Table of Contents 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60

Guide to FOIP-Chapter 2

GUIDE TO FOIP The Freedom of Information and Protection of Privacy Act Chapter 2 Administration of FOIP

TABLE OF CONTENTS Overview.......................................................................................................................................................................1 Minister of Justice and Attorney General – Roles & Responsibilities....................................................2 Minister’s Annual Report....................................................................................................................................2 Ministry of Justice and Attorney General.....................................................................................................4 Government Institutions – Roles & Responsibilities....................................................................................4 Head of a Government Institution..................................................................................................................6 The FOIP Coordinator or Privacy Officer ......................................................................................................7 Section 60: Delegation........................................................................................................................................9 Notices Required by FOIP............................................................................................................................... 12 Routine Disclosure & Active Dissemination ............................................................................................ 14 Proactive Reporting of Privacy Breaches .................................................................................................. 15 Information & Privacy Commissioner - Roles & Responsibilities........................................................ 17 Section 33: Privacy Powers ............................................................................................................................. 18 Section 38: Appointment ................................................................................................................................ 20 Section 44: Oath or Affirmation.................................................................................................................... 21 Section 46: Confidentiality.............................................................................................................................. 22 Section 45: General Powers of Commissioner ........................................................................................ 24 Section 45.1: Power to Authorize a Government Institution to Disregard Applications or Requests ................................................................................................................................................................ 25 Section 47: Non-compellability .................................................................................................................... 26 Section 50: Refusal to Review........................................................................................................................ 27 Section 53: Conduct of Review ..................................................................................................................... 28 Section 54: Powers of Commissioner ......................................................................................................... 30 Section 55: Report of Commissioner .......................................................................................................... 31 Section 62: Annual Report .............................................................................................................................. 33 Procedural Fairness ........................................................................................................................................... 33 Court of King’s Bench - Roles & Responsibilities ...................................................................................... 35 Section 57: Appeal to Court........................................................................................................................... 35 Section 58: Powers of Court on Appeal..................................................................................................... 37

Section 61: Burden of Proof ............................................................................................................................... 42 Standard Required to Meet Burden of Proof .......................................................................................... 42 Who has the Burden of Proof........................................................................................................................ 45 Affidavit Evidence .............................................................................................................................................. 47 Offences & Penalties............................................................................................................................................. 48 Section 66: Proceedings Prohibited............................................................................................................ 48 Section 67: Immunity from Prosecution.................................................................................................... 49 Section 68: Summary Offences ..................................................................................................................... 50 Privacy and Access Offences............................................................................................................... 53 Not Cooperating with the Commissioner...................................................................................... 54

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 1 Overview This Chapter explains the administration of The Freedom of Information and Protection of Privacy Act (FOIP). This includes the roles and responsibilities of various bodies including the Ministry of Justice, government institutions and the Information and Privacy Commissioner. What follows is non-binding guidance. Every matter should be considered on a case-by-case basis. This guidance is not intended to be an exhaustive authority on the interpretation of these provisions. Government institutions may wish to seek legal advice when deciding on how to interpret the Act. Government institutions should keep section 61 of FOIP in mind. Section 61 places the burden of proof for establishing that access to a record may or must be refused on the government institution. For more on the burden of proof, see Section 61: Burden of Proof later in this Chapter. This is a guide. The tests, criteria and interpretations established in this Chapter reflect the precedents set by the current and/or former Information and Privacy Commissioners in Saskatchewan through the issuing of Review Reports. Court decisions from Saskatchewan affecting The Freedom of Information and Protection of Privacy Act (FOIP) will be followed. Where this office has not previously considered a section of FOIP, the Commissioner looked to other jurisdictions for guidance. This includes other Information and Privacy Commissioners’ Orders, Reports and/or other relevant resources. In addition, court decisions from across the country are relied upon where appropriate. This Chapter will be updated regularly to reflect any changes in precedent. This office will update the footer to reflect the last update. Using the electronic version directly from our website will ensure you are always using the most current version.