwarded to the Saskatchewan Legislative Library; and
  • forwarded to other commissioners or ombudsmen across Canada who are responsible for overseeing federal, provincial or territorial access or privacy legislation.

Forms