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 2 Minister of Justice and Attorney General – Roles & Responsibilities The Lieutenant Governor of Saskatchewan designates the Minister responsible for the administration of The Freedom of Information and Protection of Privacy Act (FOIP) by Order in Council. This responsibility has been given to the Minister of Justice and Attorney General. While the nature of FOIP requires that decisions with respect to access to records and the management of personal information be made within each government institution, the Minister of Justice and Attorney General retains overall responsibility for its administration.1 The Minister is required by FOIP to prepare and submit an Annual Report to the Speaker of the Assembly on the administration of FOIP and The Freedom of Information and Protection of Privacy Regulations. Minister’s Annual Report Minister’s report 63(1) The minister shall prepare and submit an annual report to the Speaker of the Assembly on the administration of this Act and the regulations within each government institution during the year, and the Speaker shall cause the report to be laid before the Assembly in accordance with section 13 of The Executive Government Administration Act. (2) The annual report of the minister is to provide details of: (a) the number of applications received by each government institution during the year; (b) the number of times during the year that the head of each government institution refused an application for access to a record, and the specific provisions of this Act or the regulations on which the refusals were based; and (c) the fees charged and collected by each government institution for access to records during the year. (3) The minister may require government institutions to produce the information or records that, in the opinion of the minister, are necessary to enable the minister to fulfil the requirements of this section. 1 Ministry of Justice, Annual Report 2001-2002, The Freedom of Information and Protection of Privacy Act at p. 4.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 3 The Minister of Justice and Attorney General transmits to the Speaker of the Assembly an Annual Report on the administration of FOIP and The Freedom of Information and Protection of Privacy Regulations (FOIP Regulations). The Annual Report breaks down the administration of FOIP and the FOIP Regulations for each government institution. The requirement for an Annual Report and its contents is outlined at section 63 of FOIP. Each year, the Ministry of Justice and Attorney General collects and reports statistical information regarding the exercise of and compliance with access rights under FOIP. The reports provide statistical information both by individual government institutions and by the total provincial government administration.2 The reports are divided into two categories: general and personal. Applications for general information refer to records in the possession or under the control of a government institution other than those described as personal information in section 24 of FOIP. Applications for personal information refer to records in the possession or under the control of a government institution described in section 24 of FOIP. The Minister’s Annual Report breaks down: • The number of applications received government-wide, their status, the processing time in completing the applications, the fees estimated and collected. • Exemptions applied to deny access. • The number of general information requests received by each government institution, action taken, and fees estimated and collected. • The number of personal information requests received by each government institution, action taken, and fees estimated and collected.3 2 Ministry of Justice, Annual Report 2016-2017, The Freedom of Information and Protection of Privacy Act, at p. 6. 3 Ministry of Justice, Annual Report 2016-2017, The Freedom of Information and Protection of Privacy Act, at p. 6.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 4 Ministry of Justice and Attorney General On an ongoing basis, the Ministry of Justice and Attorney General provides direction and support to government institutions as it relates to FOIP. The Ministry of Justice and Attorney General: • Provides legal advice to government institutions. • Plays a leadership role on access and privacy issues, including the collection of statistical information related to access to information requests and the preparation of the annual report. • Prepares and maintains access and privacy tools, such as guidelines, checklists and administrative procedures. • Provides and supports training and awareness regarding access and privacy. • Through its website, provides information to the public, government institutions and local authorities to help with understanding both the access to information and the privacy components of the legislation.4 The Ministry of Justice and Attorney General collects statistical information regarding the exercise of and compliance with access rights under FOIP. The reports provide statistical information both by individual government institutions and by the total provincial government administration. This statistical information is reported in the Minister’s Annual Report.5 Government Institutions – Roles & Responsibilities Interpretation 2(1) In this Act: … (d) “government institution” means, subject to subsection (2): (i) the office of Executive Council or any department, secretariat or other similar agency of the executive government of Saskatchewan; or 4 Ministry of Justice and Attorney General, The Freedom of Information and Protection of Privacy Act, Annual Report 2021-22, at p. 5. 5 Ministry of Justice, Annual Report 2016-2017, The Freedom of Information and Protection of Privacy Act, at p. 6.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 5 (ii) any prescribed board, commission, Crown corporation or other body, or any prescribed portion of a board, commission, Crown corporation or other body, whose members or directors are appointed, in whole or in part: (A) by the Lieutenant Governor in Council; (B) by a member of the Executive Council; or (C) in the case of: (I) a board, commission or other body, by a Crown corporation; or (II) a Crown corporation, by another Crown corporation; FOIP applies to all “government institutions” as defined by subsection 2(1)(d) of FOIP. This includes ministries, boards, commissions, Crown corporations and other bodies as prescribed in the Appendix, Part I of The Freedom of Information and Protection of Privacy Regulations. See the Guide to FOIP, Chapter 1, “Purposes and Scope of FOIP” for more on the definition of a government institution. A government institution that is subject to FOIP has statutory duties with regard to providing access to information and protecting personal information in its possession or control. The head of a particular government institution may claim that the government institution is not covered by FOIP6 and consequently refuse a request for information on that basis. Such a refusal will likely be subject to review, at the request of the applicant, in the same way as a refusal based on a disclosure exemption. The applicability of FOIP to particular agencies may be resolved in this manner or through ultimate resort by the courts.7 FOIP states explicitly that the courts are not government institutions for the purposes of FOIP.8 6 Government institutions should consider the definition of a “government institution” at subsection 2(1)(d) of FOIP and the Appendix, Part I of the FOIP Regulations for additional prescribed “government institutions”. 7 Adapted from McNairn and Woodbury, Government Information: Access and Privacy, (2009), Carswell: Toronto at p. 2-7. 8 The Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. F-22.01, at subsection 2(2)(c).

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 6 IPC Findings In Review Report 056-2014, the Commissioner considered whether the Office of the Chief Coroner (OCC) was a government institution pursuant to subsection 2(d) of FOIP. The Commissioner found that the OCC was not a government institution and recommended that the Ministry of Justice take steps to amend section 3 of the Appendix, Part I of The Freedom of Information and Protection of Privacy Regulations to include the OCC as a prescribed government institution. An amendment was made in 2016 adding the Office of the Chief Coroner to the list of government institutions in The Freedom of Information and Protection of Privacy Regulations.9 Head of a Government Institution Interpretation 2(1) In this Act: … (e) “head” means: (i) in the case of an agency mentioned in subclause d(i), the member of the Executive Council responsible for the administration of the agency; and (ii) in the case of a board, commission, Crown corporation or body mentioned in subsection (d)(ii), the prescribed person; The head of each government institution is responsible for all decisions made under FOIP that relate to the government institution. It would be difficult and perhaps ineffective to have an entire government institution accountable. Therefore, accountability rests with the “head” of the government institution. Subsection 2(1)(e) of FOIP defines the “head” of a government institution. In most circumstances, the head is generally the minister, chief executive officer or chair of a government institution. 9 Publications Saskatchewan, OC 134/2016 – The Freedom of Information and Protection of Privacy (Designation) Amendment Regulations, 2016 (Minister of Justice and Attorney General). See https://publications.saskatchewan.ca/#/products/78543.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 7 Minister is a member of the Executive Council appointed to head a ministry of the Government of Saskatchewan.10 Section 4 of The Freedom of Information and Protection of Privacy Regulations provides further definitions as follows: Heads prescribed 4(1) For the purpose of subclause 2(1)(e)(ii) of the Act: (a) the chief executive officers of Crown corporations that are prescribed as government institutions pursuant to clause 3(a) are prescribed as the heads of their respective Crown corporations; (b) the chief executive officers of Crown corporations that are the parent corporations of subsidiaries that are prescribed as government institutions pursuant to clause 3(b) are prescribed as the heads of the respective subsidiaries; (b.1) the Chief Coroner for Saskatchewan is prescribed as the head of the Office of the Chief Coroner; (c) the chairpersons of all other bodies that are prescribed as government institutions pursuant to clause 3(a) or the chairpersons of the boards of those bodies, as the case may be, are prescribed as the heads of their respective government institutions; and (d) in the case of a corporation sole prescribed as a government institution pursuant to clause 3(a), the individual that constitutes the corporation sole is prescribed as the head of that government institution. The head of a government institution can delegate some or all of the responsibilities to another individual. In most cases, it is the deputy minister or another senior official who will be delegated this authority. Such delegation should be done in compliance with section 60 of FOIP. For more on delegation, see Section 60: Delegation, later in this Chapter. The FOIP Coordinator or Privacy Officer Probably the most important person in managing access and privacy issues in any government institution is the designated FOIP Coordinator or Privacy Officer. The FOIP Coordinator may have different titles such as an Access Coordinator. It is also possible the 10 Adapted from British Columbia Government Services, FOIPPA Policy Definitions at https://www2.gov.bc.ca/gov/content/governments/services-for-government/policiesprocedures/foippa-manual/policy-definitions. Accessed April 23, 2020.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 8 title does not appear to relate to access and privacy, yet the individual also carries these duties. The roles of the FOIP Coordinator and Privacy Officer might be combined and handled by one individual in the organization or the roles might be separated and handled by two. The duties and roles of each in an organization are very different but also very interrelated. FOIP places responsibility on the “head” or Minister of a government institution. That head, however, may delegate some or all of those powers to someone else in the organization, such as the FOIP Coordinator and/or Privacy Officer, pursuant to section 60 of FOIP. The FOIP Coordinator or Privacy Officer is responsible for the overall management of access to information and protection of personal information within the organization.11 So, what exactly does a FOIP Coordinator or Privacy Officer do? FOIP Coordinators and Privacy Officers assist departments to meet their statutory responsibilities, promoting open government and fostering “an organizational culture” that advances four fundamental principles: 1. Information (general records should be available to the public). 2. Individuals should have access to their own personal information. 3. Exemptions to access should be limited and specific. 4. Institutions should protect the privacy of individuals with respect to their personal information.12 A FOIP Coordinator or Privacy Officer should: • Respond to access requests and privacy complaints. • Raise awareness of access and privacy issues on a regular and proactive basis within their organization. • Be aware of operations of the organization, the types of records and recordmanagement systems in the department. 11 Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 2, p. 24. 12 Office of the Saskatchewan Information and Privacy Commissioner (SK OIPC), FOIP FOLIO, January 2004 at p. 3.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 9 • Quickly identify what units within the department are likely to have the records responsive to an access request and which employees should be consulted. • Be senior enough to be able to provide access and privacy advice to the Deputy Minister or head of the organization on a regular basis. • Monitor decisions and recommendations of the IPC and ensure those decisions are integrated into the orientation and in-service training of staff in the department. • Be involved in the design of new programs that may impact access or privacy rights. • Provide timely advice to the department to ensure that FOIP will be complied with. • Improve general awareness about the legislation through training sessions and materials within the department. In large organizations, newsletters, notices, FAQs or a column in an intradepartmental bulletin may be helpful. The FOIP Coordinator or Privacy Officer may undertake internal audits to identify areas where more work is required to ensure full compliance.13 FOIP Coordinators and Privacy Officers may meet from time to time to discuss common problems or share knowledge and experience. Section 60: Delegation Delegation 60(1) A head may delegate to one or more officers or employees of the government institution a power granted to the head or a duty vested in the head. (2) A delegation pursuant to subsection (1): (a) is to be in writing; and (b) may contain any limitations, restrictions, conditions or requirements that the head considers necessary. Delegation means entrusting someone else to act in one’s place.14 Only the head of a government institution has the power to delegate some or all of the head’s powers under FOIP to one or more officers or employees of the government institution. The delegation should: 13 SK OIPC, FOIP FOLIO, January 2004 at pp. 3-4. 14 British Columbia Government Services, FOIPPA Policy Definitions at https://www2.gov.bc.ca/gov/content/governments/services-for-government/policiesprocedures/foippa-manual/policy-definitions. Accessed April 23, 2020.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 10 • Be in writing. • Contain any limitations, restrictions, conditions or requirements the head considers necessary.15 The head, for purposes of FOIP, includes the member of the Executive Council responsible for the administration of the agency (i.e., Minister, President/CEO).16 Here are some important things regarding a delegation: • The delegation should identify the position, not the individual, to which the powers are delegated. When delegation is to the position, a new delegation is not required when a new appointee assumes the position. • The delegation can cover a wide variety of duties, powers and functions; • It remains in effect until replaced by an updated version. • It is important to review the delegation periodically for any changes that may be needed, especially if the government institution is restructured or part of the government institution is transferred to another government institution. • The delegation should specifically refer to handling access to information requests including the processing of requests and the power to make decisions whether or not to disclose all or part of a record. • A delegation relating to the handling of privacy can be more general and center on the delegated responsibility for collection, handling and protection of personal information. • Delegated authority empowers certain officials and employees to make decisions or act. • In general, delegation should be considered for all provisions of FOIP that state that the head may or must do something.17 • The person delegating the authority remains responsible and accountable for all actions and decisions made under that delegation.18 15 The Freedom of Information and Protection of Privacy Act, S.S. 19901-91, c. F-22.01 at s. 60(2)(a) and (b). 16 The Freedom of Information and Protection of Privacy Act, S.S. 19901-91, c. F-22.01 at s. 2(1)(e). 17 Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 2, p. 27. 18 “Delegate” British Columbia Government Services, FOIPPA Policy Definitions at https://www2.gov.bc.ca/gov/content/governments/services-for-government/policiesprocedures/foippa-manual/policy-definitions. Accessed April 23, 2020.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 11 The FOIP Coordinator or Privacy Officer normally prepares the delegation and submits it to the head for approval.19 It is important that all delegated officers or employees know and understand their delegated responsibilities. It is also important that others in the organization understand that only those with delegated responsibilities under FOIP should be carrying out those duties and functions.20 If the individual with delegated authority is not actually making the decisions that they were delegated to make, the delegation is not being properly utilized.21 In other words, in order to be a true delegation, the individual needs to actually be given the authority to make the decisions as per the delegation. As noted earlier, the head of a government institution may delegate some or all of the head’s powers under FOIP. Even with a delegation, the head may retain certain powers and make certain decisions. There may be instances where there is no written delegation, but another Minister or Deputy Minister could act on behalf of the Minister (the head). The Legislation Act provides: 2-34(1) If an enactment directs or empowers a minister of the Crown to do an act or thing, or otherwise applies to the minister by the minister’s name of office, a reference in that enactment to the minister includes: (a) another minister acting for the minister; (b) if the office of the minister is vacant, a minister designated to act in the office; (c) the successor in the office of the minister; and (d) the minister’s deputy minister or a person acting as deputy minister.22 For more assistance on the delegation of powers, see Guidance for Delegation Powers, issued by the former Access and Privacy Branch with the Ministry of Justice and Attorney General. 19 Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 2, p. 27. 20 Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 2, p. 28. 21 Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 2, p. 29. 22 The Legislation Act, SS 2019, c L-10.2 at s. 2-34.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 12 Notices Required by FOIP FOIP contains requirements that government institutions give various types of notices to persons. For example, section 7 of FOIP provides that the head of the government institution shall give written notice to an applicant of its decision regarding access within 30 days after an application is made. The following are notices required to be provided by government institutions. This list does not include other obligations to inform: • Section 7 notice of the head’s decision regarding access is to be provided to an applicant within 30 days after an application is received by the government institution. • Subsection 7.1(2) notice is to be provided to applicants when applications are deemed abandoned. • Subsection 11(1)(b) notice is to be provided to applicants when a record responsive to an access request is transferred to another government institution for processing. • Subsections 12(2) and (3) requires a notice to be provided to applicants when the head extends the 30-day response time. Notice of the extension is to be given within the first 30 days after an application is made. Within the period of extension, the head shall give notice in accordance with section 7. • Subsection 26(2) requires the government institution to inform an individual of the purpose for the direct collection of the individual’s personal information unless the FOIP Regulations exempts the information from this notice. • Section 34 notice is to be given to third parties where a head intends to give access to third party information (see section 19 of FOIP) or personal information that may be disclosed pursuant to subsection 29(2)(o) of FOIP. This notice requirement can be waived by the third party (see section 35 of FOIP). • Section 37 notice of the head’s decision regarding whether access to the third party information will be given is to be provided to the third party and applicant within 30 days after the third party was provided notice pursuant to section 34 of FOIP. • Section 52 notice is to be given to third parties that a review by the Information and Privacy Commissioner (IPC) is occurring. The head shall provide this notice to any third party that was or would have been given notice under section 34 of FOIP. This notice shall be given immediately upon learning of the IPC’s review. The head must also immediately provide notice of a review to an applicant where the review is requested by the third party. • Section 56 notice of the head’s decision regarding the Commissioner’s report must be given to the Commissioner, applicant or individual and third party within 30 days of receiving the Commissioner’s report.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 13 • Subsections 57(2) and (3) requires notice to be given to any third party that was or would have been given notice under section 34 advising them that an appeal to the Court of King’s Bench has been made by an applicant. If it is the third party that is appealing to the Court of King’s Bench, then the head must give notice to the applicant. Subsection 66(1)(c) of FOIP provides that no proceeding lies or shall be instituted against the Government of Saskatchewan, a government institution, a head or other officer or employee of a government institution if it fails to give any notice required under FOIP provided reasonable care was taken to give the notice. Subsection 66(2) of FOIP provides that reasonable care is deemed to have been taken if the notice was sent to the applicant’s address that was provided on the access to information form. IPC Findings In Review Report 110-2014, the Commissioner found that the Ministry of Health (Health) did not provide its section 7 notice within the legislated timeline. The Commissioner noted that 114 days had elapsed between when Health received the access request and when it provided its section 7 notice to the applicant. The Commissioner recommended that Health remain committed to the changes it is making to its processes by regularly evaluating whether it is achieving timelier responses and searches that are more comprehensive. Further, it should continue to make necessary changes until both are achieved. In Review Report 209-2015 to 213-2015 (five files in one report), the Commissioner found that the Ministry of Health (Health) did not respond to five access requests within the legislated timelines. The timelines were 81 to 107 days for the five access requests. The Commissioner noted that in 2015, the Commissioner issued 10 reports addressing 24 access requests to which Health had not responded within the legislated timelines. The Commissioner recommended Health change its processes so that responses to access requests go through a consistent streamlined process with no more than two or three approvers. In Review Report 311-2017, 312-2017, 313-2017, 316-2017, 340-2017, 341-2017 and 3422017 (seven files in one report), the Commissioner found that the Global Transportation Hub’s (GTH) responses to the applicant were inadequate in terms of what is required by subsections 12(3) and 7(2) of FOIP. The Commissioner also found that GTH did not provide notice to the third party pursuant to subsection 52(1) of FOIP. The Commissioner

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 14 recommended that GTH amend its procedures so that when it is extending the initial 30 days to respond pursuant to section 12, it provides the necessary notices to third parties pursuant to Part V of FOIP no later than the 30th day after it received an access request. Routine Disclosure & Active Dissemination In addition to providing access to records and information in response to access requests, government institutions may provide access to information and records through two other processes: 1. Routine disclosure in response to inquiries and requests for information. 2. Active dissemination of information.23 Routine disclosure and active dissemination will likely satisfy many of the information needs of members of the public. There are numerous advantages of using routine disclosure and active dissemination processes. The public will be better served and better informed through the planned and targeted release of information in support of overall program objectives. As well, making information available outside the FOIP process can promote cost-effective management of public information resources.24 Personal information and personal health information must be handled differently. For more on handling personal information, see the Guide to FOIP, Chapter 6, “Protection of Privacy”. For more on handling personal health information, see the IPC Guide to HIPA. For more on routine disclosure and active dissemination, see the Guide to FOIP, Chapter 3, “Access to Records” at Section 65: Access to Manuals and Section 65.1: Records Available Without an Application. 23 Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 2, p. 31. 24 Service Alberta, FOIP Guidelines and Practices: 2009 Edition, Chapter 2 at p. 31.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 15 Proactive Reporting of Privacy Breaches A privacy breach occurs when there is an unauthorized collection, use or disclosure of personal information.25 For more on what constitutes a privacy breach see Chapter 6, Protection of Privacy. When a government institution believes that a privacy breach may have occurred, it has the option to proactively report the matter to the IPC rather than wait for the IPC to learn about the breach through other sources such as the media or affected individuals. The IPC has a form titled, Proactively Reported Breach of Privacy Reporting Form: for Public Bodies. Government institutions should complete this form and submit it to intake@oipc.sk.ca. Some of the benefits of proactively reporting privacy breaches include: • May reduce the need for the IPC to issue a public report on the matter. • Receive timely, expert advice from the IPC - the IPC can help guide the government institution on what to consider, what questions to ask and what parts of FOIP or The Freedom of Information and Protection of Privacy Regulations may be applicable. • Should the media contact the government institution, the government institution can advise it has notified the IPC of the privacy breach and will seek assistance from the IPC with handling it. • Should affected individuals contact the IPC, the IPC can assure the individuals that the IPC is aware of the breach which may prevent a formal complaint to the IPC.26 When a government institution proactively reports a privacy breach to the IPC, a file will be opened. The government institution will be asked to complete and provide the IPC’s Privacy Breach Investigation Questionnaire (Questionnaire) and any other relevant material within 30 days. The Questionnaire takes government institutions through the four best practice steps of responding to a breach (see four steps below). The completed Questionnaire should provide the IPC with what is required to conduct an investigation. If further information is required, the IPC will advise. 25 SK OIPC Dictionary available at https://oipc.sk.ca/resources/dictionary/. 26 SK OIPC Resource, Privacy Breach Guidelines for Government Institutions and Local Authorities at p. 11.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 16 Upon receipt, the focus of the IPC is on whether the government institution appropriately handled the breach. This is based on whether the government institution adequately addressed each of the four best practice steps recommended by the IPC. The four best practice steps include: 1. Contain the breach 2. Notify affected individuals and/or appropriate organizations 3. Investigate the breach 4. Plan for prevention27 Once the IPC receives the relevant material, it will review the file and make a decision. The possible outcomes are as follows: • If the Commissioner is satisfied with the government institution’s overall response to the breach, the file will be closed informally without a public report. This process may include some informal recommendations from the IPC. • If the breach is egregious or it involves a large number of affected individuals, the Commissioner may determine that a report will be issued. • If an affected individual makes a formal complaint, the Commissioner may determine that a report will be issued. • If the Commissioner is not satisfied with the government institution’s response or handling of the breach, the IPC will issue a report. Once the IPC has made a decision, the government institution will be advised if a report will be issued or not. The government institution will also be notified if an affected individual makes a formal complaint, which may also result in a public report.28 If you have questions or need further guidance, contact the SK OIPC at intake@oipc.sk.ca. Government institutions should be aware of section 29.1 of FOIP. It requires government institutions to notify an individual of an unauthorized use or disclosure of the individual’s 27 SK OIPC Resource, Privacy Breach Guidelines for Government Institutions and Local Authorities at pp. 6 to 9. 28 For more, see SK OIPC resource, Privacy Breach Guidelines for Government Institutions and Local Authorities. Available at Privacy Breach Guidelines (oipc.sk.ca).

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 17 personal information by the government institution if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual. For more on this, see the Guide to FOIP, Chapter 6, “Protection of Privacy” at Section 29.1. Information & Privacy Commissioner - Roles & Responsibilities The Saskatchewan Information and Privacy Commissioner is an independent Officer of the Legislative Assembly. Commencing November 1, 2003, the Commissioner became a full-time position and resources were provided to enable a stand-alone office. Prior to this, the Commissioner was a part-time position and there was no office.29 The enabling statute creates the powers of the Commissioner. In this case, that statute is FOIP. Under FOIP, the Commissioner has oversight over compliance with the Act by all government institutions in Saskatchewan that are subject to it. FOIP provides for independent reviews of decisions made by government institutions under FOIP and the resolution of privacy complaints. There are four elements in the Commissioner’s mandate: 1. The Commissioner responds to requests for review of decisions made by government institutions in response to access requests and makes recommendations to government institutions. 2. The Commissioner responds to complaints from individuals who believe their privacy has not been respected by government institutions and makes recommendations to those government institutions. 3. The Commissioner provides advice to government institutions on legislation, policies or practices that may impact access or privacy rights. 29 SK OIPC Annual Report - 2003-2004 at p. 7.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 18 4. The Commissioner undertakes public education with respect to information rights including both access to information and protection of privacy.30 The Commissioner prepares a report on the completion of a review or investigation that includes findings and recommendations for the government institution. The government institution has a responsibility to respond to the Commissioner’s report under section 56 of FOIP indicating whether it will comply with the recommendations. If not satisfied with the section 56 response from the government institution, an applicant can pursue an appeal to the Court of King’s Bench for Saskatchewan. The Court of King’s Bench will determine the matter de novo. A hearing de novo means a review of a matter anew, as if the original hearing had not taken place.31 The Commissioner is neutral and does not represent a government institution or an applicant in a review or investigation. In January 2018, the Commissioner wrote a blog about the Commissioner’s office and when the roles of collaborator and neutral objective decision-maker come into play. For more see, So, Do We Collaborate? Section 33: Privacy Powers Privacy powers of commissioner 33 The commissioner may: (a) offer comment on the implications for privacy protection of proposed legislative schemes or government programs; (b) after hearing the head, recommend that a government institution: (i) cease or modify a specified practice of collecting, using or disclosing information that contravenes this Act; and (ii) destroy collections of personal information that is collected in contravention of this Act; 30 SK OIPC Annual Report - 2003-2004 at p. 7. 31 Garner, Bryan A., 2009. Black’s Law Dictionary, Deluxe 10th Edition. St. Paul, Minn.: West Group at p. 837.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 19 (c) in appropriate circumstances, authorize the collection of personal information in a manner other than directly from the individual to whom it relates; (d) from time to time, carry out investigations with respect to personal information in the possession or under the control of government institutions to ensure compliance with this Part. Section 33 of FOIP enables the Commissioner to monitor compliance with FOIP and carry out investigations with respect to the handling of personal information in the possession or under the control of government institutions. The Commissioner may: • Offer comment on the implications for privacy protection of proposed legislative schemes or government programs [s. 33(a) of FOIP]. • Make recommendations to government institutions: o to cease or modify certain practices for collecting, using or disclosing personal information that contravenes FOIP. o to destroy collections of personal information that are collected in contravention of FOIP [s. 33(b) of FOIP]. • Where appropriate, authorize a government institution to collect personal information in a manner other than directly from the individual to whom it relates [s. 33(c) of FOIP]. • Carry out investigations with respect to personal information in the possession or under the control of government institutions to ensure compliance with FOIP [s. 33(d) of FOIP]. A privacy breach happens when there is an unauthorized collection, use or disclosure of personal information, regardless of whether the personal information ends up in a third party’s possession.32 Generally, privacy breaches are investigated by the Commissioner in one of three ways: • A complaint is received from an individual. • A government institution proactively reports a privacy breach to the Commissioner. 32 SK OIPC Annual Report - 2012-2013 at Appendix 3.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 20 • A privacy matter comes to the attention of the Commissioner and the Commissioner initiates an investigation. For more on privacy, see the Guide to FOIP, Chapter 6, “Protection of Privacy”. For more on the Commissioner’s procedures during an investigation, see The Rules of Procedure. Section 38: Appointment Appointment of commissioner 38(1) The office of the Information and Privacy Commissioner is continued. (2) The commissioner is an Officer of the Legislative Assembly. (3) The commissioner shall be appointed by order of the Legislative Assembly. (4) Subject to sections 39 and 40, unless he or she resigns, dies or is removed from office, the commissioner holds office for a term of five years. (5) The commissioner may be reappointed for one additional term of five years. (6) The commissioner may resign the office at any time by giving written notice to the Speaker. The Commissioner is an Officer of the Legislature and is independent of government. Section 38 of FOIP provides in part that the Commissioner: • Is appointed by order of the Legislative Assembly. • Is appointed for a term of five years. • Can be extended an additional term of five years. Sections 38, 39 and 40 of FOIP also provide that the Commissioner may resign or may be removed or suspended for cause, incapacity to act, neglect of duty or misconduct. The Commissioner’s office is made up of employees appointed by the Commissioner in order to exercise the powers and perform the duties of the commissioner effectively. Employees of the Commissioner’s office are employees of the Legislative Assembly.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 21 Section 44: Oath or Affirmation Oath or affirmation 44(1) Before entering on the duties of office, the commissioner shall take and subscribe the prescribed oath or affirmation before the Speaker of the Assembly or the Clerk of the Assembly. (2) Before entering on the duties of office, every member of the staff of the commissioner shall take and subscribe the prescribed oath or affirmation before the commissioner. Before entering the duties of office, the Commissioner takes an oath of office before the Speaker of the Legislative Assembly or the Clerk of the Assembly (see section 44(1) of FOIP). All staff of the Commissioner sign an oath of office on an annual basis. This oath is sworn before the Commissioner affirming that, except as provided for under FOIP, staff will not divulge any information received in the exercise of their powers or performance of their duties and functions at the IPC (see section 44(2) of FOIP). Section 19 of The Freedom of Information and Protection of Privacy Regulations provides the language for those oaths as follows: Oath of office 19(1) For the purposes of subsection 44(1) of the Act, the following oath or affirmation is prescribed for the commissioner: I,………………..………….., do swear/solemnly affirm that I will faithfully and impartially perform and discharge the duties and functions of the Information and Privacy Commissioner and that I will not, except as provided in The Freedom of Information and Protection of Privacy Act or in The Local Authority Freedom of Information and Protection of Privacy Act, divulge any information received by me in the exercise of my powers or the performance of my duties and functions under those Acts. (2) For purposes of subsection 44(2) of the Act, the following oath or affirmation is prescribed for the members of the staff of the commissioner: I,……………………..…….., do swear/solemnly affirm that I will faithfully and impartially perform and discharge the duties and functions of my office as an employee of the Information and Privacy Commissioner and that I will not, except as provided in The Freedom of Information and Protection of Privacy Act or in The Local Authority Freedom of Information and Protection of Privacy Act, divulge any information received by me in the exercise of my powers or the performance of my duties and functions under those Acts.

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 2, Administration of FOIP. Updated 7 March 2023. 22 Section 46: Confidentiality Confidentiality 46(1) Subject to clause 45(2)(e), the commissioner shall not disclose any information that comes to the knowledge of the commissioner in the exercise of the powers, performance of the duties or carrying out of the functions of the commissioner pursuant to this Act. (2) Subsection (1) applies, with any necessary modification, to the staff of the commissioner and any contractors employed by the commissioner. (3) Notwithstanding subsection (1), the commissioner may disclose: (a) in the course of a review pursuant to section 49, any matter that the commissioner considers necessary to disclose to facilitate the review; and (b) in a report prepared pursuant to this Act, any matter that the commissioner considers necessary to disclose to establish grounds for the findings and recommendations in the report. (4) When making a disclosure pursuant to subsection (3), the commissioner shall take every reasonable precaution to avoid disclosure, and shall not disclose: (a) any information or other material if the nature of the information or material could justify a refusal by a head to give access to a record or part of a record; or (b) any information as to whether a record exists if the head, in refusing to give access, does not indicate whether the record exists. (5) Notwithstanding subsection (1), the commissioner may disclose to the Attorney General for Saskatchewan or the Attorney General of Canada information that relates to the commission of an offence against: (a) an Act or a regulation; or (b) an Act of the Parliament of Canada or a regulation made pursuant to an Act of the Parliament of Canada; by an officer or employee of a government institution if, in the opinion of the commissioner, there is evidence of the commission of the offence. Subsection 46(1) of FOIP provides that the Commissioner shall not disclose any information that comes to the knowledge of the Commissioner in the exercise of the powers, performance of the duties or carrying out of the functions of the Commissioner under FOIP. This also applies to the staff of the Commissioner (s.46(2) of FOIP). However, the Commissioner may disclose: • In the course of a review - any matter the Commissioner considers necessary to facilitate a review [s. 46(3)(a) of FOIP].

RkJQdWJsaXNoZXIy MTgwMjYzOA==